@lohphat said in ASN lookup failing with empty files [solved]:

I still think that the failure mode could be better handled and alerted -- the logs indicated empty files, but was it due to d/l failure or the server returned an empty file? Something should throw an alert if possible.

Ofcourse that could be a good Idea!

@steveits The Gateway status shows the right default gateway but traceroute still shows the fail-over WAN.

It does not fall back by just going to the Routing page. Traceroute starts showing the default WAN the moment I turn off pfBlockerNG.

Where did you find the map view??

For context it will clear, but then some or all of the previous DNSBL counts will return within a few seconds. Clearing it multiple times seems to take care of it, but this clearly skews the numbers during a one-time daily reset.

@pinkie2 said in pfBlockerNG not working:

The reason for GeoIP / why I had hoped to find a way to use this is that I have servers running behind pfsense (ie Exchange).
Obviously, the required ports are pointing at the servers (ie SMTP).
I'd wanna filter some more spam out by blocking IP's from funky places.

That might be a reason to 'protect' you internal, LAN based mail server.
I wasn't aware you were exposing 'public' services to the internet.

@pinkie2 said in pfBlockerNG not working:

But GeoIP (i hope) could be an additional safety mechanism?

Dono.
I've a postfix multi IP / multi (many) host names) dedicated 'barebone' server, but mine isn't behind a ISP IP (that would be a disaster for me as my mail server is also used for a company).
I don't block IPs by default, so my mail server is open bar. But, rules do apply. Remote mail servers that try to drop mails that don't play the rules, like : no/bad SPF, no/bad DKIM, no/bad DMARC, mails using TLS1 or 1.1, etc are marked as such.
Mails that are dropped on the mail backup server why the master server is running : they are marked ans scrapped for good.
Etc etc.
Test results are logged, end then handled by failtoban, who feeds the firewall (iptables as this server is a Debian).
Depending on my mood, the position of the moon, and the colour of the dress of my wife, I'll blacklist them for xx days : see here.

@cyrus104 All apple.com? I wouldn't use a list that was so 'aggressive' that it blocks Apple and live.com. Not worth messing with IMO, having to band-aid it to make it work properly... For the occasional OOPS- yea there's the DNSBL WHITELIST, but for large issues I just use another feed. Too 'aggressive' to me is really a lot of false positives, followed by a lot of chasing fixes.

@canaryforge said in pfblocker working on ip but not DNS, not sure how to fix:

Does it go something like pfSense will use any cached resolutions first, and if the entry is not there, pfsense will query the external dns provider and then save to cache?

100 % exact.

@gertjan good afternoon, i found a solution if you add dns
youtubei.googleapis.com in DNSBL, then the application on smartphones also gets blocked, thank you very much for your help

@pfsjap I was wondering this myself. Got confused with Suricata where this feature is an option.

@shkiber Enable Python mode, and add IPs on the Python Group Policy section. Force reload.

Note if using IPv6, applications/devices often use temporary IPv6 addresses.

@jdeloach

The origin of the request was from your "LAN" interface.

But it was unbound itself that generated the request.
I can only offer an example why you see the 127.0.0.1 (localhost) :
A dns request came in on the LAN interface, port 53.
It was a A request.
The A was resolved, and points to a CNAME.
Ok, unbound re-curses, throws out a DNS request to itself (= 127.0.0.1) to get the CNAME.
That CNAME was found in a block list, thus blocked.

I agree that a line like this :

cf083a46-6f52-459d-8241-7b85e40ab3ba-image.png

is more logic. You can see that my TV was asking for an A record, and it was blocked.

@digitalrcs

You saw a new version came out : 3.1.0_7. It might include a solution for you.

@digitalrcs said in pfb_filter Keeps stopping:

PFB_Filter

That's a PHP script continually running as a task.
e5f7784a-3adf-463c-9ab0-9e359c7b3005-image.png

It's job is to read all new firewall log entries, and reformats them for pfBlocker statistics.
If its not running, no graphs ans stats (reports) but the IP part that blocks IP addresses using aliases and pfBlockerng firewall rules probably still works.

@digitalrcs said in pfb_filter Keeps stopping:

just to much trouble.

As told : you are using the newer FreeBSD 14 kernel (no an issue I guess) and the new PHP version 8.x, and that's a big issue, as minor PHP syntax changes need cod rewrite.
Guess what : pgBlockerng is probably the biggest PHP write up that exists, for pfSense.
More often then not, every PHP error can be 'googled' and corrected to a working 8.1 equivalent, as I presume you can read and write PHP.
Still, the dev version is known as 'bleading edge' where edge means your still ok, but just.
The bleading part is .... well, you get it.

edit : you saw : https://forum.netgate.com/topic/175254/pfblockerng-producing-php-errors-on-cron/6

@jdeloach said in 3.1.0_6 UPDATE and SHALLALIST:

@nimrod

I mainly use pfBlockerNG to filter the advertisments in web pages. I'm not that concerned about viriuses, malware, etc. If you keep your PCs on your network up to date, OSes and antivirus software, that is more than enough.

Well, i use FreeBSD as my main OS so i dont have to worry about viruses and malware. I have a Linux machine as well. No Windows or MacOS spyware here.

@johnpoz The either/or of IPv4 vs Ipv6 is a false dichotomy you're imposing on yourself where it doesn't exist from external pressure. Not even the IETF is proposing a sundown for IPv4 but they ARE pushing for dual stack interoperability ASAP.

The better throughput due to improved congestion handling is a big one. Most of my Google/YouTube traffic (the bulk of my traffic is streaming media) and now, some of my gaming traffic is IPv6. Most of my mobile traffic is IPv6.

The "we don't have to because IPv4 is not going away" mantra is only a form of procrastination and ignoring the market trend. We're already past 50% adoption in the developed world. Get your IPv6 skills and infrastructure in the game as soon as you can so that you're comfortable with it and prepared so that it's not a mystery.

As an infrastructure player, pfSense needs to stay in the game. Fine, make your personal choices for your use case, but from this point forward, if an infrastructure vendor isn't IPv6 compliant, it's off my vendor list. I'm not going to make capital investments in hobbled gear who can't support a 20 year ratified protocol with over 50% adoption.

@keyser

WOW, thanks for that reply so fast.

It just worked. Also, i am really dumb, i experienced this in the past but dont know why it happens now again and i never could imagine it would be this.

Thanks for all!!

@gertjan If you open the Unified Log, do you see many "ServFail" entries? I see hundreds since I reenabled Python a little while ago, but when I see blocks it indeed shows what blocklist was used. Maybe it's user error, don't know.
Never mind, ServFail doesn't mean what I thought it did.

Thanks again for your replies.

@keyser said in pfblockerNG-devel 3.1.0_5:

strange there are no proper release notes to be found - AND niether version fixes the only big and very obvious known bug

I wrote above that the repo history I linked (https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG-devel) appeared to fix it because it's listed under "Commits on Aug 31, 2022." Sorry if I led anyone astray. Seems odd that wouldn't be included in a _5 and _6 version.

I don't know that Netgate has ever had specific release notes for packages? Sometimes posts in the forum, but I don't think I've seen that for a while now.

Per that page BBcan177 made a commit in March 2022.

The thing about open source is, it's great and free if someone else does the work. Anyone can step in and make changes. It's a bit unfair to expect one person to work for free forever. What if the main person gets sick, or retires? I'm just talking in general here, not picking on anyone in this thread, and if you look back through the history others have made changes.

BBcan177 does have a Patreon page and that does occasionally have posts (the latest being March).