@code4food23 said in Recommended staple IPv4, IPv6, DNSBL lists:

why not use both? and how can tell if they show up in rulesets

There's no point in scanning for DROP packets in Snort if they were blocked by the firewall. Category emerging-drop.rules is the Spamhaus DROP list. Click the category name to open the file and it usually has a note explaining what it is.

Alright, thanks for the help, @keyser!

@gertjan said in 'Catch 22' with fresh install, pfBlockerNG 3.0.0.16 and Python enabled:

A solution was posted https://redmine.pfsense.org/issues/12274.

The 'patch' should be installed with the pfSense patch package.

Thank you! Done.

Can't really test it, as I have to re install pfSense, something I've never had to to (for the last 10 years), I just upgraded .....

Lucky You! 😀

Regards,
fireodo

@tomtheone said in pfblockerng ssl interception:

My goal would be to prevent the SSL warning

You can't. I can't. An the day some one manages to do so, we can all power down our pfSense and do other thing, as the final judgement day had arrived.

See here why you can't - the browser will always show an error.

True, browsers could show a more "friendlier" message.

And true, with a proxy solution, you could make all involved browser (all your local LAN devices) trust the cert of the DNSBL pfBlokcerNG web server. But that means you control every device involved and in that case you could simply tell every user involved : "If a site doesn't seem to show up, don't worry - you didn't want to look at it anyway".

Btw : all this isn't related to pfSense, as pfSense doesn't care about encryption protocols etc. https, or TLS. It's about how and why web servers and web browsers allow secured connections.
Install Youtube, ask for some "TLS" videos' and a couple of instances later you will become aware of how it all works.

@focheur91300 Unfortunately I can’t. I’m on a SG-2100 with a 8Gb eMMC that would be worn out in a year by using python mode, so I’m using Unbound Mode like you.

But there are several posts here on how to configure python mode, and it’s very easy.

Doesn't have to be on floating, but that would be one way to put it before a rule on interface. It needs to be above the rule your using for pfblocker.

@naveen7355 said in pfBlockerNG-devel net:

https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

Why would you show that one ?
Of course it works.

You should test the urls in YOUR setup - not mine.

@naveen7355 said in pfBlockerNG-devel net:

its updated now but still website is not blocking

?+?+?

And again, You do not mention details about your setup.
Neither that you tried to visit hosts that are blocked (== list in the DNSBL feeds).

What about this test :

dc519cea-556e-453c-85e3-43e29270a59e-image.png

From any of these 3 lists, take some domain names listed in these feeds (again : do not use my example feeds I use, use YOUR DNSBL lists) and test them in your browser.
The counters should start to increment.
The Firewallpf > BlockerNG > Alerts should show that that domain name was blocked and reference the feed you got it from.

@yorke

PfBlockerNG hooks into unbound, being a resolver.
All it sees are DNS requests, going and coming from some DNS servers.

@fireodo said in Talos BL Download Fail:

@kiekar

That means the trouble is not on your site - you probably collide with some site maintenance ...

OK Thanks!

I think I finally figured out why this kept happening.... and god dang I am a dork for not having figured this out sooner.... In my efforts to block domains that kept seeming to sneak through/past all of my blocks between pfsense and my piholes, I had set up domain overrides in dns-resolver....and I no more than took those out, and it seems that has been the bane of my issues this entire time, so far, only thing to pop up in the dnsbl blocks now, is a domain that I just validated is NOT actually yet being blocked, and that was after I cleared out the logs of old data, and started new with empty logs to make sure it was not old info I was reading into without realizing such.

I had over-riden them to directly point to the pfblocker VIP addres of 10.10.10.1, and it seems that was the issue I was having and just never realized it.

Well, I dont advise (at least in a SG-3100 with pfsense 2.4.5-p1) to change that value!

After changing Firewall Maximum Table Entries from default value of 2000000 to 2500000, it showed one popup to reboot to apply changes, and I choose to reboot.

Doing this, all services running in this unit, didnt start (not even one), so I checked that Firewall Maximum Table Entries again, and notice that the default value detected was 0, but there was 2500000 in the field above:

b3984ce4-f571-4e79-8d3a-149b484e9d88-image.png

So I tried to change that value to lower values like 2300000, 2100000 and then 2000000 (doing all asked reboots between changes), but still nothing, so I notice that this unit was not rebooting at all.

To recover, I went in "Backup and restore" and restored last stable config, and tried to halt system, but nothing again. So I power it off, and power on again, and it came back again with that last stable config.

Not sure how it was before with other firmware versions, but with 2.4.5-p1 ... dont recommend at all to mess around with it.

Also this is all I have running in this unit:

d109a327-3456-478f-9021-6a6b47d70af8-image.png