@bose301s said in pfBlocker only on specific ports:

would like to use the GeoIP lists to block bad traffic from my two open ports

At the bottom of all GeoIP and IPv4/6 pages for each Alias/Group is "Advanced Inbound/Outbound Firewall Rule Settings" which you can use to refine the Auto Type rules to add Ports/Destination IPs etc.... or follow the other recommendations to use "Alias type" and manually create the rules as required.

@sjtorrie

I managed to add a SWAP to my install and this has seemed to of fixed my issues. I know this is a dated post but this may resolve your/others issues of locking up and the potential of using more DNSBLs.

Regards

@BBcan177

Same Issue ... No solution? 😑

@isolatedvirus said in Fixing PfBlocker-NG weak cipher and DH Strength Vulnerabilities:

people doing this without knowing the implications

Dude - heheheehheh you have no freaking IDEA!!! heheheeheh that is a freaking given!!

@BBcan177 Even better. ;-)

Thankss

So you know you are not alone https://forum.netgate.com/topic/143959/i-got-the-wrong-default-server

@Chasire said in I got the wrong default server:

I got one from google (8.8.8.8).

edit => you figured it out already : good 👍
Still, read on, for some tips to enforce pfSense DNS usage.

Easy solution : You should install DNSBL on Google DNS systems ;)

Better solution : When you assign "8.8.8.8" to some PC, it will "8.8.8.8" as it's DNS, thus completely bypassing pfSense. Makes sense, right ?
nslookup tells you what DNS server it's using.

Your PC's should do have "pfSense" as your it's only DNS "server".
It should receive the DNS requests, and handle upon them. Using DNSBL if yo have that installed.

So, yet another example of "use the default values and you would have been good".

Btw : you could even place firewall rules on LAN(s) that permit TCP & UDP port 53 requests, destination "pfSense" - and block right after that rule any other DNS request to "anywhere". As discussed in the manual. That would force every device to use pfSense - and the DNS filtering - or : the device wouldn't have DNS anymore.

IMHO : if you think that you have to filter your DNS, I would strongly advice you to take "8.8.8.8" out of the equation right away. Your situation is like this : "something happens that you don't like, and now world's biggest company is also aware of that".

And who is 192.168.123.2 ?

@NogBadTheBad I did, I have update reloaded my DNSBL and still got the same result. I run squid in pfsense. My webbrowser is in the proxy. I think that has something to do with the problem.

7cf0c40c-7977-4594-9490-829e359fc320-image.png

what ever list you added your domain to, make it primary in the settings. so it will be applied first.
and mybe you can post this on reddit r/pfBlockerNG
bbcan will reply to pretty fast.

@BBcan177 @RonpfSI was able to trace it down to an open source firmware(gargoyle router firmware) on my wireless router that was not playing nice with my pfsense box. I do not know exactly how, or why, but the domain information that is used to get the blocks on the report page was not being forwarded correctly(or something else equally weird) to the pfsense box. When I reverted to the stock firmware on the router, it immediately began to report the domain blocks on the reports tab in pfblocker. Was strange, and unexpected.

I have to thank BBcan177 so much for taking time out of his busy schedule to teamviewer with me today to continue to troubleshoot this issue. Thank you RonpfS as well for helping me in this matter.

@BBcan177 said in PfBlockerNG Not Blocking Porn:

Blocking porn is really difficult with DNSBL… There are millions of domains ....

This you can do:

Enable the TLD option, and add "xxx" to the TLD Blacklist customlist.... Then it will block any domain in the "xxx" TLD...

In EasyList, there are Adult Popups that are blocked, but that just removes the Adult AD popups, and not the Adult sites themselves...

A Proxy will be the best option to filter that type of content... SquidBlacklist/UT1 have some Adult categories which list quite a few Adult domains... Its not foolproof either.... Just be careful about MITM SSL issues...
I would recommend OpenDNS. By the way, on Google you can do this: http://www.google.com/preferences.

@RonpfS Thanks for that. Looking good!

forgot to mention im using the devel release and i have tld enabled. found another thread that mentioned pinging the site should return the dnsbl vip address. when i ping www.pornhub.com i get back their actual address. when i ping pornhub.com i get back 0.0.0.0 . this is not the dnsbl vip address.

any help would be great . thanks

Well yes, ofcourse it works if I disable DNSBL, and it also works if I whitelist e1151.e12.akamaiedge.net (which is my current workaround).
I know pfb_dnsbl.conf is created at update time, but currently the akamai entry is included in the config because it is present in the SBL_ADs feed (Hence my need to whitelist it).
So I still don’t quite get what you are reffering to - as far as I can tell it is an Apple issue because iOS the second time around decides to lookup the original A record (akamai) for which www.anandtech.com is a CNAME. It seems my PC continues to lookup www.anandtech.com.

@BBcan177 thanks for your reply.

I solved the resolving of clients myself, when the pfSense appliance is not inline (e.g. router/firewall), you have to specifically allow access to the DNS Resolver to allow for DNS requests from outside (menu: Services \ DNS Resolver \ Access Lists).

You might be right for the redirection page (I am on 2.4.4-p3), it does not show a page. The client webbrowser just hangs. As @zonda describes the reporting of DNSBL stats does not work either.

So there is still some work to do. Anyone got reporting to work on a pfSense appliance that is not inline, but installed locally on the network with one interface (LAN) only?

@BBcan177 Fantastic thank you!

Anything that is blocked is visible in the Alerts Tab. You will need to view the reports tab while browsing to see what is getting blocked. You can whitelist from the Reports Tab. Also in pfBlockerNG-devel there is a lock/unlock icon that you can use to temporarily whitelist a domain to help determine if that domain is causing your issue. Keep in mind that you might need to clear the OS/Browser cache to remove any existing blocked domains.

@fvultee When you created PRI2-4, Alias did you enable the individual Feeds? and set the "Action" setting?