• Disable specific email from pfBlocker?

    0 Votes, 3 Posts, 352 Views

    I solved by deleting the relevant rules. (pfB_Top_v4')

  • pfBlockerNG-devel v2.2.5_18

    5 Votes, 20 Posts, 5k Views

    @bbcan177 If I have multiple VLANs configured and I want different rules for different VLANs, how do I do it? How do I create aliases using DNS blacklist, at least via pfBlockerNG?

  • Global Logging option

    0 Votes, 2 Posts, 1k Views, last post by BBcan177

    @qwerty123 said in Global Logging option:

    In pfblocker, I see a "global logging" option in the settings. I was wondering what this option does.
    Ideally, I'd like to move the alerts from the reports tab (specifically, dnsbl but ideally both) into the firewall logs, so I can see where it's getting blocked. If this is not an option, the other idea I had was trying to get it to send the logs to syslog.

    The "Global Logging" option is used to globally enable Firewall Rule Logging (When using Auto rules). Alternatively, you would enable/disable logging in each IP Alias independently.

    All IP/DNSBL logs are saved to the Alerts Tab. It's best to use that tab instead of the pfSense Firewall log. DNSBL logs are not visible in the Firewall logs anyway.

    Also recommend to move to pfBlockerNG-devel.

  • Reputational sources?

    0 Votes, 2 Posts, 470 Views, last post by BBcan177

    pfBlockerNG already has all of this functionality... Check out pfBlockerNG-devel.

  • DNSBL Webserver Interface

    0 Votes, 2 Posts, 3k Views, last post by BBcan177

    @bhjitsense

    This just defines what interface to bind the DNSBL Webserver to. You can just use LAN.

    If you have VLANs, then select the DNSBL Permit Rule option and select the Interfaces that should be allowed to hit the DNSBL webserver address. This will create a Floating Permit rule with those settings.

  • Best practice solution for a blocked IP

    0 Votes, 2 Posts, 458 Views, last post by BBcan177

    @kiekar

    Just create a new Whitelist for the WAN. You can add the IPs to the customlist at the bottom. With pfBlockerNG-devel you can add IPs to the whitelist automatically by clicking on the "+" icon.

    You can use the Adv. Inbound Rule settings, to only allow these specific whitelist IPs to access the mail server LAN IP and its open ports.

  • ACL's support?

    0 Votes, 4 Posts, 849 Views, last post by BBcan177

    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

  • TOP1M Whitelist configuration

    0 Votes, 2 Posts, 3k Views, last post by RonpfS

    The TOP1M feed can be used to whitelist the most popular Domain names to avoid false positives.

    So it is used to remove popular domains from your blocklist. If you inspect pfblockerNG.log you will see that in action:

    [ Phish_OpenPhish ] Downloading update
    11/24/18 11:20:07 | .
    11/24/18 11:20:07 | . 200 OK
    11/24/18 11:20:07 | . TOP1M Whitelist: risechma.weebly.com|tw.screener.finance.yahoo.net|
    ----------------------------------------------------------------------
    Orig.     Unique    # Dups    # White   # TOP1M   Final
    ----------------------------------------------------------------------
    1846      742       211       0         2         529
    ----------------------------------------------------------------------
    11/24/18 11:20:11 | IPv4 count=13
    11/24/18 11:20:11 |

    In this case it removed 2 domain names from the blocklist.

  • How is this site bypassing pfBlocker (and Adblock)

    0 Votes, 5 Posts, 1k Views, last post by BBcan177

    @atlan

    Not at the moment; however, when the Unbound Resolver python integration is added, we will be able to do regex blocking amongst many other new features.

    I have been waiting for the devs to add the python integration so that the package could easily integrate with the Resolver without unnecessary backend workarounds.

  • 0 Votes, 2 Posts, 565 Views, last post by BBcan177

    Do you have VLANs? If so, make sure that the devices on the vlan can ping and browse to the DNSBL VIP address. There is a "Permit Firewall Rule Option" in the DNSBL Tab which can be used to create a Floating Permit firewall rule to allow your vlan segments to hit the DNSBL VIP address, otherwise the VLANs could timeout when trying to connect to the DNSBL Webserver.

  • Still having classic problem of blocked URLs with 'unknown' feed

    0 Votes, 3 Posts, 940 Views, last post by BBcan177

    @talaverde said in Still having classic problem of blocked URLs with 'unknown' feed:

    Even after a completely fresh reinstall, I keep getting unwanted URLs on the DNSBL block list with 'unknown' feed. Here are some examples:
    wsapi.skype.com
    static.asm.skype.com
    consumer.entitlement.skype.com
    in.appcenter.ms

    All of these domains above have a CNAME. Is it possible that these CNAMES are in your Blocklists?

    drill @8.8.8.8 wsapi.skype.com
    wsapi.skype.com.  2995  IN  CNAME  client-ws.gateway.messenger.geo.msnmessenger.msn.com.akadns.net.
    client-ws.gateway.messenger.geo.msnmessenger.msn.com.akadns.net.  59  IN  CNAME  eus-wsapi.cloudapp.net.
    eus-wsapi.cloudapp.net.  58  IN  A  13.92.27.116

    drill @8.8.8.8 static.asm.skype.com
    static.asm.skype.com.  1657  IN  CNAME  static-asm-skype.trafficmanager.net.
    static-asm-skype.trafficmanager.net.  299  IN  CNAME  nus1-authgw.cloudapp.net.
    nus1-authgw.cloudapp.net.  52  IN  A  40.77.16.143

    drill @8.8.8.8 consumer.entitlement.skype.com
    consumer.entitlement.skype.com.  1969  IN  CNAME  sconsentit9.trafficmanager.net.
    sconsentit9.trafficmanager.net.  299  IN  CNAME  sconsentit903.cloudapp.net.
    sconsentit903.cloudapp.net.  8  IN  A  40.122.44.183

    drill @8.8.8.8 in.appcenter.ms
    in.appcenter.ms.  732  IN  CNAME  in-secondary-prod-east-us2.prod.avalanch.es.
    in-secondary-prod-east-us2.prod.avalanch.es.  129  IN  CNAME  0e6fa46e-9c94-4256-b449-4f54c1f1e69f.cloudapp.net.
    0e6fa46e-9c94-4256-b449-4f54c1f1e69f.cloudapp.net.  47  IN  A  13.68.31.193

    drill @8.8.8.8 download.windowsupdate.com
    download.windowsupdate.com.  1303  IN  CNAME  2-01-3cf7-0009.cdx.cedexis.net.
    2-01-3cf7-0009.cdx.cedexis.net.  239  IN  CNAME  b1ns.au-msedge.net.
    b1ns.au-msedge.net.  27  IN  CNAME  b1ns.c-0001.c-msedge.net.
    b1ns.c-0001.c-msedge.net.  27  IN  CNAME  c-0001.c-msedge.net.
    c-0001.c-msedge.net.  27  IN  A  13.107.4.50

    grep -r -l "wsapi.skype.com" /var/db/pfblockerng/*
    When I run this command, these files show up
    /var/db/pfblockerng/dnsbl_cache.sqlite
    /var/db/pfblockerng/pfbalexawhitelist.txt
    /var/db/pfblockerng/top-1m.csv
    Even if I delete those files and run a reload update, they still show up. They won't go away. I figure out how to keep these from being blocked or showing up on the list. It seems like every .skype.com subdomain is being blocked. I've added skype.com, .skype.com and even the subdomains themselves to my whitelist. Still, no difference.
    Any thoughts?
    What is dnsbl_cache.sqlite? Is that just a log?

    The dnsbl_cache.sqlite is a database to show the last blocked event. You don't need to delete that file. And definitely don't need to delete the TOP1M Database (Whitelist).

    You need to grep for DNSBL events as:

    grep "example.com" /var/db/pfblockerng/dnsbl/*

  • Website Images won't load

    0 Votes, 3 Posts, 407 Views

    Thanks for the tip. I used the developer tool to see the url path. All is fine now.

  • How do I block visitors by country using IP address ranges?

    Moved, 0 Votes, 4 Posts, 490 Views, last post by Derelict

    https://www.youtube.com/watch?v=g0KOcfGicjM

  • pfBlockerNG - DNSBL TLDs -- White list?

    0 Votes, 3 Posts, 849 Views

    Ah, yes, that's what I was understanding.

    I don't know if anyone else would be interested, but I would certainly use TLD blocking with the alternate model (blacklist by default, whitelist desired TLDs, and then process exceptions to the whitelist by adding in specifically blacklisted domains).

    Generally, I think that would give me a more maintainable list. I assume most of the newer .tlds are junk (at this point in time, anyway). Rather than trying to keep up with that list, I'd rather have the option to define the list of known good (and most widely used), and go from there.

    Anyway -- just a thought for the future -- maybe others would use that as well.

    The package is great, thanks for all of the work!

  • Some DNSBL feeds inop

    0 Votes, 3 Posts, 634 Views

    Grimson,

    I did search, both via Google and in the forums, and did not see it. Thanks for the link.

  • 0 Votes, 21 Posts, 3k Views

    @ronpfs said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:

    With DHCP registration checked, unbound restarts with every new lease.
    When you save DHCP settings, it also restarts unbound. So it's "normal" behaviour to see the 100% in the Widget.

    At this point I can live without an accurate % as long as nothing else is happening that would cause negative effects. At this point I am going to leave settings where they are and see what happens. Right now I'm getting an accurate measurement of blocking at 22.36% (4,382 of 19,608), and my DNS names are showing up in BandwidthD, which I expect will disappear at some point and revert to "configure dns to see names". If/when it does, I'll decide which is more important, knowing % blocked or resolving names.

    Roveer

  • pfBlockerNG (devel) and RAM Disk (Good? Bad?)

    0 Votes, 4 Posts, 1k Views

    I agree that the RAID-0 could be considered 'overkill'. This is why I originally was using RAID-1. However, I started to see significant performance degradation. Then I learned that INTEL RAID only supports TRIM on RAID 0, not on RAID 1. So, it was more out of necessity. I suppose I could have had separate non-raid SSDs, but I chose to have a single volume, to keep it simple. The extra performance doesn't help. I'm getting a full 1000 MB/s read/write.

    If I were buying new hardware, I would buy ONE NVMe SSD (non RAID), but I have to work with what I have.

    After a few weeks with this setup, I've been quite happy with the performance and stability.

    Now, I'm trying to fine-tune exactly which feeds I add. The biggest performance hit I see now is when I add too many feeds, or the very large feeds (BBC, hpHosts). I think I'm noticing excessive latency with large lists like those. Since I get very few hits on those lists, I've dropped them for now. I may add them back slowly to see if things change.

  • Does pfBlockerNG work in pure ipv6 environment?

    0 Votes, 6 Posts, 2k Views, last post by NogBadTheBad

    @BBcan177 Maybe enable the ability for the web server to also run on IPv6 and add AAAA records.

    @isaacfl said in Does pfBlockerNG work in pure ipv6 environment?:

    @nogbadthebad

    When I nslookup adservice.google.com I get:

    Name: adservice.google.com
    Address: 10.10.10.1

    So there is no AAAA record.

    ping adservice.google.com gives me:
    Ping request could not find host adservice.google.com. Please check the name and try again

    Nothing ever shows in the pfBlockerNg logs though.

    So probably not going to work very well in an ipv6 only environment.
    My prior adblocker would always respond with both an A and an AAAA record for blocked sites.

  • DNSBL enabled fail, SSL handshake failed

    0 Votes, 5 Posts, 2k Views

    I did the steps to no avail.
    I have uploaded my unbound.conf and remotecontrol.conf. Hopefully you can help me figure out what setting is wrong.
    0_1542452701420_conf.zip

  • Hostnames bug in DNSBL Alert tab

    0 Votes, 2 Posts, 215 Views

    Running pfSense 2.4.4-RELEASE (amd64) and the latest pfBlockerNG devel, and I can confirm this same issue.

    Example: "192.168.10.10 - blops3 udp port" which appears to be one of my NAT port forward descriptions.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.