• DNSBL Top1M TLD Inclusions not Saving / Restoring

    6
    0 Votes
    6 Posts
    520 Views
    GertjanG
    @bartkus05 said in DNSBL Top1M TLD Inclusions not Saving / Restoring: Got it fully working now. My files also got auto updated after I'd left work. [screenshot] Beware that "Alexo" might be gone soon, as it isn't maintained anymore. I guess this "TOP1M Whitelist" option isn't used a lot .... so not well tested against "all possible usage modes".
  • Null blocking SERVFAIL

    18
    0 Votes
    18 Posts
    2k Views
    GertjanG
    @fenichelar said in Null blocking SERVFAIL: So just to confirm, you have null blocking with logging? Well .. you got me there. I did, since yesterday 11/02, switch my two DNSBL feeds to: [screenshot] as I wanted to test with these settings for a while. And of course forgot about it already. Btw: I didn't see the pfBlockerng Blocked DNSBL page. I nearly never visit web sites that are loaded with ads and stuff like that. So, pfBlockerng has nothing to do if it was just. I'm also sharing my connection with an entire hotel, loaded with clients (they are the real testers ^^). Dunno what they do, what they saw. If things went bad, they would have come to the reception to complain about the free service ^^ I know they do, as they also yell that there is nothing worth watching on the TV in their room (the 30 or so national channels - it's all publicity 24/24h and I don't block that (yet)). I'm back at: [screenshot] @fenichelar said in Null blocking SERVFAIL: but it is an option that should work It does. It works well for web browser requests that are made with "http". It can't - and you don't want it to - work for https requests. Added to what I've said above: let's do the test, and I propose this fact check method: a new LAN pass rule: [screenshot of the rule] Now I can see over time how often port 80 is used. I'm curious .... If most web server requests are https, which I presume, then the "DNSBL-Webserver-log" can't work. It won't show up. At best, a browser error page shows up: as the "DNSBL-Webserver-log" certificate wasn't the one that the browser was waiting for. Nothing is broken, imho, all is by design ^^ TLS (=https) behavior can't be patched easily.
  • pfBlockerNG granular inbound and outbound rules

    3
    0 Votes
    3 Posts
    300 Views
    S
    One note for the difference between Alias Deny and Alias Native is that, IIRC, if deduplication is enabled, pfB will dedupe across lists, which may give unexpected results if one has overlaps.
  • Unresolvable source alias errors - pfBlockerNG v3.2.0_8 / pfSense 2.7.2

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • PFBNG Devel VOIP quality

    2
    0 Votes
    2 Posts
    279 Views
    U
    Here's some baseline settings that I use with our IP phones that you can use for comparison. No complaints about call quality. I'm going to bring it up because things are in transition, but we are using ISC as the backend. Running pfBlocker 3.2.0_16 in python mode with all IP phones listed in the python group policy to bypass DNSBL. All IP phones are given a static IP address along with static ports. Currently, we are running firewall optimization on normal, but if you're still having problems, you may need to change that to conservative.
  • IPv4 Source Definitions, Line 1: Invalid GeoIP entry!

    11
    0 Votes
    11 Posts
    1k Views
    J
    @Gertjan I'm aware of all of that, thanks. The thread was about a bug in pfB, not about the right usage.
  • How to view MY whitelist?

    3
    0 Votes
    3 Posts
    341 Views
    N
    @Gertjan Thanks got it
  • Error after package update

    24
    0 Votes
    24 Posts
    2k Views
    S
    @JHplusUser Does it still let you rerun the upgrade? I believe it’s possible to do so via command line but an actual reinstall is arguably cleaner.
  • talosintelligence This happens

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ
    @Waqar-UK I would just copy paste into custom. [screenshot of the Custom list field]
  • Nix Spam list is no more

    1
    0 Votes
    1 Posts
    163 Views
    No one has replied
  • Talos download error

    10
    0 Votes
    10 Posts
    1k Views
    provelsP
    You can always do the kludge and put a copy into /var/db/pfblockerng.
  • Confusing results and basic whitelist question

    3
    0 Votes
    3 Posts
    276 Views
    H
    @SteveITS Thanks. I meant to put in the original post that I forced an update after I made the change. A couple of days later, the white list appears to be working. Thanks, Dave
  • DNSBL - Difference Unbound Mode / Unbound Python Mode

    13
    0 Votes
    13 Posts
    2k Views
    D
    My only concern was that I generated a lot of entries during testing and I wanted to clean them up. However, the idea with the SSD is good to reduce the load on the system. I'll find out the best way to do this.
  • pfb_dnsnl (pfBlockerNG DNSBL) service won't start

    25
    0 Votes
    25 Posts
    5k Views
    K
    @jrey Turns out I also had to update, I feel so silly. Thx for the troubleshoot.
  • nixspam is history

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • 0 Votes
    3 Posts
    340 Views
    U
    @Gertjan Belated thank you. He'd probably just VPN around it anyway. Sigh...
  • Scheduling blocking on DNSBL

    1
    0 Votes
    1 Posts
    156 Views
    No one has replied
  • pfblockerNG CA root certificate untrusted

    1
    0 Votes
    1 Posts
    227 Views
    No one has replied
  • ip_block.log timestamp lagging behind

    2
    0 Votes
    2 Posts
    226 Views
    GertjanG
    @milonic Running processes, like syslog, don't keep their own time. They use a system call to get the exact time when needed. That time, you can see it on the command line, just type date That is the "time stamp" syslog uses when it writes a log line. The time is normally counted by a real time clock on the system motherboard. This chip, or the power (remember the famous BIOS RAM battery - it's the same ?) Added to that, pfSense runs ntp = a real time service, so even if the local real time facilities are bad or worse, the system will get synced every minute or so, so it compensates for the loss (normally less than some nanoseconds). You have the ntp service activated, right? By default, it is. Just checking: Status > NTP: [screenshot] The NTP is normally configured with a host or pool name - I use [screenshot] and this host name points to a pool with mixed IPv4 and IPv6 IPs. One is chosen, and the others are backups. If you managed to find a pfBlockerng IP list that has these (time server) IPs on the list, and you use the list to block outgoing connections, then yeah, you've aligned the nearly impossible: Using a device with a bad real time clock - this happens more often than you think, stuff just dies .... that's normal. Adding extra software (pfBlockerng), and using it to block IPs that you actually need: the time server your NTP has selected... now the system time will derail. And yes, a good accurate time isn't that important for syslogging (that is, I would consider it a security issue), but becomes very important for simple DNS requests (DNSSEC) ... or just TLS, also used by pfSense itself. So: pfBlockerng: check the IP feeds you've chosen. You should always do this.
    Just think about it: what happens if you start to use that list that contains all the Windows Update IPs of Microsoft - and you use this list for blocking outbound connections? Your PC will not receive any updates anymore, as it can't contact 'Microsoft' anymore. That's ... dunno, not great?! Or you got the list that contains all the IPs of the servers that host the lists of all the other IP lists and DNSBL (yes, that has been done already): pfBlocker can't download (update) the other lists anymore ... also great ... So, to make a long story short, sorry to say, but do not trust anything that comes from the internet. Use it, and check it. If in doubt, don't use it. With pfBlockerng taken care of, your NTP server should now sync up your real time.
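The post above says to check your IP feeds before using them to block outbound traffic, so that the feed does not cover the NTP servers, update servers or feed mirrors the firewall itself depends on. The script below is an added example of that check, not code from the poster or from pfBlockerNG. It parses a feed in the one-entry-per-line format pfBlockerNG consumes (bare addresses, CIDR ranges, `#`/`;` comments), and reports every required address that falls inside a feed entry. The feed text and the "required hosts" addresses are constructed from RFC 5737 documentation ranges; `SAMPLE_FEED`, `REQUIRED_HOSTS` and the function names are this example's own, and only `resolve_required()` touches the network (it is not used in the demonstration).

```python
"""Check an IP blocklist feed against addresses the firewall must reach.

Added example, not pfBlockerNG code. Feed and host data below are
constructed from RFC 5737 documentation ranges.
"""

import ipaddress
import socket

# Constructed feed text in the usual one-entry-per-line format: comments,
# blank lines, bare addresses and CIDR ranges, some with trailing comments,
# plus one junk line to show that malformed entries are reported, not dropped.
SAMPLE_FEED = """\
# constructed blocklist
192.0.2.0/24           # scanner range
198.51.100.17
203.0.113.0/25 ; some feeds use ';' for comments
bogus-line
203.0.113.200
"""

# Constructed: what the firewall itself must still reach. The addresses stand
# in for what resolving your NTP pool, update mirror and feed mirror returns.
REQUIRED_HOSTS = {
    "ntp-pool":      ["198.51.100.17", "198.51.100.18"],
    "update-mirror": ["203.0.113.77"],
    "feed-mirror":   ["203.0.113.250"],
}


def parse_feed(text):
    """Return (networks, rejected_lines).

    Bare addresses become /32 (or /128) networks so that membership tests
    below treat single hosts and ranges uniformly.
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def find_conflicts(networks, required):
    """Map each required address covered by a feed entry to (label, entry)."""
    conflicts = {}
    for label, addrs in required.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            for net in networks:
                if ip.version == net.version and ip in net:
                    conflicts[a] = (label, str(net))
                    break
    return conflicts


def resolve_required(hostnames):
    """Resolve real hostnames to the set of addresses they currently return.

    Needs network access; build REQUIRED_HOSTS from its output when running
    this against a live feed. Not used in the offline demonstration.
    """
    return {h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
            for h in hostnames}


def permit_entries(conflicts):
    """Addresses to carry in a permit alias that is evaluated before the deny list."""
    return sorted(conflicts)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    print(f"{len(nets)} entries parsed, {len(bad)} rejected: {bad}")
    for addr, (label, entry) in find_conflicts(nets, REQUIRED_HOSTS).items():
        print(f"CONFLICT: {label} {addr} is covered by feed entry {entry}")
    print("permit before deny:", permit_entries(find_conflicts(nets, REQUIRED_HOSTS)))
```

Run it against the raw feed files pfBlockerNG keeps under /var/db/pfblockerng (the directory mentioned in the "Talos download error" reply above), with `REQUIRED_HOSTS` filled from `resolve_required()` for your own NTP pool and update hosts. Anything reported as a conflict either disqualifies the feed or goes into a permit alias ordered ahead of the deny rules; re-check after each feed update, since the addresses behind a pool name change.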
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.