• pfBlocker no longer blocking after setting up failover gateway group?

    0 Votes | 2 Posts | 281 Views
    SteveITSS
    @fabrizior What are you using? Block rules would go on LAN. DNSBL should also apply to LAN as a whole. Are you blocking DoH/DoT?
  • pfBlocker

    0 Votes | 4 Posts | 423 Views
    GertjanG
    @spindok73 Deep? That is: I clicked on Interfaces, moved down with the mouse pointer, clicked on pfBlockerng, and then clicked on Reports: [image: 1764257021691-c171bc66-b722-473b-a680-130cdd6cba0e-image.png] pfBlockerng is probably pfSense's biggest package, yet it is small. Install and set up a "pi-hole" for yourself, doing basically the same thing, and we'll talk afterwards ^^ Also, pfSense tends to be a firewall with "all the options". So, you wind up with "all the menus".
  • DNSBL - Difference Unbound Mode / Unbound Python Mode

    0 Votes | 14 Posts | 4k Views
    D
    I found this thread very helpful in solving my errors... but... as I could not find much about the settings: what is necessary to check and what should be left alone? Thanks [image: 1764183291213-pfblocker-dnsbl-unbound-python.png] [image: 1764183291252-dns-general-revolver-python.png]
  • Fresh install pfblockerNG on pfSense 25.11 RC a lot problems

    0 Votes | 22 Posts | 3k Views
    tinfoilmattT
    @Gertjan FWIW, the (apparent) default kern.ipc.maxsockbuf is also ~ 4 MB on CE. Presumably OP could've increased this value dramatically—in excess of 10 MB—to match Unbound's configured 'message cache size.' But that's as bad of an idea as arbitrarily increasing the latter in the first place.
  • Unable to set unbound option on some options in feeds

    0 Votes | 3 Posts | 328 Views
    SteveITSS
    @shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?
  • easylist nordic no domains error

    Tags: pfblockerng, easylist
    0 Votes | 5 Posts | 488 Views
    F
    @fireodo Thank you very much for the help. I will look into the sanity check.
  • No blocks on IP

    0 Votes | 3 Posts | 434 Views
    tinfoilmattT
    @vicking said in No blocks on IP:
    > Is it a bad idea to have the action set to deny both instead of inbound only?

    Question is squarely for admin. Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions:

    > 'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
    > Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list
    > Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction. One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.

    In other words:
    - When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However a LAN host can still establish state to an otherwise listed IP.
    - If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state.
    - If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
  • is something wrong with pfBlockerNG?

    0 Votes | 13 Posts | 2k Views
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?:
    > After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far I have no issues.

    Terrible idea. Moving backwards in development history there.
  • DNSBL blockpage only works with root domain

    0 Votes | 3 Posts | 377 Views
    C
    @Gertjan yes, that was an example, a false positive from a list that is not being blocked anymore.
  • DNSBL Resolving Some Domains To 10.10.10.1 But Does Not Log Them

    0 Votes | 4 Posts | 475 Views
    D
    @Gertjan Thanks a lot for your help. This really helped me:

    > I'm not using "pfSense pfBlocker Web server logging" (DNSBL Webserver/VIP) as the "you are blocked web page" only shows up when the end browser user visits http sites, something that doesn't exist anymore on the Internet. All sites are https these days, and https sites can be redirected to "another https web server" like the "pfSense pfBlocker Web server".

    With that hint I was able to resolve my issue by:
    1. Unchecking the Python Group Policy Enable checkbox for the DNSBL Webserver Configuration on the DNSBL tab in pfblockerng.
    2. Checking the Permit Firewall Rules Enable checkbox and selecting the appropriate interfaces for the DNSBL Configuration on the DNSBL tab in pfblockerng.
    3. Forced Update | All.

    It now appears that all the blocked domains are appearing on the Alerts tab in pfblockerng.

    > I couldn't find that host name in the "/var/db/pfblockerng/dnsbl/Max_MS.txt" file - where does your "/var/db/pfblockerng/dnsbl/Crazy_Max_Extra.txt:" come from?

    I get that DNSBL, and 2 others, from the original maintainer (https://github.com/crazy-max/WindowsSpyBlocker):
    - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt
    - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
    - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt

    I really appreciate your help!
  • TLD Domain count exceeded.

    0 Votes | 10 Posts | 2k Views
    tinfoilmattT
    Resurrecting this thread for two reasons: 1.) Because this is where I landed when newly confronted with the topic using pfBlockerNG-devel 3.2.10 on pfSense CE 2.8.1-RELEASE; and 2.) to confirm that the 'issue' and 'fix' here continue to be viable despite the TLD analysis function being considerably modified since the last post in September 2024.

    Current function @ L7255 of /usr/local/pkg/pfblockerng/pfblockerng.inc:

        // Determine max Domain count available for DNSBL TLD analysis (Avoid Unbound memory exhaustion)
        $pfs_memory = (round(get_single_sysctl('hw.physmem') / (1024*1024)) ?: 1000);
        $pfb['pfs_mem'] = [
            '0'     => '100000',
            '1500'  => '150000',
            '2000'  => '200000',
            '2500'  => '250000',
            '3000'  => '400000',
            '4000'  => '600000',
            '5000'  => '1000000',
            '6000'  => '1500000',
            '7000'  => '2000000',
            '8000'  => '2500000',
            '12000' => '3000000',
            '16000' => '4000000',
            '32000' => '8000000'
        ];
        if ($pfb['dnsbl_py_blacklist']) {
            array_walk($pfb['pfs_mem'], function (&$value) { $value = $value * 3; });
        }
        foreach ($pfb['pfs_mem'] as $pfb_mem => $domain_max) {
            if ($pfs_memory >= $pfb_mem) {
                $pfb['domain_max_cnt'] = $domain_max;
            }
        }

    On a system with 32 GB of RAM attempting to 'analyze' over 24M but less than 27M domains, the line "'32000' => '8000000'" was changed to "'32000' => '9000000'" (i.e., permitting a maximum number of 27M domains to be 'analyzed') in order for the function to complete successfully. Analyzing (and then subsequently loading) precisely this number of domains...

        Original    Matches     Removed    Final
        ----------------------------------------
        24270656    21017552    6463516    17807140

    ...results in Unbound's stable operational consumption of ~6 GB of RAM and any/all pfBlockerNG 'Reload' options consuming as much as ~6 GB of RAM, concurrently.

    Therefore one should only attempt this DNSBL hack if they're confident that their system has at least 13 GB of memory 'headroom' (taking into account normal system operation and any other resource-consuming, installed packages).
  • Feed name crossed out in alerts.

    0 Votes | 6 Posts | 695 Views
    BBcan177B
    @Zaketis Dedup is only for Deny feeds, which would also include any GeoIP lists. Aggregation works in separate silos for each type, i.e. permit or deny etc...
  • pfBlockerNG ASN Validation Issue in Source Field

    0 Votes | 9 Posts | 1k Views
    P
    Hello, the issue is resolved! Without me having to change anything / touch a thing, I tried adding an ASN this morning and it worked; the dropdown list appeared. Thank you very much to everyone who took the time to reply. Have a good day, everyone.
  • pfBlockerNG DNSBL – HTTPS domains cause long browser timeouts!?

    0 Votes | 1 Posts | 179 Views
    No one has replied
  • PFBlockerng Fatal PHP Error

    0 Votes | 1 Posts | 262 Views
    No one has replied
  • DNSBL category not working

    0 Votes | 18 Posts | 2k Views
    L
    @Gertjan Many thanks, I'll try to do something like that...
  • pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start

    0 Votes | 9 Posts | 3k Views
    R
    @Gertjan said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start:
    > think this "DNSBL Webserver" usage is something that belongs to the past, as this web server was useful in the past, when everybody was using http:// web sites.

    Yes, you are right about the http web page. I don't really care if they can see the web page pfb_dnsbl offers or not. You gotta have it for pfb_dnsbl to work ... Roy
  • Download failed for certain Lists "PFB_FILTER - 17"

    0 Votes | 13 Posts | 2k Views
    C
    @smolka_J said in Download failed for certain Lists "PFB_FILTER - 17":
    > @Beerman I stumbled upon this same error on a dozen or so feeds when I recently upgraded to 24.03. Mr BBcan177 posted a temporary workaround on https://forum.netgate.com/topic/187931/pfblockerng-v3-2-0_10-unable-to-download-txt-blocklists until the next stable or long term fix is implemented. Editing the /usr/local/pkg/pfblockerng/pfblockerng.inc file around line #259, adding a line in the list of mime types adding 'text/x-file', and then running an Update > Force > Reload ALL takes care of this error for now, until pfBlockerNG package version 3.2.0_10 is re-installed; it does survive reboots.

    I have had the error since July of this year, and the log sadly gives no indication of which list it might be. I checked the file and the line is already there. It's a shame, but pfblockerng feels like it's just breaking more and more; I have been fixing multiple issues on it manually at this point.
  • VPN IP list

    0 Votes | 6 Posts | 5k Views
    SteveITSS
    @Patch The Spamhaus lists were combined and converted to the new json format in the latest pfB update (25.07). Agree on Talos, may need a redmine...?
  • PfBlockerNG - Stop Unbound.

    0 Votes | 4 Posts | 2k Views
    A
    Based on the timings it seems that the KEA stuff stopped Unbound and didn't start it again? Or just a coincidence? I currently don't understand why kea is involved, because I didn't have DHCP lease to DNS (DNS Registration) activated... But it's also strange that unbound gets restarted two times on the pfblockerng cron task.

    General Log:

        Sep 28 00:00:00 php 12862 [pfBlockerNG] Starting cron process.
        Sep 28 00:00:31 php 12862 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 01:00:00 php 71023 [pfBlockerNG] Starting cron process.
        Sep 28 01:00:14 php 71023 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 02:00:00 php 5372 [pfBlockerNG] Starting cron process.
        Sep 28 02:00:22 php 5372 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 03:00:00 php 37595 [pfBlockerNG] Starting cron process.
        Sep 28 03:00:31 php 37595 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 03:01:00 root 31193 rc.update_bogons.sh is starting up.
        Sep 28 03:01:00 root 32722 rc.update_bogons.sh is sleeping for 66003
        Sep 28 04:00:00 php 49188 [pfBlockerNG] Starting cron process.
        Sep 28 04:20:17 php 49188 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 05:00:00 php 29707 [pfBlockerNG] Starting cron process.
        Sep 28 05:05:16 php 29707 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
        Sep 28 06:00:00 php 3228 [pfBlockerNG] Starting cron process.
        Sep 28 06:00:00 php-cgi 4046 [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
        Sep 28 06:01:00 php-cgi 4046 [Suricata] ERROR: GeoLite2-Country IP database download failed. The HTTP Response Code was .
        Sep 28 06:01:00 php-cgi 4046 [Suricata] ERROR: GeoLite2-Country IP database update check failed. The GeoIP database was not updated!
        Sep 28 06:01:00 php-cgi 4046 [Suricata] Cleaning up temp files after GeoLite2-Country database update.
        Sep 28 06:05:16 php 3228 [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload

    DNS-Resolver Log:

        Sep 28 00:00:23 unbound 27650 [27650:0] info: service stopped (unbound 1.23.0).
        Sep 28 00:00:23 unbound 27650 [27650:0] info: [pfBlockerNG]: pfb_unbound.py script exiting
        Sep 28 00:00:24 unbound 29770 [29770:0] notice: init module 0: python
        Sep 28 00:00:24 unbound 29770 [29770:0] info: [pfBlockerNG]: pfb_unbound.py script loaded
        Sep 28 00:00:24 unbound 29770 [29770:0] info: [pfBlockerNG]: init_standard script loaded
        Sep 28 00:00:24 unbound 29770 [29770:0] notice: init module 1: validator
        Sep 28 00:00:24 unbound 29770 [29770:0] notice: init module 2: iterator
        Sep 28 00:00:24 unbound 29770 [29770:0] info: start of service (unbound 1.23.0).
        Sep 28 00:05:46 unbound 29770 [29770:0] info: service stopped (unbound 1.23.0).
        Sep 28 00:05:46 unbound 29770 [29770:0] notice: Restart of unbound 1.23.0.
        Sep 28 00:05:46 unbound 29770 [29770:0] info: [pfBlockerNG]: pfb_unbound.py script exiting
        Sep 28 00:05:46 unbound 29770 [29770:0] notice: init module 0: python
        Sep 28 00:05:46 unbound 29770 [29770:0] info: [pfBlockerNG]: pfb_unbound.py script loaded
        Sep 28 00:05:47 unbound 29770 [29770:0] info: [pfBlockerNG]: init_standard script loaded
        Sep 28 00:05:47 unbound 29770 [29770:0] notice: init module 1: validator
        Sep 28 00:05:47 unbound 29770 [29770:0] notice: init module 2: iterator
        Sep 28 00:05:47 unbound 29770 [29770:0] info: start of service (unbound 1.23.0).
        Sep 28 03:13:53 unbound 29770 [29770:0] info: service stopped (unbound 1.23.0).

    DHCP Log:

        Sep 28 03:13:53 kea2unbound 88766 Unbound reloaded: /var/unbound/unbound.conf
        Sep 28 03:13:53 kea2unbound 88766 Include updated: /var/unbound/leases/leases4.conf (a7cfad6c13eb8df1)
        Sep 28 03:13:53 kea2unbound 88766 Unbound lease include is missing or inconsistent: /var/unbound/leases/leases4.conf
        Sep 28 00:05:46 kea2unbound 11822 Unbound reloaded: /var/unbound/unbound.conf
        Sep 28 00:05:46 kea2unbound 11822 Include updated: /var/unbound/leases/leases4.conf (a7cfad6c13eb8df1)
        Sep 28 00:05:46 kea2unbound 11822 Unbound lease include is missing or inconsistent: /var/unbound/leases/leases4.conf
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.