• 0 Votes
    3 Posts
    428 Views
    Z

    @SteveITS I use pfBlocker only to generate GeoIP lists. So, I use these lists for allow/block rules on WAN interfaces.

  • Allowing facebook when blocking Social Media as a category.

    3
    0 Votes
    3 Posts
    310 Views
    -

    @coffeecup25 After some back and forth I was able to get a list together. For anyone interested, this list got Facebook working properly for me.

    facebook.com
    whatsapp.com
    fb.me
    messenger.com
    whatsapp.net
    whatsapp-cdn.net
    fbstatic-a.akamaihd.net
    fbcdn-photos-b-a.akamaihd.net
    fbcdn-photos-a-a.akamaihd.net
    fbexternal-a.akamaihd.net
    fbsbx.com
    fbsbx.com
    m.me

    -RYknow

  • pfBlockerNG Occasionally Stops Blocking

    2
    0 Votes
    2 Posts
    386 Views
    BBcan177B

    @SludgeT try using an RFC1918 IP address for the DNSBL webserver.

  • Unknown User defined feeds

    11
    0 Votes
    11 Posts
    2k Views
    S

    @MaxFactor-0 I suspect something isn't matching. Did the name or the URL change? Maybe the old URL is being redirected?

    As long as the file exists on disk, pfB should use it as is. It doesn't mean it's being updated. And being Unknown doesn't mean the feed isn't downloading; it just means it's not recognized in the predefined list.

  • Is it possible to modify pfBlockerNG to pfAllowNG?

    9
    0 Votes
    9 Posts
    599 Views
    H

    @SteveITS said in Is it possible to modify pfBlockerNG to pfAllowNG?:
    This is a dirty patch
    /usr/local/pkg/pfblockerng/pfb_unbound.py
    Let the Python regex list be used for AllowOnly
    Are there potential bugs here?

    ```
    # Block via Regex
    if not isFound and pfb['regexDB']:
        isRegexMatch = pfb_regex_match(q_name)
        #print q_name + ' regex: ' + str(isRegexMatch)
        if not isRegexMatch:
            isFound = True
            feed = 'PythonAllow' #isRegexMatch
            group = 'DNSBL_Regex'
    ```

  • pfBlockerNG not working

    6
    0 Votes
    6 Posts
    810 Views
    GertjanG

    @unknownName said in pfBlockerNG not working:

    Yes, this is the pfBlockerNG version I've installed. And now is not allowing either to install/uninstall packages, save new config changes, etc., but the firewall is up and running, so it has internet connectivity. This is due to some PHP functions missing/not found based on error logs ...

    The latest pfSense packages are built against the latest pfSense version.
    This means: with the new libraries, new or other functions, etc.

    This is why (to make a long story short) you should not install/upgrade packages before you've updated pfSense itself. Doing so might break things;
    You've seen the results.

    The long story :

    Before, this was recalled whenever a pfSense upgrade was announced : see here for pfSense 2.7.2.

    On that page you'll find :

    Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.

    Clicking on Upgrade guide brings you to the upgrade guide.

    Now click on "Packages" :

    The Packages page starts with :

    Do not upgrade packages before upgrading pfSense® software. Either remove all packages or leave the packages alone before running the update.

    Great, right ? 😊

    IMHO : The fastest way out :
    Get a copy of 2.7.2.
    Save your config.
    Install 2.7.2 over 2.7.0 (this will wipe the disk etc but who cares ^^)
    Import your config.
    Done.

    Plan B : If uninstalling pfBlockerNG is possible, do so.
    Now, use the GUI to upgrade.
    Reinstall pfBlockerNG.

  • Log formats for dns_reply.log

    2
    0 Votes
    2 Posts
    295 Views
    GertjanG

    @xantonin

    The file is created, and lines are added by 'pfBlockerng'.
    So the manual (== the source code 😊 ) should give you hints about how the line is created and with what info.

    I've found /var/unbound/pfb_unbound.py line 802 :

    ```
    csv_line = ','.join('{}'.format(v) for v in ('DNSBL-python', timestamp, q_name, q_ip, isDNSBL['p_type'], isDNSBL['b_type'], isDNSBL['group'], isDNSBL['b_eval'], isDNSBL['feed'], dupEntry))
    ```

    Be careful. It's Python.

  • How to stop maxmind spam to pfsense alert?

    11
    0 Votes
    11 Posts
    1k Views
    S

    @johnpoz I believe the original (Suricata warning) post said January but wasn’t specific.

  • pfBlockerNG-devel 3.2.0_7 not blocking certain ads for IPv6 devices

    4
    0 Votes
    4 Posts
    426 Views
    S

    @rtorres well Chrome is Google of course. Is there a reason to allow any?

    I’ve seen one issue: we have Dish satellite, and though its DVR uses local DNS, its video on demand “app” uses public DNS/DoH and I had to allow it out from that device.

  • Talos_BL_v4 failed downloads

    5
    0 Votes
    5 Posts
    4k Views
    rtorresR

    @pulsartiger From what I was reading, they mentioned another job running at the same time the pfBlockerNG CRON is running. Changing the time allows the other job to complete for this one to run without issues.

    But now I'm having an issue with pfB_PRI1_v4 - ISC_Block_v4 😓 Per the error message, there is an SSL error that times out.. but I can access just fine via the browser. I'll open another thread if I can't figure it out! 😅

  • pfBlockerNG to block ads on Youtube on TV?

    3
    0 Votes
    3 Posts
    6k Views
    T

    @Authec If you have an Android TV, have a look at https://github.com/yuliskov/SmartTube.

  • pfBlockerNG addon Whitelist Rulegen

    2
    1 Votes
    2 Posts
    249 Views
    keyserK

    @christopherbradski Very interesting!

  • pfBlockerNG IPv4 and DNSBL

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • pfBlockerNG not blocking some foreign sites using geoip

    10
    0 Votes
    10 Posts
    794 Views
    W

    When I was checking out the IPs, I noticed quite often that Amazon was involved. I unchecked the US reps and will see what happens.

    I noticed that 85000 addresses were removed when PFB updated...

    thank you!

    No changes to Firewall rules, skipping Filter Reload

    Updating: pfB_NAmerica_v4
    85423 addresses deleted.

    UPDATE PROCESS ENDED [ 02/2/24 06:12:41 ]

  • Whitelisting URL

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • pfBlockerNG ABP format question

    2
    0 Votes
    2 Posts
    359 Views
    A

    @HorstZimmermann I've been working on bringing that support to pfBlockerNG

    You can find my code here: https://github.com/andrebrait/FreeBSD-ports/tree/pfblockerng-adblock

    Let me know if you're interested in trying it out :)

  • 0 Votes
    4 Posts
    286 Views
    F

    Further to my last, an update.

    I reverted my workaround changes (back from Network to Host) and reloaded pfBlockerNG but the issue did not return. I wonder if converting the type (described above) from Host to Network and back has reset something?

    Followed your suggestion of installing the non Dev version of pfBlocker and reloaded. All seems normal and operational using Host again.

    If I come across any subsequent "funnies" I shall report back, but for now I think I'll leave this post as is, in case anyone else runs into a similar issue.

    Cheers again for your help.

  • pfBlocker-NG / shorter update interval

    1
    0 Votes
    1 Posts
    167 Views
    No one has replied
  • Is pfBlockerNG able to block all outbound traffic except whitelisted sites?

    23
    0 Votes
    23 Posts
    5k Views
    S

    @CZvacko For the first attempt/part, technically you can do that without pfBlocker...create an alias, add your hostnames, and pfSense will resolve the hostnames in the alias every 5 minutes by default. However there are caveats as you found:

    every hostname initially queried has to be entered (www.example.com, svr2.example.com)
    one cannot use a wildcard (*.example.com)
    hostnames may change IPs frequently

    Doing that in pfBlocker, I don't know offhand if it resolves the names every 5 minutes or at reload. Haven't tried.

    An option is to create a host override or domain override in DNS Resolver, and point the names to nowhere.

    In pfBlocker one can create a DNSBL Group and block domains, but that's the opposite of what you're asking for.

    I have not tried, but possibly you could block *.com, *.net, etc., enable Wildcard Blocking (TLD), and then add entries to the DNSBL whitelist?

  • 0 Votes
    2 Posts
    196 Views
    V

    @nasheayahu
    pfBlockerNG has to know which are inbound and which are outbound interfaces. Maybe you have only one each (WAN, LAN), but anyway you have to tell pfBlockerNG this.

    You can do this on the IP tab in recent versions.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.