• Iblocklist How to add my IP Lists

    14
    0 Votes
    14 Posts
    4k Views

    That's an awesome List, thank you for sharing it @anttechs
    I was just surfing all the way up and down to find sth similar, here it is. Just amazing!

    Edit
    I really do not know if it should have been mentioned here, but on http://iplists.firehol.org/ there is a comparison of several freely accessible lists.
    As it surely needs a little "work-in", imo it has the option to provide a good overview over several lists and even how individual lists overlap with one another.

    I just found it recently. As I see it, it might provide one with a nice and unique overview, though it might need some time to get even this. Anyway, I guess it might be a good addition for any searches.

  • IPv6 Feeds won't show up in list

    1
    0 Votes
    1 Posts
    163 Views
    No one has replied
  • white list to domains amazonaws.com

    1
    0 Votes
    1 Posts
    153 Views
    No one has replied
  • Replace 1x1 with whitelist options?

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • CIDR Aggregation?

    1
    0 Votes
    1 Posts
    332 Views
    No one has replied
  • 0 Votes
    3 Posts
    806 Views
    RonpfS

    Try this:

    grep "maxmind.com" /var/db/pfblockerng/dnsbl/*.txt /var/db/pfblockerng/dnsblorig/*.orig /var/unbound/pfb_dnsbl.conf /usr/local/pkg/pfblockerng/dnsbl_tld

    It provides some more info about the pfBlockerNG db.

  • PfBlockerNG and Plex port problems

    5
    0 Votes
    5 Posts
    2k Views
    chudak

    @tac57

    I don't use Plex anymore, so no comments, sorry

  • Another feed "down" - www.malwaredomainlist.com

    2
    0 Votes
    2 Posts
    426 Views
    RonpfS

    Change the State to Flex 😉

  • How allow (disable pfblocker) to my tivo vlan?

    3
    0 Votes
    3 Posts
    532 Views

    That must have felt good. Happy holidays.

  • Unbound restarting more frequently?

    8
    0 Votes
    8 Posts
    1k Views
    Gertjan

    Exact.
    Static ones are ok, they are known - and when the lease is renewed, DNS doesn't restart.
    Classic DHCP, if checked, will restart DNS.
    This is a known subject (I won't call it an issue, but if unbound has a lot of work to do at startup, like rowing through all these pfBlockerNG feed files, and you have a 'light' system (processor, disk, whatever), then yes, it starts to take time).

  • Activated Feed group name missing

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • pfblocker defend rdp/rds brute force attacks

    5
    0 Votes
    5 Posts
    1k Views
    chpalmer

    Security through obscurity.. (if you believe that..)

    Use a different port number. That will keep some of it down.

  • Ram used

    4
    0 Votes
    4 Posts
    661 Views

    @bbcan177 I am already using pfBlockerNG-devel, and I read yesterday about this bug with unbound reported after @RonpfS told me.
    pfBlocker is doing its job from what I saw; I was just curious about the RAM behavior.
    Thanks both for the help.

  • Does it really matter????

    3
    0 Votes
    3 Posts
    682 Views

    @ronpfs said in Does it really matter????:

    A SSD could improve processing, but a decent HD should be ok.

    Many thanks that's all I needed to know really.

    Bless you, my friend, and have a happy Xmas and new year ;)

  • PfBlockerNG 2.0 & BIND 9.4

    6
    1 Votes
    6 Posts
    3k Views

    Won't this option work from my previous post:

    DNSBL is hardcoded to only use Unbound. However, you can still use Bind but would have to set Bind's Outbound Forwarder to point to the pfSense Resolver so that DNSBL could be utilized.

    Sure, I've successfully tried to use unbound as bind's forwarder to allow DNSBL. The downside of this solution is the poor dns performance and the overall complexity of the setup.

    The advantages of a setup using pfBlockerNG and bind are:

    - an authoritative dns server to host local zones
    - DNSBL features in place per view (which can be similar to defining DNSBL per Interface)
    - the functionalities from bind itself
    - few dependencies

    I found a very nice way to put all the zones from pfBlockerNG into bind using the RPZ feature (http://www.zytrax.com/books/dns/ch9/rpz.html). This way I've added ~300.000 blocklist zones into several views with a very low memory footprint :) I'll update the script in my github repo.

  • pfBlockerNG-devel spamming php error keep current gateway

    4
    0 Votes
    4 Posts
    665 Views
    BBcan177

    @dragoangel

    I still don't see this related to the package. It sounds like something is incorrectly configured for the gateways... Check the pfblockerng.log, resolver.log, system.log for more clues to see if you can narrow it down. Best to post this question to the applicable Forum for more traction.

  • DNSBL alias

    4
    0 Votes
    4 Posts
    757 Views
    BBcan177

    @expert_az
    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

  • disable dnsbl from cron

    4
    0 Votes
    4 Posts
    686 Views
    BBcan177

    @razaqad said in disable dnsbl from cron:

    I'm a noobie to pfSense. Can someone tell me an example script to fulfill the purpose, which I can call with cron to start and stop pfBlocker at specified times?

    There is no example. It's a custom script that might take some time to code and test. This is something that I want to add to the package at some point, but maybe for next year.

  • What happens to POST request method?

    3
    0 Votes
    3 Posts
    355 Views

    I am really not experienced in this, but looking at the pcap files I see the DNSBL Webserver ends the connection with

    DST: HTTP/1.1 200 OK
    DST: Cache-Control: private, no-store, no-cache, must-revalidate, max-age=0

    I guess it does not store any data on pfsense, otherwise the pfsense box would run out of storage in minutes.
    I can say that this has no effect on the firewall itself (other than the processing power), however, it could actually saturate the local bandwidth because I've seen that one device uploading around 300MB in a couple of minutes.

    Of course I can set up limiters, but why not prevent that client from uploading in the first place?
    So, is there a way to allow clients to perform only GET requests from the DNSBL webserver? Since they shouldn't be uploading anything really (again, I am really not experienced and I don't even know if this is a valid approach).

    The VIP address is configured to listen to a LAN interface.

    Other than that, the pfBlockerNG is working great and it's awesome.

    Thanks!

  • How to restrict custom websites with PfBlockerNG-Devel?

    7
    0 Votes
    7 Posts
    1k Views
    BBcan177

    @jmiller said in How to restrict custom websites with PfBlockerNG-Devel?:

    You're referring to the domains people are visiting that are generating the tagged ads, not the ads etc. lists, right? Because I used the wizard and took all the default settings, and no matter what site my users go to it generates the Certificate error. The site is still reachable, but boy do I hear the bitching about all the cert errors, and I've been trying to stop that. Thx in advance for any input and keep up the great work. Excellent package for Pfsense!!

    It's usually some google domains... but probably just a handful of them at the moment... and yes the domains.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.