• Did pfBlocker break my config.xml?

    @BBcan177 said in Did pfBlocker break my config.xml?:

    pfSense ACB

    As I get them upgraded to 2.4.4_3, yes. But these are not. This unit is at 2.3.4-p1. I'm hoping to have all the units upgraded by the end of the year and have ACB configured on them.

  • pfBlockerNG alerts are in the future

  • Do you use reputation?

    After a little research I decided to try using reputation with no whitelist. If I am currently only using the top 20 spammers geoip list, and I am actively blocking 6 of them, then this will keep tabs on the rest without downloading a ton of extra stuff or doing too much extra processing. If I understand how reputation works correctly (and that might be a stretch) then this should be a safe bet to make good use of the top 20 spammers geoip list.

  • Deny all outbound except specified geoip

    @P3R Yes, and for that little security increase I bet your firewall takes a big performance hit. I noticed that the USA list is massive and to have to check everything against that would take some processing power. Not to mention having to unblock things all the time. I actually tried it then reverted back to my current settings just based on how long the update took, haha.

    I was a little confused as it says right on the configuration pages "It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic from selected Countries only". I read that as "deny all/all by default then allow what you need".

    Right now I have it set to reject outbound to a few of the top spammer countries and I am looking into the reputation settings. I also DNS blacklist using Pi-hole as I like DNS/DHCP on a separate box, but I do see that you could just add those lists to DNSBL if you didn't want to do it that way.

  • Block a single website on 1 of my 2 wan connections only?

    @BBcan177 Reading that, it takes my one machine out of DNSBL, but then use squid to block the site?

    There is no way to use DNSBL filtering per WAN correct?

    I have them load balanced right now.

  • Massive DNSBL Log

    NollipfSense

    @BBcan177
    Okay, I increased it to every hour...thank you!

  • dnsbl.log - Log file is empty or does not exist

    BBcan177

    @wdupreez said in dnsbl.log - Log file is empty or does not exist:

    Should I change the DNSBL > Webserver Interface to GUEST and/or Enable the Permit Firewall Rules and select the GUEST interface?

    Yes you will probably need this permit rule to allow the GUEST network to communicate with the DNSBL Webserver. You should be able to ping and browse to the DNSBL VIP and also ping and get a reply to any blocked domain.
    Thanks for the feedback!

  • Blocklist for pfBlockerNG

    provels

    If you use the devel version, many are built in. I would recommend it.

  • Microsoft Windows Update Blocked By Unknown Feed

    BBcan177

    @dma_pf

    Start with which Feeds contain these domains blocking windows updates.

  • DNSBL doesn't work

    nzkiwi68

    Make sure:

    Your clients/workstations behind pfSense are pointing to the pfSense box for DNS (normally the LAN address of your pfSense firewall).

    Using the "nslookup" tool, query the pfSense DNS directly (normally the LAN IP address) and test for domain names that should be blocked.

    Do you need to check the TLD box under pfBlockerNG so that www.domainname.com and xxx.domainname.com are also blocked?

    DNSBL works great, I suspect it's a setup issue on your pfSense and/or network.

  • Tracing Blocks/Understanding Logs

  • pfBlockerNG widget: pfB_DNSBLIP No rules are defined using this alias

  • How to block any web site with pfBlockerNG?

    I've found a solution: I made a repository on GitHub and loaded up a txt with the IPs from the WhatsApp servers that I found in the documentation from Facebook's developer site, and made a new IP rule with that link!!

  • How important is WAN protection in this case?

    By all means keep the custom openvpn port; I find that practice reasonable. Bots and whatnot scanning services cause spam; the problem is, though, if you get used to seeing that spam, then the one day you have a legit attempt at your security you are likely to ignore it as you are just used to seeing daily spam. Which is why I use custom ports for non-public services a lot of the time.

    On the question of things like snort, I wouldn't bother in a situation where the one and only listening service is a private VPN server.

  • Interface goes n/a after forcing an update using pfBlockerNG

    Hello,

    I just switched the pfblocker from standard to devel and the problem went away.
    Sadly I didn't have time to check the logs :(

  • IPv4 Block list not working as anticipated

    That sorted it, thanks - now why did I not think of that!

    Cheers

  • pfblocker, pass incoming if from country.

    BBcan177

    See the following thread:
    https://forum.netgate.com/topic/125250/firewall-rules-order

  • Unable to locate which list is blocking address

    BBcan177

    @cjbujold
    Anything that is blocked is visible in the Reports/Alerts Tab. You can use the "Alerts Filter" to refine the search.

    drill @8.8.8.8 intuit.com

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35702
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; intuit.com. IN A
    ;; ANSWER SECTION:
    intuit.com. 1 IN A 199.16.139.15
    intuit.com. 1 IN A 12.179.134.145
    ;; AUTHORITY SECTION:
    ;; ADDITIONAL SECTION:
    ;; Query time: 39 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Mon Jul 22 00:46:29 2019
    ;; MSG SIZE rcvd: 60

  • PFBlockerNG DNSBL Default Ports

    BBcan177

    @romulusrodent

    Yes, use any other available port... So don't reuse the same port that pfSense HTTPS is utilizing.

  • YouTube ads coming thru on AppleTV for some time now.

    @RonpfS said in YouTube ads coming thru on AppleTV for some time now.:

    @lmannyr said in YouTube ads coming thru on AppleTV for some time now.:

    How do I add the ip to "manifest.googlevideo.com" to pfblocker? Also how did you apply it. I already have dnsbl running.

    DNSBL doesn't operate in the IP space, it operates in the Domain Name space.

    You can add the domain name to a DNSBL Custom_List in any DNSBL Group.

    You could also create a new DNSBL group and put it in the group DNSBL Custom_List. You need to do a Force Reload DNSBL after.

    Hey, so I know this is really old, but did this work for you on pfSense? How did you apply it? I already have DNSBL running. Were there any drawbacks to blocking it?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.