@Unoptanio Just looking at your screenshots I don't think upping your firewall Maximum Table Entries would help. But you need more physical memory -- 8 Gig is not near enough to turn on all the "toys". I recommend at least 32 Gig these days.

@jrey said in Cron Job Once/Day: Installing the 23.09RC likely also contributed to that clean up.. Agree...

@reynold said in Block social but allow facebook: Hi, I need to block majority of social network with pfblocker but I need to allow some of them such as facebook. Is there a way to do that? thank you Go to Firewall > pfBlockerNG > DNSBL and scroll down until you see DNSBL Whitelist and click the plus sign to get drop down box like below and add facebook.com then save: [image: 1698979352025-screenshot-2023-11-02-at-9.39.02-pm-resized.png] Then, go to DNSBL > DNSBL Group, click add...scroll down to custom like below then click the plus and add the ones you want to block, then save: [image: 1698979637674-screenshot-2023-11-02-at-9.37.53-pm-resized.png] You will need to force update and reload. Please read these: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html https://docs.netgate.com/pfsense/en/latest/recipes/block-websites.html?highlight=pfblockerng

@marcoaapereira said in Block Audio/Video but allow Youtube only.: @NollipfSense Hi, thanks for the answer! :-) I used: Firewall -> pfblockerng -> DNSBL -> DNSBL Category Then I selected UT1 (Un. Toulouse) and after clicked in Audio/Video option. The problem is that I need to block Netflix, Amazon, etc, but not Youtube, because Professors use it. Thank you! Okay, I had only used the shellalist... If I were you, I would disable the audio/video then add YouTube only to the DNSBL whitelist...just click on the plus sign and add youtube.com in the drop down box, then force update and reload. [image: 1698681050780-screenshot-2023-10-30-at-10.46.48-am.png]

@Ir0nsh007er If your still using a very old version of pfBlocker from before October 2022, then no. Because you didn't update/upgrade. If you did upgrade : then yes, fixed : @mrtumnus said in How to unblock duckduckgo and find why it's being blocked.: I can confirm that duckduckgo does load properly now.

@tbr281 Are you running into this ? https://forum.netgate.com/topic/182156/pfblockerng-asn-downloads-only-contain-a-header/46?_=1698167808688

@SteveITS @coffeecup25 was actually applying the concept here for a DNS sinkhole https://forum.netgate.com/topic/182752/can-pfblocker-sinkhole-an-address-domain-overrides/16 in addition to the mail sample provided, I do similar for other specific traffic as well (like DNS)

@Bob-Dig Follows is my final solution. It appears to work well. The problem to solve: pfBlockerNG blocked many addresses repetitively. It appears that 80% of the blocks came from 20% of the dns addresses. I considered that as pollution. Streaming TV is the worst offender. The objective: Continue blocking these addresses, but take them out of pfBlockerNG so lists show everyone except the usual suspects. The solution: Identify the polluting dns addresses and put them in an alias Create a LAN rule that blocks the addresses in the alias from ever leaving the network Whitelist the offenders in ofBlockerNG so the LAN rule gets them instead. Blocking still works very well and pfBlockerNG is bypassed entirely for those addresses. You must reload DNSBL after these changes for pfBlockerNG to know about them.

Getting back to this, looks like I found a solution. In my dumb little Pi-hole VM I created a cname entry pointing www.bing.com to nochat.bing.com. Looked at having resolver do it, but I don't see a way to add a cname, just overrides and aliases..

@jrey said in pfBlockerNG ASN downloads only contain a header: I can't speak to the -dev version - however, No need to, that was what I was running so it is not fixed for both. Good to know. I have read your news on the beta.

@basherstech It might be easier to use firewall rules to allow the PCI network access out. That is a separate network or VLAN? Though, you'd have to maintain a list of the Windows Update IPs which could be a challenge. One could find and allow all Microsoft IPs by ASN number in pfBlocker. Many, many years ago we did something similar but it was not for PCI so wasn't on a separate network, and was on a Windows Server network. The client just wanted to prevent certain PCs from web surfing. I tried to look it up but don't have that info anymore. I think it had to do with Conditional Forwarding which is a feature on Windows DNS. But, if you set up your own DNS server on the PCI network you might be able to forward only certain domains and not resolve the rest of the world? One other thought, there is a "Python Group Policy" feature which is named poorly but it will "bypass DNSBL for the defined LAN IPs." Possibly, use a service like CloudFlare family DNS to block adult content via forwarding, block all domains in DNSBL, and set everything on LAN to bypass DNSBL? So the PCs on LAN would get forwarded to CloudFlare. In other words, block *.com but add microsoft.com to the DNSBL Whitelist section. Sorry for the vague answer, maybe it helps.

@orangehand If you want to outsource it you can set DNS Resolver to forward to CloudFlare or others that block adult sites (1.1.1.3). https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

@totowentsouth OK thx