@rgelfand said in DNSBL Groups not filtering:

nslookup vungle.com resolves to 10.10.10.1.

So, you're fine ;)

As you already know, "10.10.10.1" is what can be considered as a virtual IP(RFC1918) hosted on pfSense.
You can see it using http (not https) access :

06465bc5-a42c-4263-af7a-081ab97b4ee6-image.png

A https access will produce a browser depended error message.

759306e9-fba1-4533-b78d-9ec5fe0f058c-image.png

To understand the 'none' issue, you have to know what https or TLS actually means, and how browsers these days related handle failures.

Short example :

You blacklist (DNSBL) twitter.
For reasons you totally already understand, twister can only be accessed using https, not http.
Open a browser, type www.twitter.com and you see .... a failure and certianly not the first image I showed above.
You were not - and your browser focs you to - visit twitter using http.
It was https.

And now the good one : you can't "break" https. No one can.
So, yes, your browser, upon an initial DNS request, receives 10.10.10.1, the browser connects on that IP, using port 443.
First of all, the browser asked for certificate info.
In this certificate, it has to find that states it's "*.twitter.com". Thats what https (TLS) is all about.

Now, I ask you, does your pfBlockerNG-devel has the certicate that says it's ".twitter.com" ? ;) (Can you have it ??)
Rephrase that.
Are you ".twitter.com". ?
No.

The browser hangs up right away. And this means that all blocked DNSBL will not show you the nice image (see above) but a browser that complains, saying that there are protocol errors.
It will only work for plain old "http" accesses and redirects. And these do not exist any more.
Because, again, if you want to visit https://yourbank.tld you can not get redirected to https://thefakebankurl.tld

Now you understand why I use :

ed983b2c-99e8-4c6a-86ff-927144fb2655-image.png

I'm not redirecting to the "10.10.10.1" nice page - but answer a "0.0.0.0" which will make the browser show a message that the requested site "has no DNS" (or some DNS issue) which is actually true.

The most simple answer : Just forget about :

06465bc5-a42c-4263-af7a-081ab97b4ee6-image.png

@Gertjan - once again, I appreciate your time.

I decided to take the path of least resistance for the moment and I default reset pfBlocker, then reloaded the below, added in my shallalist and UT1. Looks like the redirect IP for sites you can't go to on the lists (10.10.10.1) are working. I'll see how this holds up for the next few days. Unbound python mode because it uses less resources. I think I might enjoy a more robust PC or netgate so I can load up other things like Snort. Are you using a Netgate appliance or a PC of sorts (community pfsense)? Got a recommendation? Franklin

d1c1dff7-7c1c-4406-9dd5-c610d8f4d53b-image.png

5a9966f5-53bb-4ee4-84a1-415144e800ce-image.png

a8ea957b-37ba-40b9-84ec-914458dbf63e-image.png

b413ba95-7388-4dcd-a8e2-df4cca86dd1a-image.png

Bueller... bueller?

Noticed that when I add a domain to the whitelist, that unbound process spikes up to some crazy CPU utilization until, I am assuming, it's done syncing. Is there any way to speed the process? This is an 8 core ATOM system with a C2758 processor... perhaps there's a way to just sync whats beed added as opposed to go through everything in the list...?

I can now also confirm the filling filesystem issue is gone once pfBlockerNG is changed to "Unbound Mode" instead of python mode.

So this will serve as workaround until the issue with Python mode filling the filesystem is solved:

NOTE: It seems my pfBlockerNG stopped logging DNSBL hits once I changed to Unbound mode.
The counters in the widget no longer increases, and no hits are registered in the DNSBL report.
But DNSBL is still active and working

https://forum.netgate.com/topic/164796/php-warning-filesize-stat-failed-for-tmp-dnsbl_add_data

Hello? Anyone?

Hi @reza3sw ,
This is very old post but I want to ask in anyway.
Please could you decribe little bit more about your process?

Regards,
Mucip:)

@jegr Yep, I thought whatever I do there in pfBlocker wouldn't affect my unbound config, but that is not the case. So it works as intended it seems. That was the question in my first post.

@jrn77478 @BBcan177

Hello,

I got this answer from Talos (via Twitter):

"It moved to: https://snort.org/downloads/ip-block-list about a year ago"

Hope that helps all who need it.

Regards,
fireodo

@jdeloach I posted that message in May 2020.

Deleted reply.

@gertjan I skipped over "unchecked" apparently, sorry costanzo. Unbound was reverted to an earlier version in 21.05 but he has that already.

@ik2189 said in pfBockerNG, ads and trackers:

What are the best URLs for ads or trackers ?

The 'quality' ones, the ones that contain all the domains and IP's that block all the adds etc ?
If it exists, it isn't probably for free.

What you can do :
Take some domains that feeds pages with adds.
Try out all the feeds listed on Firewall > pfBlockerNG > Feeds one by one.
Check if the domain(s) that you've noted are listed. if so, keep that list as a candidate for your pfBlockerNG

Or : create your own feed, and add domains to it while you keep new ones. Don't forget to maintain and publish it ... for free of course ^^

@juanchozn11 said in pfBlockerNG - error accessing GeoIP settings:

I'm on 2.3.5-RELEASE-p2

That's most way to old.
2.3.5 is not just EOL, it has entered the "don't use it" phase.

Several things happened the last couple of years :

@juanchozn11 said in pfBlockerNG - error accessing GeoIP settings:

Firewall -> pfBlockerNG > GeoIP

The access is now Firewall > pfBlockerNG > IP > GeoIP
So you're using the ancient version. As no one uses it any more, getting help is difficult. You might find some old forum posts ?!?

Also, the MaxMind GeoIP database needs a (free !) subscription. Dono if that's implemented into the old pfBlockerNG version.

Take note : only 'experts' keep old version up and running, because they have the knowledge *** to do so.
For the rest of us : make your live easy on you,, and keep your system up to date.

** but they don't, as no one really likes to deal with old bugs and errors that were solved ages ago already.

Thanks Bob! However, I do not exactly know how to do that without exposing my pfSense update traffic on the internet. I'm not sure I want that. Is there a way by which the Talos traffic IS the only one moving out to WAN aside from my vpn traffic? I think there is. I'll try to solve this later. Again Bob, thanks for replying quickly.