@steveits said in Bypass pfBlocker for Clients:

@bob-dig Did you run an update after adding the IP? IPv6 isn’t being used? Flush any DNS cache on the client?

Yes to all of that.

@keyser and why not for 2.5.2 since its the last usable edition...

@txdk said in Very high Ram usage:

my cpu does have 4 cores and 4 hypertread cores making it 8 in total

👍 I guess I learned something.
A process per core : why not. Although I see on my '4100', a 2 core atom, mostly one bound thread, not two.
I'm actually not sure that all your unbound instances are separate memory spaces, as they all have the same PID : 45676.

So : to be sure : shut down pfBlocker, the DNSBL part : if memory goes down a lot, and stays down, over a day or so, you know it is pfBlocker. And in that case : RAM usage is related to 'how many DNSBL you have'.

@gregeeh said in HELP - pfBlockerNG stopped working since upgrade:

@jdeloach said in HELP - pfBlockerNG stopped working since upgrade:

Did you go to PfblockerNG/Update and do a Force, Reload, All, Run?

Yes I did do that.

EDIT: Just did it again and now working. Thanks.

Good, glad that it worked for you.

@dma_pf Bro thank u so much

@uzumaki I'm sure it will, as time permits. I think @BBcan177 is very busy currently.

@gregeeh

Ah, right : you are not using the "Python mode" but the Unbound mode.

@gertjan Thanks for the response. I waited for 3 or 4 days and it did update on its own. Now it’s time for me to start adding some new lists. Thanks again for the explanation.

@gertjan said in pfblocker filter alerts:

https://redmine.pfsense.org/issues/13156#note-18

The link in #18 doesn't work to me but the first patch in #19 does, so thank you, finally alerts for IP are working again.

@jperezme

You could try replacing Unified hosts = (adware + malware) with Unified hosts + porn

https://github.com/StevenBlack/hosts

@noonstarx said in pfblocker is not working. it does not block anything.:

There are a couple of NAT rules:

Those are not WAN based, they redirect 10.10.10.1, the IP of the build in web browser, to 127.0.0.1 so it can show you the "You've accessed a blocked site" page.

Which, IMHO, is a useless functionality, as most sites are accessed by https these days, and https can't redirected like that. Only ancient http request could be redirected.

I'm not using the this pfblockerng web server, but do 0.0.0.0+logging.

Your outbound nat rules are by default, that's fine.

This is pure BS :

@noonstarx said in pfblocker is not working. it does not block anything.:

C:\Users\user>nslookup facebook.com
Server: dns.google
Address: 8.8.8.8

why would you want your device (PC) to ask 8.8.8.8 to resolve for you ? ? ?

You are completely bypassing the resolver running on pfSense.
Conclusion : you are bypassing the pfSense resolver == bypassing pfblockerng. Remember : pfblockerng integrates itself into unbound, the resolver.

Read again :

3d213e58-f9be-4689-9793-242929fbeb5f-image.png

I guess its 'case closed' now 😊

@Gertjan The Unbound python mode seems to be working. It's definitely stripping content from advertising emails but not all. I'll take what I can get.

@periko

No, of course not ™

I'm using pfSense at work, a hotel, and I'm also using the captive portal so my clients can have a Wifi Internet connection (they always have use up their monthly xxx GB) so they use the hotel-Wifi.

I'm not trying to block a maximum of DNSBL, as I'm not the one that should decide what people are seeing on their screen : They want it ? They have it !

Dono what they are doing with that connection.
Must be work related, right 😊

I have tried the update in those posts. I have updated /usr/local/pkg/pfblockerng/pfblockerng.inc Finding $r = explode(')', $result, 2); and replacing it with $r = explode(' ', $result, 2); as instructed. In all those posts they are saying the issue happens in version 22.05, however looking at the release information the base version of pfSense CE software release 2.6.0 is version 22.01. So I do not think this applies in this situation. Am I incorrect in this information?

@igoldstein said in issue with a non USA IP getting added to North America IPV4 List:

IPs that are used in USA, not just Registered in USA

Good luck finding that list... Not sure how many times this needs to be said, there is no such list. There will always be mistakes, IPs move all the time. I could route a network out of Dallas today, and Paris tomorrow..

Your best solution is IPs you find that are not coming from the US put in your own block list, and put this top your rules order. Before you allow of the US IP list.

Still curious how you found this IP was not coming from the US. Did you go through the complete list of networks in the US list?

edit: https://support.maxmind.com/hc/en-us/articles/4407630607131-Geolocation-Accuracy
"It is not possible for us to guarantee 100% geolocation accuracy. Accuracy exhibits high variability according to country, distance, type of IP (cellular vs. broadband, IPv4 vs. IPv6), and practices of ISPs."

@leonardo-2 said in TLD processing with pfBlockerNG-devel v3.1.0_4:

In the UT1 adult's list there is

This list :

04208776-cd2c-4281-ac47-c775491ab58f-image.png

?

Read :

This is an Advanced process to determine if all Sub-Domains should be wildcard blocked for each listed Domain.
Click infoblock before enabling this feature! 
Definition: TLD -  represents the last segment of a domain name. IE: example.com (TLD = com), example.uk.com (TLD = uk.com)

When enabled and after all downloads for DNSBL Feeds have completed; TLD will process the Domains.
TLD uses a predetermined list of TLDs, to determine if the listed Domains should be wildcard blocked (Block all sub-Domains).
The predetermined TLD list can be found in  /usr/local/pkg/pfblockerng/dnsbl_tld

To exclude a TLD/Domain from the TLD process, add the TLD/Domain to the TLD Exclusion custom list:
• This only excludes the domain from the TLD process, it doesn't whitelist the domain.
• Only the specific Sub-Domains/Domains listed in the DNSBL Feeds will be blocked.
• A Force Reload - DNSBL, is required after manually adding to the TLD Exclusion

Note:  Whitelisting a "sub-Domain" for a TLD Blocked "Domain" in the Custom Domain Whitelist will not whitelist a TLD Wildcard Blocked domain!
    Either add the domain to the TLD Exclusion, or wildcard Whitelist the whole domain.

TLD Blacklist, can be used to block whole TLDs.  IE: xyz
When Enabling/Disabling this option, a Force Reload - DNSBL is required.

And when you and observe a force reload of pfblockerng-devel, do you see this :

ee037757-0500-4944-9ce1-34e45bcae8ff-image.png

Note the x's

My advise : when the x's show up, stop uisng "Wildcard Blocking (TLD)" or use smaller feed/lists.

@leonardo-2 said in TLD processing with pfBlockerNG-devel v3.1.0_4:

is inserted in pfb_py_zone.txt, others in pfb_py_zone.txt

That's just pfb_py_zone.txt ;)

@steveits Yeah this is very screwed up, last time I had this issue a few days ago setting up another unit, it simply worked later out of nothing...

@beerguzzle

Because pfblocker itself does ... nothing.
It uses the syslog to build most of the pages with IP related stats.
I gets the info from the logs, as the firewall logs into the stats.
IP feeds are build into aliases, and these aliases have to 'firewall' log.
DNSBL uses the its own, internal logs.