• Should floating rules direction by specified?

    10
    0 Votes
    10 Posts
    1k Views

    @marc05 yes indeed, if the rule exists it is checked against it, unless you match with a quick rule, then it stops matching further at that point. The advantage of floating rules is that you can make them quick rules. If you want to reduce the checks you would want to prune rules or try to consolidate them etc., or structure quick rules for known good traffic.

  • Blocking custom site with pfblockerng

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • SquidGuard Whitelist overrides pfBlockerNG

    2
    0 Votes
    2 Posts
    397 Views

    Anyone? No one? pfSense is allowing stuff to bypass the firewall if it's whitelisted in SquidGuard and no one is alarmed about that?

  • Upgrading

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • Resolver Live Sync

    3
    0 Votes
    3 Posts
    790 Views

    @ronpfs said in Resolver Live Sync:

    @stewart Resolver Live Sync is using unbound-control(8) to modify unbound's internal database instead of restarting unbound.

    Glad to hear that. Is anything lost or does anything change that we would see? Or is it all back-end and everything presents the same to the users? I assume we check that box and all we see is that Unbound doesn't restart as often.

  • 0 Votes
    20 Posts
    19k Views

    I have this issue also with pfblocker and the Amazon app (Android). I whitelist the domains that I saw in the report log but I still have the dog screen come up stating "UH-OH Something went wrong on our end." What's odd is that this only happens when searching and it only happens when searching certain terms. Has anyone found the exact domains to whitelist? (aan.amazon.com did not do it for me)

  • Pfblocker COMPLETELY reset after latest upgrade to 2.5.2

    3
    0 Votes
    3 Posts
    572 Views

    @jegr yes, I've had that checked. Been running pfBlocker for the past 3 upgrades on the same pf instance.

  • Error Loading Firewall Rules

    Moved
    5
    0 Votes
    5 Posts
    968 Views

    I have the same error too after upgrading from 2.5.1 to 2.5.2

  • Cannot Lock/Unlock - IP Invalid or table missing

    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • Python Regex List

    3
    0 Votes
    3 Posts
    2k Views

    @gertjan Thank You.

    Works great!!

  • PfBlockerNG GEOIP for open ports.

    15
    0 Votes
    15 Posts
    5k Views
    johnpoz

    If you have nothing running on 80, it shouldn't be a problem - but that alias is every IP on your firewall. For such a rule it would be bad practice to use such an alias.

    Would you mind PMing the domain you're using for acme - curious to see who the SOA is for this domain.

  • pfBlocker not blocking ads after pfsense upgrade

    1
    0 Votes
    1 Posts
    260 Views
    No one has replied
  • DNSBL groups not filtering

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • IPv6 Rule Error after Upgrading to 2.5.2-RELEASE (amd64)

    Moved
    3
    0 Votes
    3 Posts
    452 Views

    I have made the changes in this thread related to the 2.5.2 upgrade and pfBlockerNG. I think the issue is now fixed:

    https://forum.netgate.com/topic/165000/error-loading-firewall-rules

  • py_error.log after 2.5.2 upgrade

    4
    0 Votes
    4 Posts
    717 Views
    Gertjan

    @talaverde said in py_error.log after 2.5.2 upgrade:

    have to figure out which of many entries

    I'll help you.
    It's here:

    @talaverde said in py_error.log after 2.5.2 upgrade:

    2021-07-09 19:49:33,438|ERROR| [pfBlockerNG]: Failed to load: pfb_py_zone.txt: 'ascii' codec can't decode byte 0xe2 in position 1176: ordinal not in range(128)
    2021-07-09 19:49:40,059|ERROR| [pfBlockerNG]: Failed to load: pfb_py_whitelist.txt: 'ascii' codec can't decode byte 0xe2 in position 3755: ordinal not in range(128

    With an editor like Notepad++ you could find it easily.

  • pfBlockerNG demands MaxMind license key

    17
    0 Votes
    17 Posts
    4k Views

    @steveits
    Thank you. Indeed this works nicely.
    Probably you overwrote that change with the upgrade to 3.0.0_16?

    If this code change will be added in the next version, I suggest also adding a hint that an empty license key will deactivate all GeoIP auto updates...

    Regards
    Dennis

  • Rules not auto-generating.

    8
    0 Votes
    8 Posts
    4k Views

    @BBcan177 Ohhhhhh I see.

    "Alias Deny" doesn't create an alias and set deny rules........ I had to actually tell it to Block instead of create an Alias then it made the rules.

    To confirm then, what is the point of "Alias Deny"??? I get it makes the Alias, but what does it deny?

  • Errors after upgrade to 2.5.2

    5
    1 Votes
    5 Posts
    1k Views
    fireodo

    @tdgrant said in Errors after upgrade to 2.5.2:

    Thank you, Fireodo!

    Glad I could help ...

  • DNSBL Groups not filtering

    2
    0 Votes
    2 Posts
    458 Views
    Gertjan

    @rgelfand said in DNSBL Groups not filtering:

    nslookup vungle.com resolves to 10.10.10.1.

    So, you're fine ;)

    As you already know, "10.10.10.1" is what can be considered as a virtual IP (RFC 1918) hosted on pfSense.
    You can see it using http (not https) access:

    [image]

    An https access will produce a browser-dependent error message.

    [image]

    To understand the 'none' issue, you have to know what https or TLS actually means, and how browsers these days handle related failures.

    Short example:

    You blacklist (DNSBL) twitter.
    For reasons you totally already understand, twitter can only be accessed using https, not http.
    Open a browser, type www.twitter.com and you see .... a failure, and certainly not the first image I showed above.
    You were not - and your browser forces you to - visiting twitter using http.
    It was https.

    And now the good one: you can't "break" https. No one can.
    So, yes, your browser, upon an initial DNS request, receives 10.10.10.1, and the browser connects to that IP, using port 443.
    First of all, the browser asks for certificate info.
    In this certificate, it has to find something that states it's "*.twitter.com". That's what https (TLS) is all about.

    Now, I ask you, does your pfBlockerNG-devel have the certificate that says it's "*.twitter.com"? ;) (Can you have it??)
    Rephrase that.
    Are you "*.twitter.com"?
    No.

    The browser hangs up right away. And this means that all blocked DNSBL sites will not show you the nice image (see above) but a browser that complains, saying that there are protocol errors.
    It will only work for plain old "http" accesses and redirects. And these do not exist any more.
    Because, again, if you want to visit https://yourbank.tld you can not get redirected to https://thefakebankurl.tld

    Now you understand why I use:

    [image]

    I'm not redirecting to the "10.10.10.1" nice page - but answer with "0.0.0.0", which will make the browser show a message that the requested site "has no DNS" (or some DNS issue), which is actually true.

    The most simple answer: just forget about:

    [image]

  • DNS Resolver - Content Filtering - NSLOOKUP - Server Unknown

    5
    0 Votes
    5 Posts
    1k Views

    @Gertjan - once again, I appreciate your time.

    I decided to take the path of least resistance for the moment and I default reset pfBlocker, then reloaded the below, added in my shallalist and UT1. Looks like the redirect IP for sites you can't go to on the lists (10.10.10.1) is working. I'll see how this holds up for the next few days. Unbound python mode because it uses less resources. I think I might enjoy a more robust PC or Netgate so I can load up other things like Snort. Are you using a Netgate appliance or a PC of sorts (community pfSense)? Got a recommendation? Franklin

