@KKIT Is it when an pfBlocker update happens?

I agree it is bad as well. I had to reinstall again and restore my config. I'm going to run it on ufs this time instead of ZFS and see if that has any impact on it.

@floppypen

Ok, nice, so it's more then probable that Firefox uses the resolver to resolves stuff.
Did you test ?

I'll give an example :

My settings :

ffb980da-263d-4148-926f-5d593404e7da-image.png

This is dnsbl file :

cf9a1ef2-64be-4163-8a94-aa8ae2f482d6-image.png

Let's pick one :

0f71f2fd-819c-44cc-a2b8-08a08cf9a599-image.png

So, I set up a tailer : (SSH or console mode - No (never) GUI command line please):

[24.03-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/unbound/var/log/pfblockerng/dns_reply.log | grep 'americanskinheads.com'

This command 'tails' de main dns_reply.log log file : every DNS request thatw as parsed by pfBlockerng (the python (!) mode parser).
Now I visit this site - and no surprise :

67b0a7d9-ef70-4604-93ed-38b2be236c62-image.png

and the logs showes me :

DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk

Btw : 192.168.1.6 and ,2a01:cb19:907:dead::c7 are the IPs my PC with the web browser is using.

Recap :
My wanted to visit a site using a host name.
The local PC DNS cache didn't have that hostname / IP in it's cache, it was asking unbound (pfSense).
Unbound filtres everything trough the pfBlockerng python loop, that uses a big DNSBL database : it found a match (no surprise) and unbound answered back to my PC : my browser : the the IP that stands for "don't know that IP so here you have 10.10.10.1" which points to the pfBklockerng web server that showed me in turn : that domain you wanted to visit is blocked.

@Bob-Dig Got it, THX, i tried for IPv6 always de_rep, but i had to choose only de.
Now it works, it was a littlebit confused, but it works now, exactly as i want.

THX for the Tip and Photo!

@jc1976 running Snort or Suricata by chance?

@Gertjan yeah.... but I'm 57 now and my late nights of coding or sysadmin work are behind me.

(former 4.2BSD user, 4.3BSD... SunOS 3.2... BSD/OS..... FreeBSD-3.2 and onwards) :)

@roveer said in pfBlockerNG v3.2.0.8 giving This Connection Is Not Private on all apple devices, but not PC's:

Is there a solution to this?

There never will be, as its not a problem.

For example : your browser found a host called "ad.doubleclick.net" on a web page and this host name was 'blocked' by pfBlockerng.
What happened is : your browser asks the local DNS (pfSense) : what is the IP address of ad.doubleclick.net ? And your local DNS, the resolver will use pfBlockerng to test every DNS request. pfBlockerng will compare the requested host name "ad.doubleclick.net" with a list of 'forbidden' host names, the DNSBL feeds you've installed into pfBlockerng.
And guess what : there was a match ! 'ad.doubleclick.net' was present on some DNSBL list, so the resolver stops doing it work (resolving 'ad.doubleclick.net') and it will return to the browser the IP : (pfBlockerng default) "10.10.10.1".
Ok, the browser is happy, now it will connect to that IP, and show the user what it has to 'say'.

Meanwhile, the way how browsers connect to web servers has changed since the last century.

Entering TLS, or what is "https" ?
https is http, with and s added to it. It's the http protocol, encrypted (secured) with TLS.

Before : the browser would connection to the server IP, and ask on port '80' : "gime the page" - and done.
These days : the same thing but over a secured communication link. This means that the browser gets a certificate from the web server first.

Lets take the example of the certificate of this web site 'forum.netgate.com' : embedded in the certificate (check for yourself) you can find :

ce574356-2a73-4988-824a-8e4f47bec1da-image.png

Your browser, before accepting the connection with 'forum.netgate.com', will compare what it found in the certificate from the forum.netgate.com web server, with what it tries to contact : does 'forum.netgate.com' match '*.netgate.com' ? And it does !! so the connection has a pad lock, and the browser is happy. All is well. Many children, Bright future. etc.

Now, wind back to our our 'ad.doubleclick.net ' and 10.10.10.1 answering. Will '10.10.10.1' be able to produce a certificat to the browser that says "'I am 'ad.doubleclick.net' " ? Of course not.
Now your browser will yell at you .... as it want to connect to a server called 'ad.doubleclick.net' and it got an answer back from an other server called (I don't know, but not 'ad.doubleclick.net') ... that is bad ! Massive errors will show up. Users are panicking. "Internet is broken again"

To make the long story short : and @dave14305 is right, forget about the pfBlockerng build in web server that will show the user a pfBlockerng web page if he's trying to visit a web site that is blocked.
It is impossible to redirect https traffic - period. The pfBlockerng web server was nice to have when web sites were 'http' only (last century). And that doesn't exist anymore.

Set up the “Null Block (no logging)” option, and be done with it. Some day, our browser will make the 'error' shown more 'clear' to the end user. Maybe ....

Btw : I've a load of "apple products ipad & iphone" in use here, I'm even using one right now to write this post.
I didn't saw any "This Connection is not private" issues.
That is, it is still complaining that my Wifi isn't encrypted but I don't care ???!! Everything (mostly) is already flowing over the Wifi (radio waves) using TLS so what is the risk ?
I could of course activate WPA2 for my wifi (and now I have to deal with the passwords).
I could, as soon as the wifi is activated, fire up a VPN.
And now I have a secured connection in a secured connection in a secured connection.
Now I buy safely my new thin foiled hat.

@johnpoz

I'm running pfblockerNG 3.2.0_10 on pfsense 24.03. I have been doing the updates through a vpn, which has been working without a problem. I changed it to force the update out the wan, which worked.

Taking a look at the vpn logs, it has started showing some udp write errors, although the vpn channel would come up and appear to function properly. Since it works through the WAN, it must be the vpn causing the problem. Will have to take a closer look at that.

I appreciate your help! I wouldn't have suspected the vpn, if you hadn't asked the question.

@Gertjan I have the secure shell server enabled and the correct port set and WinSCP is working just fine.

As far as pfBlocker, I've had an ID and license key in pfBlocker for quite some time and it has worked just fine. From you previous comment I didn't know if there was something else I needed to do.

pfBlocker is running just fine now and MaxMind is reporting it is happy with successful download. I ended up uninstalling pfBlockerNG-devel and reinstalling pfBlockerNG, and getting a brand new MaxMind license. I'm really not sure why things are now working.

In addition to pfBlockerNG working I can also get a listing of available packages from the package manager. Previously this wouldn't list anything.

What version of pfBlocker are you running -devel?

Thanks,
-TAC

@JeGr said in pfBlocker locked me out of my pfSense web-managment !!!:

I'm more in agreement when it comes to DNSBL - that feature set I can easily see being cloned by Pihole or Adguard. But the IP stuff is way more useful than many realize.

although i generally agree, having pfblocker be granular enough to dnbl based on networks is way more useful than the way its implemented today. Deploy pfsense in a SOHO or school that doesn't want to purchase a separate DNS server but wants filtering, you need granularity which pfblocker doesn't support. So that would be a use case for the extensibility.

@Vatreni

Just thinking out loud : what about getting an ISO from 'whatever' open source project ? FreeBSD or Debian etc.
Copy what you find under /etc/ssl/.

edit : forgot about the most obvious one : get the latest pfSense !!!!!
( as you need it even when you don't install it !!)

and get the latest ca-root certs out of it.

Btw: having troubles with expired certs if the top of the ice-berg(problem).

@mattch it downloads the alias for each rule I think. Or at least processes it.

There’s one trick we found, at least for our purposes …instead of using the alias as a NAT source, allow any and control the access using one firewall rule for all applicable ports. So, disable the automatic rule creation and create your own. That way the alias is not on the NAT tab and is listed once on the interface tab.

@Gertjan
I get pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

but this started to take place only recently.

@geoffdh

My guess is that not whitelisting the 'ad' URLS can break functionality on some apps. I've had this happen to certain apps where I had to whitelist 'firebase settings' that was blocked by my ad lists in order for the app to work correctly.

@jrey For the next few weeks, I am just going to be using pfBlockerNG for IP blocks and not DNSBL. I am testing out the similar functionally with Cloudflare Zero Trust. It adds the ability to inspect SSL traffic on devices where I've added the certificate.

Here's a very small example of blocks for the last hour with Cloudlfare Zero Trust:

0367d76f-566f-4ca3-b669-411c033a22e7-image.png

@VMlabman said in pfBlocker error in pfSense: There were error(s) loading the rules: /tmp/rules.debug:56::

Could it be that I have too many lists enabled

yes,

Could also be that the default "Firewall Maximum Table Entries" setting is too low.
You will find this entry here: System -> Advanced -> Firewall & Nat

A lot of people select far too many lists - generally not needed.
the setting should generally be twice the value actually required. When the lists are processed to the firewall, the entire new set is created, then swapped into place.

Look for this log entry in the pfbockerng.log. That will give you some guidance to the setting best suited for your case. In my case it is deliberately higher than the 2x referenced.

pfSense Table Stats ------------------- table-entries hard limit 600000 Table Usage Count 135911

Just above that in the log you should see the summary, like this:

Alias table IP Counts ----------------------------- 134581 total 107656 /var/db/aliastables/pfB_???_v4.txt 11244 /var/db/aliastables/pfB_???_v4.txt 6505 /var/db/aliastables/pfB_???_v4.txt 6208 /var/db/aliastables/pfB_???_v4.txt 2608 /var/db/aliastables/pfB_???_v4.txt 228 /var/db/aliastables/pfB_???_v4.txt 132 /var/db/aliastables/pfB_???_v4.txt

the ??? will be the name of the list