• Unable to block website.

    2
    0 Votes
    2 Posts
    366 Views
    GertjanG
    @dharmender-bankal said in Unable to block website.: Created alias for yatra and facebook along with IP address for both sites. Read Aliases, especially the Warning and the Note. Facebook uses thousands of IPs. Not 'one'. You have to look up what an "ASN" is, and how to use it with pfBlockerNG-devel.
  • pfBlockerNG-devel version 3 not sync in HA

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • IP Tab in pfBlockerNG is missing

    3
    1
    1 Votes
    3 Posts
    387 Views
    J
    @kenj05 Version 2.1.4_28 of pfBlockerNG is an old version that is no longer supported nor recommended by the package maintainer. You need to upgrade to the latest version of pfBlockerNG-devel 3.1.0_6 or _x, depending on which version of pfSense you are using. If you are still having issues after you upgrade, come back to the forum and someone will be glad to help you.
  • Will Pfblockerng-devel work with WireGuard configured?

    5
    0 Votes
    5 Posts
    807 Views
    R
    @bob-dig Unfortunately that’s still not what I mean. I’m referring to DNSBL feeds in pfBlocker blocking domains.
  • pfblockerNG- tuning needed or do i have an error in config?

    5
    6
    0 Votes
    5 Posts
    831 Views
    chris1284C
    @steveits said in pfblockerNG- tuning needed or do i have an error in config?: There is also DNS over HTTPS or DNS over TLS which bypasses local DNS servers altogether. :) I think this could be blocked through the IP feeds for DoH ("ipv4 DoH_IP the Great Wall" for example) and block port 853 for DNS over TLS (DoT) as long as I don't use it.
  • pfBlocker e BIND

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Pfsense automatically unblocking blocked websites

    2
    0 Votes
    2 Posts
    337 Views
    GertjanG
    @victor-1 I'm using pfBlockerNG-devel - latest version. facebook isn't blocked for me. If it is for you: a) stop using the feed that blocks it?! b) whitelist it?! yatra.com is, according to their web page, not accessible for European visitors (wonder what they have done to earn that position).
  • Adobe Analytics being blocked

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • ASN lookup failing with empty files [solved]

    solved
    12
    0 Votes
    12 Posts
    3k Views
    fireodoF
    @lohphat said in ASN lookup failing with empty files [solved]: I still think that the failure mode could be better handled and alerted -- the logs indicated empty files, but was it due to d/l failure or the server returned an empty file? Something should throw an alert if possible. Of course that could be a good idea!
  • 0 Votes
    1 Posts
    316 Views
    No one has replied
  • pfBlockerNG 3.1.0_7 prevents dual WAN failback

    5
    0 Votes
    5 Posts
    736 Views
    M
    @steveits The Gateway status shows the right default gateway but traceroute still shows the fail-over WAN. It does not fall back by just going to the Routing page. Traceroute starts showing the default WAN the moment I turn off pfBlockerNG.
  • Geo blocking does not work for all IPs

    9
    6
    0 Votes
    9 Posts
    909 Views
    Cool_CoronaC
    Where did you find the map view??
  • DNSBL Stats not resetting completely...

    3
    0 Votes
    3 Posts
    491 Views
    DefenderLLCD
    For context it will clear, but then some or all of the previous DNSBL counts will return within a few seconds. Clearing it multiple times seems to take care of it, but this clearly skews the numbers during a one-time daily reset.
  • pfBlockerNG not working

    9
    6
    0 Votes
    9 Posts
    889 Views
    GertjanG
    @pinkie2 said in pfBlockerNG not working: The reason for GeoIP / why I had hoped to find a way to use this is that I have servers running behind pfsense (ie Exchange). Obviously, the required ports are pointing at the servers (ie SMTP). I'd wanna filter some more spam out by blocking IPs from funky places. That might be a reason to 'protect' your internal, LAN based mail server. I wasn't aware you were exposing 'public' services to the internet. @pinkie2 said in pfBlockerNG not working: But GeoIP (i hope) could be an additional safety mechanism? Dono. I've a postfix multi IP / multi (many) host names dedicated 'barebone' server, but mine isn't behind an ISP IP (that would be a disaster for me as my mail server is also used for a company). I don't block IPs by default, so my mail server is open bar. But, rules do apply. Remote mail servers that try to drop mails that don't play by the rules, like: no/bad SPF, no/bad DKIM, no/bad DMARC, mails using TLS1 or 1.1, etc. are marked as such. Mails that are dropped on the mail backup server while the master server is running: they are marked and scrapped for good. Etc etc. Test results are logged, and then handled by fail2ban, who feeds the firewall (iptables as this server is a Debian). Depending on my mood, the position of the moon, and the colour of the dress of my wife, I'll blacklist them for xx days: see here.
  • pfBlockerNG DNSBL list blocking apple even with Top1M enabled

    5
    0 Votes
    5 Posts
    1k Views
    T
    @cyrus104 All apple.com? I wouldn't use a list that was so 'aggressive' that it blocks Apple and live.com. Not worth messing with IMO, having to band-aid it to make it work properly... For the occasional OOPS- yea there's the DNSBL WHITELIST, but for large issues I just use another feed. Too 'aggressive' to me is really a lot of false positives, followed by a lot of chasing fixes.
  • pfBlocker NG v3.1.0_7 Slow Unified Reports Loading

    1
    0 Votes
    1 Posts
    381 Views
    No one has replied
  • pfblocker working on ip but not DNS, not sure how to fix

    9
    7
    0 Votes
    9 Posts
    1k Views
    GertjanG
    @canaryforge said in pfblocker working on ip but not DNS, not sure how to fix: Does it go something like pfSense will use any cached resolutions first, and if the entry is not there, pfsense will query the external dns provider and then save to cache? 100 % exact.
  • PfblockerNG question on blocking WEB applications on smartphones

    9
    0 Votes
    9 Posts
    674 Views
    S
    @gertjan Good afternoon, I found a solution: if you add DNS youtubei.googleapis.com in DNSBL, then the application on smartphones also gets blocked. Thank you very much for your help.
  • 3.1.0_6 UPDATE

    77
    0 Votes
    77 Posts
    24k Views
    DefenderLLCD
    @pfsjap I was wondering this myself. Got confused with Suricata where this feature is an option.
  • Problem with configuring exclusions

    2
    0 Votes
    2 Posts
    378 Views
    S
    @shkiber Enable Python mode, and add IPs on the Python Group Policy section. Force reload. Note if using IPv6, applications/devices often use temporary IPv6 addresses.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.