Netgate Discussion Forum

    Blocked Page

    Category: pfBlockerNG
    4 Posts 2 Posters 1.8k Views
    • ghostshell
      last edited by ghostshell

      Just started using pfBlockerNG-devel and love it so far; just having one issue: the blocked page only appears for sites visited on port 80, anything on 443 just gives "ERR_SSL_PROTOCOL_ERROR".

      If I go to a blocked site that is non-TLS/SSL, the blocked page shows up as wanted. I am blocking porn, so if I google porn and go to the first site that shows up, pornhub, it gives that error, no blocked page. Tried different settings and ports and had no luck. If I try the LAN interface instead of localhost and choose port 8445, I get a cert error that I cannot get past. I am using the unbound python option and have the check for HSTS enabled by default. At first I was using just unbound and ran into the same issue. Not sure how to get this fixed. Please let me know if any other info is needed.

      pfSense 2.5.1
      pfBlockerNG-devel 3.1.0

      • Gertjan @ghostshell
        last edited by

        @ghostshell said in Blocked Page:

        pfSense 2.5.1

        There is a fix for this: pfSense 2.5.2 corrected many things.

        @ghostshell said in Blocked Page:

        anything on 443 just gives "ERR_SSL_PROTOCOL_ERROR"

        That is what you want to happen.

        When you visit the site of your bank, but the domain was listed in a DNSBL you use, and you are redirected to some 'pfBlockerNG-devel' generated page that is not your bank (right ?!!), do you want that site/page to have the certificate stating that it is your bank?
        Because, if that were possible, it would be the end of secured connections.
        The page that pops up to inform you that the site you wanted to visit is blocked by pfBlockerNG works great for non-https connections: it must use port 80.
        And you already knew you don't want this to happen when using https over port 443, as your browser is going to check the host or domain name that the web server returns. And the web page generated by pfBlockerNG can't have the certificate of the site of your bank, or of any other https domain name on the Internet.
        This boils down to: it's useless to have a page pop up to inform the visitor that the site he wanted to visit is 'blocked'. There are no more public sites that use "port 80" as their main entry point. Everything is https these days.
        You can disable the 'web server blocked page' facility of pfBlockerNG. No one will ever repair this functionality.

        So:

        @ghostshell said in Blocked Page:

        Not sure how to get this fixed.

        The day this gets fixed, the Internet itself will be gone ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • ghostshell @Gertjan
          last edited by

          @gertjan From the developer:

          https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/

          • Gertjan @ghostshell
            last edited by

            @ghostshell said in Blocked Page:

            https://www.reddit.com/r/pfBlockerNG/comments/lnczld/is_dnsbl_webserver_for_ssl_https_connections/

            I don't understand what has been said there.
            pfBlockerNG-devel logging isn't the issue here. The internal unbound (python, or not) or Lighttpd logs are not available to our browsers.
            Our browser sees what the web server @10.10.10.10:443 is replying after a page request.
            It doesn't understand the answer.

            What I think** is happening:
            Our browser caches web server certificates, as HSTS has become widespread.
            So, our browser knows what type of cert it should get back from the web server. Because it caches certificates, for days, weeks, or even months (so naughty you, you've visited this site already once without pfBlockerNG ;) - the cert was loaded and cached).
            Many encryption types exist, and the self-generated (self-signed) cert from the web server of pfBlockerNG does not have the right 'format'. If it had the right format, the host name would have been verified (and the date and many more aspects) and then a more understandable error would have been shown.

            This issue can not be resolved. Our browsers could show a more comprehensible message, true, but it all boils down to:
            You wanted to visit a.tld but b.tld replied.
            That's a MITM situation and that's a no-go.

            ** Firefox is open source, so the source code will show the exact conditions of the error.

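The name check Gertjan describes, as an added example (not code from this thread or from pfBlockerNG): Go's crypto/x509 verifies a constructed self-signed certificate, standing in for the one the DNSBL web server presents, against the name the browser asked for. The hostnames are made up; the check fails for the blocked domain even when the user has imported the block page's certificate as trusted, and passes only when the page is requested under its own name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Constructed names: the block page's own hostname and a domain on a DNSBL list.
const blockPageName, blockedSite = "dnsbl-blockpage.local", "blocked.example"

// selfSignedCert builds an in-memory self-signed certificate for name (a stand-in for the cert pfBlockerNG's web server generates for itself).
func selfSignedCert(name string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name}, // the only name this cert is valid for
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Verdict does what a browser does with a presented certificate: chain it to a trusted root
// and match it against the name the user typed. trusted=true models a user who imported the block page's cert.
func Verdict(cert *x509.Certificate, wantName string, trusted bool) string {
	roots := x509.NewCertPool() // empty pool: a self-signed cert is unknown to the client
	if trusted {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: wantName, Roots: roots})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "hostname mismatch" // asked for a.tld, got b.tld's cert: indistinguishable from a MITM
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	default:
		return "other: " + e.Error()
	}
}

func main() {
	cert := selfSignedCert(blockPageName)
	fmt.Println(Verdict(cert, blockedSite, true), "|", Verdict(cert, blockPageName, false), "|", Verdict(cert, blockPageName, true))
}
```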
