Hi,

No way.
Just keep the default ports (8081 and 8083).
Same thing for the Virtual IP default 10.10.10. - except if this IP falls into one of your LAN's or other networks.

Removing the '53' from unbound and be ready to 'break everything' ;)

@PaulMon123 said in DNSBL deny all except whitelisted:

All I want to do is to block any DNS requests (except ones to specific services) to prevent data leaks using DNS tunneling.

It seems that most of what I shared geared to accomplishing this, especially when an IPS/IDS is added to the mix. I take it others has physical access to the "secure environment" or it's a server.

This data leaks using DNS tunneling is a hot topic, a potential headache, and I am hoping a package with DNS quarantine coming soon.

@tman222 Well, I think it would be pfSense that provided pfBlockerNG widget the packet info.

Make sure you are using pfBlockerNG-devel which is much improved over the release version.

OK thanks, I think I get it now. The ' IPv4 Suppression list' is a white list ? (clicking the '+' in the deny list)

Just for clarity, I can see in /var/db/pfblockerng/deny the lists

2019-10-16 19_38_24-deny - XCP-NG DQ77KB - WinSCP.jpg

and under pfBlockerNG > IP > IPv4 I can see the corresponding lists created from 'feeds'

2019-10-16 19_43_51-pfSense.localdomain - Firewall_ pfBlockerNG_ IP_ IPv4.jpg

But I still don't get where the pfB_DNSBLIP_v4 (DNSBLIP_v4.txt) is created from 😕

@William-Barni said in pfSense pfBlocker and mobile phones apps:

@pfSenseTest Hum... ok. Thanks for the answer.

I need to learn a ton of new tools and to develop rules for them, understand their behavior, just to block youtube.

YouTube does not want to be blocked ... 😉 . So they make sure it is somewhere between difficult and impossible to block their traffic. Google has gotta have that ad revenue you know ... 😀 .

@iTestAndroid said in i7 4GHz CPU + 128GB RAM, still slow when I load a large list in DNSBL:

@tman222

Yes. Actually, with pfBlocker and list of around 400-500k, it works flawlessly, its super fast and blocks most ads. When I turn on all lists I have, the total count adds up to ~1.4M and that's when things start to go south. Otherwise both DNS resolver and pfBlocker works fine. So when 1.4M entry is added to pfBlocker, things get slow and some DNS requests hangs.

DNS Query Forwarding -> Enabled
Use SSL/TLS for outgoing DNS queries -> Enabled
Custom Options:
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853

server:include: /var/unbound/pfb_dnsbl.*conf

These are the DNS server addresses listed there
1.1.1.1
1.0.0.1
9.9.9.9

I have gigabit internet, RTT is acceptable:
ping cloudflare.net
PING cloudflare.net (104.16.208.90) 56(84) bytes of data.
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=1 ttl=57 time=2.73 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=2 ttl=57 time=2.60 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=3 ttl=57 time=2.43 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=4 ttl=57 time=2.37 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=5 ttl=57 time=2.53 ms

@provels
Yes, I have both enabled and each of them have size of 4096MB (4GB)

Hi @iTestAndroid - do you see any difference if you take out 9.9.9.9 and just use Cloudflare's 1.1.1.1 and 1.0.0.1 servers? Do you have DNSSEC checked or unchecked? I'm still not quite convinced this is a pfBlockerNG issue -- 1.4M is really not that big and you have got some pretty powerful hardware too.

Hope this helps.

@RonpfS said in Embeeded youtube clips won't work. Firefox detected a potential security threat and did not continue to www.youtube-nocookie.com:

Remove your Whitelisting of the domain, Force Reload All, then whitelist it using the Alert Tabs to see what pfblockerNG will whitelist. www.youtube-nocookie.com is a CNAME : youtube-ui.l.google.com that need to be whitelisted as well.

Thank you now it works! It added the following to the whitelist:

.www.youtube-nocookie.com .youtube-ui.l.google.com # CNAME for (www.youtube-nocookie.com)

pfBlockerNG-devel already has ASN support in the IP State setting. Also Radb registry isn't very accurate. The package is using bppview.io instead.

https://api.bgpview.io/ip/<IP>

Your local device could have had the entry cached. Normally I will also disconnect my device from the network, and back on to force the device to flush local cache. Sometime a /flushdns on windows helps too.

@NasKar said in Access to my VPN and Plex Server while abroad:

I would like to access my VPN to make changes to my firewall just in case and my Plex Server.

Trust me, it's not a good idea to change your firewall through VPN. Make the changes before you go.

@Koent said in curl error 7 on all downloads:

analyse the FW daily

Me neither.
But I do check 'basic' operations when changing 'major' things like interfaces that deal with outgoing traffic.
In this case : because the NIC called WAN (actually : PPPoE) now faces the Internet directly. Before, pfSense was probably hidden behind another router (no standard, but normal for a DHCP client mode). Now, it's time to re check and double check your WAN rules : typically none should be there exception NAT rules.

I tried to add

/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update >> /var/log/pfblockerng/pfblockerng.log

as a shellcmd, but it still ran too early. I don't know how to make it sleep for a couple minutes.

Thank you both for sharing...I learned about Shodan for the first time.

So their servers or cluster at each pop can handle 65k users - yeah find that unlikely ;) This just a perfect example of how misuse of ipv4 space ran us into a shortage of ipv4 way before it should of ever happened..

Network space should be assigned appropriately for the amount of devices that will be using that space.. Even when inside rfc1918 space (which has limits as well) Sure you allow for growth and such.. But come on their 8 core 10ge box could handle anywhere close to even 8k users? That would leave you at most 1.25mbps each user ;) Let alone 64k users ;)

@provels They can be used as whitelists instead