Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNG v2.0 w/DNSBL

    Scheduled Pinned Locked Moved pfBlockerNG
    1.1k Posts 192 Posters 1.7m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      superapan
      last edited by

      Hi, I'm a bit confused as how to configure pfBlockerNG.

      I run a server, just a Mumble and a game server. I only wish them to be port-forwarded for IPs of my country (Sweden).

      For instance, Mumble runs on the default 64738. I have it port-forwarded in firewall NAT. With pfBlockerNG running, I select 'Sweden' under Countries->Europe. Under 'List Action' I select 'Permit Both'. I Force Update.

      Rule order is default pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match.

      My UK-based friend has no issues connecting, which is not my intention.  How exactly would I go about to configure this?

      Thanks a bunch in advance.

      1 Reply Last reply Reply Quote 0
      • G
        Gerard64
        last edited by

        Select all countries except Sweden. Set action to deny inbound.

        1 Reply Last reply Reply Quote 0
        • D
          doktornotor Banned
          last edited by

          @Gé:

          Select all countries except Sweden. Set action to deny both.

          Nooooooooooooooooooooooooooooo!!! Here we go again.

          Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

          1 Reply Last reply Reply Quote 0
          • G
            Gerard64
            last edited by

            Again?
            Geez  :o

            1 Reply Last reply Reply Quote 0
            • S
              superapan
              last edited by

              @doktornotor:

              @Gé:

              Select all countries except Sweden. Set action to deny both.

              Nooooooooooooooooooooooooooooo!!! Here we go again.

              Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

              This much I've realized. It's just that exactly how I would go about doing what you just described? Does it mean 'List Action' be 'Alias'? Do these aliases have anything to do with the aliases in Advanced Inbound Firewall Rule Settings? I apologize for my ignorance, it's just that the one sentence "Use the Sweden as alias for the traffic source on the port-forwarding rule" doesn't explain it enough for me, unforuntately.

              1 Reply Last reply Reply Quote 0
              • dennypageD
                dennypage
                last edited by

                Much as I hate to dip into this, it should be pointed out that high level statements like this should be viewed as guidelines rather than absolute rules. The reason for this guideline is to help keep the number of rules under control. Depending upon the reputation lists you have and your de-dup settings, you may end up with about the name number of rules either way. If you care about efficiency, the appropriate thing to do is to compare the number of resulting rules and choose your approach based on the actual numbers.

                @doktornotor:

                Nooooooooooooooooooooooooooooo!!! Here we go again.

                Look. This is absolutely absurd. Use the Sweden as alias for the traffic source on the port-forwarding rule, instead of blocking the entire world. WTF.

                1 Reply Last reply Reply Quote 0
                • BBcan177B
                  BBcan177 Moderator
                  last edited by

                  @superapan:

                  I run a server, just a Mumble and a game server. I only wish them to be port-forwarded for IPs of my country (Sweden).

                  See the following:
                  https://forum.pfsense.org/index.php?topic=99987.msg572399#msg572399

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  1 Reply Last reply Reply Quote 0
                  • D
                    doktornotor Banned
                    last edited by

                    @dennypage:

                    If you care about efficiency, the appropriate thing to do is to compare the number of resulting rules and choose your approach based on the actual numbers.

                    Sigh… If you care about efficiency, you do NOT ever create a rule containing tens of thousands of huge CIDRs for absolutely no reason, when the same job can be done by a whitelist rule with many many many orders of magnitude lower overhead, not wasting your RAM and CPU for nothing. Only pass/forward traffic that you want, instead of blocking everything else. The rest will be taken care of by the implicit default deny rule. Really take a while and think about what you are doing before creating absurd setups.

                    1 Reply Last reply Reply Quote 0
                    • dennypageD
                      dennypage
                      last edited by

                      My point exactly.

                      @doktornotor:

                      Really take a while and think about what you are doing before creating absurd setups.

                      1 Reply Last reply Reply Quote 0
                      • P
                        pfcode
                        last edited by

                        Hi,

                        I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                        PHP Errors:
                        PHP Fatal error:  Maximum execution time of 900 seconds exceeded in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 1663

                        Release: pfSense 2.4.3(amd64)
                        M/B: Supermicro A1SRi-2558F
                        HDD: Intel X25-M 160G
                        RAM: 2x8Gb Kingston ECC ValueRAM
                        AP: Netgear R7000 (XWRT), Unifi AC Pro

                        1 Reply Last reply Reply Quote 0
                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          @pfcode:

                          I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                          I had one other complain about this, but couldn't track down the issue. Send me an email and I will get some more details from you. Maybe its doing that during a Cron event and timing out on a download as the 900 seconds is the php cURL timeout limit.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          1 Reply Last reply Reply Quote 0
                          • P
                            pfcode
                            last edited by

                            @BBcan177:

                            @pfcode:

                            I got the second crash report today since upgraded to V2, the first one was at: https://forum.pfsense.org/index.php?topic=102470.msg575377#msg575377

                            I had one other complain about this, but couldn't track down the issue. Send me an email and I will get some more details from you. Maybe its doing that during a Cron event and timing out on a download as the 900 seconds is the php cURL timeout limit.

                            Dont know what exactly was happening when the crash occurred. I login to the pfSense web GUI, Status: Dashboard, and saw there was a prompt on the top of the page saying there was a crash report and then I just submitted the report….

                            Release: pfSense 2.4.3(amd64)
                            M/B: Supermicro A1SRi-2558F
                            HDD: Intel X25-M 160G
                            RAM: 2x8Gb Kingston ECC ValueRAM
                            AP: Netgear R7000 (XWRT), Unifi AC Pro

                            1 Reply Last reply Reply Quote 0
                            • T
                              torsurfer
                              last edited by

                              Hi

                              I have an issue trying to get Squid to play nice with pfB DNSBL. My DNSBL is configured to use ports 8081 and 8441. And this is also properly reflected under the "NAT: Port Forward" where port 80 is forwarded to 8081 and port 443 to 8441 (for LAN interface).

                              However, Squid just won't seem to respect the Port Forward, hence, when the Resolver returns the IP 10.10.10.1 for an ad domain, Squid still insists to go out to 10.10.10.1:80 instead of 10.10.10.1:8081. The same applies to SSL connections i.e. it will use 443 instead of 8441.

                              I'm already using ports 80 and 443 (pfSense GUI, etc) for other usages. So I rather than not use these ports for DNSBL.

                              Do you have any ideas how I can get around this problem?

                              1 Reply Last reply Reply Quote 0
                              • D
                                doktornotor Banned
                                last edited by

                                @torsurfer:

                                I have an issue trying to get Squid to play nice with pfB DNSBL. My DNSBL is configured to use ports 8081 and 8441. And this is also properly reflected under the "NAT: Port Forward" where port 80 is forwarded to 8081 and port 443 to 8441 (for LAN interface).

                                However, Squid just won't seem to respect the Port Forward, hence, when the Resolver returns the IP 10.10.10.1 for an ad domain, Squid still insists to go out to 10.10.10.1:80 instead of 10.10.10.1:8081. The same applies to SSL connections i.e. it will use 443 instead of 8441.

                                "For LAN interface" is useless when the traffic is from localhost. Perhaps tick and select LAN and loopback under DNSBL - DNS Block List Configuration - DNSBL Firewall Rule.

                                1 Reply Last reply Reply Quote 0
                                • RonpfSR
                                  RonpfS
                                  last edited by

                                  I noticed that when a download fail, the list is removed.

                                  [ PRI3_DangerRulez ]	 Downloading update  . cURL Error: 28
                                  Resolving timed out after 15567 milliseconds Retry in 5 seconds...
                                  . cURL Error: 28
                                  Resolving timed out after 15544 milliseconds Retry in 5 seconds...
                                  . cURL Error: 28
                                  Resolving timed out after 15580 milliseconds Retry in 5 seconds...
                                  .. unknown http status code 
                                  
                                   [ pfB_PRI3 - PRI3_DangerRulez ] Download FAIL [ 12/02/15 19:29:38 ]
                                    Firewall and/or IDS are not blocking download.
                                  
                                  The Following list has been REMOVED [ PRI3_DangerRulez ]
                                  
                                  

                                  If the list existed before the update, it could be useful to have an option to keep and use the previous file until the next update succeed?

                                  2.4.5-RELEASE-p1 (amd64)
                                  Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                  Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                  1 Reply Last reply Reply Quote 0
                                  • BBcan177B
                                    BBcan177 Moderator
                                    last edited by

                                    @RonpfS:

                                    If the list existed before the update, it could be useful to have an option to keep and use the previous file until the next update succeed?

                                    Check the General Tab for that exact option :)  It should default to enable… Will have to check that...

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    1 Reply Last reply Reply Quote 0
                                    • RonpfSR
                                      RonpfS
                                      last edited by

                                      It is enabled  ;)

                                      However it is not there at the end of the update.

                                      I did a reload at the end and it uploaded the list fine.

                                      [UpdateLog 20151202.txt](/public/imported_attachments/1/UpdateLog 20151202.txt)

                                      2.4.5-RELEASE-p1 (amd64)
                                      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                      1 Reply Last reply Reply Quote 0
                                      • BBcan177B
                                        BBcan177 Moderator
                                        last edited by

                                        @RonpfS:

                                        It is enabled  ;)

                                        I think the DangerRulz "State" needs to be set to "Flex"… If it was never downloaded in the first place, then there is nothing to restore... Some others seem to be failing also. Try those URLs in a browser tab and see if it works from there... If those DNSBL feeds still fail, send me the URLs, as the parser might have to be updated if those lists are formatted differently.

                                        nb- please edit your post and put the log into a code format... There is a "#" icon in the Message editor... It makes reading posts a lot cleaner...

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        1 Reply Last reply Reply Quote 0
                                        • RonpfSR
                                          RonpfS
                                          last edited by

                                          I did but I probably copied over the [ /code] end, or 3000 lines was too much  :o
                                          I edited and put a attachment file instead

                                          DangerRulz was downloaded many times before.

                                          2.4.5-RELEASE-p1 (amd64)
                                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            torsurfer
                                            last edited by

                                            @doktornotor:

                                            "For LAN interface" is useless when the traffic is from localhost. Perhaps tick and select LAN and loopback under DNSBL - DNS Block List Configuration - DNSBL Firewall Rule.

                                            I do have the LAN and loopback selected under the DNSBL Firewall Rule. This only ensures that the firewall doesn't prevent LAN and loopback from accessing the DNSBL VIP. It won't, however, 'make' Squid go to port 8081 for a blacklisted domain.

                                            I think a solution to this problem might be the use of a reverse proxy, which I'd have to look into to see if it's possible. But thanks Doc for your comment.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.