  • pfblocker not blocking google ads pixels
    0 Votes, 3 Posts, 436 Views
    R
    @planedrop Where will that be to check DNS over HTTPS?
  • [solved] Need help with suspicious (activity regarding) DNSBL blocks
    0 Votes, 2 Posts, 466 Views
    Bob.Dig
    D'oh! I actually had created an alias in the past and haven't used it for a long time which does contain those FQDNs... Also "LAN" is misleading.
  • Redirect malicious domain to another domain or website
    0 Votes, 7 Posts, 657 Views
    W
    @SteveITS thank you for your help.
  • Whitelisting specific inbound IP addresses
    0 Votes, 12 Posts, 2k Views
    M
    @sfigueroa My advice. That screenshot I would assume is for your WAN facing. By default, pfSense blocks all inbound attempts. So you blocking the world may not make sense if you are not hosting services behind your firewall. If you are hosting services behind your firewall, then you are better off only whitelisting / passing just the countries you need instead of blacklisting the ones you don't.
  • Help understanding DNSBL alerts
    0 Votes, 8 Posts, 716 Views
    Gertjan
    @Rogerthat said in Help understanding DNSBL alerts: so I am just confused as to why my device would be sending these requests when I connect to the LAN interface, if I am not actually trying to reach those domains? Not you as a person. But, for example, if you are using a Windows PC or a modern handheld device such as a smartphone, hundreds of tasks running right now are communicating with something somewhere on the Internet. "Doing their things". These processes use host names that have to be resolved first. Those are the host names you saw in your Unified log. If you want to know what is actually going on, then you should take a look at every process on your system, checking with whatever means you have to see what it is doing. @Rogerthat said in Help understanding DNSBL alerts: Will unchecking the box you pictured above, stop it from doing that? That option will keep already looked-up host names up to date in the unbound DNS resolver cache. If a domain xxxx.tld is in the cache, that is because your LAN device has asked for it.
  • log rotation?
    0 Votes, 7 Posts, 864 Views
    M
    @periko oh wow, I never knew this existed. Going to try this out now. Specifically the command for pfblocker dnsbl. Seems that most of the .sh scripts aren't working in 23.05.1. The way I'm testing is grabbing the script and running it from the shell on pfSense. I get either Command not found or Illegal variable name. Are you running the latest pfSense version? edit 1: cancel everything I said. This is working great. Just went into the bash shell to test and my goodness this is great.
  • Manually Added Alias Does Not Appear in Dashboard Widget pfBlockerNG
    0 Votes, 1 Posts, 264 Views
    No one has replied
  • uceprotect and pfBlocker
    0 Votes, 9 Posts, 2k Views
    Bob.Dig
    Old topic but I noticed some problems. If I use rsync I get an error:
    rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-1.uceprotect.net dnsbl1 [ dnsblOne_v4 ] Downloading update . RSYNC Failed... [ pfB_UCEPROTECTNetwork_v4 - dnsblOne_v4 ] Download FAIL [ 08/5/23 10:14:49 ] Cannot Resolve Host: DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download. The Following List has been REMOVED [ dnsblOne_v4 ]
    Something is not working as intended, at least I can resolve rsync-mirrors.uceprotect.net without a problem on pfSense. If I am switching to the WGET-lists, on my two pfSense boxes I get different sized tables. One has 22,402 records, the other has 12,288 records. If I download the list with the browser, I get roughly 80,000 records. So my guess is, this format is still not compatible with pfBlocker? But what is up with the first problem I mentioned with rsync?
  • pfBlockerNG - GeoIP "Allow USA" doesn't match some IPs
    0 Votes, 8 Posts, 1k Views
    johnpoz
    @ctarbet pfSense is a stateful firewall. States are created by SYN packets. If there is no state to allow traffic, then it would be blocked. https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets
  • PHP Fatal Error
    Moved
    0 Votes, 2 Posts, 465 Views
    S
    Solved with Restart and Reinstall package. Thank you
  • Converting FQDN to IP in custom blocklist
    0 Votes, 2 Posts, 439 Views
    P
    I found a way to do this using a "pre" script which fetches the file itself; a "post" script example would still be welcome.
  • Blocking Ads on Road Warrior Traffic
    0 Votes, 5 Posts, 730 Views
    X
    @viragomann thanks a bunch, will have a look when I get home.
  •
    0 Votes, 13 Posts, 1k Views
    L
    @AWilson60 Great, glad it's working. Sorry I could not follow up any sooner but great advice from @johnpoz. Lots of help on this forum.
  • pfBlocker hidden whitelists
    0 Votes, 19 Posts, 2k Views
    Gertjan
    @iTestAndroid said in pfBlocker hidden whitelists: "/var/db/pfblockerng/pfbdnsblsuppression.txt" is created with what you've entered here: Firewall > pfBlockerNG > DNSBL. At the bottom, you have a "DNSBL Whitelist"; deploy it and the info shown there creates "/var/db/pfblockerng/pfbdnsblsuppression.txt". When I empty: [image] the file will be nearly empty (just one line). Where do "yandex" etc. come from? Well... SSH into your box (or console), option 8. Go to /usr/local/pkg/pfblockerng: grep -R 'yandex' * or grep -R 'adservices' * These files come with pfblockerng when you install it. You'll find pfb_py_hsts.txt. What I know: this file contains sites that are known to use "hsts" (wikipedia hsts please). Anyway... I've emptied my 'master' DNSBL whitelist and now: [image] as you can see, "Whitelist" only contains "localhost.localdomain"
  • pfBlockerNG Question
    0 Votes, 1 Posts, 241 Views
    No one has replied
  • shallalist back online
    0 Votes, 9 Posts, 11k Views
    S
    @luisenrique I can agree to one degree of extent but otherwise disagree. The internal download link pointing to the .tar.gz list file itself that leaves download failure errors, as well as any IP addresses that remain in these files if used (squidguard uses them but not sure pfBlocker does though), these all should be removed to eliminate errors and false positives if they were rendered. To remove ShallaList's contributions altogether would basically be literally the same thing as to say "when Bill Gates dies, let's just simply delete Microsoft Windows entirely worldwide and FORGET the project ever existed." The download link, yes, is dead, and ANY IP address list will become deprecated in time if not updated as individual IP addresses become re-purposed. The domain lists, on the other hand, of millions of categorized bad domains are still 99% valid worldwide, regardless of whether in ShallaList or other DNS blacklists, whether it's a "static" list or updatable as an "online" feed, and IF and when any of these are found to be outdated domain names or ones that are found to be needed/non-malicious by Network Admins managing their OWN networks, any and each can easily be whitelisted at the Admin level to allow access for their own network users. If we disown any/all open-source community contributors' contributions in the endlessly growing IT world at the point of a contributor simply "moving on with their life" or when one passes away, we as a whole worldwide would in fact still be sitting in the IT industry and Internet itself of 1980 with literally one ISP, your government, and with literally one PC manufacturer also, your government.
  • Installation of pfBlockerNG breaks NAT Port Forwarding Rules
    0 Votes, 6 Posts, 932 Views
    Bob.Dig
    @jlauzer said in Installation of pfBlockerNG breaks NAT Port Forwarding Rules: Thank you!! You're welcome!
  • Error - "There were error(s) loading the rules"
    0 Votes, 6 Posts, 989 Views
    S
    @revilzs It has to at least be big enough to hold the data. Extra space won't hurt.
    enabled De-Duplication
    One note on this... if you use pfBlocker to create overlapping deny rules, the deduplication works across rules, so it may remove an entry from additional rules. If that's the case for you, disable it, or use Alias Native and create your own rules.
  • How will MaxMind work with pfBlockerNG when 2FA is implemented ?
    0 Votes, 5 Posts, 842 Views
    cappie
    @bgroper you should be fine. @SteveITS and @johnpoz are correct. Just for context, I've had 2FA (yubikey) enabled since March and have had no problem. The API used in pfBlocker is authorized via a license key you create on the website.
  • domain not being blocked
    0 Votes, 5 Posts, 811 Views
    johnpoz
    @droidus you can kill off specific states in the state table
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.