Getting stranger, they are blocked again. According to the rule it should be suppressed but clearly it was blocked.

I now manually added the ips to the alias and did a "update - reload -all) and now it is working again.

===[ Suppression Stats ]=================================== List Pre Suppress Master ----------------------------------------------------------- BinaryDefence_IPs_v4 1445 1445 67583 Suppression ET_Block_IP_Ranges_v4: 1.1.1.0/24 (Excluding: 1.1.1.1/32) ET_Block_IP_Ranges_v4 995 994 67837 ET_Compromised_IPs_v4 450 450 67837 ISC_1000_30_v4 451 450 67836

So the alias "pfBlockerNGSuppress" was apparently the right place to add them, only when I added it from the reports it did not show up there and was not working again a little later

Got added to CINS army as well. I added all IPs to the suppression list

1.1.1.1/32 1.0.0.1/32 1.1.1.2/32 1.0.0.2/32 1.1.1.3/32 1.0.0.3/32

Forced Reload and got this:

CINS_army_v4 15000 15000 19434   Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.1/32)  Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.2/32)  Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.3/32)

Everything working again. Until all the lists are clean just add the IPs to your suppression list.

This duplicate to this
https://forum.netgate.com/topic/156300/strange-issue-with-1-1-1-1

See my answer there.

I think I figured it out...

was using wifi DHCP and that was not letting the DNSBL stats to update properly - even tho firewall was blocking properly.

So once I set the wifi to bridge mode - all started working as expected... basically bad config causing it.

Turns out, the one thing I wasn't doing was a forced reload, only a forced update, which apparently is not good enough. I guess I was under the impression a forced update included reloading the lists, but apparently not.

ipfw shows a perfect match. And local DNS is working perfectly fine. Although I seem to have found the problem in which one of the feeds is blocking the localhost for some reason. For now I disabled localhost being included in the DNS and thing works ok now.
If somewhere breaks again, might be better to just remove that feed.

thnx for the reply.

@Rogerboomhouser FYI;
https://twitter.com/BBcan177/status/1296638315437993984

Got same issue but in my case no error is generated, all I see is after I added to watchdog it is been started every minute in the system log, no errors, just stopping right after started.

If I check logs inside pfblockerng-devel, is no errors.

Any ideas?

What does the service even do? as the actual functionality seems fine otherwise.

2.5-snapshot, on my 2.4.5 unit it is running.

@py sorry for the late reply! You may have already solved this, but perhaps this can help someone else who comes here after trying to reach krebs, or something similar.

I expect the reason why whitelisting krebsonsecurity.com in DNSBL did not solve the problem for you is because DNSBL is not what is blocking you, your IP blocking is. Go to your Reports / Alerts tab, and see where the block is happening.
I expect you may see that an attempt to hit krebsonsecurity.com with a browser results in:
krebsBlock.png
showing the block in the Deny section, and not in the DNSBL section.
If this is the case, instead of whitelisting the domain name in DNSBL Whitelist, try adding 130.211.45.45/32 to the IP / IPv4 Suppression list.
Works for me.

For the record, ipinfo.io confirms that krebsonsecurity.com is among the domain names hosted at 130.211.45.45.
krebsBlockDomains.png

Thanks All I have updated the link in pfsense

@BBcan177 Sorry for necro posting but...I'm finding this annoying. I just went to add in a feed and it gave me these errors about me needing to create inbound and outbound rules, that I shouldn't choose "any", etc. So I had to go setup an alias for web ports like 443 and 80 EVEN THOUGH it's a white list that should allow ANY ports in or out. This is now restricting me and doesn't make things easy. I have to fart around and do source and destination ports. Source ports always change seemingly.

The old versions of PFB didn't do this which is why it seems to "work" until I want to go edit a feed to "permit both". Then I get all kinds of errors about these rules.

Why not just allow "permit both" from any to any port like it used to? I can't move on in life until I fart around with the port source and destination. This seems like you're making it more complicated than it needs to be. When getting the error it doesn't save my stuff.

Can you bring back "simple" functionality? I probably now broke something with my global white list since destination ports can be anything not just port 80 and 443.

Thanks.

@justice41 said in Unable to add feeds - DNSBL:

10.10.10.1 is the default gateway.

Gateway ?
It's the default web server IP that pfBlockerNG-devel is using, among others, for its logging
facilities.

If you use the 10.10.10.0 network somewhere else, you should (have to !!) change this IP setting.

@justice41 said in Unable to add feeds - DNSBL:

UPDATE PROCESS START [ 08/17/20 16:54:42 ]
===[ DNSBL Process ]================================================
[ noTrack ] exists.
===[ Continent Process ]============================================
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
UPDATE PROCESS ENDED

You have to force the update, if not, nothing is happening.

@NollipfSense Thank you :)

I wonder if the text
"This will create 'Floating' Firewall permit rules to allow traffic from the Selected Interface(s) to access the DNSBL Webserver (ICMP and Webserver ports only)."
has become out of date in the latest release, or maybe it only applies to use cases involving CARP.

In my (multi-LAN (via VLANs), non-CARP) use cases at least, all traffic that I've seen redirected by pfBlockerNG-devel DNSBL gets addressed to the virtual IP on ports 80 and 443 (not ports 8081 and 8443). This traffic NATs via port forward to 127.0.0.1 ports 8081 and 8443, and gets a pass via 'associated rule=pass' directly from the NAT port forwards.

The only way that I have been able to generate any traffic that hits the pfB_DNSBL_Permit rule is by deliberately (you could say unnaturally) targeting the following URLs (where $vip is the DNSBL Webserver's Virtual IP address):
http://$vip:8081/
https://$vip:8443/
Maybe being able to reach these forced addresses could be useful for testing, but that doesn't seem to warrant the checkbox on the UI.

If anyone can describe a use case where access to the DNSBL Webserver via $vip:8081 or $vip:8443 is necessary, please help to satisfy my curiosity and perhaps save some newbs from confusion :) There are pages on the internet for basic configurations that instruct folks to enable this, and the UI certainly suggests it, to me at least.

In the meantime, I will follow NollipfSense's lead and disable DNSBL Configuration, Permit Firewall Rules. It's always nice to eliminate code!
Thanks!
Bill

Look at this : https://forum.netgate.com/topic/145533/frr-0-6-3-ospf-seems-to-break-with-ip-aliases/2?_=1597236629603

I'm running 2.4.5-RELEASE-p1

I don't know if these are the specs you were asking about:
ARM Cortex-A9 r4p1 (ECO: 0x00000000)
Multiprocessing, Thumb2, Security, VMSAv7, Coherent Walk
2 CPUs:
SOC: Marvell 88F6820, TClock 250MHz, Frequency 1600MHz
Crypto: Marvell Cryptographic Engine and Security Accelerator

I'm running bare metal

No I haven't noticed anything odd at all in the logs

I don't see anything maxing out cpu

Here is the OISD light version: https://dbl.oisd.nl/light/

-Rico

@mtarbox said in Ant-techs.is/ip-blocklists:

There is a better way to block youtube ads.

http://jasonhill.co.uk/pfsense/ytadblock.txt

YMMV

I have been using this list in pfBlockerNG almost since it was posted... the list is still there but it fails quite regularly since the owner put some cloudflare anti-ddos measures in place. The list still seems to be updated... it's still is under a pfSense directory... it's still accessible via a browser with patient human at the keyboard.
I've talked to Anthony and we've both tried to contact "Jason Hill" but with no joy.

Is Jason on the Forum? Does anyone know Jason? Does anyone have viable contact information?

Thanks in advance if you can help.