• XBox Live Domains to be whitelisted?

    2
    0 Votes
    2 Posts
    675 Views
    GertjanG

    @katinatez said in XBox Live Domains to be whitelisted?:

    My question is which domains should I whitelist?

    Only Xbox users
    who also use pfSense,
    and who use pfBlockerNG,
    and who use the list you use,

    see what you see: blocked domains.

    So, it's very possible you are the only one.

    Easy solution: use another DNSBL ;) Edit: maybe WindowsSpyBlocker isn't good for you, as you don't want to block what WindowsSpyBlocker proposes to block.

    Next best solution: connect only your Xbox to pfSense.
    Do what you do with the xbox.
    And while doing so, keep an eye on the Firewall > pfBlockerNG > Alerts page.

    There is (for me) a section with:

    594eeab7-2caf-40e5-a2cb-0ba4efa6d433-image.png

    and half way down :

    2338604a-5917-4953-927e-787114e280eb-image.png

    Now do what admins do: whitelist what is needed.
    Click on

    56c9ba2e-ff04-46ee-83d2-063d46e4d1c6-image.png

    and whitelist it. Do this for each DNSBL entry that the Xbox needs to contact.

  • Log files max lines

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG

    @jrey

    pfBlockerNG main page:

    dcb17243-a367-4b36-89de-d58344499187-image.png

    Related cron setting:

    7080e3aa-61cc-4e30-b90b-c4cca04ac992-image.png

    But wait:

    5eca5f3f-81bc-4c86-b48a-ca25651934da-image.png

    So, I guess, I've set it to 'every day' at 8h15.

    The cron settings are now (after a force reload! See the bottom of the page):

    589793b6-c3d3-48b8-8c00-78fd6a386b9c-image.png

    Where is the "8"? For 8 o'clock 'AM'? (Bug?)

    Anyway.

    Note that

    /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron

    will execute

    syslog(LOG_NOTICE, '[pfBlockerNG] Starting cron process.');
    pfblockerng_sync_cron();

    and the function pfblockerng_sync_cron() will do a

    // Call log mgmt function
    // If Update GUI 'Manual view' is selected, the last output will be missed. So sleep for 5 secs.
    sleep(5);
    pfb_log_mgmt();

    at the end.

    My dns_reply.log was reduced, while testing, to a mere 20000 (my setting) and it grows rapidly, because I see hundreds of lines per minute.

  • PfBlocker NG DEV pages slow to load.

    6
    0 Votes
    6 Posts
    847 Views
    C

    @rcoleman-netgate here is a PCAP. I believe the delay to be the request by the computer asking who 130.140.1.1 is (the computer's IP is 130.140.1.78). I believe this handshake, when 20 Chromebooks are opened at the same time, may be the delay. Please let me know what you think.

    18:17:12.757414 IP 130.140.1.78.45893 > 130.140.1.1.53: UDP, length 33
    18:17:12.800455 ARP, Request who-has 130.140.1.1 tell 130.140.1.78, length 46
    18:17:12.800459 ARP, Reply 130.140.1.1 is-at 90:ec:77:2e:23:66, length 28
    18:17:12.894371 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
    18:17:13.145360 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
    18:17:13.216904 IP 130.140.1.78.50345 > 130.140.1.1.53: UDP, length 34
    18:17:13.223810 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
    18:17:13.224656 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
    18:17:13.264188 IP 103.41.69.203.443 > 130.140.1.21.56272: tcp 31
    18:17:13.369452 IP 130.140.1.21.56272 > 103.41.69.203.443: tcp 0
    18:17:13.396245 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 117
    18:17:13.464245 IP6 :: > ff02::1:ff44:b751: ICMP6, neighbor solicitation, who has fe80::98f3:cdff:fe44:b751, length 32
    18:17:13.504526 IP 130.140.1.78.39790 > 130.140.1.1.53: UDP, length 32
    18:17:13.568218 IP6 :: > ff02::1:ff82:f129: ICMP6, neighbor solicitation, who has fe80::681e:6ff:fe82:f129, length 32
    18:17:13.597080 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
    18:17:13.636389 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
    18:17:13.725156 IP 130.140.1.78.41801 > 130.140.1.1.53: UDP, length 33
    18:17:13.772959 IP 130.140.1.78.8735 > 130.140.1.1.53: UDP, length 33
    18:17:14.227125 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
    18:17:14.228747 IP 130.140.1.78.55421 > 130.140.1.1.53: UDP, length 34
    18:17:14.516916 IP 130.140.1.78.26674 > 130.140.1.1.53: UDP, length 32
    18:17:14.735840 IP 130.140.1.78.20216 > 130.140.1.1.53: UDP, length 33
    18:17:14.815218 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 105
    18:17:15.228837 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
    18:17:15.406804 IP 192.168.2.15.5060 > 69.84.152.140.5060: UDP, length 496
    18:17:15.496426 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
    18:17:15.496446 IP 69.84.152.140.5060 > 192.168.2.15.5060: UDP, length 601
    18:17:15.590042 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
    18:17:15.636337 34:60:f9:3e:4c:09 > ff:ff:ff:ff:ff:ff, RRCP-0x25 reply
    18:17:15.648896 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 157
    18:17:15.652443 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 34
    18:17:15.781370 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
    18:17:15.795484 IP 130.140.1.78.12841 > 130.140.1.1.53: UDP, length 33
    18:17:15.840301 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
    18:17:15.937358 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
    18:17:16.023659 IP 130.140.1.78.56339 > 130.140.1.1.53: UDP, length 53
    18:17:16.037245 IP 130.140.1.78.55934 > 130.140.1.1.53: UDP, length 43
    18:17:16.039043 IP 130.140.1.78.5619 > 130.140.1.1.53: UDP, length 34
    18:17:16.045365 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 33
    18:17:16.066272 IP 130.140.1.78.39005 > 130.140.1.1.53: UDP, length 35
    18:17:16.066488 IP 130.140.1.78.20031 > 130.140.1.1.53: UDP, length 47
    18:17:16.112145 IP 142.250.190.42.443 > 130.140.1.41.34848: UDP, length 25
    18:17:16.201394 IP 130.140.1.78.44996 > 142.250.111.188.5228: tcp 26
    18:17:16.222290 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
    18:17:16.223315 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 40
    18:17:16.223971 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 46
    18:17:16.224550 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 45
    18:17:16.225050 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 34
    18:17:16.225395 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 33
    18:17:16.225744 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 44
    18:17:16.229370 IP 130.140.1.78.39310 > 239.255.255.250.1900: UDP, length 176
    18:17:16.251355 IP 130.140.1.78.14830 > 130.140.1.1.53: UDP, length 34
    18:17:16.271198 IP 130.140.1.39.5353 > 224.0.0.251.5353: UDP, length 1436
    18:17:16.271623 IP6 fe80::217:c8ff:fe84:30.5353 > ff02::fb.5353: UDP, length 1436
    18:17:16.276728 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 60
    18:17:16.277288 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 61
    18:17:16.278096 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
    18:17:16.278943 IP 130.140.1.78.5353 > 224.0.0.251.5353: UDP, length 71
    18:17:16.317286 IP 130.140.1.41.34848 > 142.250.190.42.443: UDP, length 3

  • Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?

    17
    0 Votes
    17 Posts
    3k Views
    GertjanG

    @mpfrench said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

    @Gertjan found that UT1_Adult did not block pornhub.com and the list has 4.5M entries.

    Correct. The first time I tried, a DNSBL entry at the end of the (huge) list did resolve to the real IP, not 0.0.0.0 (I don't forward to 10.10.10.1, the internal pfB web server, as HTTPS can't be redirected, so the browser error would get shown).
    I saw that the complete pfBlockerNG reload / force all didn't terminate with an "UPDATE PROCESS ENDED"; it just stopped somewhere in the middle, leaving the process in an undefined state.

    Several days later, I redid the test. It took close to 10 minutes to finish, but it did finish this time. Now it blocked DNSBL entries from the UT1 list.

    Again: using a 4100 with 4 Mbytes of RAM.

    I share your conclusion.

  • Frequent DNS timeouts

    86
    0 Votes
    86 Posts
    46k Views
    GertjanG

    @chrislynch said in Frequent DNS timeouts:

    I had special DHCP static leases for specific devices that handed out those DNS servers instead of the firewall, and they still had DNS timeouts.

    These devices 'talk' directly to "1.1.1.1, 1.0.0.1, or even Google's DNS (8.8.8.8, 8.8.8.1)", which means it's some TCP and mostly UDP traffic to these IPs using destination port 53.
    pfSense does nothing with this traffic except 'routing it'.

    IMHO: that's for sure an uplink issue.

  • pfBlockerNG and pfBlockerNG-devel v3.2.0_3

    18
    10 Votes
    18 Posts
    6k Views
    GertjanG

    @teranom

    Euh, lol?

    See the pfBlockerNG forum, where you posted, and look at the very first non-pinned post, called pfBlockerNG 3.2.0_4!

    It's been out for several days now.

  • DNSBL service requires restart weekly

    3
    0 Votes
    3 Posts
    716 Views
    L

    @bbcan177 It is already set to localhost according to the web interface, which is the default. I'm not sure where else to look. Here's the pfb_dnsbl_lighty.conf, if that helps.

    #pfBlockerNG DNSBL Lighttpd configuration file

    server.tag = "pfBlockerNG DNSBL"
    server.bind = "10.10.10.1"
    server.port = "80"
    server.event-handler = "freebsd-kqueue"
    server.network-backend = "freebsd-sendfile"
    server.dir-listing = "disable"
    server.document-root = "/usr/local/www/pfblockerng/www/"
    server.max-request-size = "1"
    server.pid-file = "/var/run/dnsbl.pid"
    server.use-ipv6 = "enable"
    server.modules = ( "mod_auth", "mod_fastcgi", "mod_rewrite", "mod_openssl" )
    index-file.names = ( "index.php" )
    mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
    url.access-deny = ( "~", ".inc" )
    fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )

    $HTTP["scheme"] == "http" {
    url.rewrite-once = ( ".*" => "/index.php" )
    }

    $HTTP["remoteip"] =~ ".*" {

        $SERVER["socket"] == "10.10.10.1:443" {
            ssl.engine = "enable"
            ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
            ssl.dh-file = "/etc/dh-parameters.4096"
            ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
            ssl.ec-curve = "secp384r1"
            ssl.honor-cipher-order = "enable"
            ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
        }

        $SERVER["socket"] == "[::10.10.10.1]:80" {
            #
        }

        $SERVER["socket"] == "[::10.10.10.1]:443" {
            ssl.engine = "enable"
            ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
            ssl.dh-file = "/etc/dh-parameters.4096"
            ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
            ssl.ec-curve = "secp384r1"
            ssl.honor-cipher-order = "enable"
            ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
        }

        $HTTP["host"] =~ ".*" {
            url.rewrite-once = ( ".*" => "/index.php" )
        }

    }

  • Rest DNSBL Block Stats

    2
    0 Votes
    2 Posts
    1k Views
    N

    @motivio said in Rest DNSBL Block Stats:

    Hi,
    How can I reset the "DNSBL Block Stats" of pfBlockerNG?
    Thanks!

    There are two ways you can do this.

    Go to Firewall / pfBlockerNG and then click on the Logs tab. In the dropdown menu under Log/File selection, select dnsbl.log and click on the trash can to remove it.

    2750dc31-42f8-4348-991d-87bccd753836-image.png

    Go to Diagnostics / Command Prompt and type this into the Execute Shell Command field: rm -rf /var/log/pfblockerng/dnsbl.log

    Click on the yellow Execute button and that's it.

    880a2ea4-af7f-47f1-861e-13b3206be784-image.png

  • Resolver cache restored

    1
    0 Votes
    1 Posts
    469 Views
    No one has replied
  • pfSense Plus 23.01 - PHP Crash

    Moved
    6
    0 Votes
    6 Posts
    844 Views
    stephenw10S

    Hmm, still no other reports of that.

    The trace makes it look like there's a rogue character in an IP address there somewhere. Since it's only you seeing it do you have some custom lists maybe?

  • 0 Votes
    27 Posts
    5k Views
    GertjanG

    @mpfrench said in Redesign pfBlockerNG to Run DNSBLs Using Unbound in Both Resolver and Forwarder Modes:

    and the browser shows the "Try again Charlie" screen.

    They won't. They'll understand.
    They have Google. They will do what you would do.
    .... 5 minutes later ....
    They stop using 'your network', and take another one, like a SIM 4G/5G data card from their phone.
    Case 'solved'.

    I say this because " I've been there - seen it - thought I needed to do something with a tool ".
    All you can do is explain, and show the right example.
    It has been written somewhere: everybody has the right to dig their own hole, and then fall into it.
    I bought a rope, so I can help, if asked or needed ;)

  • PFBlockerNG GEOIP Blocking and Cloudflare tunnels

    2
    0 Votes
    2 Posts
    619 Views
    L

    I think I found the answer to my own question.
    It seems that I will not need pfBlockerNG to perform GeoIP blocking, since it can be done via some rules set at Cloudflare (Require specific countries).

  • pfblocker not blocking weather channel app on iOS

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    @provels said in pfblocker not blocking weather channel app on iOS:

    It's probably getting the ad from other than weather.com.

    Let's hope so ;)
    If it was getting the ad from weather.com, there's no way to block the ad, except blocking "weather.com" altogether.

    "weather.com" could even supply an "IP list" in its weather info, bypassing any DNS needs.
    So now you have to look for these IP addresses.
    These will always be "some" from a bigger, unknown ad server pool.

    The cleanest and simplest solution would be: ditch the weather app.
    Next best: get the "$" version.

    If you have some time left: with some packet capturing, DNS hunting, etc., you will find the list of host names and/or "ad" IP servers.
    This will be an ongoing job, as publicity host names and/or IP addresses constantly change, because the ad companies know that people are looking them up to put them on 'lists' 😊

  • Problem installing SCANNER list

    4
    0 Votes
    4 Posts
    738 Views
    D

    @gertjan said in Problem installing SCANNER list:

    Using pfBlockerNG-devel 3.2.0_3 on pfSense 23.01-RELEASE (amd64)

    When you copy-paste both URLs into a browser, do you get an XML file?

    Thank you for the reply.
    I am on the same version.
    Yes, the XML file would be visible.
    I also tried adding /?xml at the end of the URL; this didn't work either.

    It turns out I was having other issues as well. pfSense was not returning available package lists. Snort would not update rules either. So I made a backup, did a factory reset and applied specific restorations. I decided to manually reinstall Snort and pfBlockerNG. This fixed the issue I was having.

  • PHP Memory Allocation Error in pfBlockerNG DNSBL

    11
    0 Votes
    11 Posts
    2k Views
    S

    @mpfrench I think you'll need to edit the config.inc file after each pfSense upgrade. They are probably trying to be as safe as possible. It all depends on what is being read into memory... I use pfBlocker but with smaller lists, so I don't have a problem. I've been told not to run a RAM disk on 3100s either, but as long as the logging volume is low the RAM usage is low, so it's all relative.

  • 0 Votes
    12 Posts
    2k Views
    S

    @johnpoz said in How to block a Domain and it's subdomains being accessed via IP address (without DNS-Filter):

    They use the 1e100.net for their PTR for every one of their IPs.. This is a "reverse" lookup, again not something you should be concerned with.. You should be concerned with blocking the forward fqdn your device/user is trying to go to.

    Yes, thank you, I read the article from the link. 😊

    I'm not really worried about it either. But I hate it when a system tries to escape my control by cooking its own soup. It's just a principle that triggers me and I enjoy trying to find a solution. Besides, you always learn quite a lot in the process.

    I looked at what Chrome does on startup using mitmproxy and if I saw it correctly, Chrome doesn't actually do DoH/DoT queries. Presumably some IPs are actually hardcoded.

    The easiest thing to do is probably to uninstall Chrome. 😇 😂

  • Dashboard Widget 'Number of DNSBL packets blocked' error

    2
    0 Votes
    2 Posts
    649 Views
    A

    Update...
    Did a factory reset of the device and reloaded the package.
    Working OK now.

  • NSFW Feed for pfBlockerNG?

    7
    0 Votes
    7 Posts
    1k Views
    NogBadTheBadN

    Try https://github.com/StevenBlack/hosts, I use the following:

    https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-porn/hosts

  • IP lists are not updating

    3
    0 Votes
    3 Posts
    692 Views
    U

    @steveits thank you for quick response.

    I just disabled deduplication and I see the lists got updated as expected.

    So my understanding of deduplication in this case was wrong. I would think that only the same addresses that are used in different lists should not be updated multiple times. Interesting :)

    Thank you!
    Marek

  • MaxMind licence key problem

    7
    0 Votes
    7 Posts
    2k Views
    M

    @jdeloach Yes, only new keys. Anyway, patching validation method from the links above worked like a charm.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.