Getting back to this, looks like I found a solution. In my dumb little Pi-hole VM I created a cname entry pointing www.bing.com to nochat.bing.com.
Looked at having resolver do it, but I don't see a way to add a cname, just overrides and aliases..

@jrey said in pfBlockerNG ASN downloads only contain a header:

I can't speak to the -dev version - however,

No need to, that was what I was running so it is not fixed for both. Good to know.

I have read your news on the beta.

@basherstech It might be easier to use firewall rules to allow the PCI network access out. That is a separate network or VLAN? Though, you'd have to maintain a list of the Windows Update IPs which could be a challenge. One could find and allow all Microsoft IPs by ASN number in pfBlocker.

Many, many years ago we did something similar but it was not for PCI so wasn't on a separate network, and was on a Windows Server network. The client just wanted to prevent certain PCs from web surfing. I tried to look it up but don't have that info anymore. I think it had to do with Conditional Forwarding which is a feature on Windows DNS. But, if you set up your own DNS server on the PCI network you might be able to forward only certain domains and not resolve the rest of the world?

One other thought, there is a "Python Group Policy" feature which is named poorly but it will "bypass DNSBL for the defined LAN IPs." Possibly, use a service like CloudFlare family DNS to block adult content via forwarding, block all domains in DNSBL, and set everything on LAN to bypass DNSBL? So the PCs on LAN would get forwarded to CloudFlare. In other words, block *.com but add microsoft.com to the DNSBL Whitelist section.

Sorry for the vague answer, maybe it helps.

@orangehand If you want to outsource it you can set DNS Resolver to forward to CloudFlare or others that block adult sites (1.1.1.3).
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

@mOrbo said in PFBlockerNG Python-Mode - Source-IP in Reports:

you ignore the warning you will see the block page.

Very correct.
The thing is, you know that, and you probably know that black part of the URL is showing what is your pfSense device.
Like this URL :

956b07f4-b11b-4085-9e59-8d9d040d06fe-image.png

The netgate.com part is in black. Because that the one that is important. That's the one matching the certificate from Netgate. So, ok, you know what you do. Internet isn't a dangerous place for you.

Now for the other 99,x % of us : if they all start to click through this "wrong cert" warning, pishing sites and other fake ones will have a bright future front of them.
So I tell them always : don't think - close it right away. Do not click any where.

IMHO : we as pfSense admins shouldn't contribute to the fact that our network users see this kind of info. It will introduce bad habits. And these 'stupid' users will pay the price later on.

Their IP will get logged of course, thus feeding the pfBlockerng stats.

@totowentsouth OK thx

@Aseknet Thank you

I submitted a merge request to FreeBSD-ports https://github.com/pfsense/FreeBSD-ports/pull/1309

EDIT: I see the above will be obsolete if/when https://github.com/pfsense/FreeBSD-ports/pull/1303 is merged.

@SteveITS said in XMLRPC Sync with pfBlocker?:

There was a bug in a recent version and I want to say it was fixed in the Plus package code but not CE?

Turned out it is fixed in the non devil version of the same number... So I am on it now too. Thanks @SteveITS !

I configured the "Advanced Inbound Firewall Rule Settings" and now its working.
Thanks.

Disabling logging on the FW rule continues not to update the pfBlocker stats/reports pages. I understood this to be independent so is there something else at play here and must i have the FW log rammed with pfB alerts being triggered on the WAN?

@table1 Can anyone confirm if this is a known issue?

Does it have a fix or is it a configuration issue?
Would a complete reload provide any solutions to the issue?

I am new to pfsense, and learning as I go!

Thanks in advance.

@danno91

83eaa859-3cfd-4628-a823-bc128ec6006c-image.png

For a list to show blocked packets, your devices have to visit host names present in the list.
And your devices used on the pfSense LAN have to use pfSense as their your DNS.

@HomeLabGuy Have you tried re-installing phBlockerNG?

@Unoptanio said in Pfsense 2.7.0 pfblockerng ERROR: could not update pfB_PRI1_v4 content from ...:

Could the alias have been included in version 2.6.0 by default?

2.6.0, or the current 2.7.0 : make use of the fact that it is open source so look for yourself in this folder, the GUI web root folder : https://github.com/pfsense/pfsense/tree/master/src/usr/local/www : there is no /pfblockerng/ folder - neither the PHP file in that folder : pfblockerng.php (ok, this is quiet obvious).

Also, when pfblockerng is installed, there are no DNSBL feed or IP feeds activated, they have to be selected and downloaded first.
When you install pfblockerng, it does nothing, it has to be set up first.

Still, I'm curious. To be sure, I would have to get a copy from a non infected source : https://www.pfsense.org/download/ and see what I find in the aliases when done. That's .... hum..... to much work 😊

@gwaitsi I have the same exact error. Did you find a solution?

I have the "pfBlockerNG-devel" package installed. The DNSBL part is turned off. This is the error I get:

[19-Sep-2023 12:18:28 Etc/UTC] PHP Fatal error: Uncaught ValueError: escapeshellarg(): Argument #1 ($arg) must not contain any null bytes in /usr/local/pkg/pfblockerng/pfblockerng.inc:3816
Stack trace:
#0 /usr/local/pkg/pfblockerng/pfblockerng.inc(3816): escapeshellarg('^192\.168\.1\.1...')
#1 /usr/local/pkg/pfblockerng/pfblockerng.inc(5647): find_reported_header('192.168.1.15\x00\x00\x00...', '/var/db/pfblock...', false)
#2 /usr/local/pkg/pfblockerng/pfblockerng.inc(1031): pfb_daemon_filterlog()
#3 {main}
thrown in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 3816