Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNG v2.0 w/DNSBL

    Scheduled Pinned Locked Moved pfBlockerNG
    1.1k Posts 192 Posters 1.7m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      Harvy66
      last edited by

      @reggie14:

      @Harvy66:

      I manually set ad domains to 127.0.0.1, which results in a "Non-existent domain" response from Unbound. No waiting for timeouts. A website or app that breaks if ads can't be reached is a site or app I don't care about. Others may not be able to say that.

      Every website that has annoying ads, I've been blackholing DNS for over a year without issues. Results may vary.

      Truth be told, I suspect blackholing undesirable traffic along those lines should work for most things.  I haven't tried it myself to see what could go wrong.  But, that kind of blackholing would kill the logging system pfBlockerNG uses for the Alerts page.  For non-HTTPS traffic, pfBlockerNG logs blocked traffic when an endpoint pulls down the php page that its redirected to.  This logging method has the advantage of logging blocked traffic even when DNS entries are cached by an endpoint, and also captures other useful diagnostic information, such as the referrer URL, which tells you what page you were looking at that had the blocked traffic.

      Redirection doesn't work for HTTPS traffic, as the browser won't complete a TLS handshake with the DNSBL webserver due to the certificate issue.  So, BBcan177 came up with a workaround that basically logs the failed HTTPS connection.  But, while alerts are still logged, this method doesn't provide the same amount of information.

      Getting the Alerts working reliably is very important.  The common DNS blocklists include things that definitely will break stuff.  Many include various AWS domains, which breaks all kinds of things.  Separate from that, I found that the Amazon and HBO Go apps did not work properly until I unblocked a few domains.  I'm sure those aren't the only examples.

      My guess is my limited list doesn't cause issues, but when you feed a list of 1k+ records, one of those may break a page. In general, web pages should function on their own, except when referencing CDN resources.

      The only time I care about logging is when debugging an issue. Being a home user, I have the convenience of debugging after the fact instead of digging through logs for a one-off that needs to be solved.

      What I really don't want is yet another service listening to a port on my firewall. But if there is a high enough risk of breaking popular sites, then I guess I'd rather not blackhole. I'd be interested to know what that risk is. How many of the top 1000 sites completely break when blackholing DNS instead of redirecting?

      There is also the issue that Chrome and others are looking at making self-signed certs virtually useless in the near future. I'd rather not have to install a self-signed CA to every device on my network, especially when visitors come over.

      "Hey bro, I have this ad block on my network, you'll need to add my self-signed root-CA to your computer, otherwise your browser is going to throw a tantrum on every site you visit"

      Just saying.

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        @Harvy66:

        "Hey bro, I have this ad block on my network, you'll need to add my self-signed root-CA to your computer, otherwise your browser is going to throw a tantrum on every site you visit"

        Hi Harvey, there is nothing in the Instructions to require adding any self-signed CAs to any browser? As reggie14 has stated, adding a Self-Signed CA to a browser will not achieve anything either.

        There is a self-signed CA for DNSBL but that is only there so that the Browser will terminate the connection when it sees that it is not a valid cert for HTTPs. Without a DNSBL Cert, the Browser will take more time to terminate the session. DNSBL then uses the Lighttpd error.conditional log to find the Domains that failed and log those requests to the Alerts Tab.

        I think its best not to base everything on a few exceptions that break browsing, or cause some nuisance alerts. Most of those seem to be on Safari anyways. Suppressing those domains is also easy to accomplish.

        And if you have a Guest network, and you wanted to bypass DNSBL, then you would just assign a different DNS server (ISP or Google) for that LAN segment via DHCP and the issue is moot.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • R
          reggie14
          last edited by

          Getting back to the main issue, I'd be curious to see some examples of websites that generate a HTTPS/TLS warning/error message.  I haven't had any recently, except for when I click on a link that redirects me through tracking domains (SlickDeals.net are a good example of this).  I haven't gotten any error messages when there's simply an ad on a page that gets blocked.

          1 Reply Last reply Reply Quote 0
          • S
            superapan
            last edited by

            Hi, I'm a bit confused as how to configure pfBlockerNG.

            I run a server, just a Mumble and a game server. I only wish them to be port-forwarded for IPs of my country (Sweden).

            For instance, Mumble runs on the default 64738. I have it port-forwarded in firewall NAT. With pfBlockerNG running, I select 'Sweden' under Countries->Europe. Under 'List Action' I select 'Permit Both'. I Force Update.

            Rule order is default pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match.

            My UK-based friend has no issues connecting, which is not my intention.  How exactly would I go about to configure this?

            Thanks a bunch in advance.

            1 Reply Last reply Reply Quote 0
            • G
              Gerard64
              last edited by

              Select all countries except Sweden. Set action to deny inbound.

              1 Reply Last reply Reply Quote 0
              • D
                doktornotor Banned
                last edited by

                @Gé:

                Select all countries except Sweden. Set action to deny both.

                Nooooooooooooooooooooooooooooo!!! Here we go again.

                Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

                1 Reply Last reply Reply Quote 0
                • G
                  Gerard64
                  last edited by

                  Again?
                  Geez  :o

                  1 Reply Last reply Reply Quote 0
                  • S
                    superapan
                    last edited by

                    @doktornotor:

                    @Gé:

                    Select all countries except Sweden. Set action to deny both.

                    Nooooooooooooooooooooooooooooo!!! Here we go again.

                    Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

                    This much I've realized. It's just that exactly how I would go about doing what you just described? Does it mean 'List Action' be 'Alias'? Do these aliases have anything to do with the aliases in Advanced Inbound Firewall Rule Settings? I apologize for my ignorance, it's just that the one sentence "Use the Sweden as alias for the traffic source on the port-forwarding rule" doesn't explain it enough for me, unforuntately.

                    1 Reply Last reply Reply Quote 0
                    • dennypageD
                      dennypage
                      last edited by

                      Much as I hate to dip into this, it should be pointed out that high level statements like this should be viewed as guidelines rather than absolute rules. The reason for this guideline is to help keep the number of rules under control. Depending upon the reputation lists you have and your de-dup settings, you may end up with about the name number of rules either way. If you care about efficiency, the appropriate thing to do is to compare the number of resulting rules and choose your approach based on the actual numbers.

                      @doktornotor:

                      Nooooooooooooooooooooooooooooo!!! Here we go again.

                      Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

                      1 Reply Last reply Reply Quote 0
                      • BBcan177B
                        BBcan177 Moderator
                        last edited by

                        @superapan:

                        I run a server, just a Mumble and a game server. I only wish them to be port-forwarded for IPs of my country (Sweden).

                        See the following:
                        https://forum.pfsense.org/index.php?topic=99987.msg572399#msg572399

                        "Experience is something you don't get until just after you need it."

                        Website: http://pfBlockerNG.com
                        Twitter: @BBcan177  #pfBlockerNG
                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                        1 Reply Last reply Reply Quote 0
                        • D
                          doktornotor Banned
                          last edited by

                          @dennypage:

                          If you care about efficiency, the appropriate thing to do is to compare the number of resulting rules and choose your approach based on the actual numbers.

                          Sigh… If you care about efficiency, you do NOT ever create a rule containing tens of thousands of huge CIDRs for absolutely no reason, when the same job can be done by a whitelist rule with many many many orders of magnitude lower overhead, not wasting your RAM and CPU for nothing. Only pass/forward traffic that you want, instead of blocking everything else. The rest will be taken care of by the implicit default deny rule. Really take a while and think about what you are doing before creating absurd setups.

                          1 Reply Last reply Reply Quote 0
                          • dennypageD
                            dennypage
                            last edited by

                            My point exactly.

                            @doktornotor:

                            Really take a while and think about what you are doing before creating absurd setups.

                            1 Reply Last reply Reply Quote 0
                            • P
                              pfcode
                              last edited by

                              Hi,

                              I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                              PHP Errors:
                              PHP Fatal error:  Maximum execution time of 900 seconds exceeded in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 1663

                              Release: pfSense 2.4.3(amd64)
                              M/B: Supermicro A1SRi-2558F
                              HDD: Intel X25-M 160G
                              RAM: 2x8Gb Kingston ECC ValueRAM
                              AP: Netgear R7000 (XWRT), Unifi AC Pro

                              1 Reply Last reply Reply Quote 0
                              • BBcan177B
                                BBcan177 Moderator
                                last edited by

                                @pfcode:

                                I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                                I had one other complain about this, but couldn't track down the issue. Send me an email and I will get some more details from you. Maybe its doing that during a Cron event and timing out on a download as the 900 seconds is the php cURL timeout limit.

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pfcode
                                  last edited by

                                  @BBcan177:

                                  @pfcode:

                                  I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                                  I had one other complain about this, but couldn't track down the issue. Send me an email and I will get some more details from you. Maybe its doing that during a Cron event and timing out on a download as the 900 seconds is the php cURL timeout limit.

                                  Dont know what exactly was happening when the crash occurred. I login to the pfSense web GUI, Status: Dashboard, and saw there was a prompt on the top of the page saying there was a crash report and then I just submitted the report….

                                  Release: pfSense 2.4.3(amd64)
                                  M/B: Supermicro A1SRi-2558F
                                  HDD: Intel X25-M 160G
                                  RAM: 2x8Gb Kingston ECC ValueRAM
                                  AP: Netgear R7000 (XWRT), Unifi AC Pro

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    torsurfer
                                    last edited by

                                    Hi

                                    I have an issue trying to get Squid to play nice with pfB DNSBL. My DNSBL is configured to use ports 8081 and 8441. And this is also properly reflected under the "NAT: Port Forward" where port 80 is forwarded to 8081 and port 443 to 8441 (for LAN interface).

                                    However, Squid just won't seem to respect the Port Forward, hence, when the Resolver returns the IP 10.10.10.1 for an ad domain, Squid still insists to go out to 10.10.10.1:80 instead of 10.10.10.1:8081. The same applies to SSL connections i.e. it will use 443 instead of 8441.

                                    I'm already using ports 80 and 443 (pfSense GUI, etc) for other usages. So I rather than not use these ports for DNSBL.

                                    Do you have any ideas how I can get around this problem?

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      doktornotor Banned
                                      last edited by

                                      @torsurfer:

                                      I have an issue trying to get Squid to play nice with pfB DNSBL. My DNSBL is configured to use ports 8081 and 8441. And this is also properly reflected under the "NAT: Port Forward" where port 80 is forwarded to 8081 and port 443 to 8441 (for LAN interface).

                                      However, Squid just won't seem to respect the Port Forward, hence, when the Resolver returns the IP 10.10.10.1 for an ad domain, Squid still insists to go out to 10.10.10.1:80 instead of 10.10.10.1:8081. The same applies to SSL connections i.e. it will use 443 instead of 8441.

                                      "For LAN interface" is useless when the traffic is from localhost. Perhaps tick and select LAN and loopback under DNSBL - DNS Block List Configuration - DNSBL Firewall Rule.

                                      1 Reply Last reply Reply Quote 0
                                      • RonpfSR
                                        RonpfS
                                        last edited by

                                        I noticed that when a download fail, the list is removed.

                                        [ PRI3_DangerRulez ]	 Downloading update  . cURL Error: 28
                                        Resolving timed out after 15567 milliseconds Retry in 5 seconds...
                                        . cURL Error: 28
                                        Resolving timed out after 15544 milliseconds Retry in 5 seconds...
                                        . cURL Error: 28
                                        Resolving timed out after 15580 milliseconds Retry in 5 seconds...
                                        .. unknown http status code 
                                        
                                         [ pfB_PRI3 - PRI3_DangerRulez ] Download FAIL [ 12/02/15 19:29:38 ]
                                          Firewall and/or IDS are not blocking download.
                                        
                                        The Following list has been REMOVED [ PRI3_DangerRulez ]
                                        
                                        

                                        If the list existed before the update, it could be useful to have an option to keep and use the previous file until the next update succeed?

                                        2.4.5-RELEASE-p1 (amd64)
                                        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                        1 Reply Last reply Reply Quote 0
                                        • BBcan177B
                                          BBcan177 Moderator
                                          last edited by

                                          @RonpfS:

                                          If the list existed before the update, it could be useful to have an option to keep and use the previous file until the next update succeed?

                                          Check the General Tab for that exact option :)  It should default to enable… Will have to check that...

                                          "Experience is something you don't get until just after you need it."

                                          Website: http://pfBlockerNG.com
                                          Twitter: @BBcan177  #pfBlockerNG
                                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                          1 Reply Last reply Reply Quote 0
                                          • RonpfSR
                                            RonpfS
                                            last edited by

                                            It is enabled  ;)

                                            However it is not there at the end of the update.

                                            I did a reload at the end and it uploaded the list fine.

                                            [UpdateLog 20151202.txt](/public/imported_attachments/1/UpdateLog 20151202.txt)

                                            2.4.5-RELEASE-p1 (amd64)
                                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.