@JeGr said in pfBlocker locked me out of my pfSense web-managment !!!:

I'm more in agreement when it comes to DNSBL - that feature set I can easily see being cloned by Pihole or Adguard. But the IP stuff is way more useful than many realize.

although i generally agree, having pfblocker be granular enough to dnbl based on networks is way more useful than the way its implemented today. Deploy pfsense in a SOHO or school that doesn't want to purchase a separate DNS server but wants filtering, you need granularity which pfblocker doesn't support. So that would be a use case for the extensibility.

@Vatreni

Just thinking out loud : what about getting an ISO from 'whatever' open source project ? FreeBSD or Debian etc.
Copy what you find under /etc/ssl/.

edit : forgot about the most obvious one : get the latest pfSense !!!!!
( as you need it even when you don't install it !!)

and get the latest ca-root certs out of it.

Btw: having troubles with expired certs if the top of the ice-berg(problem).

@mattch it downloads the alias for each rule I think. Or at least processes it.

There’s one trick we found, at least for our purposes …instead of using the alias as a NAT source, allow any and control the access using one firewall rule for all applicable ports. So, disable the automatic rule creation and create your own. That way the alias is not on the NAT tab and is listed once on the interface tab.

@Gertjan
I get pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

but this started to take place only recently.

@geoffdh

My guess is that not whitelisting the 'ad' URLS can break functionality on some apps. I've had this happen to certain apps where I had to whitelist 'firebase settings' that was blocked by my ad lists in order for the app to work correctly.

@jrey For the next few weeks, I am just going to be using pfBlockerNG for IP blocks and not DNSBL. I am testing out the similar functionally with Cloudflare Zero Trust. It adds the ability to inspect SSL traffic on devices where I've added the certificate.

Here's a very small example of blocks for the last hour with Cloudlfare Zero Trust:

0367d76f-566f-4ca3-b669-411c033a22e7-image.png

@VMlabman said in pfBlocker error in pfSense: There were error(s) loading the rules: /tmp/rules.debug:56::

Could it be that I have too many lists enabled

yes,

Could also be that the default "Firewall Maximum Table Entries" setting is too low.
You will find this entry here: System -> Advanced -> Firewall & Nat

A lot of people select far too many lists - generally not needed.
the setting should generally be twice the value actually required. When the lists are processed to the firewall, the entire new set is created, then swapped into place.

Look for this log entry in the pfbockerng.log. That will give you some guidance to the setting best suited for your case. In my case it is deliberately higher than the 2x referenced.

pfSense Table Stats ------------------- table-entries hard limit 600000 Table Usage Count 135911

Just above that in the log you should see the summary, like this:

Alias table IP Counts ----------------------------- 134581 total 107656 /var/db/aliastables/pfB_???_v4.txt 11244 /var/db/aliastables/pfB_???_v4.txt 6505 /var/db/aliastables/pfB_???_v4.txt 6208 /var/db/aliastables/pfB_???_v4.txt 2608 /var/db/aliastables/pfB_???_v4.txt 228 /var/db/aliastables/pfB_???_v4.txt 132 /var/db/aliastables/pfB_???_v4.txt

the ??? will be the name of the list

I changed the feeds to be once daily, but just like clockwork, at 20 or so seconds after the hour, every hour - for 90 seconds the floating rules are ignored. Continuing to see what could cause this. Open to ideas.

@mcury Muito interessante isso!

Vou considerar um teste sim.

Obrigado meu amigo!

@areckethennu
Yes what @SteveITS said

_8 was 23.09.1
_9 was installed with the update 24.03
_10 was then released to correct the category edit issue that has been discussed

@Gertjan I did a liitle bit different)))

New Text Document.txt

@pslinn Not a specific answer for you but I have seen it before.
https://forum.netgate.com/topic/185383/suricata-php-fatal-error-str_ireplace-cannot-use-output-buffering-in-output-buffering-display-handlers-in-usr-local-www-csrf-csrf-magic-php-on-line-165

https://redmine.pfsense.org/issues/14778

https://redmine.pfsense.org/issues/14498

@Gertjan
Thanks, I'll try

@kuschi I now received feedback from Spamhaus that the list is now realably available again.

@anishkgt said in Blocking YouTube Shorts with Regex:

Since it was done in the link mentioned here ->(https://forum.netgate.com/topic/164732/python-regex-list)

That link shows you you can block 'anything that contains "yahoo" in the host name".
Fasten your seat belts now.
Example :
https://www.youtube.com/shorts/wEVVhumRrHI is an URL
youtube.com is a host name
www.youtube.com is a sub domain of that host name.

pfBlockerng has access - can see in the clear - the domain name, "youtube.com" and the sub domain name, www.youtube.com. So it can 'filter' these. The the app or web browser on the device gets an A (IPv4) or AAAA (IPv4) as an asnwer, and it connects to this (the "youtube") server.
TLS is established first.
Only now the browser gets the actual 'page' : the video : with this command "GET /shorts/wEVVhumRrHI/".
The thing is : you can't get 'into' this TLS stream. Its encrypted. You want it be encrypted. You don't want to have access to this data stream. Like never.

There is one possibilities left : use a proxy, and do MITM. Be warned : this is pure rocket science.

So, as @SteveITS said : you need a proxy.

If the shorts where accessible by the usage of a sub domain name, then it would be easy :
shorts.youtube.com can be filtered at a DNS request level, as the link shown above already shows.

But Youtube (Google) etc are doing there best so nobody can filter there content. They are hiring the "best" for doing just that. So, part of the mission is : you have to be better as these couple of thousands of network engineers they employ.

edit : It's youtube that has given us a partial solution. Youtube, without a premium access, is ... well ... IHMO, its just not possible. If I had to wade through the publicity to see these 'shorts' I presume I have a problem way bigger as 'watching shorts'. But hey, its a free world. Smoking is also bad. And I should drink (not water) less.

@SteveITS said in List of problems/bugs in HA/CARP setups:

@JeGr said in List of problems/bugs in HA/CARP setups:

Syncing only by Cron or by "force run cron/update all":

That's a known issue, https://redmine.pfsense.org/issues/14189#note-16 links to https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/55 which has a one-line workaround/fix.

@JeGr said in List of problems/bugs in HA/CARP setups:

can't save the settings when selecting "Sync to system configured backup server"

That has a redmine also: https://redmine.pfsense.org/issues/15159

Not sure about the others offhand.

Sure :) I know some of the things listed are already known or in case of the sync are "working as documented" - the update handling is documented in the notices and package infos. Just wanted to provide a list to tackle together to make the package itself more stable and better to work in a clustered environment. My main criticism refers to it being the "standout" of all core and additional packages as every package syncs normally by saving settings etc. and only pfBNG is behaving differently. I'm all for reading documentation, release notes and changelogs :) But I'm really asking myself if that has to be the way it's done at the core of it. Normally in UX/UI you'd advertise to go the route of least surprises to do things and that's a prime example. If any component does X and only one does Y it's bound to cause friction :)

@SteveITS said in List of problems/bugs in HA/CARP setups:

Let me throw out what I believe is another symptom...I've seen a few cases in the past year or so where the backup router sees an alias error during the sync/cron period:

Yeah, me too. Couldn't exactly pinpoint it to a specific occurence yet so I didn't list it but sometimes you have the "unknown alias" messages popping up on the standby node with pfB running, updating and working fine and if you check the state tables or aliases you find the pfB_aliases working just fine. So yes, there's another bug slightly hidden in the stack here :)

Cheers
\jens

@milindhvijay Are you using it for firewall rules or DNS block list?

https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html

For DNS, devices would need to use pfSense for DNS.