• pfBlocker inconsistent on LAN port

    16
    0 Votes
    16 Posts
    1k Views
    johnpoz

    Not trolling - have no idea what version the user is using. And I was gone for the whole month of June.. And just back last week or so.. So have not really kept up with "everything" while gone.

    Glad to see such a fix finally.. Thanks!

  • PFB Not Block IP Feeds

    2
    0 Votes
    2 Posts
    232 Views
    V

    So, Not really sure why this happened as it seemed to be working fine.
    But, uninstalled then reinstalled pfB.
    Deleted all pfB rules on all interfaces that had not been working and set them up one by one.

    Now all seems to be working

    So a question..
    Is there any problem setting up a rule for pfB and then copying it to another interface without causing a problem? (Even if copying from a WAN rule to a LAN interface)
    I don't think there has been a problem before doing this, but want to verify.
    This time around we changed the description on each rule to include the interface name and did not copy rules.

    Not sure if this "was" really the fix.

  • Suddenly Not Working

    2
    0 Votes
    2 Posts
    233 Views
    G

    doh...forgot I manually entered DNS on my computer to use a smart DNS....all works fine.

  • PFBlocker stop working properly after some time

    2
    0 Votes
    2 Posts
    231 Views
    BBcan177

    If you are not using pfBlockerNG-devel, please switch to that version.

  • Allow specific website to single IP??

    6
    0 Votes
    6 Posts
    898 Views
    S

    @JeGr Thank you for your time and response. What if I use any one of them, then will it be possible to achieve the task I'm looking for? To allow a single website to a single user, and the rest of the sites should be blocked for him as per policy. If yes, then please share the guidelines or steps.

    Regards

  • Alias Details Popup Window does not show IP address

    5
    0 Votes
    5 Posts
    661 Views
    K

    @RonpfS

    Found the issue. The IP address was already listed at https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

  • Zeus Trackers

    1
    0 Votes
    1 Posts
    329 Views
    No one has replied
  • [Solved]:blocking a mobile app sonylive

    4
    0 Votes
    4 Posts
    487 Views
    S

    @BBcan177 Thank you issue has been solved.

  • Pfblocker ports

    8
    0 Votes
    8 Posts
    906 Views
    M

    @BBcan177 said in Pfblocker ports:

    @mikekoke said in Pfblocker ports:

    @BBcan177 said in Pfblocker ports:

    In the DNSBL tab. there is an option to create a Permit rule to allow VLANs to hit the DNSBL VIP on the open ports.

    I have already used that setting to select the two VLANs, but randomly the udp 443 and the tcp 4070 are also requested

    Not by DNSBL. Maybe the device that has domains being blocked tries to hit those ports?

    https://www.speedguide.net/port.php?port=4070

    The device that continues to connect to udp port 443 is a Sony Android smartphone but it is not possible to specify which one.
    It appears that the connection to port 443 udp is linked to a warning in DNSBL.

  • IPv6: doing something wrong OR bug?

    8
    0 Votes
    8 Posts
    1k Views
    jpgpi250

    @JeGr I shouted 'victory' too soon, or I'm missing something.

    I assumed I would simply select no interfaces in 'General Settings' / 'Interface/Rules configuration', but it appears you have to select at least one interface. What am I missing?

    Thanks a lot for your help.

    edit
    never mind / found it: List action: Alias Native, Looks like the rule isn't created with this option, only the alias
    /edit

  • Whitelisting dnsbl does not work

    2
    0 Votes
    2 Posts
    310 Views
    RonpfS

    @cjbujold said in Whitelisting dnsbl does not work:

    a force reload(cron job)

    You should do a Force Reload DNSBL or ALL. Cron will only process the Whitelist if the Feed that contains it is downloaded.

  • File Download/Speed Test Locks Up pfSense

    8
    0 Votes
    8 Posts
    713 Views
    G

    I guess I should have tested more thoroughly. I have pfBlockerNG and Suricata running on it. If I disable either of these services, then the device doesn't lock up...though with just Suricata, it struggles to fully saturate a 400Mb pipe.

  • Make sure good connectivity from other countries

    14
    0 Votes
    14 Posts
    917 Views
    NogBadTheBad

    You can drag the rules to suit, they are only re ordered when you add new rules or modify.

    Also you can define how they're added:-

    Screenshot 2019-06-19 at 08.22.28.png

    Or you could use pfBlockerNG to create aliases then roll your own firewall rules.

  • DNSBL Out of Sync after reloads/updates

    8
    0 Votes
    8 Posts
    2k Views
    A

    @BBcan177 Everything looked good and had the appropriate check box checked. I saved the existing DNS Resolver settings and that seemed to correct the issue. Didn't see anything in the logs that stood out.

    Saving DNSBL database... completed Reloading Unbound Resolver..... completed [ 06/18/19 20:40:10 ] DNSBL update [ 515852 | PASSED ]... completed Adding to existing Unbound custom options

    I'll consider this issue closed. Thank you for the support.

  • DNSBL, list dns calls not blocked

    3
    0 Votes
    3 Posts
    419 Views
    F

    @BBcan177

    Thank you for the update! It looks nice. Keep up the good work!

  • Custom pfBlockerNG rule order

    8
    0 Votes
    8 Posts
    1k Views
    S

    Just out of curiosity, is it not possible to have NAT/Port Forwarded rules placed in Floating Rules automatically or moved to floating rules?

  • Download/Update Feeds Error

    9
    0 Votes
    9 Posts
    2k Views
    BBcan177

    @arian_0098 said in Download/Update Feeds Error:

    cURL Error: 28

    Something is causing the timeout on your box... In the pfSense Resolver increase the "Log Level" to "2", and then review the "resolver.log" for the timestamp of the next updates, and see if you see any clues... also check the pfSense system.log for the same timestamps...

  • Does anyone know what these threat alerts are in list BBcan177/MS-1?

    2
    0 Votes
    2 Posts
    2k Views
    BBcan177

    @guardian said in Does anyone know what these threat alerts are in list BBcan177/MS-1?:

    It's pretty rare that I see anything from the list BBcan177/MS-1, but I saw a couple of alerts today.
    According to the source on github:
    https://gist.github.com/BBcan177/bf29d47ea04391cb3eb0/
    the list was last active Apr 23, 2019, so maybe it's no longer current.
    The alerts were: (I added the whois below)
    192.0.78.25:443
    unknown
    (OrgName: Automattic, Inc)
    205.185.216.10:443
    map2.hwcdn.net
    (OrgName: Highwinds Network Group, Inc.)
    192.0.78.25 was under a section headed by:
    https://twitter.com/benkow_
    and 205.185.216.10 was under a section headed by:
    https://twitter.com/pancak3lullz
    but neither twitter feed showed anything obvious.
    I know this is one of BBCAN177's manually curated lists, so I'm hoping either @BBcan177 or someone else here on the forum can advise.

    From the Reports/Alerts Tab, click on the blue infoblock icon for Threat Source Lookups:
    https://dnslytics.com/ip/192.0.78.25
    https://pulsedive.com/indicator/?iid=34202&ioc=MTkyLjAuNzguMjU=

    Some passive DNS Resolution for that IP:
    https://www.virustotal.com/gui/ip-address/192.0.78.25/relations

    This IP will be removed from the Feed.

    Also note, in the MS_? Feeds, when the source was from a tweet, the Tweet ID is listed as a comment. Some of the older entries didn't have this reference.

    For this IP: 205.185.216.10, it has a tweet reference:
    https://twitter.com/pancak3lullz/status/746040971675131906

    https://dnslytics.com/ip/205.185.216.10
    https://pulsedive.com/indicator/?iid=34167&ioc=MjA1LjE4NS4yMTYuMTA=

    Some passive DNS Resolution for that IP:
    https://www.virustotal.com/gui/ip-address/205.185.216.10/relations
    https://securitytrails.com/list/ip/205.185.216.10?page=1

  • How to selectively bypass DNSBL

    6
    0 Votes
    6 Posts
    1k Views
    G

    @provels said in How to selectively bypass DNSBL:

    @guardian Blind squirrel finds nut!
    Pictures at 11!

    Sorry, but that one went over my head.

  • Selected Category from Shalla List

    2
    0 Votes
    2 Posts
    461 Views
    J

    Thanks Sir BBcan177 for wonderful sharing and creation.
    This concern is now resolved.
    For newbies like me, please see the answer below from Sir BBcan:

    "BBcan177
    It's in the DNSBL Category Page... Enable Shallalist, and then click the checkboxes for the categories that you want to enable. Best to enable "TLD" option in the DNSBL Tab so that it wildcard blocks all domains/subdomains. Click on the blue infoblock icons for some more details for each option. Hope that helps get you started!

    A good tutorial:

    https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

    https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/

    Also check out Reddit:

    https://www.reddit.com/r/pfBlockerNG/"

    Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.