• 0 Votes
    5 Posts
    853 Views
    G

    Hi @BBcan177 any updates on this?
    I could also add a small bounty on it if needed.

    Thanks!

  • DNSBL IPv6

    1
    0 Votes
    1 Posts
    264 Views
    No one has replied
  • One-Time Website Access - Feature Request!

    2
    0 Votes
    2 Posts
    146 Views
    NollipfSenseN

    It would be cool to have a temporary list for sites that may be on a DNSBL for some reason, and one would like a one-time quarantine exception for a 15-minute period instead of whitelisting permanently. Hoping that @BBcan177 will see this if there isn't a way to do it or share how to do it.

    The solution I took was to go to a coffee shop instead of adding to whitelist ... a little inconvenient.

  • One way logging possible?

    6
    0 Votes
    6 Posts
    459 Views
    JeGrJ

    @mlines said in One way logging possible?:

    I figured it out for those who are interested after reading other posts. Modify the existing auto rules across all interfaces to change the descriptions from "pfB" to "pfb" and modify the logging as I wish. Then change the lists in pfblockerng from Deny Both to Alias Native. Reload and the modified rules are now retained.

    Not exactly right. You are using pfB to generate an alias for the PRI1 lists, right?

    So if you want to create your firewall rules yourself and don't want pfB to mess with it, switch it to "Alias Deny" as that way you can profit from dedup and other mechanisms of multiple lists combined. You can also use "Alias Native" if you want, but you can read up in the help what the difference is.

    Anyway, renaming anything in the description is not necessary! Just switch it to "Alias xy" and pfBlocker won't create rules itself so you can design, modify and place your rules yourself without interference. That's my recommendation anyway: to use pfB to manage and download those lists, GeoIPs or DNSBLs but only let it create the aliases and use them in your own rules yourself.

    As @provels states correctly, if you don't have inbound traffic, blocking PRI1 per se doesn't increase security a bit. If you have say a DMZ with multiple servers/services or running a VPN, you can use it to filter traffic before the pass rules allow traffic to hit your services, that's right. If all you have is, e.g., a rule for allowing OpenVPN inbound, you can easily modify that pass rule with a "source NOT pfb_PRI1_v4" to block out IPs from the PRI1 alias without needing a second block rule or anything. Explicitly blocking traffic for PRI1 alias is only needed/wanted if you want to see how much hits/traffic that actually accounts for or if you want to log it for any reason :)

    Otherwise having PRI1 blocked on the LAN side (or WAN outbound) - or some other lists like malware or bot control net - makes perfect sense. Just watch out that your alias doesn't include the RFC1918 (private nets) IP ranges or you might be wondering why you can't access other LAN/VLAN subnets anymore ;)

    Greets

  • pfblockerNG blocking some web on bypass IPs

    5
    0 Votes
    5 Posts
    726 Views
    GertjanG

    @scorpoin :

    With checking the 'manual', a certain pattern can be observed :

    First, in the server part, 'groups' or 'classes' are defined : called 'bypass' and 'dnsbl'. They have a 'network(s)'.
    Then for each group or view (network), options are listed.
    One of them - called 'dnsbl' includes our pfb_dnsbl file.

    Note : I guess we can have the "views" called 'limited' or 'restricted' or whatever.

  • pfBlocker Options

    2
    0 Votes
    2 Posts
    512 Views
    NogBadTheBadN

    Create an alias using pfBlocker and craft your own firewall rules.

    With the aliases, the deny, permit & match only define where the info in the report tab goes.

  • pfBlockerNG-Devel blocking on mobile devices but not laptop

    10
    0 Votes
    10 Posts
    3k Views
    GertjanG

    How can you ask :

    @mperez0000 said in pfBlockerNG-Devel blocking on mobile devices but not laptop:

    I don't know why it's querying other DNS servers.

    and then showing this image :

    [image]

    without seeing the relation between your question and your => answer<= to it.
    Read the description text.

    You don't need the first, as DHCP will hand out the IP of pfSense as the 'local DNS cache resolver'. So network (DHCP) clients know whom they have to ask for DNS requests.
    See also the DNS servers fields description of the DHCP server setting page.

    The other two IPs : so you list two other IPs, which are also used by DHCP = communicated to your network DHCP clients ..... which means they could use OpenDNS instead of the pfSense Resolver ... which uses pfBlocker ....

    So, you set up the opportunity to bypass pfBlockerNG - and ask why it's bypassed ... ☺

    Really, consider this : the default settings were just perfect ;)
    If you want to add something there add :

    [image]

    Note : your 'wireshark' also showed something else : your LAN doesn't reply on ICMP (ping) ? Why ? (can't see if it's the source or destination - your PC is in "undercover" mode ?)
    Tip of the day : use the default LAN rule as proposed by Netgate.

  • Not sure if DNSBL is working

    2
    0 Votes
    2 Posts
    308 Views
    DaddyGoD

    @mlines

    Hi,
    The operation is certainly not correct in this respect.
    PfBlockerNG must work with the resolver (Unbound) for DNS query.

    You wrote that you made your own list, we use this for DoH:
    https://heuristicsecurity.com/dohservers.txt

  • new pfBlockerNG DNSBL list - possibility...(?)

    3
    0 Votes
    3 Posts
    401 Views
    DaddyGoD

    @Artes

    thanks for the information

    it seems like a whole new thing....
    yesterday, I was alerted by a colleague from one of our UK sites

    It looks like another Google scandal will be..... and Israeli participation
    if I have time this weekend I'll sort the list and upload it to one of our web servers and test it

  • PfblockerNG widget dashboard??

    4
    0 Votes
    4 Posts
    754 Views
    GertjanG

    @Cool_Corona said in PfblockerNG widget dashboard??:

    So you're not answering my question....

    I was presuming you would 'read between the lines'.

    If the functionality doesn't exist right now, code it up yourself. It's PHP after all.
    Or : see the Bountier forum.
    Or : as said : contact @BB.
    Can't think of anything else.

  • IP Address Block My PC

    5
    0 Votes
    5 Posts
    511 Views
    S

    @NogBadTheBad

    Thanks, that's what I was thinking but my googleFu did not show anything other than newtrend something or other so it had me worried.

  • Configure PfBlocker to Sync settings to multiple firewalls

    6
    0 Votes
    6 Posts
    942 Views
    RonpfSR

    pfblockerNG settings are in the config.xml on each firewall.

  • 0 Votes
    1 Posts
    143 Views
    No one has replied
  • 1 Votes
    6 Posts
    742 Views
    NollipfSenseN

    @RadicalEntity Firewall > pfBlockerNG > IP, then scroll down the page, then check this box ... see image. You'll need to reboot.

    [image]

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    8 Views
    No one has replied
  • How to autorize WAN typed interface to DNSBL block-web-page

    1
    0 Votes
    1 Posts
    123 Views
    No one has replied
  • pfBlockerNG-devel cron job stuck @ Loading DNSBL Statistics...

    8
    0 Votes
    8 Posts
    1k Views
    S

    @RonpfS Moved to pfblockerng and it seems to be working fine.

  • Upgrade hangs

    12
    0 Votes
    12 Posts
    1k Views
    QinnQ

    @Ramosel said in Upgrade hangs:

    @Qinn

    Did reinstalling pfSense fix your issue?

    Yes, I installed 2.4.5-p1 and restored config and all is well.

  • Allow traffic to/from one device on subnet

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
  • Configuration file replaced on save

    2
    0 Votes
    2 Posts
    156 Views
    C

    @ChristianG solved :) Misconfiguration from my side was the problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.