• Disconnected after installing pfBlockerNG-devel??

    Moved
    0 Votes
    11 Posts
    1k Views

    @johnpoz said in Disconnected after installing pfBlockerNG-devel??:

    Ya lost me there

    You are correct of course, I should've tried that route first

  • [Solved] pfBlocker stable vs devel

    Moved
    0 Votes
    5 Posts
    2k Views

    @patch This is great, thank you!

  • pfBlockerNG Default Whitelist - More info needed

    0 Votes
    3 Posts
    854 Views

    @nollipfsense

    You completely skipped the essence of the question. This is probably one for the developer.

  • pfBlockerNG-devel v3.1.0_4

    0 Votes
    2 Posts
    765 Views
    NollipfSense

    @aspiringnetworkadmin Do some reading to help yourself then, if you have problems, post issues:

    https://docs.netgate.com/pfsense/en/latest/services/dns/index.html

    https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html

    https://www.sunnyvalley.io/docs/network-security-tutorials/pfblockerng

  • pfBlocker Configuration for Home Use

    0 Votes
    4 Posts
    1k Views

    Well, as you can probably guess, there is no easy answer here. We all have varying needs, some only want to block ads, others try to keep their kids safe and this is one tool in the toolshed. Others are looking to GEOBLOCK... Me, not so much geoblock, as ad blocking and 'not-nice' sites, along with blocking public DNS, together with nat rules to redirect IOT back to PFSense for DNS. It took months of trial and error to come up with a workable mix, the lists are not maintained by BBcan (with the exception of his) but by 3rd parties. List owners can change as the lists are bought by new owners sometimes. Sometimes a list works well, then not so. Sometimes they are abandoned and don't get updated or disappear. So this is not a 'set and forget'. I pop into PFSense about once a month just to check that the lists are updating, or if there are newer lists that may do better that I could test out. It's the nature of internet security; it really IS shooting ducks in a barrel...

    If you've had issues in the past with it, perhaps the way to go is to wade in a little at a time. Start with IP blocking only. Select the lists that appear to do what you are looking for, example, Emerging Threats, Talos, and I use cins army. You can round it out with a coinblocker and maybe a few others in other categories. Work with those for long enough to confirm they aren't blocking things that are causing issues. You could also go to their websites and read about their lists to determine what you think is important.

    Once that is stable, you can do something similar with the DNSBL lists. Nothing is turnkey here. Things take time.

  • Beginner minimal pfBlockerNG setup

    0 Votes
    9 Posts
    2k Views

    @patch said in Beginner minimal pfBlockerNG setup:

    They are not on reputable internet block lists

    In the current climate blocking VPN end points is currently very useful. It appears at the moment about 50% of the scanners are from VPN sites. So from pfBlockerNG-devel using this feed in a block list is useful https://raw.githubusercontent.com/ejrv/VPNs/master/vpn-ipv4.txt

  • Pfblocker and Ooma voip

    0 Votes
    3 Posts
    778 Views

    @nollipfsense Thank you, that worked!

  • MalwareBytes

    0 Votes
    12 Posts
    2k Views

    This 'telemetry' crap is common as dirt. Telemetry my arce. They are collecting data about usage- like where you go on the internet. See it with Firefox (incoming.telemetry.mozilla.org), my phones once I switched them to my internet carrier (v-collector.dp.aws.charter.com), MS does it (v10.vortex-win.data.microsoft.com)... you name it, they are trying to make a buck off your usage. Malwarebytes also has that 'browser guard'. I keep saying NO and sure enough it pops up again 'please turn me on'. Where else to better see where you are going, than with a plugin in the browser?

    These days, many AV products are moving away from local 'definition' files/local scanning, to cloud based scanning. I get it, real time scanning, zero day bla bla. But I wonder what they are storing up there 'in the cloud'- their servers, and how it affects computer performance. Malwarebytes is on the mild side here- we use Fireeye at work and their xagt process can chew up 80% of the processor- you really feel it. Horrible. Maybe Malwarebytes has a central control console (not familiar with what they offer for business use) where you can turn telemetry off without having to manually do it on 200 machines...

  • Block categories

    0 Votes
    4 Posts
    921 Views

    @jperezme You may be looking for pfBlockerNG-devel, which we've had in use at all clients for several years and I've seen the package maintainer recommend. It looks like non-devel still does have some updates...two commits last year that weren't Netgate URLs or copyright dates. But -devel has way more functionality. We could not get the MaxMind codes to work with the non-devel version.

  • How to block ads in Apple News?

    0 Votes
    27 Posts
    9k Views

    @rkbest
    Hmm. There have been a few pfSense and pfBlockerNG updates since the instructions were posted. I wonder if something has changed that would affect that command. Unfortunately, I am not knowledgeable enough to troubleshoot that - I was basically following a recipe to make this work. Sorry I can't be of more help here.

  • Can you modify an existing BL and make it your own?

    0 Votes
    6 Posts
    1k Views
    NollipfSense

    @lpd7 You can do that or create your own custom list, then be sure to add it to a firewall floating rule with the quick set option checked, and that blocks quickly, instantly... I am away from my system and unable to share screenshots... hopefully someone will share.

  • How to test blocking domains without running Update / Force.

    0 Votes
    3 Posts
    842 Views

    @keyser Thank you very much!

  • Help I work from home and that's just the beginning

    0 Votes
    1 Posts
    394 Views
    No one has replied
  • pfBlockerNG blocking SMTP

    0 Votes
    13 Posts
    3k Views
    Gertjan

    @alek said in pfBlockerNG blocking SMTP:

    No ?

    That's the easy / easier way.

    Have a look at this list : Youtube Netgate everything you always wanted to know, and more.
    There is a Multi WAN video. There is a video about VIP, Carps, etc.

    The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.

  • Pfsense blockerNG

    0 Votes
    3 Posts
    873 Views

    @nollipfsense

    Respected sir

    There is a top spammer country option and I selected all countries of top spammers, deny both; then Gmail and other country websites are not working

    Please suggest

  • Multiple Alias Permits / Region / Country

    0 Votes
    3 Posts
    729 Views
    NogBadTheBad

    @cukal

    re the rep files https://dev.maxmind.com/geoip/whats-new-in-geoip2

    "Finally, we also include a represented_country key for some records. This is used when the IP address belongs to something like a military base. The represented_country is the country that the base represents. This can be useful for managing content licensing, among other uses."

    You do know you can use pfBlocker to create aliases using GeoIP country codes, under Firewall -> pfBlockerNG -> IP -> IPv4.

    Allow SSH/SFTP access to a host in my DMZ from the UK & Ireland only.

  • Honeypot to pfblocker feed?

    0 Votes
    3 Posts
    897 Views
    Cool_Corona

    @gertjan

    You don't read what I write...

    I ask for a honeypot to collect the IPs used in a DDoS stress test. Nothing else.

    Then feed them into a pfblocker list so the compromised IPs don't reach servers behind pfsense in any way.

    Adblock and trackers are not important here.... just a bonus on top of the honeypot list.

    And then the lists could be distributed to others as a feed.

  • ransomwaretracker.abuse.ch feed

    0 Votes
    2 Posts
    951 Views
    Gertjan

    @patch said in ransomwaretracker.abuse.ch feed:

    Did I do something wrong with the installation?

    pfBlockerng-devel, by itself, does nothing.
    True, on the Firewall > pfBlockerNG > Feeds page it shows sources that you could consider using.
    pfBlockerng-devel has no affiliation with them (exception : the PRI5 BBcan177 feed maybe).

    You should assure yourself that these sources do what you want, and that they (still) exist.
    Most of them are created and maintained by a person or small group of persons, and as such, these feeds come, and go.

    Btw : it has been seen that sources (feeds) included their own IP and/or host name as a DNSBL ^^

  • pfSense Problem with pfblocker

    Moved
    0 Votes
    1 Posts
    351 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.