• pfBlocker not stopping Porn

    3
    0 Votes
    3 Posts
    574 Views
    G

    Browser is probably using DNS over HTTPS, DNS over TLS and QUIC protocol.

  • How do I relate f

    1
    0 Votes
    1 Posts
    160 Views
    No one has replied
  • [SOLVED] How do I supply username/password to feed?

    1
    0 Votes
    1 Posts
    398 Views
    No one has replied
  • Pfblocker not working (not blocking ads or sites)

    4
    0 Votes
    4 Posts
    1k Views
    GertjanG

    @mikej-0 said in Pfblocker not working (not blocking ads or sites):

    DNSBL_ADs_Basic 916,133 0 Jul 28 17:37:53

    If that was true, a list with "916,133" (which means 916133 host names!!)
    and
    you're using unbound "file mode":

    which means that the files will get 'included' by unbound == read into memory when unbound starts, you could create a situation where
    unbound needs a very long time to start.
    unbound uses loads of memory, if not all
    unbound becomes very slow, as for nearly every DNS request, it needs to parse all the DNSBL lists.

    I just checked this "DNSBL_ADs_Basic" and it has only 93000 lines = a bit less than 93000 hosts.
    Here it is : https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

    I advise you to use the Python mode, not unbound mode.
    The unbound mode will phase out in the future.

    Also : This is what I consider the most optimal settings :

    Update Frequency: Weekly: don't stress the download server (!!) - and big lists are not updated every hour or day anyway.
    Logging / Blocking Mode: Null Blocking (logging), as http sites don't exist any more - the built-in "DNSBL WebServer" will be discarded anyway in the future.
    TOP1M Whitelist: Optimal, but I enable this option.

  • PfBlocker-NG-Reports page confusion

    Moved
    2
    0 Votes
    2 Posts
    282 Views
    stephenw10S

    Has pfBlocker been running continually since then?

  • iBlockList

    4
    0 Votes
    4 Posts
    653 Views
    M

    @msf2000

    I just found this:
    https://rodneylab.com/firewall-block-lists-compared/

    So, I guess I'll have to look into each list and decide what's important for my network.

  • Limit Logging to just pfBlockerNG logs

    1
    1 Votes
    1 Posts
    240 Views
    No one has replied
  • To redirect blocked hosts to a specific domain

    1
    0 Votes
    1 Posts
    220 Views
    No one has replied
  • Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?

    8
    0 Votes
    8 Posts
    1k Views
    GertjanG

    @steveits said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:

    Netgate recommends removing packages

    I'd like to add:
    When all packages are removed, make sure that basic firewall operations are good. Adding a 24-hour cool-down and one or two reboots is also advisable. Issues that are present before an upgrade will pop up, and have to be dealt with before the upgrade.

  • Losing access to pfSense after installing pfBlockerNG

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • DNSBL Whitelist - but block subdomains

    1
    0 Votes
    1 Posts
    236 Views
    No one has replied
  • Deny all except a country

    24
    0 Votes
    24 Posts
    6k Views
    C

    @johnpoz said in Deny all except a country:

    will then see it normal pfse

    Thank you very much, it is very clear and there are no posts that explain it as well

  • The autofill isn't working

    29
    0 Votes
    29 Posts
    3k Views
    johnpozJ

    I will keep an eye out for it - maybe you have some app trying to use it?

    Just took a look at my log for dot.. Only my shield TV is hitting it now and then.. Seems to try once an hour ;)

    And the good thing is - it's trying it to the DNS I have set it to use.

  • py_error.log errors: maxmindb and _sqlite3 modules not found

    10
    0 Votes
    10 Posts
    3k Views
    DaddyGoD

    @gertjan said in py_error.log errors: maxmindb and _sqlite3 modules not found:

    But sometimes I (re)discover that the GUI does have its advantages.

    I agree with this, pfS GUI is sophisticated, but there are some things it can't even do... 😉

  • 0 Votes
    4 Posts
    724 Views
    4

    @steveits

    I disabled many things of pfBlocker NG (which is the latest version)

    I think my guess was right, the rules were not correctly (re-)loaded because of the IPv4 + IPv6 Alias which pfBlockerNG (DNSBL) automatically generates.

    Editing these aliases is evil (and does not really work permanently) so I disabled the DNSBL feature and now everything (re-)loads fine....

    Cheers

    4920441

  • Should floating rules direction be specified?

    10
    0 Votes
    10 Posts
    1k Views
    P

    @marc05 yes indeed, if the rule exists it is checked against it, unless you match with a quick rule; then it stops matching further at that point. An advantage of floating rules is that you can make them quick rules. If you want to reduce the checks, you would want to prune rules or try to consolidate them etc., or structure quick rules for known good traffic.

  • Blocking custom site with pfblockerng

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • SquidGuard Whitelist overrides pfBlockerNG

    2
    0 Votes
    2 Posts
    424 Views
    P

    Anyone? No one? pfSense is allowing stuff to bypass the firewall if it's whitelisted in SquidGuard and no one is alarmed about that?

  • Upgrading

    1
    0 Votes
    1 Posts
    380 Views
    No one has replied
  • Resolver Live Sync

    3
    0 Votes
    3 Posts
    838 Views
    S

    @ronpfs said in Resolver Live Sync:

    @stewart Resolver Live Sync is using unbound-control(8) to modify unbound's internal database instead of restarting unbound.

    Glad to hear that. Is anything lost or does anything change that we would see? Or is it all back-end and everything presents the same to the users? I assume we check that box and all we see is that Unbound doesn't restart as often.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.