• Atlas Arbor Feed Discontinued

    0 Votes · 2 Posts · 1k Views

    Thanks for the heads up!

  • +++ pfBlockerNG - error accessing GeoIP settings +++

    0 Votes · 4 Posts · 2k Views

    Hey BBcan177,

    you made my day!
    This solved the issue:

    @BBcan177:

    Alternatively, you can try to manually run the MaxMind update process from the shell:

    ```sh
    php /usr/local/www/pfblockerng/pfblockerng.php dc
    ```

    Thanks a lot! And thanks for this helpful package!!!

  • PFBlockerNG | Firewall | White listing a URL?

    0 Votes · 4 Posts · 8k Views

    Thanks

  • Syncing settings to backup server

    0 Votes · 4 Posts · 1k Views

    Good on the prod boxes. Whatever it is, it's just on the initial sync. After that I seem to be able to make changes, etc. without issue and just let cron do its job.

    SOLVED. Thanks

  • 100% CPU usage

    0 Votes · 3 Posts · 1k Views

    @BBcan177:

    See the following:
    https://forum.pfsense.org/index.php?topic=102470.msg671811#msg671811

    Will give it a go, thanks.

  • PfBNG DNSBL + HTTPS

    0 Votes · 3 Posts · 1k Views

    2.3.3 snapshots, browser being mostly Chrome. Why's unbound compiled without python, no idea.

  • Unbound-checkcon error: error parsing local-data at 30

    0 Votes · 4 Posts · 2k Views · last post by BBcan177

    @Mr.:

    Thank you BB  :-*

    Is it very difficult to have pfBlockerNG generate a human understandable error like 'feed is DOA'?

    I just need to write a fully automated system to read the thoughts of each admin and configure/monitor/tweak ….  <grin>  :P :P

    If I find a decent solution to improve this error, I will for sure add it to the code.... code name Jingle …</grin>
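
The "human-understandable error" Mr. asks for above is mostly a matter of checking the generated records before unbound does. What follows is an added example in Python, not pfBlockerNG's own code: it walks a pfb_dnsbl.conf-style file, reports every bad line with its line number (the same number unbound-checkconf prints) and names the feed. The record format is unbound's `local-data:` syntax as pfBlockerNG writes it; the feed name, the sink address 10.10.10.1 and the sample lines (including the 503 error page a dead feed hands back) are constructed.

```python
import re

# unbound local-data record as pfBlockerNG writes it, e.g.
#   local-data: "ads.example.com 60 IN A 10.10.10.1"
LOCAL_DATA_RE = re.compile(
    r'^local-data:\s*"(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+'
    r'(?P<rtype>A|AAAA)\s+(?P<rdata>\S+)"\s*$'
)
# one DNS label: 1-63 chars, no leading or trailing hyphen
LABEL_RE = re.compile(r'^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$')
# a feed that is down usually returns an error page, not a domain list
HTML_MARKERS = ('<!doctype', '<html', '<head', '<body')


def valid_hostname(name):
    """RFC 1035-style check: dotted labels, total length <= 253."""
    name = name.rstrip('.')
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split('.'))


def check_local_data(text, feed='unknown', sink='10.10.10.1'):
    """Return (problems, verdict).

    problems is a list of (line_number, reason) in file order; verdict is a
    one-line summary naming the feed.  sink is the DNSBL VIP every A record
    is expected to point at (constructed value, adjust to your setup).
    """
    problems = []
    html_lines = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if any(tag in line.lower() for tag in HTML_MARKERS):
            html_lines += 1
            problems.append((lineno, 'HTML instead of a domain entry'))
            continue
        m = LOCAL_DATA_RE.match(line)
        if not m:
            problems.append((lineno, 'not a local-data record: %r' % line[:40]))
            continue
        if not valid_hostname(m.group('name')):
            problems.append((lineno, 'invalid hostname %r' % m.group('name')))
        elif m.group('rtype') == 'A' and m.group('rdata') != sink:
            problems.append((lineno, 'A record points to %s, not the DNSBL sink %s'
                             % (m.group('rdata'), sink)))
    if html_lines:
        verdict = "feed '%s' is DOA: it returned an HTML page, not a domain list" % feed
    elif problems:
        verdict = "feed '%s' has %d malformed line(s)" % (feed, len(problems))
    else:
        verdict = "feed '%s' OK" % feed
    return problems, verdict


# constructed sample: two good entries, the 503 page a dead feed handed back,
# a label that starts with a hyphen and an entry pointing away from the sink
SAMPLE = '''\
local-data: "ads.example.com 60 IN A 10.10.10.1"
local-data: "tracker.example.net 60 IN A 10.10.10.1"
<!DOCTYPE html>
<html><head><title>503 Service Unavailable</title></head></html>
local-data: "-bad-label.example.org 60 IN A 10.10.10.1"
local-data: "www.example.com 60 IN A 203.0.113.5"
'''

if __name__ == '__main__':
    found, summary = check_local_data(SAMPLE, feed='example-feed')
    for lineno, reason in found:
        print('line %d: %s' % (lineno, reason))
    print(summary)
```

Run against the real file (`/var/unbound/pfb_dnsbl.conf`) it gives the line numbers unbound-checkconf complains about plus the reason, which is usually enough to tell a dead feed from a typo in a custom list.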

  • DNSBL clients via IPsec VPN

    0 Votes · 11 Posts · 3k Views · last post by BBcan177

    Hi,

    I don't have your environment to test, but I do have some changes to the Lighttpd web server configuration to listen on 10.10.10.1 (For DNS requests made from pfSense itself) and log those blocked domains… Not sure if this will help your situation or not?

    Save to /var/unbound/pfb_dnsbl_lighty.conf:

    ```
    #
    #pfBlockerNG Lighttpd DNSBL configuration file
    #
    server.bind                     = "0.0.0.0"
    server.port                     = "8081"
    server.event-handler            = "freebsd-kqueue"
    server.network-backend          = "freebsd-sendfile"
    server.dir-listing              = "disable"
    server.document-root            = "/usr/local/www/pfblockerng/www/"
    server.errorlog                 = "/var/log/pfblockerng/dnsbl_error.log"
    server.pid-file                 = "/var/run/dnsbl.pid"
    server.modules                  = ( "mod_access", "mod_fastcgi", "mod_rewrite" )
    server.indexfiles               = ( "index.php" )
    mimetype.assign                 = ( ".html" => "text/html", ".gif" => "image/gif" )
    url.access-deny                 = ( "~", ".inc" )
    fastcgi.server                  = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
    debug.log-condition-handling    = "enable"

    $HTTP["host"] =~ ".*" {
            url.rewrite-once = ( ".*" => "index.php" )
    }

    $SERVER["socket"] == "10.10.10.1:80" {
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }

    $SERVER["socket"] == "0.0.0.0:8443" {
            ssl.engine              = "enable"
            ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
            ssl.use-sslv2           = "disable"
            ssl.use-sslv3           = "disable"
            ssl.honor-cipher-order  = "enable"
            ssl.cipher-list         = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }

    $SERVER["socket"] == "10.10.10.1:443" {
            ssl.engine              = "enable"
            ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
            ssl.use-sslv2           = "disable"
            ssl.use-sslv3           = "disable"
            ssl.honor-cipher-order  = "enable"
            ssl.cipher-list         = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }
    ```

    then:

    ```sh
    /usr/local/etc/rc.d/dnsbl.sh restart
    ```

    Note: The NAT address of 127.0.0.1 is defined here:

    /usr/local/pkg/pfblockerng/pfblockerng.inc

    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L791
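
Before restarting dnsbl.sh with a hand-edited config it is worth knowing exactly which sockets the DNSBL web server will open and how each TLS listener is set. The audit below is an added example in Python, not part of pfBlockerNG or lighttpd: it parses the `$SERVER["socket"]` blocks, lists every listener, and flags TLS listeners that leave `ssl.use-sslv2`/`ssl.use-sslv3` anything but explicitly disabled, do not enforce the server cipher order, or name no certificate file. The first sample is the configuration from the post above (trimmed to the directives the audit reads); the second, weaker one is constructed to show the findings. Note that `server.bind = "0.0.0.0"` puts the 8081 listener on every interface, so reachability is decided by the firewall rules, not by the listener.

```python
import re

# `$SERVER["socket"] == "addr:port" {` opens a per-listener block
SOCKET_RE = re.compile(r'^\$SERVER\["socket"\]\s*==\s*"([^"]+)"\s*\{$')
# scalar directive: key = "value"  (list values are deliberately not captured)
ASSIGN_RE = re.compile(r'^([\w.-]+)\s*=\s*"([^"]*)"$')


def parse_lighttpd(cfg):
    """Return (global_settings, {socket: settings}) for scalar string directives.

    Conditional blocks are tracked by brace depth; a $HTTP[...] block nested
    inside a $SERVER["socket"] block inherits that socket, so directives set
    there are attributed to the right listener.
    """
    global_settings, sockets = {}, {}
    stack = []  # one entry per open '{': the socket it belongs to, or None
    for raw in cfg.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = SOCKET_RE.match(line)
        if m:
            sockets.setdefault(m.group(1), {})
            stack.append(m.group(1))
            continue
        if line.endswith('{'):
            stack.append(stack[-1] if stack else None)
            continue
        if line == '}':
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            target = sockets[stack[-1]] if stack and stack[-1] else global_settings
            target[m.group(1)] = m.group(2)
    return global_settings, sockets


def audit_listeners(cfg):
    """List every listener as (addr, port, tls, findings)."""
    global_settings, sockets = parse_lighttpd(cfg)
    listeners = [(global_settings.get('server.bind', '0.0.0.0'),
                  global_settings.get('server.port', '80'), False, [])]
    for key, s in sockets.items():
        addr, port = key.rsplit(':', 1)
        tls = s.get('ssl.engine') == 'enable'
        findings = []
        if tls:
            if not s.get('ssl.pemfile'):
                findings.append('TLS enabled without ssl.pemfile')
            for proto in ('ssl.use-sslv2', 'ssl.use-sslv3'):
                if s.get(proto) != 'disable':
                    findings.append('%s not explicitly disabled' % proto)
            if s.get('ssl.honor-cipher-order') != 'enable':
                findings.append('server cipher order not enforced')
        listeners.append((addr, port, tls, findings))
    return listeners


# the configuration from the post, trimmed to the directives read here
PAGE_CONFIG = '''
#pfBlockerNG Lighttpd DNSBL configuration file
server.bind                 = "0.0.0.0"
server.port                 = "8081"
server.document-root        = "/usr/local/www/pfblockerng/www/"
server.modules              = ( "mod_access", "mod_fastcgi", "mod_rewrite" )
$HTTP["host"] =~ ".*" {
        url.rewrite-once = ( ".*" => "index.php" )
}
$SERVER["socket"] == "10.10.10.1:80" {
        $HTTP["host"] =~ ".*" {
                url.rewrite-once = ( ".*" => "index.php" )
        }
}
$SERVER["socket"] == "0.0.0.0:8443" {
        ssl.engine              = "enable"
        ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
        ssl.use-sslv2           = "disable"
        ssl.use-sslv3           = "disable"
        ssl.honor-cipher-order  = "enable"
        ssl.cipher-list         = "AES128+EECDH:AES256+EECDH:!aNULL:!eNULL:!DSS"
}
$SERVER["socket"] == "10.10.10.1:443" {
        ssl.engine              = "enable"
        ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
        ssl.use-sslv2           = "disable"
        ssl.use-sslv3           = "disable"
        ssl.honor-cipher-order  = "enable"
}
'''

# constructed weak variant: SSLv3 switched on, SSLv2 and cipher order unset
WEAK_CONFIG = '''
server.bind = "0.0.0.0"
server.port = "8081"
$SERVER["socket"] == "0.0.0.0:8443" {
        ssl.engine    = "enable"
        ssl.pemfile   = "/var/unbound/dnsbl_cert.pem"
        ssl.use-sslv3 = "enable"
}
'''

if __name__ == '__main__':
    for addr, port, tls, findings in audit_listeners(PAGE_CONFIG):
        print('%s:%s %-5s %s' % (addr, port, 'https' if tls else 'http',
                                 '; '.join(findings) or 'ok'))
```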

  • Can't access webgui after setting up DNSBL

    0 Votes · 2 Posts · 864 Views

    Hi.

    Stop the firewall filter via the shell (console menu, option 8, Shell):

    ```sh
    pfctl -d
    ```

    Reconfigure your pfBlockerNG or whatever you need… and enable the firewall filter again:

    ```sh
    pfctl -e
    ```

    Regards.

  • Blocking some permitted geo local IPs

    0 Votes · 4 Posts · 779 Views · last post by BBcan177

    Either will work… Up to you what's an easier method to manage...

  • Web Proxy Blacklist

    0 Votes · 3 Posts · 3k Views · last post by BBcan177

    I haven't tested these myself, but you could try these for Proxy blocking …

    http://tools.rosinstrument.com/proxy/l100.xml
    http://tools.rosinstrument.com/proxy/plab100.xml
    http://www.xroxy.com/proxyrss.xml
    http://www.sslproxies.org/
    http://www.socks-proxy.net/
    http://www.proxz.com/proxylists.xml
    http://www.proxylists.net/proxylists.xml
    http://txt.proxyspy.net/proxy.txt
    http://www.proxyrss.com/proxylists/all.gz

  • DNSBL works but no Alerts are logged (SOLVED)

    0 Votes · 2 Posts · 2k Views

    I just found the problem!

    For LAN I have firewall rules that allow/pass some ports and, at the end, a deny-all rule. Apparently with this setup (i.e. no default allow rule), for DNSBL to work properly two rules need to be added:
    on LAN, pass source any, destination 127.0.0.1 port 8081
    on LAN, pass source any, destination 127.0.0.1 port 8443

    In fact, before these rules DNSBL was working… kind of; the browser was timing out on each blocked DNS name/IP.

    Hopefully this will help other newbies to pfBlockerNG.

    I take this as an opportunity to thank BBcan177 for the outstanding work!

    SenseRider
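
Why the two extra rules are needed, and why the symptom was a timeout rather than an immediate error, follows from how pfSense evaluates interface rules: interface-tab rules carry "quick", so the first match wins, anything unmatched hits the default deny, and filtering happens after NAT, so the LAN rules see the DNSBL port forward's translated destination (127.0.0.1:8081/8443 in the post) rather than the VIP and port 80/443 the browser asked for. The small rule evaluator below is an added example in Python, not pfSense or pf code; the LAN address and the "before" ruleset are constructed from the post's description.

```python
import ipaddress

# Constructed model of a pfSense interface-tab ruleset. pfSense puts "quick" on
# interface rules, so evaluation is top-down and the first matching rule wins;
# anything unmatched hits the implicit default deny.
def rule(action, proto='any', dst='any', dports=None, label=''):
    return {'action': action, 'proto': proto, 'dst': dst,
            'dports': dports, 'label': label}


def matches(r, pkt):
    if r['proto'] != 'any' and r['proto'] != pkt['proto']:
        return False
    if r['dst'] != 'any' and ipaddress.ip_address(pkt['dst']) not in \
            ipaddress.ip_network(r['dst'], strict=False):
        return False
    if r['dports'] is not None and pkt['dport'] not in r['dports']:
        return False
    return True


def decide(rules, pkt):
    """Return (action, label) of the first matching rule, or the default deny."""
    for r in rules:
        if matches(r, pkt):
            return r['action'], r['label']
    return 'block', 'implicit default deny'


def client_sees(action):
    # 'block' drops silently, so the browser waits for a SYN-ACK that never
    # comes (the timeout described in the post); 'reject' answers with a RST
    # or ICMP unreachable, so the client fails immediately.
    return {'pass': 'connects',
            'block': 'times out (packet silently dropped)',
            'reject': 'fails fast (RST or ICMP unreachable)'}[action]


# Addresses follow the post: 127.0.0.1:8081/8443 is where the DNSBL port
# forward sends VIP:80/443 (the VIP itself depends on the pfBlockerNG setting).
# pf filters after NAT, so the LAN rules see this translated destination.
DNSBL_WEB = '127.0.0.1'
LAN_ADDR = '192.168.1.1'   # constructed firewall LAN address

# LAN ruleset as the poster described it: a few pass rules, then deny-all
BEFORE = [
    rule('pass', 'udp', LAN_ADDR, {53}, 'LAN to resolver'),
    rule('pass', 'tcp', 'any', {80, 443}, 'web out'),
    rule('block', label='deny all'),
]
# the same ruleset with the two DNSBL pass rules inserted above deny-all
AFTER = BEFORE[:-1] + [
    rule('pass', 'tcp', DNSBL_WEB, {8081}, 'DNSBL http'),
    rule('pass', 'tcp', DNSBL_WEB, {8443}, 'DNSBL https'),
    rule('block', label='deny all'),
]


def blocked_ad_request(port):
    """A browser hitting a DNSBL-sunk domain, as the LAN rules see it post-NAT."""
    return {'proto': 'tcp', 'dst': DNSBL_WEB, 'dport': port}


if __name__ == '__main__':
    for name, rules in (('before', BEFORE), ('after', AFTER)):
        for port in (8081, 8443):
            action, label = decide(rules, blocked_ad_request(port))
            print('%s :%d -> %s (%s): browser %s'
                  % (name, port, action, label, client_sees(action)))
```

The "web out" pass rule never helps here because, post-NAT, the destination port is 8081 or 8443, not 80 or 443; the request falls through to deny-all, which drops silently, hence the browser hanging instead of showing the block page.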

  • Pfblocker dependencies

    0 Votes · 2 Posts · 787 Views · last post by jimp

    You should not need to do anything manually. It will install dependencies automatically.

    Post the whole output from the install attempt that failed.

  • Only allow RDP from Australia (NOOB)

    0 Votes · 9 Posts · 2k Views

    Hi.

    OK, I see now. Do not edit the floating rule (sorry :) )
    Set "Permit Inbound" in pfBlockerNG for Australia; "both" is not necessary.
    As you already have the NAT port forwarding rule, I suppose one rule was automatically created (along with the NAT) in the LAN to allow access from WAN to TCP port 3389 at the RDP server, and on WAN the pfBlockerNG floating rule permits traffic from Australia. And the default (last) rule at WAN blocks the rest.

    Regards

  • [ pfB_blocklist block ] Download FAIL

    0 Votes · 7 Posts · 4k Views · last post by RonpfS

    Do you have suppression enabled?

    https://forum.pfsense.org/index.php?topic=105977.msg592741#msg592741

  • DNSBL DNS sever setting

    0 Votes · 5 Posts · 1k Views

    Yep, tried it both ways plus placing DNS server addresses in the OpenVPN override bit (using OpenVPN as the main interface so all traffic is through the VPN) and anywhere else I can find to put them, but it's ignored.

    Seems to be a problem with DNS resolver or my inability to find how to set up DNS on the system

  • How to remove Ads removal message

    0 Votes · 2 Posts · 2k Views

    The message is coming up because the DNS request is pointing to the internal server, which responds with an SSL encrypted gif encrypted using its internal certificate.

    IIRC you may be able to get rid of the message by having the client trust the server certificate, but the blocking offered is a DNS redirection so even then it won't stop blank boxes from coming up as that's part of the HTML/CSS of the page.

    You'd need to use Squid and one of the adblock solutions which alters the html content if you want to completely hide the blank spaces/ invalid certificate messages.

  • PfBlockerNG update removing firewall rules schedule

    0 Votes · 5 Posts · 2k Views

    Thank you so much for taking the trouble to point me in the right direction.

  • Some issues with SG firewall

    0 Votes · 3 Posts · 826 Views

    @nahadot:

    Hi Guys,

    I have been running into some issues with my SG-2440 and I thought someone might be able to help me sort things out.
    I am running version 2.3.2-RELEASE-p1

    Issues:
    1. When I am using pfBlockerNG and I am selecting GeoIP blocking for specific countries, it all works well. Then I am trying to add some exceptions for some IPs in the countries I have previously blocked, so I am adding these rules above the GeoIP ones. I am saving the order (Save button, then "Apply Changes", then "reload filter"), then I am applying, and this also works well if I don't touch anything else. However, once I am forcing a reload (Update->Run or Force Reload), the rule that I placed above the GeoIP ones goes below them for some reason. Because pfBlockerNG is updating the config every day, every day I have to reorder the rules again. I would normally expect the order of rules to stay the same. Is there a workaround for this?

    2. I have noticed that every time I am touching the WAN interface (unplugging/replugging the cable) the pfSense firewall is getting into some kind of stuck state even minutes after the cable is replugged. Everything becomes very slow when accessing the 2440 device via LAN, and the pfSense box is also losing access to the internet. I am not using PPPoE on the WAN; my provider is giving me an IP address via DHCP, and on the WAN I can see I have an IP address after the cable is replugged. I did not have too much time to look into this last issue yet. I will post some more info once I debug this a bit more. However, I noticed the same problem when I tried to hardcode speed/duplex. The only way I could recover was to reboot the pfSense box. I will try to reproduce and do a packet capture and see what is going on exactly, but if someone recognizes the symptoms described above let me know.

    Thanks!

    I have seen the same issue whenever my ISP does a reset on my cable modem and changes the IP. I was able to debug part of the issue; it came down to how /etc/rc.newwanip interacts with services_unbound_configure, which is defined in /inc/services.inc. A race condition happens when DNSBL is enabled; in my case 1,366,154 lines in /var/unbound/pfb_dnsbl.conf try to load.

    As a quick fix, I commented out the reload process in /etc/rc.newwanip. I am sure the devs have a reason to reload unbound when the WAN IP changes but I have not had time to investigate.

    ```php
    /* reload unbound */
    //services_unbound_configure();
    ```

  • Problem with ordering

    0 Votes · 5 Posts · 2k Views

    Thank you very much. I changed all to Alias type and made my own rules manually and all is working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.