• Failure when starting pfb_dnsbl service

    11
    2 Votes
    11 Posts
    2k Views
    M
    @bigsy said in Failure when starting pfb_dnsbl service: @cmcdonald Working for me now on 23.05-RC (lighttpd: 1.4.69 -> 1.4.69_1). Many thanks! Same here.
  • pfAllower? 185.156.72.32

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • GeoIP Rules Missing

    21
    0 Votes
    21 Posts
    3k Views
    S
    @spyderturbo007 Can you post one update attempt from your pfblockerng.log log file? (pfB/Logs tab)
  • Regex logs

    11
    0 Votes
    11 Posts
    2k Views
    S
    I went through and re-organized my list, strengthened the character sets on a few hundred lines to combine and eliminate others and added a few, de-duplicated what was left; so far no errors on either box. All was gathered from the communities, slightly tweaked, and is here for anyone who wants to use, test, or improve upon it. pfSene pfBlockerng regex list 5-4-23.txt
  • disable reverse lookups (PTR) and some odd dns

    2
    0 Votes
    2 Posts
    913 Views
    D
    I hoped there was a configuration setting in pfblocker to disable reverse lookups and repeat lookups, but it has been a while since I posted to the forums and there have been no replies, so I assume there is not. I created a workaround because I enjoy tinkering, but, unless you have my same use case, there is no reason to take this route. Please just stick with pfBlocker. That said, I uninstalled pfblocker and did the following...
    [1] get the priority 1 threat lists
    [2] normalize the output and put it on a webserver
    [3] use a pfsense firewall alias and fetch it as a URL table [gui]
    [4] update this to hourly on pfsense cron [cli]
    [5] change the file time hourly [cli]
    [6] create firewall rules to block using this alias [gui]
    NOTE: I used a debian linux machine for steps 1-2 (because I already had it generating other URL lists and it was just easier to do it there). Steps 3-6 are done on the pfsense. I had fun doing it and I learned a few things about how pfsense works in the process. If you want the details of how I did it in case you need to do something similar, then read on. Otherwise, this forum post is probably done.
    Cheers

    [STEP 1] script 1 (feedlist-fetch.sh)

        #!/bin/bash
        # start in the right place (stop if the directory is missing)
        cd /home/donutjustice/PFSENSE-scripts/quietblocker/ || exit 1
        # get the lists; -f makes curl write nothing on an HTTP error,
        # so an error page is not mistaken for a list of addresses
        curl -fsS https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt > ips-feodo.txt
        curl -fsS https://sslbl.abuse.ch/blacklist/sslipblacklist.txt > ips-sslbl.txt
        curl -fsS https://cinsarmy.com/list/ci-badguys.txt > ips-cinsarmy.txt
        curl -fsS https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt > ips-ET-emerging.txt
        curl -fsS https://rules.emergingthreats.net/blockrules/compromised-ips.txt > ips-ET-compromised.txt
        curl -fsS https://isc.sans.edu/block.txt > ips-isc-block.txt
        curl -fsS https://www.spamhaus.org/drop/drop.txt > ips-spamhaus-drop.txt
        curl -fsS https://www.spamhaus.org/drop/edrop.txt > ips-spamhaus-edrop.txt
        curl -fsSL https://talosintelligence.com/documents/ip-blacklist > ips-talos.txt

    [STEP 2] script 2 (quietblocker.sh)

        #!/bin/bash
        #
        # threat feed data cleanup
        # copy to web server
        #
        # grab data from all the lists
        cd /home/donutjustice/PFSENSE-scripts/quietblocker/ || exit 1
        # run the fetch script directly (backticks would try to execute its output as a command)
        /home/donutjustice/PFSENSE-scripts/quietblocker/feedlist-fetch.sh
        sleep 35
        # cleanup the output: drop comment lines, keep only the address column
        cat ips-cinsarmy.txt > BUILD.txt
        cat ips-ET-compromised.txt >> BUILD.txt
        cat ips-talos.txt >> BUILD.txt
        grep -v '#' ips-ET-emerging.txt >> BUILD.txt
        grep -v '#' ips-feodo.txt >> BUILD.txt
        grep -v '#' ips-sslbl.txt >> BUILD.txt
        # Spamhaus lines look like "CIDR ; SBL123"; keep the CIDR
        grep -v '^;' ips-spamhaus-drop.txt | cut -d';' -f1 >> BUILD.txt
        grep -v '^;' ips-spamhaus-edrop.txt | cut -d';' -f1 >> BUILD.txt
        # ISC block list is tab-separated; the first column is the start of a /24
        grep -v '#' ips-isc-block.txt | awk -F '\t' '{ print $1 "/24" }' >> BUILD.txt
        # move it to the local webserver, one unique entry per line
        sort -u BUILD.txt > /var/www/html/quietblocker/quietblocker.html

    This script is run hourly on the debian box. It runs 5 minutes before pfsense grabs the URL to ensure the threatlist is fresh. The local crontab looks like this:

        25 * * * * /home/donutjustice/PFSENSE-scripts/quietblocker/quietblocker.sh

    [STEP 3] In the gui set a pfsense firewall alias to fetch the URL. I named mine "quietblocker" (relevant in step 5 where this becomes quietblocker.txt. If you name yours something different, just make sure it matches in step 5.) and the URL looks like this: http://10.1.1.100/quietblocker/quietblocker.html /1

    [STEP 4] ssh to pfsense and edit /etc/crontab. EDIT the "urltables" line from a 12 to a *. It should look like this:

        30 * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables

    [STEP 5] keep editing /etc/crontab (just like step 4). ADD a new crontab line (I suggest below the urltables). It should look like this:

        35 * * * * root /usr/bin/touch -t 1001011230 /var/db/aliastables/quietblocker.txt

    This step is necessary because the urltables script checks the timestamp on the file and won't update anything less than 1 day old. This just changes the date, so it is always old enough. I preferred this method to monkeying with the urltables script.

    [STEP 6] Now create firewall rules to meet your needs using this firewall alias.
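    As an added example (not part of the post above and not pfBlockerNG or pfSense code), here is the normalization step of that procedure written in Python instead of grep/cut. The posted pipeline passes through whatever each download returns, so an HTTP error page, a truncated file or an over-broad entry such as 0.0.0.0/0 would end up in the alias file; this version accepts only lines that parse as an IPv4 address or CIDR, refuses prefixes shorter than /8 and anything overlapping RFC 1918, loopback, link-local or 0.0.0.0/8 space, and collapses duplicates and nested prefixes. The three feed "kinds" mirror the formats the shell script handles ('#'-commented plain lists, Spamhaus ';'-commented lines, the tab-separated ISC block list); the feed contents in SAMPLE_FEEDS are constructed from RFC 5737 documentation ranges and are not real feed data.

```python
"""Normalize several IP threat-feed formats into one deduplicated list of
IPv4 prefixes that is safe to load into a firewall URL-table alias.

Added example; the feed contents below are constructed for the demonstration."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Never let a feed block these, whatever it claims (RFC 1918, loopback,
# link-local, "this" network). A broken or hijacked feed could otherwise
# cut the LAN off from its own gateway.
NEVER_BLOCK = [IPv4Net(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIXLEN = 8  # anything broader than a /8 is a feed bug, not intel


def parse_line(line: str, kind: str) -> Optional[IPv4Net]:
    """Return the IPv4 prefix on one feed line, or None for comments,
    blanks and anything that is not an address (e.g. an HTML error page).

    kind: "plain"    one address or CIDR per line, '#' comments
          "spamhaus" "CIDR ; SBL123", ';' comment lines (DROP/EDROP)
          "isc"      tab-separated, first column is the start of a /24
    """
    line = line.strip()
    if not line:
        return None
    if kind == "spamhaus":
        if line.startswith(";"):
            return None
        candidate = line.split(";", 1)[0].strip()
    elif kind == "isc":
        if line.startswith("#"):
            return None
        fields = line.split("\t")
        if len(fields) < 2:
            return None
        candidate = fields[0].strip() + "/24"
    else:
        if line.startswith("#"):
            return None
        candidate = line.split("#", 1)[0].strip()
    try:
        return IPv4Net(candidate, strict=False)
    except ValueError:  # covers AddressValueError / NetmaskValueError
        return None


def is_safe(net: IPv4Net) -> bool:
    """Reject catch-all prefixes and anything touching local address space."""
    if net.prefixlen < MIN_PREFIXLEN:
        return False
    return not any(net.overlaps(local) for local in NEVER_BLOCK)


def normalize(feeds: Iterable[Tuple[str, str]]) -> List[str]:
    """feeds: (kind, text) pairs. Returns sorted, collapsed prefixes as strings."""
    nets = []
    for kind, text in feeds:
        for raw in text.splitlines():
            net = parse_line(raw, kind)
            if net is not None and is_safe(net):
                nets.append(net)
    # collapse_addresses drops duplicates and prefixes nested inside others
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample feeds (RFC 5737 documentation ranges), not real feed data.
SAMPLE_FEEDS = [
    ("plain", "# Feodo-style list\n198.51.100.7\n203.0.113.0/24\n"),
    ("plain", "<html><head><title>404 Not Found</title></head></html>\n"),  # failed download
    ("spamhaus", "; Spamhaus DROP-style list\n192.0.2.0/24 ; SBL000001\n203.0.113.0/24 ; SBL000002\n"),
    ("isc", "# start\tend\tnetblock\tattacks\n198.51.100.0\t198.51.100.255\t24\t5\n"),
    ("plain", "0.0.0.0/0\n192.168.1.5\n10.0.0.0/8\n"),  # over-broad and local entries
]

if __name__ == "__main__":
    # Redirect this to the file the alias fetches, in place of sort -u
    print("\n".join(normalize(SAMPLE_FEEDS)))
```

    With the sample feeds the 404 page, the 0.0.0.0/0 entry and the two local addresses are dropped, the duplicate 203.0.113.0/24 appears once, and 198.51.100.7 disappears because the ISC-derived 198.51.100.0/24 already covers it.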
  • PfBlockerNG block second switch

    5
    0 Votes
    5 Posts
    770 Views
    S
    @nickyw To control where rules are created, on Firewall/pfBlockerNG/IP under Inbound Firewall Rules (or Outbound) select both WAN interfaces. re: Alias Native, on Firewall/pfBlockerNG/IP/IPv4 open your entry and for Action choose Alias Native. That will create an alias but create no rules. Then you can create whatever rules you want in any order using that alias.
  • PF Sense, AD Blocker Help

    Moved
    8
    0 Votes
    8 Posts
    721 Views
    S
    @johnpoz Where do I find a list for YT etc?
  • Country vs Registered country

    21
    0 Votes
    21 Posts
    3k Views
    P
    @nogbadthebad Interesting, yes that would allow me to use all Mullvad's IPs to go through the firewall, thanks. I did a feature request here: https://redmine.pfsense.org/issues/14324 Pierre
  • pfBlocker-NG-devel 3.2.0_3 not uninstalling on 23.01

    17
    0 Votes
    17 Posts
    3k Views
    M
    @lohphat Very cool.
  • PFBlockerng 3.2.0.4 and Wireguard and OpenVPN

    1
    0 Votes
    1 Posts
    372 Views
    No one has replied
  • "Your connection is not private" issue

    10
    0 Votes
    10 Posts
    968 Views
    N
    @netboy Another observation... I connect my iphone to wifi 172 subnet. Type https://www.cnn.com get "your connection is not private"... Turn off wifi and use the data plan that comes with my phone Connect to https://www.cnn.com connects like a charm I am going to assume this has something to do with my pfsense router....100% Now I connect my iphone to wifi 192 subnet and it works like a charm.. Remember I have made ZERO changes to my router I am happy to troubleshoot if somebody can help me I "disabled" pfblockerNG and I get the same symptoms...So it appears it has to do with pfsense rather than pfblockerNG? Not sure SOLVED!! Nothing to do with pfsense.....I had a wifi repeater for 172 network...(nokia router in bridge mode) - rebooted it and everything worked fine...... Close this thread please
  • VPN IP list

    4
    0 Votes
    4 Posts
    3k Views
    P
    @katinatez Thanks. That worked well. [image: 1682206631501-ejrv_ppnv4_v4-upload.jpg] I now have a text file with all the IP addresses in it, "Ejrv_VPNv4_v4.orig", which I renamed "Ejrv_VPNv4_v4.txt". I assume now I should be able to reload this into pfBlocker if required. Ejrv_VPNv4_v4.txt
  • XBox Live Domains to be whitelisted?

    2
    0 Votes
    2 Posts
    730 Views
    GertjanG
    @katinatez said in XBox Live Domains to be whitelisted?: My question is which domains should I whitelist? Only xbox users who also use pfSense, who use pfBlockerng and who use the list you use see what you see : blocked domains. So, it's very possible you are the only one. Easy solution ; use another dnsbl ;) edit : Maybe WindowsSpyBlocker isn't good for you, as you want not to block what WindowsSpyBlocker proposes to block. Next best solution : connect only your xbox to pfSense. Do what you do with the xbox. And while doing so, keep an eye on the Firewall > pfBlockerNG > Alerts page. There is ( for me ) a section with : [image: 1682063067563-594eeab7-2caf-40e5-a2cb-0ba4efa6d433-image.png] and half way down : [image: 1682063090631-2338604a-5917-4953-927e-787114e280eb-image.png] now do what admins do : whitelist what is needed. Click on [image: 1682063132214-56c9ba2e-ff04-46ee-83d2-063d46e4d1c6-image.png] and do whitelist - and do this for the dnsbl that xbox needs to contact.
  • Log files max lines

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    @jrey pfBlockerng main page : [image: 1682054587407-dcb17243-a367-4b36-89de-d58344499187-image.png] Related cron setting : [image: 1682054612878-7080e3aa-61cc-4e30-b90b-c4cca04ac992-image.png] But wait : [image: 1682057889342-5eca5f3f-81bc-4c86-b48a-ca25651934da-image.png] So, I guess, I've set it to 'every day' at 8h15. The cron settings are now (after a force reload ! - see bottom of the page) : [image: 1682058007105-589793b6-c3d3-48b8-8c00-78fd6a386b9c-image.png] where is the "8" ? for 8 o'clock 'AM' ? (bug ?) Anyway.
    Note that

        /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron

    will execute

        syslog(LOG_NOTICE, '[pfBlockerNG] Starting cron process.');
        pfblockerng_sync_cron();

    and the function pfblockerng_sync_cron(); will do a

        // Call log mgmt function
        // If Update GUI 'Manual view' is selected. Last output will be missed. So sleep for 5 secs.
        sleep(5);
        pfb_log_mgmt();

    at the end.
    My dns_reply.log was reduced, while testing, to a mere 20000 (my setting) and it grows rapidly, because I see hundreds of lines per minute.
  • PfBlocker NG DEV pages slow to load.

    6
    0 Votes
    6 Posts
    879 Views
    C
    @rcoleman-netgate here is a PCAP. I believe the delay to be the request by the computer asking who 130.140.1.1 is, and the computer IP is 130.140.1.78. I believe this handshake, when 20 Chromebooks are opened at the same time, may be the delay. Please let me know what you think.

        18:17:12.757414 IP 130.140.1.78.45893 > 130.140.1.1.53: UDP, length 33
        18:17:12.800455 ARP, Request who-has 130.140.1.1 tell 130.140.1.78, length 46
        18:17:12.800459 ARP, Reply 130.140.1.1 is-at 90:ec:77:2e:23:66, length 28
        18:17:12.894371 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
        18:17:13.145360 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
        18:17:13.216904 IP 130.140.1.78.50345 > 130.140.1.1.53: UDP, length 34
        18:17:13.223810 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
        18:17:13.224656 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
        18:17:13.264188 IP 103.41.69.203.443 > 130.140.1.21.56272: tcp 31
        18:17:13.369452 IP 130.140.1.21.56272 > 103.41.69.203.443: tcp 0
        18:17:13.396245 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
        18:17:13.464245 IP6 :: > ff02::1:ff44:b751: ICMP6, neighbor solicitation, who has fe80::98f3:cdff:fe44:b751, length 32
        18:17:13.504526 IP 130.140.1.78.39790 > 130.140.1.1.53: UDP, length 32
        18:17:13.568218 IP6 :: > ff02::1:ff82:f129: ICMP6, neighbor solicitation, who has fe80::681e:6ff:fe82:f129, length 32
        18:17:13.597080 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
        18:17:13.636389 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
        18:17:13.725156 IP 130.140.1.78.41801 > 130.140.1.1.53: UDP, length 33
        18:17:13.772959 IP 130.140.1.78.8735 > 130.140.1.1.53: UDP, length 33
        18:17:14.227125 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
        18:17:14.228747 IP 130.140.1.78.55421 > 130.140.1.1.53: UDP, length 34
        18:17:14.516916 IP 130.140.1.78.26674 > 130.140.1.1.53: UDP, length 32
        18:17:14.735840 IP 130.140.1.78.20216 > 130.140.1.1.53: UDP, length 33
        18:17:14.815218 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
        18:17:15.228837 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
        18:17:15.406804 IP 192.168.2.15.5060 > 69.84.152.140.5060: UDP, length 496
        18:17:15.496426 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
        18:17:15.496446 IP 69.84.152.140.5060 > 192.168.2.15.5060: UDP, length 601
        18:17:15.590042 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
        18:17:15.636337 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
        18:17:15.648896 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
        18:17:15.652443 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 34
        18:17:15.781370 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
        18:17:15.795484 IP 130.140.1.78.12841 > 130.140.1.1.53: UDP, length 33
        18:17:15.840301 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
        18:17:15.937358 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
        18:17:16.023659 IP 130.140.1.78.56339 > 130.140.1.1.53: UDP, length 53
        18:17:16.037245 IP 130.140.1.78.55934 > 130.140.1.1.53: UDP, length 43
        18:17:16.039043 IP 130.140.1.78.5619 > 130.140.1.1.53: UDP, length 34
        18:17:16.045365 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
        18:17:16.066272 IP 130.140.1.78.39005 > 130.140.1.1.53: UDP, length 35
        18:17:16.066488 IP 130.140.1.78.20031 > 130.140.1.1.53: UDP, length 47
        18:17:16.112145 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
        18:17:16.201394 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
        18:17:16.222290 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
        18:17:16.223315 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
        18:17:16.223971 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 46
        18:17:16.224550 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 45
        18:17:16.225050 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 34
        18:17:16.225395 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
        18:17:16.225744 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 44
        18:17:16.229370 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
        18:17:16.251355 IP 130.140.1.78.14830 > 130.140.1.1.53: UDP, length 34
        18:17:16.271198 IP 130.140.1.39.5353 > 224.0.0.251.5353: UDP, length 1436
        18:17:16.271623 IP6 fe80::217:c8ff:fe84:30.5353 > ff02::fb.5353: UDP, length 1436
        18:17:16.276728 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 60
        18:17:16.277288 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 61
        18:17:16.278096 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
        18:17:16.278943 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
        18:17:16.317286 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 3
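    As an added example (not part of the post above, and not pfBlockerNG or pfSense code), here are the two checks a practitioner would run over tcpdump text like this capture before deciding where the delay is, in Python: the gap between the ARP request for a host and the matching reply, and the DNS queries to a resolver for which the capture holds no packet back from port 53 to the querying port. The sample lines are copied from the capture above, with one constructed reply packet added and marked as such so that the query/reply pairing is exercised; IPv6 lines are ignored, and the regexes assume tcpdump's default one-line, numeric (-n) output format as shown in the post.

```python
"""Two checks over tcpdump one-line output: the ARP request-to-reply gap for a
given IP, and DNS queries to a resolver that saw no packet back from
resolver:53 within the capture.

Added example; SAMPLE_CAPTURE copies lines from the forum post plus one
constructed reply line, marked below."""
import re
from collections import OrderedDict
from typing import List, Optional, Tuple

# tcpdump -n style lines; IPv4 only ("IP6 ..." lines are ignored)
IP_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (UDP|tcp)")
ARP_REQ_RE = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+)")
ARP_REP_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at")


def ts_to_seconds(ts: str) -> float:
    """'18:17:12.757414' -> seconds since midnight (same-day capture assumed)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def arp_latency(lines: List[str], target: str) -> Optional[float]:
    """Seconds from the first 'who-has target' to the first 'target is-at' reply,
    or None if the capture does not contain both."""
    requested = None
    for line in lines:
        m = ARP_REQ_RE.match(line)
        if m and m.group(2) == target and requested is None:
            requested = ts_to_seconds(m.group(1))
            continue
        m = ARP_REP_RE.match(line)
        if m and m.group(2) == target and requested is not None:
            return ts_to_seconds(m.group(1)) - requested
    return None


def unanswered_dns(lines: List[str], resolver: str) -> List[Tuple[str, str]]:
    """(client_ip, client_port) pairs that sent to resolver:53 and received no
    packet from resolver:53 back to that port anywhere in the capture.
    Pairing is by client socket, which is how a stub resolver matches answers."""
    pending: "OrderedDict[Tuple[str, str], float]" = OrderedDict()
    for line in lines:
        m = IP_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, _proto = m.groups()
        if dst == resolver and dport == "53":
            pending.setdefault((src, sport), ts_to_seconds(ts))
        elif src == resolver and sport == "53":
            pending.pop((dst, dport), None)
    return list(pending)


# Lines copied from the capture in the post; the second line is constructed
# (no reply from the resolver appears in the posted excerpt).
SAMPLE_CAPTURE = [
    "18:17:12.757414 IP 130.140.1.78.45893 > 130.140.1.1.53: UDP, length 33",
    "18:17:12.790000 IP 130.140.1.1.53 > 130.140.1.78.45893: UDP, length 49",  # constructed reply
    "18:17:12.800455 ARP, Request who-has 130.140.1.1 tell 130.140.1.78, length 46",
    "18:17:12.800459 ARP, Reply 130.140.1.1 is-at 90:ec:77:2e:23:66, length 28",
    "18:17:12.894371 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117",
    "18:17:13.216904 IP 130.140.1.78.50345 > 130.140.1.1.53: UDP, length 34",
    "18:17:13.224656 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176",
    "18:17:13.264188 IP 103.41.69.203.443 > 130.140.1.21.56272: tcp 31",
    "18:17:13.504526 IP 130.140.1.78.39790 > 130.140.1.1.53: UDP, length 32",
    "18:17:13.725156 IP 130.140.1.78.41801 > 130.140.1.1.53: UDP, length 33",
]

if __name__ == "__main__":
    print("ARP request->reply gap (s):", arp_latency(SAMPLE_CAPTURE, "130.140.1.1"))
    for ip, port in unanswered_dns(SAMPLE_CAPTURE, "130.140.1.1"):
        print("no reply seen for query from", ip, "port", port)
```

    Run against a full capture taken with `tcpdump -n` on the client VLAN, the ARP figure tells you whether address resolution is measurable at all, and the unanswered list tells you which queries the resolver never (or only later) answered; mDNS and SSDP traffic to multicast addresses is ignored by both checks.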
  • Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?

    17
    0 Votes
    17 Posts
    3k Views
    GertjanG
    @mpfrench said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?: @Gertjan found that UT1_Adult did not block pornhub.com and the list has 4.5M entries. Correct. The first time I tried, using dnsbl at the end of the (huge) list did resolve to the real IP, not 0.0.0.0 ( I don't forward to 10.10.10.1 = internal pfB web server as https can't be redirected so the browser error will get shown ). I saw that the complete pfBlockerNG reload / force all didn't terminate with a " UPDATE PROCESS ENDED", it just stopped somewhere in the middle, leaving the process in an undefined state. Several days later, I redid the test, it took close to 10 minutes to finish, but it did finish this time. Now, it blocked dnsbl from the UT1 list. Again : using a 4100 with 4 Mbytes of ram. I share your conclusion.
  • Frequent DNS timeouts

    86
    0 Votes
    86 Posts
    50k Views
    GertjanG
    @chrislynch said in Frequent DNS timeouts: I had special DHCP static leases for specific devices that handed out those DNS servers instead of the firewall, and they still had DNS timeouts. These devices 'talk' directly to "1.1.1.1, 1.0.0.1, or even Google's DNS (8.8.8.8, 8.8.8.1)", which means it's some TCP and mostly UDP traffic to these IPs using destination port 53. pfSense does nothing with this traffic except 'routing it'. IMHO : That's for sure an uplink issue.
  • pfBlockerNG and pfBlockerNG-devel v3.2.0_3

    18
    10 Votes
    18 Posts
    6k Views
    GertjanG
    @teranom Euh, lol ? See the pfBlockerng forum, where you posted, and look at the very first non-pinned post called pfBlockerNG 3.2.0_4 ! It's out for several days now.
  • DNSBL service requires restart weekly

    3
    0 Votes
    3 Posts
    730 Views
    L
    @bbcan177 It is already set to localhost according to the web interface, which is the default. I'm not sure where else to look. Here's the pfb_dnsbl_lighty.conf if that helps.

        #pfBlockerNG DNSBL Lighttpd configuration file
        server.tag = "pfBlockerNG DNSBL"
        server.bind = "10.10.10.1"
        server.port = "80"
        server.event-handler = "freebsd-kqueue"
        server.network-backend = "freebsd-sendfile"
        server.dir-listing = "disable"
        server.document-root = "/usr/local/www/pfblockerng/www/"
        server.max-request-size = "1"
        server.pid-file = "/var/run/dnsbl.pid"
        server.use-ipv6 = "enable"
        server.modules = ( "mod_auth", "mod_fastcgi", "mod_rewrite", "mod_openssl" )
        index-file.names = ( "index.php" )
        mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
        url.access-deny = ( "~", ".inc" )
        fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
        $HTTP["scheme"] == "http" {
            url.rewrite-once = ( ".*" => "/index.php" )
        }
        $HTTP["remoteip"] =~ ".*" {
            $SERVER["socket"] == "10.10.10.1:443" {
                ssl.engine = "enable"
                ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
                ssl.dh-file = "/etc/dh-parameters.4096"
                ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
                ssl.ec-curve = "secp384r1"
                ssl.honor-cipher-order = "enable"
                ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
            }
            $SERVER["socket"] == "[::10.10.10.1]:80" {
                #
            }
            $SERVER["socket"] == "[::10.10.10.1]:443" {
                ssl.engine = "enable"
                ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
                ssl.dh-file = "/etc/dh-parameters.4096"
                ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
                ssl.ec-curve = "secp384r1"
                ssl.honor-cipher-order = "enable"
                ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
            }
            $HTTP["host"] =~ ".*" {
                url.rewrite-once = ( ".*" => "/index.php" )
            }
        }
  • Rest DNSBL Block Stats

    pfblocker dnsbl stats
    2
    0 Votes
    2 Posts
    1k Views
    N
    @motivio said in Rest DNSBL Block Stats: Hi, How can I reset the "DNSBL Block Stats" of the pfBlockerNG? Thanks! There are two ways you can do this. Go to Firewall / pfBlockerNG and then click on the Logs tab. In the dropdown menu under Log/File selection select dnsbl.log and click on the trash can to remove it. [image: 1681179062819-2750dc31-42f8-4348-991d-87bccd753836-image-resized.png] Or go to Diagnostics / Command Prompt and type this into the Execute Shell Command field:

        rm -rf /var/log/pfblockerng/dnsbl.log

    Click on the yellow execute button and that's it. [image: 1681179208056-880a2ea4-af7f-47f1-861e-13b3206be784-image.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.