I think I figured it out...

was using wifi DHCP and that was not letting the DNSBL stats to update properly - even tho firewall was blocking properly.

So once I set the wifi to bridge mode - all started working as expected... basically bad config causing it.

Turns out, the one thing I wasn't doing was a forced reload, only a forced update, which apparently is not good enough. I guess I was under the impression a forced update included reloading the lists, but apparently not.

ipfw shows a perfect match. And local DNS is working perfectly fine. Although I seem to have found the problem in which one of the feeds is blocking the localhost for some reason. For now I disabled localhost being included in the DNS and thing works ok now.
If somewhere breaks again, might be better to just remove that feed.

thnx for the reply.

@Rogerboomhouser FYI;
https://twitter.com/BBcan177/status/1296638315437993984

Got same issue but in my case no error is generated, all I see is after I added to watchdog it is been started every minute in the system log, no errors, just stopping right after started.

If I check logs inside pfblockerng-devel, is no errors.

Any ideas?

What does the service even do? as the actual functionality seems fine otherwise.

2.5-snapshot, on my 2.4.5 unit it is running.

@py sorry for the late reply! You may have already solved this, but perhaps this can help someone else who comes here after trying to reach krebs, or something similar.

I expect the reason why whitelisting krebsonsecurity.com in DNSBL did not solve the problem for you is because DNSBL is not what is blocking you, your IP blocking is. Go to your Reports / Alerts tab, and see where the block is happening.
I expect you may see that an attempt to hit krebsonsecurity.com with a browser results in:
krebsBlock.png
showing the block in the Deny section, and not in the DNSBL section.
If this is the case, instead of whitelisting the domain name in DNSBL Whitelist, try adding 130.211.45.45/32 to the IP / IPv4 Suppression list.
Works for me.

For the record, ipinfo.io confirms that krebsonsecurity.com is among the domain names hosted at 130.211.45.45.
krebsBlockDomains.png

Thanks All I have updated the link in pfsense

@BBcan177 Sorry for necro posting but...I'm finding this annoying. I just went to add in a feed and it gave me these errors about me needing to create inbound and outbound rules, that I shouldn't choose "any", etc. So I had to go setup an alias for web ports like 443 and 80 EVEN THOUGH it's a white list that should allow ANY ports in or out. This is now restricting me and doesn't make things easy. I have to fart around and do source and destination ports. Source ports always change seemingly.

The old versions of PFB didn't do this which is why it seems to "work" until I want to go edit a feed to "permit both". Then I get all kinds of errors about these rules.

Why not just allow "permit both" from any to any port like it used to? I can't move on in life until I fart around with the port source and destination. This seems like you're making it more complicated than it needs to be. When getting the error it doesn't save my stuff.

Can you bring back "simple" functionality? I probably now broke something with my global white list since destination ports can be anything not just port 80 and 443.

Thanks.

@justice41 said in Unable to add feeds - DNSBL:

10.10.10.1 is the default gateway.

Gateway ?
It's the default web server IP that pfBlockerNG-devel is using, among others, for its logging
facilities.

If you use the 10.10.10.0 network somewhere else, you should (have to !!) change this IP setting.

@justice41 said in Unable to add feeds - DNSBL:

UPDATE PROCESS START [ 08/17/20 16:54:42 ]
===[ DNSBL Process ]================================================
[ noTrack ] exists.
===[ Continent Process ]============================================
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
UPDATE PROCESS ENDED

You have to force the update, if not, nothing is happening.

@NollipfSense Thank you :)

I wonder if the text
"This will create 'Floating' Firewall permit rules to allow traffic from the Selected Interface(s) to access the DNSBL Webserver (ICMP and Webserver ports only)."
has become out of date in the latest release, or maybe it only applies to use cases involving CARP.

In my (multi-LAN (via VLANs), non-CARP) use cases at least, all traffic that I've seen redirected by pfBlockerNG-devel DNSBL gets addressed to the virtual IP on ports 80 and 443 (not ports 8081 and 8443). This traffic NATs via port forward to 127.0.0.1 ports 8081 and 8443, and gets a pass via 'associated rule=pass' directly from the NAT port forwards.

The only way that I have been able to generate any traffic that hits the pfB_DNSBL_Permit rule is by deliberately (you could say unnaturally) targeting the following URLs (where $vip is the DNSBL Webserver's Virtual IP address):
http://$vip:8081/
https://$vip:8443/
Maybe being able to reach these forced addresses could be useful for testing, but that doesn't seem to warrant the checkbox on the UI.

If anyone can describe a use case where access to the DNSBL Webserver via $vip:8081 or $vip:8443 is necessary, please help to satisfy my curiosity and perhaps save some newbs from confusion :) There are pages on the internet for basic configurations that instruct folks to enable this, and the UI certainly suggests it, to me at least.

In the meantime, I will follow NollipfSense's lead and disable DNSBL Configuration, Permit Firewall Rules. It's always nice to eliminate code!
Thanks!
Bill

Look at this : https://forum.netgate.com/topic/145533/frr-0-6-3-ospf-seems-to-break-with-ip-aliases/2?_=1597236629603

I'm running 2.4.5-RELEASE-p1

I don't know if these are the specs you were asking about:
ARM Cortex-A9 r4p1 (ECO: 0x00000000)
Multiprocessing, Thumb2, Security, VMSAv7, Coherent Walk
2 CPUs:
SOC: Marvell 88F6820, TClock 250MHz, Frequency 1600MHz
Crypto: Marvell Cryptographic Engine and Security Accelerator

I'm running bare metal

No I haven't noticed anything odd at all in the logs

I don't see anything maxing out cpu

Here is the OISD light version: https://dbl.oisd.nl/light/

-Rico

@mtarbox said in Ant-techs.is/ip-blocklists:

There is a better way to block youtube ads.

http://jasonhill.co.uk/pfsense/ytadblock.txt

YMMV

I have been using this list in pfBlockerNG almost since it was posted... the list is still there but it fails quite regularly since the owner put some cloudflare anti-ddos measures in place. The list still seems to be updated... it's still is under a pfSense directory... it's still accessible via a browser with patient human at the keyboard.
I've talked to Anthony and we've both tried to contact "Jason Hill" but with no joy.

Is Jason on the Forum? Does anyone know Jason? Does anyone have viable contact information?

Thanks in advance if you can help.

@chrcoluk said in How to force MaxMind update right now?:

So basically by mistake I just put my account ID in the license ID box and as a result have had no updates since Dec 2019.

This is now fixed, but does this mean I need to wait 3 weeks or I can I force an update?

To update Maxmind.com, enter the following at command prompt: php /usr/local/www/pfblockerng/pfblockerng.php dc

@viktor_g

Thanks - that helped.

I also uninstalled and reinstalled pfBlockerNG, and the feeds that were previously not updating (apart from the ones listed in the post that you linked to) are now updating. So problem solved for now I guess.

@johnpoz said in Streaming is being blocked on Roku:

You have no name on your views.. so yeah can see why it would balk at that.

access-control-view: <IP netblock> <view name> Set view for given access control element.

And you shouldn't have that 2nd server: in there either.

Wouldn't it be just easier to assign your roku a different dns, say 8.8.8.8 - not sure why your roku would need to resolve anything on your local network anyway.

Thank you all for the responses.

EDIT: I had to go back and edit my original reply. I realized I am forcing DNS requests over CloudFlare 1.1.1.2 and 1.1.1.1. I also have two NICs and two different LANS, 192.168.1.0 and 10.1.1.1

I changed the Resolver code:

server: access-control-view: 192.168.1.0/24 dnsbl #All devices on this subnet run through pfBlockerNG DNSBL access-control-view: 192.168.1.121/32 bypass #Roku IP is bypassing pfBlockerNG DNSBL view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf

However, I am noticing that ads are allowed for everything on 10.1.1.1 unless I add

access-control-view: 10.1.1.1/24 dnsbl

and the full code looks like this:

server: #All devices on this subnet run through pfBlockerNG DNSBL access-control-view: 192.168.1.0/24 dnsbl access-control-view: 10.1.1.1/24 dnsbl #Roku IP is bypassing access-control-view: 192.168.1.121/32 bypass pfBlockerNG DNSBL view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf

Apologies for the delay in responding, I never got any email notifications that I received responses to my original post. Weird.