On 2.4.5 that is not indicative of the size of your tables. If it was, it would have a different error that says there are too many entries. This error on 2.4.5 means that it didn't have enough memory at that moment to load the table. Generally it's non-fatal, however, as a later filter reload will likely succeed.

Check the table in question and see if it contains the values you expect. If it does, there isn't likely much to worry about.

This can happen on systems with low RAM or many packages running which consume memory (especially kernel memory).

It should be better on 2.4.5-p1, though that particular scenario is more difficult to isolate and test.

@gnichols said in pfblockerng-devel causing browsers security alert:

I've installed pfblockerng-devel but having a problem with browsers throwing an privacy/security alert on google ads and other links tied to google services. It appears that it's breaking HTTP Strict Transport Security. I want to continue using pfblockerng but is there a way to fix this? Any help is appreciated!

That's because you enabled rules that blocks those domains with ad content ... you can go to Firewall > pfBlockerNG > Alerts then scroll down to DNSBL then look for the domain you wanted to visit and click the plus symbol (+) to add to whitelist.

@RonpfS
I tried that, but I'm only able to get an entire interface to bypass DNSBL. The top post shows where they are able to get a single host to bypass DNSBL, while everything else in that /24 is sent DNSBL That part doesn't seem to work for me.

In the IPv4/6 tabs (devel version) you can change the "State" setting to "GeoIP" and use that to create your own combination of ISOCodes as required. The Source field is an autocomplete field, so after a few typed characters, it will show all available matches. Then use the TAB key to auto-populate the Label field.

@n257jy I would add to custom list than ditch the feed ... congrats on the self-learning that brought you more confidence as network administrator.

Hi,

Look at the pfBlockerNG-devel Reports page. Look at the Alerts and DNSBL lists. Look for the IP your device us using, and then a destination that should have a relation with this "sagepay " (whatever that is).

Note : Feeds used by pfBlockerNG are created by humans like you and me - most often 'just for fun and to help the community'. They could be useful for some one, contain IP's that shouldn't be blocked for others. It's NOT an exact science.

@jot thanks for the info. You are right. Though I do not understand why to force whitelist google and yandex subdomains which are used for ads - ads.google.com|adservices.google.com. I just can not block ads if I enable safesearch option

Resolved.
Just an update on the issue if someone ever face the same problem.
I reinstalled PFSense, then PFBlockerNG-DEV.
I didn't create any auto-rules and only uses native aliases. Maybe it's something obvious, but in my case they didn't play well together. I installed ntopng to find out all the required ASN, there are a few more than just netflix/youtube for the APPs. However, I got a second problem from time to time I wouldn't get an IP from the WAN and many dpinger send-to error 65. The problem was my onboard NIC is a RealTek and not Intel. Moving the WAN to an Intel port seem to fix the issue for me. I understand the recommendation is to use Intel.

Thank you John for your time and help!

In the end I disabled tld blocking since it led to many issues allowing certain sites with their own subdomains. I am maintaining a blocklist of individual sites. This is more effort but more reliable for use.

@johnpoz Well, honestly ... I would love to use the pfBlocker, as this seems to me 'easier' solution as it is already implemented and working. The shallalist is available there as well ... the only thing I am not sure is how I split the filtering for:
parents -> DNSBL, Ads, IP
kids -> all the above + categories
But let's see, maybe someone else comes with some other views.
Thank you.

@johnpoz
Actually when some other agency or corporation gets MinMind customer database plus the ISP databases that nowadays you can bet are automatically available... yes then someone could have a complete picture... it amazes me how people don't care about privacy and don't seem to understand that no privacy means no democracy... Do we still value democracy over money or convenience?
You don't know what actually MinMind is... so I suggest updating pfblockerng to use another geolocation database and prepare it to accept more easily other options. There's always the possibility of a fork.

I am having this same Errors. Did you ever get yours fixed? @Ronpfs Just Because you do not use some thing, Does not means he should not ? THATS pretty backwards thinking!

DoH feature disable is absolutely great

Turns out it is the semicolon causing the issue.
In this post, BBcan177 says there is no parser for the semicolon.