Uh...Base64 is not a number base. It is a method for encoding binary values as text strings. See Wikipedia here: https://en.wikipedia.org/wiki/Base64.

you can add list from DNSBL / DNSBL groups and press ADD, insert that link save and enable it

for the regex stuff i found this on redmine
https://www.reddit.com/r/pfBlockerNG/comments/d01qod/can_pfblocker_block_urls_by_regex/ez56ta3/
This will be available in the next major release as it will utilize the Unbound python integration.

it's 6 months old idk how are things going on about it

update here https://www.reddit.com/r/PFSENSE/comments/fj1ks8/migrating_from_pihole_to_pfblockerng/

Will be in the next pfBlockerNG-devel release when pfSense 2.4.5 is released.

@techman2005 I just looked up scan.nextcloud.com and it resolved to 95.217.53.149, so you may need to actually edit the file /var/log/pfblockerng/ip_blocklog and remove the IP. I don't understand why it didn't adjust the data when you added the domain, saved, and reload. You could scroll to the right of that log file to see the list it belong to and try adding the IP to the custom list I think...maybe @BBcan177 can step in.

Spent more time reviewing the changes I made. If I am not mistaken the pfB_Top_v4 alias is made by enabling GeoIP blocking (any of the lists there). In my case I enabled Top Spammers list and with action 'deny outbound'.

After disabling 'GeoIP Top Spammers' the ubuntu updates began working.

Hello All.

I would like to ask about the following. I have some IPs bundled in an ALIAS and these IPs should bypass pfBlockerNG. When I unselect these IPs by their dedicated VPN-Interface in "Select Outbound Firewall Interface", these IPs are still get filtered by pfBlocker. Is this the reason for for this because of checking the option for floating rules (Open VPN) in DNSBL firewall rules?

Nevertheless, I found wesfox's link for bypassing single IPs. Would this be the right way to bypass pfBlockerNG for some LAN IPs?

Thx for your support in advance.

@A-Former-User said in TLD white list not working:

@wolfsden3 said in TLD white list not working:

Well thanks for the discussion, I learned a few things that I'll implement at other locations. Looks like they have 760k DNS queries per day on that FW. I'm not sure if that's a lot or not.

Minimizing DNS queries is my next project although the FW is doing it's job and fairly well I think.

I'll fart around with this. I'm not sure if other sites are experiencing this too. They might very well be.

Thanks again.

last thing i promise.

below i have screenshot and posted my firewall rules:

Floating:
float.png

WAN:
wan.png

LAN:
lan.png

GUESTVLAN:
guest.png

blacked out information is just rules for my openvpn

I just got to say I like your firewall arrangement...bravo!

Managed to choke pfSense with 4GB ram and pfBlockerNG to not answer to icmp echo anymore.

So my theory stands: Add more memory.

I’ll try less feeds. It’s a sg-1100 appliance so I can’t add memory

@timboau-0 said in pfBlockerNG and Suricata (IPS) interaction:

OK, I'm thinking that makes sense - so unless there was an attack against the actual firewall - any traffic that did make it through malicious or not would be 'seen' traversing through to the LAN.

Yes, this is correct. The LAN is the best place to put an IDS/IPS 99% of the time. A major reason is so, when using NAT, the IP addresses you see in alerts will be the actual LAN host addresses instead of the NAT IP. When you put the IDS/IPS on the WAN, all internal host traffic shows up under the WAN public IP due to NAT. So finding what internal host generated an alert is very difficult.

I stopped using chrome and switched to the Brave browser (Download from the official site- https://brave.com). I forgot about advertising on YouTube.
Brave was created by Brendan Eich, one of the founders of the JavaScript programming language, using the Blink engine (developed by Google). All popular browsers are created on this engine - Opera, FireFox and Chrome itself.

@Stewart said in Unable to edit GeoIP Links:

Maybe not. I was just checking the lists to edit but if I run an update I get:

MaxMind Database downloading and processing ( approx 4MB ) ... Please wait ... Download Process Starting [ 02/25/20 14:34:14 ] /usr/local/share/GeoIP/GeoLite2-Country.tar.gz 401 Unauthorized Failed to Download GeoLite2-Country.mmdb /usr/local/share/GeoIP/GeoLite2-Country-CSV.zip 200 OK Download Process Ended [ 02/25/20 14:34:16 ]

Is that right? It lets me edit the lists now but I'm only authorized for 1 of the 2?

When you view the pfBlockerNG box in the pfsense Dashboard, does it show that MaxMind has updated? If not, you may not have any list downloaded. If it doesn't show that MaxMind has updated, issue the following command from Diagnostics, Command Prompt without the quotes: "php /usr/local/www/pfblockerng/pfblockerng.php DC". This should force an update MaxMind since it is only set to update once a month by the default cron.

@RonpfS said in 2 Questions: Whitelist and UT1:

@NollipfSense Your Whitlelist should have only domain names, no URLs or http://

That's what I have...see second post...WAIT, I see the mistake...thanks!

@BBcan177 Ah...that makes sense...I'll patiently wait for the updated d3pie.

@jeffvogelsang

The pfBlockerNG-devel package has an existing Feeds tab. It would probably be more efficient to request changes to the feeds or submit a PR against the database here:

https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_feeds.json

Keep in mind that I typically do not add feeds that are compilations of other Original Feeds. Best to go directly to the source. There are changes to be made to the json already as some feeds are now discontinued. That will happen in the next release.

From your FW rule, it looks like there is no Firewall 'Auto' Rule Suffix' in the description.

Your Firewall 'Auto' Rule Suffix is set to "AR" and that doesn't show in the Description of the FW Rule.

I guess you changed that setting it at some point. Did you disable pfblockerNG when you changed the settings ?

Select 'Auto Rule' description suffix for auto defined rules. pfBlockerNG must be disabled to modify suffix.

@NollipfSense Thanks for the suggestion of increasing states/table entries. I will give it a try.

Although, as described in my initial post, my system seems to use a disproportionately low amount of memory about two hours after reload, it seems to apply TLD filtering adequately, as far as I can discern from looking at my Reports/Alerts/DNSBL log... Still puzzled...

EDIT: Of course, I might not know about packets escaping filtering and thus logging, yet the log appears to be populated in a plausible manner.

Solved it guys, did some googling on that SSL error and found another post here:

In
/var/unbound

Delete
dnsbl_cert.pem
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

Reboot and run force update/reload.

DNSBL now up and running. Thanks for the help in diagnosing guys.