Netgate Discussion Forum

    pfBlockerNG v3.2.0_9

    • T
      TheNarc @BBcan177
      last edited by TheNarc

      @BBcan177 Thank you! Out of curiosity, will this update include support for AdBlock style feeds now needed for OISD and referenced here?

      Edit: Never mind, I found the PR and see that this update is specific to the MaxMind changes.

      1 Reply Last reply Reply Quote 2
      • keyserK
        keyser Rebel Alliance @BBcan177
        last edited by

        @BBcan177 Does that mean the -Devel track will start seeing new changes?

        Builtin syslog support for logging?
        Proper rotation of logfiles (so they don't get fully picked up again @ rotation by syslog-ng/telegraf and other logfile monitors)?
        Perhaps full wildcard no AAAA filtering (top level or even entire “no AAAA”)

        Excellent package you are maintaining. Thank you for the great job you are doing

        -Keyser

        Love the no fuss of using the official appliances :-)

        UnoptanioU 1 Reply Last reply Reply Quote 1
        • UnoptanioU
          Unoptanio @keyser
          last edited by Unoptanio

          @keyser

          I received the communication via email from MaxMind.

          The change starts from May 1, 2024

          04fc57fb-87ec-427b-8149-b34eccc26bd5-image.png

          pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
          CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5” SSD 1TB (ZFS) Raid1
          n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

          1 Reply Last reply Reply Quote 0
          • fireodoF
            fireodo
            last edited by

            Hi,

            until today 04.04.2024 no update to 3.2.0_9 available ... :-(

            Regards and thanks,
            fireodo

            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
            pfsense 2.8.0 CE
            Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

            M 1 Reply Last reply Reply Quote 0
            • M
              mcury Rebel Alliance @fireodo
              last edited by

              @fireodo said in pfBlockerNG v3.2.0_9:

              Hi,

              until today 04.04.2024 no update to 3.2.0_9 available ... :-(

              Regards and thanks,
              fireodo

              3.2.0_8 just released for 23.09.1

              dead on arrival, nowhere to be found.

              BBcan177B fireodoF 2 Replies Last reply Reply Quote 1
              • BBcan177B
                BBcan177 Moderator @mcury
                last edited by

                @mcury yes, for that pfSense version it is _8

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                1 Reply Last reply Reply Quote 3
                • MarinSNBM
                  MarinSNB
                  last edited by

                  Just updated to the _8 version and updated the Maxmind account number & license key (appreciate the heads up warning during initial reload progress logs and on the IP tab). Force reloaded IP/DNSBL afterwards and everything went smoothly. Thank you so much @BBcan177 for your efforts and hard work!

                  Netgate 6100 Max pfSense+
                  —>Unifi Aggregation/24 Pro PoE/24 PoE Enterprise switches
                  —> UCK2+
                  —> 3x U6E APs

                  1 Reply Last reply Reply Quote 0
                  • fireodoF
                    fireodo @mcury
                    last edited by

                    @mcury said in pfBlockerNG v3.2.0_9:

                    3.2.0_8 just released for 23.09.1

                    Updated the CE 2.7.2 to 3.2.0_8 too and everything fine.

                    Thanks again @BBcan177
                    regards, fireodo


                    UnoptanioU 1 Reply Last reply Reply Quote 0
                    • UnoptanioU
                      Unoptanio @fireodo
                      last edited by

                      @fireodo
                      pfSense 2.7.2. CE:

                      Before update:

                      fd2ae07c-44e7-449e-89dd-2bde0c825130-image.png

                      After Update to pfBlockerNG v3.2.0_8

                      635de178-76d2-4fd6-a8e9-be7f9fa20764-image.png


                      fireodoF 1 Reply Last reply Reply Quote 0
                      • fireodoF
                        fireodo @Unoptanio
                        last edited by

                        @Unoptanio said in pfBlockerNG v3.2.0_9:

                        After Update to pfBlockerNG v3.2.0_8

                        Yes, here you have to put your MaxMind Account ID (six numbers in my case). Look in your MaxMind account and you will find your account ID there.
                        Or do you want to ask something else?


                        UnoptanioU 2 Replies Last reply Reply Quote 1
                        • UnoptanioU
                          Unoptanio @fireodo
                          last edited by

                          @fireodo
                          OK done.
                          I entered the account ID. Also a 6-digit number in my case.


                          1 Reply Last reply Reply Quote 1
                          • UnoptanioU
                            Unoptanio @fireodo
                            last edited by

                            @fireodo

                            Excuse me,
                            Can you tell me why some sites are blocked by viewing this screen with the reason and other sites are blocked by displaying a totally black page with a dot in the center?

                            Can the black screen with the dot in the center be customized?

                            21b4519e-4f03-4618-ad7c-3e5c4dbbadcf-image.png

                            78aa884d-b469-4d09-ba5a-d1290c5df97d-image.png


                            fireodoF GertjanG 2 Replies Last reply Reply Quote 0
                            • fireodoF
                              fireodo @Unoptanio
                              last edited by fireodo

                              @Unoptanio said in pfBlockerNG v3.2.0_9:

                              Can you tell me why some sites are blocked by viewing this screen with the reason and other sites are blocked by displaying a totally black page with a dot in the center?

                              Here is the explanation offered by BBcan177 some years ago:
                              "This is only displayed when a full Domain is blocked and not for an ADvert on a page! You can also create your own page to display any customizations. "

                              When an ADvert is blocked you see only that 1x1 pixel image.


                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan @Unoptanio
                                last edited by

                                @Unoptanio said in pfBlockerNG v3.2.0_9:

                                Can the black screen with the dot in the center be customized?

                                Long story short : you can not and you will not break TLS == https.

                                In the good old days, it was ok if a site http://www.some-site.tld redirected the visitor to http://www.another-site.tld. It was great, and everybody trusted everybody and we were all happy.

                                Later on, for obvious reasons, https was introduced. For example : this site, the forum :

                                You're visiting https://forum.netgate.com/...... and your browser received a certificate from that server that says :

                                5691040b-826b-4789-bf84-db3aff4b9ea2-image.png

                                so all is well.

                                Now, back to pfBlockerng.
                                If a browser wants to visit http://www.google.com, the host name google.com is listed in a DNSBL, and you've selected "DNSBL Webserver", then pfBlockerng, by way of the resolver, will send the browser the IP of the pfSense pfBlockerng web server to show you that the page was blocked.
                                Nice.
                                But wait ...... does your pfBlockerng have the certificate that says it is "google.com" ?
                                Do you think you can get one ? Do you own google.com ?
                                Nope to all this.
                                So, these days, modern browsers won't show the black pfBlockerng page (the one you've shown) at all. Just a big huge ugly error page.
                                The solution is :

                                eacb5ad2-3561-42d0-8888-ffb1a4f916e4-image.png

                                so the pfBlockerng won't show any informative pages anymore.
                                After all : you can't and don't want to break TLS = https.

                                If you have users on your network that actually visit crappy host names and still use http (port 80) then pfBlockerng is actually useful.
                                But it also means you have a huge security issue : you have people on your network (LAN !!) using ancient technology. Things will go bad fast, have a talk with them, and if needed, throw them off your network.
                                Or block port 80 TCP altogether.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                UnoptanioU 1 Reply Last reply Reply Quote 1
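Added example, not part of Gertjan's post and not pfBlockerNG code: a small model of the check a browser makes after the resolver answers a listed name with the block server's IP, showing why plain HTTP gets the block page and HTTPS gets a certificate error. The blocklist entries, the certificate name `dnsbl.sinkhole.invalid` and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not read from a real pfBlockerNG install)
DNSBL = {"ads.example.net", "tracker.example.org"}
SINKHOLE_CERT_NAMES = ["dnsbl.sinkhole.invalid"]  # names in the block server's own certificate


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard ("*.com" is refused)
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def browser_outcome(url: str, dnsbl=DNSBL, cert_names=SINKHOLE_CERT_NAMES) -> str:
    """What the user sees when a listed host resolves to the block server."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in dnsbl:
        return "not blocked"
    if parts.scheme == "http":
        # Plain HTTP carries no server identity, so any server can answer.
        return "block page shown"
    if parts.scheme == "https":
        # The browser compares the requested host with the names in the
        # certificate it was handed; the block server cannot hold a trusted
        # certificate for a domain it does not own, so this fails.
        if any(name_matches(n, host) for n in cert_names):
            return "block page shown"
        return "certificate error"
    return "unsupported scheme"


if __name__ == "__main__":
    for u in ("http://ads.example.net/banner.gif",
              "https://ads.example.net/banner.gif",
              "https://forum.netgate.com/"):
        print(f"{u:40} -> {browser_outcome(u)}")
```
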
                                • UnoptanioU
                                  Unoptanio @Gertjan
                                  last edited by Unoptanio

                                  @Gertjan

                                  my config:
                                  22f0563f-1930-4c09-99cd-c0637fe018b9-image.png

                                  Do I change everything to: Null Block (logging) ?

                                  I'm trying...

                                  When I do SAVE it doesn't save the changes in the combo lists and shows me DNSBL webserver/VIP (global)
                                  43df13aa-b3b0-4a70-86c0-2849b2a0445d-image.png

                                  Going inside the tab, it seems to have saved.
                                  180e5334-5755-4f1f-a363-b212dd55f6f1-image.png


                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    SteveITS Galactic Empire @BBcan177
                                    last edited by

                                    @BBcan177 As per https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/54 (and https://redmine.pfsense.org/issues/14189) the account ID doesn't sync to the HA backup without adding the one line fix "pfblockerng_sync_on_changes();" to pfblockerng.php (and waiting for cron to run).

                                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                    Upvote 👍 helpful posts!

                                    1 Reply Last reply Reply Quote 1
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.