Netgate Discussion Forum
    PfBlockerNG v2.1 w/TLD

    pfBlockerNG
    • RonpfS

      Which Spamhaus URL are you using?
      This one, https://www.spamhaus.org/statistics/tlds/, is just a web page, not a feed that DNSBL can use.

      As for the H3X, only one is needed:
      https://forum.pfsense.org/index.php?topic=115357.msg643896#msg643896

      And do a Force Reload after making the modifications.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • Heimire

        @RonpfS:

        Which Spamhaus URL are you using?
        This one, https://www.spamhaus.org/statistics/tlds/, is just a web page, not a feed that DNSBL can use.

        As for the H3X, only one is needed:
        https://forum.pfsense.org/index.php?topic=115357.msg643896#msg643896

        And do a Force Reload after making the modifications.

        Thank you.
        I see my mistake now.
        I was certain I had 2 feeds that contained data, but I must have misplaced it?

        • RonpfS

          Read the first posts (or more ;)) of each of these threads:
          pfBlockerNG
          pfBlockerNG v2.0 w/DNSBL
          pfBlockerNG v2.1 w/TLD

          You will find some posts about IP and DNSBL Feed.

          • minority

            First of all thank you very much for your hard work and this awesome package!

            I was just wondering: is it possible to somehow change the Rule Order setting to something like
            pfB_Pass/Match | pfB_Block/Reject | All other Rules | (original format)
            so that the first IP list would be the whitelist?

            Right now I can't seem to figure out how to make a custom LAN IPv4 whitelist (Permit_Outbound) rule the first in the rule list of the LAN interface. If I manually move it first, the next list update puts it below the blocklists (Deny_Outbound) again. Right now only the default setting | pfB_Block/Reject | All other Rules | (Original format) is partly usable for me (the whitelist won't work), and all other rule order settings just mess up my original LAN rules.

            I use Traffic Shaper queues in the floating rules so prefer not to move pfBlockerNG's rules in there too.

            Is this somehow possible or what am I missing, thanks?

            • RonpfS

              Which version are you using?

              With pfBlockerNG 2.1.1_2 I have these choices.

              And you can still use the Floating Rules, it won't affect the Traffic Shaper rules.

              [image: rulepass.jpg]

              • RonpfS

                @Heimire:

                @RonpfS:

                Which Spamhaus URL are you using?
                This one, https://www.spamhaus.org/statistics/tlds/, is just a web page, not a feed that DNSBL can use.

                As for the H3X, only one is needed:
                https://forum.pfsense.org/index.php?topic=115357.msg643896#msg643896

                And do a Force Reload after making the modifications.

                Thank you.
                I see my mistake now.
                I was certain I had 2 feeds that contained data, but I must have misplaced it?

                The https://www.spamhaus.org/statistics/tlds/ page can be useful to find TLD to put in the TLD Blacklist.

                • hulleyrob

                  There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:00
                  There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:11
                  There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:20 

                  Check what is selected in this tab, as I had a similar problem and found that since the update the inverse of what I had previously selected had been selected, causing over 1.5M IPs for this section and using up all the available memory.

                  Rob

                  • RonpfS

                    PFBlockerNG 2.1.1_2 Memory Errors

                    • coolspot

                      When I try to add a new TLD Blacklist i.e. "Google.com", I get the following error:

                      Clearing all DNSBL Feeds…  completed
                      Executing TLD
                      Blocking full TLD/Sub-Domain(s)... |google.com| completed
                      TLD analysis completed
                      Finalizing TLD... head: 1: No such file or directory
                      tail: 1: No such file or directory
                      completed

                      Original    Matches    Removed    Final

                      0          0          -1        1

                      Validating database... completed

                      DNSBL enabled FAIL - restoring Unbound conf
                      /var/unbound/pfb_dnsbl.conf:1: error: unknown keyword '.google.com'
                      /var/unbound/pfb_dnsbl.conf:1: error: unknown keyword '60'
                      read /var/unbound/unbound.tmp failed: 2 errors in configuration file

                      Any ideas why DNSBL is failing to add the TLD blacklist entries?

                      Thanks.

                      • RonpfS

                        Do you have any DNSBL feeds defined and enabled?
                        I put Google.com in the DNSBL TLD Blacklist, ran a Force Reload, and things look OK.

                        This is the part of the pfBlockerNG log after the last DNSBL feed:

                        [ BBC_C2 ]		 Reload [ 08/08/16 15:25:16 ] . completed ..
                          ----------------------------------------------------------------------
                          Orig.    Unique     # Dups     # White    # Alexa    Final                
                          ----------------------------------------------------------------------
                          332      332        331        0          0          1                    
                          ----------------------------------------------------------------------
                        
                        [ DNSBL_IP ]		 Updating aliastable [ 08/08/16 15:25:22 ]... 
                          no changes.
                          Total IP count = 280
                        
                        ------------------------------------------
                        Assembling database... completed
                        Executing TLD
                         Blocking full TLD/Sub-Domain(s)... |google.com| completed
                        TLD analysis...xxxxxxxxxxx completed
                        ** TLD Domain count exceeded. [ 250000 ] All subsequent Domains listed as-is **
                        Finalizing TLD...  completed
                         ----------------------------------------
                         Original    Matches    Removed    Final     
                         ----------------------------------------
                         1323464     87716      169286     1154178   
                         -----------------------------------------
                        Validating database... completed [ 08/08/16 15:31:20 ]
                        Reloading Unbound.... completed
                        DNSBL update [ 1154178 | PASSED  ]... completed [ 08/08/16 15:32:02 ]
                        ------------------------------------------
                        
                        ===[  Continent Process  ]============================================
                        

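The two failure signatures quoted in this thread (hulleyrob's repeated "cannot define table ... Cannot allocate memory" pf error, and coolspot's TLD run that ends with a negative "Removed" count and Unbound rejecting pfb_dnsbl.conf) are easy to miss in a long pfBlockerNG log. The following script is an added example, not code from pfBlockerNG or from anyone in this thread: it parses the log excerpts posted above (embedded here as constructed samples copied from the posts) and reports which pf table failed to load, whether the Original/Matches/Removed/Final row is internally consistent, and which lines Unbound rejected. The consistency rule it applies (Original - Removed == Final, no negative counts) is an assumption drawn from RonpfS's healthy run, where 1323464 - 169286 = 1154178, not a documented pfBlockerNG invariant.

```python
import re

# Sample log excerpts copied from the posts above (constructed test input, not captured by me).
PF_LOG = """\
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:00
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:11
There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfB_Europe_v6: Cannot allocate memory - The line in question reads [37]: table <pfB_Europe_v6> persist file "/var/db/aliastables/pfB_Europe_v6.txt" @ 2016-07-31 14:55:20
"""

BROKEN_TLD_LOG = """\
Finalizing TLD... head: 1: No such file or directory
tail: 1: No such file or directory
completed

Original    Matches    Removed    Final

0          0          -1        1

Validating database... completed

DNSBL enabled FAIL - restoring Unbound conf
/var/unbound/pfb_dnsbl.conf:1: error: unknown keyword '.google.com'
/var/unbound/pfb_dnsbl.conf:1: error: unknown keyword '60'
read /var/unbound/unbound.tmp failed: 2 errors in configuration file
"""

HEALTHY_TLD_LOG = """\
Finalizing TLD...  completed
 ----------------------------------------
 Original    Matches    Removed    Final
 ----------------------------------------
 1323464     87716      169286     1154178
 -----------------------------------------
Validating database... completed [ 08/08/16 15:31:20 ]
Reloading Unbound.... completed
DNSBL update [ 1154178 | PASSED  ]... completed [ 08/08/16 15:32:02 ]
"""

# pf "cannot define table" error as printed by pfSense when loading /tmp/rules.debug.
PF_TABLE_ERR = re.compile(
    r"cannot define table (?P<table>\S+): (?P<reason>.+?) - The line in question"
    r'.*?persist file "(?P<path>[^"]+)"'
)
# Unbound's config-check complaints: file:line: error: message
UNBOUND_ERR = re.compile(r"^(?P<file>\S+):(?P<line>\d+): error: (?P<msg>.+)$")
# The four-column summary printed after "Finalizing TLD".
TLD_HEADER = re.compile(r"^\s*Original\s+Matches\s+Removed\s+Final\s*$")
TLD_ROW = re.compile(r"^\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$")


def pf_table_errors(log_text):
    """Map each pf table that failed to load to its reason, alias file and hit count.
    Repeated lines collapse into one record so an alert fires once per table."""
    out = {}
    for line in log_text.splitlines():
        m = PF_TABLE_ERR.search(line)
        if m:
            rec = out.setdefault(m["table"], {"reason": m["reason"].strip(), "path": m["path"], "hits": 0})
            rec["hits"] += 1
    return out


def tld_summary(log_text):
    """Locate the Original/Matches/Removed/Final row (it follows the header, possibly after a
    blank or dashed line) and check it against the assumed invariant Original - Removed == Final."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if not TLD_HEADER.match(line):
            continue
        for cand in lines[i + 1:i + 4]:
            m = TLD_ROW.match(cand)
            if m:
                orig, matches, removed, final = map(int, m.groups())
                return {"original": orig, "matches": matches, "removed": removed, "final": final,
                        "consistent": min(orig, matches, removed, final) >= 0 and orig - removed == final}
    return None


def unbound_errors(log_text):
    """Return (file, line, message) for every line Unbound rejected in the generated conf."""
    found = []
    for line in log_text.splitlines():
        m = UNBOUND_ERR.match(line.strip())
        if m:
            found.append((m["file"], int(m["line"]), m["msg"]))
    return found


def triage(pf_log, dnsbl_log):
    """Combine the checks into a list of human-readable findings; empty means a clean run."""
    findings = []
    for table, rec in pf_table_errors(pf_log).items():
        findings.append(f"pf table {table} failed to load ({rec['reason']}, {rec['hits']}x): "
                        f"compare the line count of {rec['path']} with Firewall Maximum Table Entries")
    summary = tld_summary(dnsbl_log)
    if summary is not None and not summary["consistent"]:
        findings.append(f"TLD summary row is inconsistent: {summary}")
    for path, lineno, msg in unbound_errors(dnsbl_log):
        findings.append(f"Unbound rejected {path}:{lineno}: {msg}")
    if "DNSBL enabled FAIL" in dnsbl_log:
        findings.append("DNSBL update failed; pfBlockerNG restored the previous Unbound conf")
    return findings


if __name__ == "__main__":
    for f in triage(PF_LOG, BROKEN_TLD_LOG):
        print("FINDING:", f)
    print("healthy run findings:", triage("", HEALTHY_TLD_LOG))
```

Run against a real pfBlockerNG log by reading pfblockerng.log and the system log into the two arguments of triage(); the pf-table finding points at the alias file whose size should be checked against the Firewall Maximum Table Entries setting that BBcan177 mentions later in this thread.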
                        • coolspot

                          @RonpfS:

                          Do you have any DNSBL feeds defined and enabled?
                          I put Google.com in the DNSBL TLD Blacklist, ran a Force Reload, and things look OK.

                          No, I only want to block a couple domains and not use any DNSBL lists.

                          Must I have a DNSBL list for TLD to work?

                          • RonpfS

                            @coolspot:

                            @RonpfS:

                            Do you have any DNSBL feeds defined and enabled?
                            I put Google.com in the DNSBL TLD Blacklist, ran a Force Reload, and things look OK.

                            No, I only want to block a couple of domains and not use any DNSBL lists.

                            I solved the issue by creating a dummy feed, then inside the feed adding the "Custom Block List"; this seems to allow the domains to be blocked.

                            Is this the expected behaviour?

                            Well maybe nobody tested a setup without any DNSBL feed. Using a Custom Block List does create a feed and seems to remove the issue.

                            • coolspot

                              @RonpfS:

                              Well maybe nobody tested a setup without any DNSBL feed. Using a Custom Block List does create a feed and seems to remove the issue.

                              BBCan177 got back to me even though he was on vacation (thanks!).

                              Basically create a dummy DNSBL feed, in the bottom section called Custom Domains, add the subdomains there. This will block the domains correctly.

                              • reg1982

                                Hello BBcan177 and pfsense users,

                                Great work on pfblockerng. I have one question. I have DNSBL listening port 8081 and when I type 10.10.10.1:8081 I get the gif image. Now when I try the DNSBL SSL listening port 8443 10.10.10.1:8443 I get the connection was reset. So it doesn't work.

                                I have been doing some reading on why I was getting the "googleads.g.doubleclick.net" and in one post someone talked about limiters causing problem. I don't have any limiters setup. I think it's because DNSBL SSL isn't working.

                                Anyone have an idea why DNSBL SSL isn't working for me ?

                                Thanks

                                • RonpfS

                                  http://10.10.10.1:8443 returns a gif.

                                  It should be https://10.10.10.1:443, but that doesn't return anything and doesn't log to dnsbl.log either.

                                  • reg1982

                                    I tried https://10.10.10.1:443 and it returned a gif so that works. Anyone else have the google ads certificate popup? I get the popup in Safari and in Firefox I see the error message where the ads used to be.

                                    It would be nice to have just empty space without the error.

                                    Thanks Ronpfs for your reply.

                                    • RonpfS

                                      Do you have the URL that generates the errors, so I can reproduce it here?

                                      • reg1982

                                        I have been surfing the web to find one. Just because I'm trying, I am having a hard time.

                                        This site did it once on my desktop but didn't do it on my phone.

                                        https://www.instantssl.com/ssl-certificate-products/https.html

                                        • BBcan177 (Moderator)

                                          @hulleyrob:

                                          Check what is selected in this tab, as I had a similar problem and found that since the update the inverse of what I had previously selected had been selected, causing over 1.5M IPs for this section and using up all the available memory.

                                          Rob

                                          Hi Rob,

                                          The memory issue will be fixed with v2.1.1_3; however, you don't want to reverse the "Registered" vs the "Represented" entries. Please refer to the link in the GeoIP tabs, "What's new in GeoIP2", to help you understand the difference between those two types.

                                          "Experience is something you don't get until just after you need it."

                                          Website: http://pfBlockerNG.com
                                          Twitter: @BBcan177  #pfBlockerNG
                                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                          • BBcan177 (Moderator)

                                            Here is a link to PR # 175 for pfBlockerNG v2.1.1_3 (This PR first needs to be reviewed and merged by the pfSense Devs)

                                            The 2.1 release was beta tested for several months with approx a dozen testers with varying hardware (1GB-16GB, i386-AMD64). The MaxMind database is updated the first Tuesday of each month.

                                            After reviewing the latest MaxMind IPv6 database, you can see below that the IPv6 line count increased 5 fold vs the previous month. This is a significant increase and as such the package required more PHP memory to be able to process the updated MaxMind database. The two Countries that changed significantly are US and DE, so until MaxMind has resolved this issue, you might consider not using those two IPv6 GeoIP lists.

                                            This month:

                                            1,147,813 US_v6.txt
                                            1,137,159 DE_v6.txt

                                            Last Month:

                                            222,937 US_v6.txt
                                            205,571 DE_v6.txt

                                            I have contacted MaxMind support, to get some clarity on this issue, with the following response:

                                            Thank you for contacting support. We did also observe a significant increase in IPv6 mappings, due to more specific blocks being mapped, starting with the 2016-07-05 release, and we are currently investigating what may be causing such an increase in the recent releases.

                                            We do indeed aim to list the IP networks as efficiently as possible to help keep CSV file sizes down, so ideally the file sizes should not continue to increase dramatically once a fix is deployed. However, for the time being, the additional mappings shouldn't adversely affect the lookup results.

                                            Thank you for the additional information; I've passed along your observations to our developers. At this time, we unfortunately do not have an ETA on a fix, but when I do receive any news, I'll be in touch.

                                            I have re-factored the code to be able to handle this change in database size. This will reduce the overall PHP memory required. It's not recommended to "Block the world"; however, should your configuration follow this approach, then you may need to increase the pfSense Advanced "Firewall Maximum Table Entries" to 4M (or higher, depending on the other Table entry sizes).

                                            In my absence (vacation), forum user RonpfS stepped up and helped convey some temporary workarounds and help users who were affected by this issue. I would personally like to extend my appreciation for all of his efforts. It's what "Open Source" is all about, and I encourage more people to get involved.

                                            Everyone needs to bump his Karma! Thanks again!

                                            Additional Changes:

                                            • Added a 'placeholder' for undefined MaxMind 'Represented Countries'. This is necessary as month-to-month MaxMind Updates seem to have fluctuations that can cause a list to become undefined/redefined.

                                            • Improved DNSBL Firewall Permit Rule options (Added OpenVPN, IPsec and Interface group options)

                                            • Improved removal of DNSBL VIP address mapping when DNSBL is disabled.

                                            • Added DNSBL parser for Alienvault OTX pulses. This will only collect "Domains". You can add the same feed into the IPv4 tab to collect "IPs".

                                            • Added a "Disabled" option to the CRON update options.

                                            • Additions to the DNSBL TLD suffixes

                                            • Fixed issue with widget not clearing DNSBL packet counts

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.