• Blocked Page

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG
    @ghostshell said in Blocked Page: https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/ I don't understand what has been said there. pfBlockerNG-devel logging isn't the issue here. The internal unbound (python, or not) or Lighttpd logs are not available to our browsers. Our browser sees what the web server @10.10.10.10:443 is replying after a page request. It doesn't understand the answer. What I think ** is happening: Our browser caches web server certificates, as HSTS has become widespread. So, our browsers know what type of cert they should get back from the web server. Because it caches certificates, for days, weeks, or even months (so naughty you, you've visited this site already once without pfBlockerNG ;) - the cert was loaded and cached). Many encryption types exist, and the self-generated (self-signed) cert from the web server of pfBlockerNG does not have the right 'format'. If it had the right format, the host name would have been verified (and the date and many more aspects) and then a more understandable error would have been shown. This issue cannot be resolved. Our browsers could show a more comprehensible message, true, but it all boils down to: You wanted to visit a.tld but b.tld replied. That's a MITM situation and that's a no-go. ** Firefox is open source. So the source code will show the exact conditions of the error.
  • Feedlist Collection Blues

    1
    0 Votes
    1 Posts
    512 Views
    No one has replied
  • How to backup pfBlockerNG settings, whitelist, etc?

    4
    0 Votes
    4 Posts
    1k Views
    DaddyGoD
    @pulsartiger pfBlockerNG-devel???? On the current version? 3.1.0 should be no problem if you upgrade, if Keep settings is checked; it also takes settings, lists, etc. with it when upgrading. BTW: be careful, since you are switching to a new FreeBSD version and pfBlockerNG-devel has got a lot of new features in the recent past... I have to say you waited a long time for the update, 2.6 is almost here
  • pfBlockerNG with external BIND DNS

    7
    0 Votes
    7 Posts
    2k Views
    A
    I think I have found a very easy way to bypass unbound. In general setup/DNS Resolution Behavior I changed it to use remote DNS servers and ignore local DNS. And in DNS Server Settings I added my local BIND DNS ip addresses. In client ip address assignment, I still give pfSense IP address for dns, however pfSense just ignores unbound and uses my local dns for resolutions. It’s still utilizing the DNSBL and IP blocklists as they are defined in the firewall floating rules by pfblockerng. Resolutions now are much faster. Hope this keeps working as I just could not stand unbound resolution performance issues.
  • Info: Feed URL Changes for predefined IPv4 BL NixSpam Entry

    1
    0 Votes
    1 Posts
    332 Views
    No one has replied
  • Change in IP list name breaks Aliases in use

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • Krisk_C19 list unreliable

    17
    0 Votes
    17 Posts
    3k Views
    P
    @gertjan Thks @jdeloach if this list is blocking something that you want access to, just don't use this list You misunderstood the troubles we report here. Yes, of course, if it's a list that is dedicated to blocking public DNS and you want to reach them, we can advise you not to use this list. But here we're talking about a "not normal" blocking. Like when they block GitHub or, worse, their own website, which is stopping us from following your advice … to report to them. When it reaches so low a level of conscientiousness you can't justify that by saying it's done by folks for free. It's insulting for all the others who do the same, for free, but seriously. But as @BBcan177 said, he has to include a list in his plugin but he can't keep vetting every list every time. It would be a full-time job. That's why we report. Since you say you use other lists, if you know good lists don't hesitate to suggest some. Maybe he can swap in the list included in the package. He cannot be aware of every existing list.
  • After updated Pfsense+ 21.05.2

    Moved
    4
    0 Votes
    4 Posts
    818 Views
    kiwi91K
    @keyser Ok thanks a lot. I simply disable « hide IP » and ads are blocked by Pfblocker. Best regards.
  • Microsoft hosted site being blocked by Oceania Alias

    8
    0 Votes
    8 Posts
    1k Views
    johnpozJ
    @ttblum said in Microsoft hosted site being blocked by Oceania Alias: updated with Microsoft's current IP space? for what office365? https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
  • Lot's of Chinese networks getting through.

    5
    0 Votes
    5 Posts
    1k Views
    S
    @gertjan Thank you. Adjusted as recommended and no further problems. Reminds of the DOS days when you had to define the number of file handles. Never crossed my mind that there was the same thing for tables.
  • Permit United States only for specific port on WAN interface

    10
    0 Votes
    10 Posts
    1k Views
    M
    @johnpoz said in Permit United States only for specific port on WAN interface: @ciscox its set to alias - which is shown on that first summary sort of page [image: 1636994754896-setalias.jpg] What the heck, I didn't know about this. This is going to make things much easier now :) Thank you very much :)
  • Many errors in loading

    1
    3
    0 Votes
    1 Posts
    338 Views
    No one has replied
  • pfBlockerNG: IPv4 list "hijacked" is blocking Zoom

    3
    0 Votes
    3 Posts
    825 Views
    B
    @jdeloach Such great advice and so quick. I followed your suggestions and have switched to pfBlockerNG-devel, 3.1.0. Everything is working perfectly now. Thank you, so appreciate your fine assistance.
  • pfBlockerNG 2.1.4_26 borked Netgate 6100

    5
    0 Votes
    5 Posts
    1k Views
    S
    @jimfreeze said in pfBlockerNG 2.1.4_26 borked Netgate 6100: I assumed the unstable one would be the devel version Yes that is logical. A couple years ago, give or take, I saw the maintainer had posted to use -devel. Either in early 2019 or 2020 we had to switch because we couldn't get the MaxMind key to work on the non-devel one. So all our clients have it. Short version is, most people who don't frequent the forum probably use the non-devel, and most people here probably use -devel. Now, I have not run into DHCP not working or routing breaking, but there is a known issue with the -devel install stopping the DNS Resolver. As I understand it, it has to do with how the package installation happens so Netgate has to fix it.
  • pfBlockerNG not showing alerts after pfSense 2.5.2 update.

    4
    0 Votes
    4 Posts
    792 Views
    GertjanG
    @heliop100 said in pfBlockerNG not showing alerts after pfSense 2.5.2 update.: I change the rules to block all south america and north america countries but are not blocking anything. What rules ? Placed on what interfaces ?
  • 0 Votes
    21 Posts
    4k Views
    J
    @mariog I run Monterey, 7 y.o. iPad w/ 15.1, iPhone X w/ 15.1. My devices are set to hide IP from trackers. I am not using IPv6, not sure if that matters. My devices use Quad 9 for DNS (via pfSense). I do not use DNSSEC. pfBlocker is at 3.1.0 and DNSBL runs in unbound python mode. I get a few ads, but rarely. I mostly get popups complaining that I'm blocking ads. If I do see ads I figure it is because I do not have a lot of feeds defined in DNSBL. Not always, but on occasion I do notice a bit of latency in Safari on iPad or Mac (rarely use iPhone at home, screen is too small to be useful). If 10 sec or so goes by w/o a page load I do a refresh and that usually brings a page up. I have not noticed if ads are on the page when this happens but now I will pay attention. I just clicked around a site I never go to and did not see any ads and all the pages loaded very quickly. That site was cnn so I imagine it's loaded with ads. I don't know if this is helpful or not, I'm not that knowledgeable about this topic.
  • Resolving of ASN to ips stopped working

    1
    0 Votes
    1 Posts
    260 Views
    No one has replied
  • Private Internet Access Feed

    2
    1 Votes
    2 Posts
    852 Views
    timtraceT
    v1.1 - writes date/time at the top of the outfile. fetch -o /tmp/PIA.json "https://serverlist.piaservers.net/vpninfo/servers/v6";jq -r '.regions[].servers.ovpntcp[].ip,.regions[].servers.ovpnudp[].ip' /tmp/PIA.json | sort -n | uniq | iprange > /var/db/pfblockerng/PIA_v4.txt;setenv PIAdate `date "+%Y-%m-%dT%H:%M:%S"`;sed -i '' -e "1s/^/#$PIAdate\n/g" /var/db/pfblockerng/PIA_v4.txt
  • Attackers_delivering_fake_DomainBlock (1635762191)

    2
    0 Votes
    2 Posts
    557 Views
    GertjanG
    @manishdixitajm said in Attackers_delivering_fake_DomainBlock (1635762191): I am sure pfng blocker is blocking So why asking: The error is "Attackers_delivering_fake_DomainBlock (1635762191)". Even when i am passing this traffic its still not work. If you block something, it's blocked = no access. Btw: it's not an error. Just a log line telling you a firewall rule was 'hit' by a packet and it matched: the rule was applied = blocking. By default, pfSense blocks nothing. You as an admin with your rules - with pfBlockerNG, are able to block. @manishdixitajm said in Attackers_delivering_fake_DomainBlock (1635762191): telnet on 443 Really? telnet? On a TLS port? Let me guess: only rubbish came back ;) Trying to ping "zerion.io" and telnet on 443 , its giving blocking error in "System logs" tab. So, you can't connect? i am able to login that website and also ping is working. So you can connect? What is it?
  • Widget not updating

    1
    0 Votes
    1 Posts
    367 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.