PfBlockerNG v2.0 w/DNSBL
-
How do you become a tester? I would like to sign up if any more are needed! I always love to try bleeding edge/potentially buggy software and assist in the debugging/feedback process. Kind of why I religiously update my pfSense box daily whenever updates are available :)
I sent a PM :)
I'd love to test too.. :) let me know if can include me..
-
Just got caught up on this thread. The only thing I am unclear on is what is the ramifications of having these two options enabled?
1. Register DHCP leases in the DNS Resolver
2. Register Static DHCP static mappings in the DNS ResolverThanks.
-
At every registration, Unbound reloads, so if it takes 1-3 minutes to restart (depending on you domain block list size), you have no DNS service available.
Static mappings are not dynamic, so Unbound will reload only when you save the mappings.
-
Yes, unbound reloading delay makes sense. Look like I will have to limit my DNSBL feeds since I need both features enabled.
Another question for DNSBL is do you normally Deny Both or just Deny Outbound and allow pfSense implicit block to handle the inbound. I am trying to imagine a case for Deny Both in DNSBL. For anything incoming, the session has to be initiated from inside the firewall. So for unwanted ads to come in, they have to be embedded in the response of the original request in the form of actual content and not a URL. In which case, DNSBL would not be able to block it anyway.
-
At every registration, Unbound reloads, so if it takes 1-3 minutes to restart (depending on you domain block list size), you have no DNS service available.
Static mappings are not dynamic, so Unbound will reload only when you save the mappings.
Thanks Ron. This might be added as an explanation in the screen, next to these two options.
-
Another question for DNSBL is do you normally Deny Both or just Deny Outbound and allow pfSense implicit block to handle the inbound. I am trying to imagine a case for Deny Both in DNSBL. For anything incoming, the session has to be initiated from inside the firewall. So for unwanted ads to come in, they have to be embedded in the response of the original request in the form of actual content and not a URL. In which case, DNSBL would not be able to block it anyway.
If you have open WAN ports, then you only need to protect those ports… If so, you can use the "Adv. Inbound" rule settings to add the DST IP(s) and Port(s) so the rules are effective for those events only... The default pfSense block rule on the WAN will handle all other blocking required...
IP Blocking uses the Firewall rules to block/permit/match while DNSBL is blocking based on DNS request by the LAN clients... Don't get the two mixed up :)
-
…
IP Blocking uses the Firewall rules to block/permit/match while DNSBL is blocking based on DNS request by the LAN clients... Don't get the two mixed up :)
Sorry if I sound like a newbie, but I just found out about pfBLockNG a few days ago and have been reading the forums to fully understand the package.
This is where I am confused about is if DNSBL is blocking based on DNS request by the LAN clients, why are there options in DNSBL to block incoming? I am trying to understand a scenario where I would have DNS request coming in through the WAN that I would need blocking. Or is the incoming blocking options in DNSBL is just a way to implement IP Blocking using DNSBL feeds?
I am feeling like I am missing a connection to fully understand the difference between IP blocking and DNSBL "incoming" blocking. By incoming, I am referring to requests originating from the WAN/internet.
-
-I am missing a connection to fully understand the difference between IP blocking and DNSBL "incoming" blocking. My incoming, I am referring to requests originating from the WAN/internet.
Some of the DNSBL Feeds contain IP addresses.. So when IPs are found in DNSBL, they can be added to a "DNSBL_IP" aliastable to be blocked. So the IP settings in DNSBL are just for that part. Typically IP based feeds are entered in the IPv4/6 Tabs and GeoIP.
There is also a "Permit Rule" in DNSBL which is used to allow other Vlans to be able to access the DNSBL VIP address.
Hope that makes it clearer.
-
I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?
I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff. pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!
-
I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?
I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff. pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!
To overcome an IP that is blocked by a GeoIP Alias, you can create a "Permit" Alias, and add the IPs to the customlist at the bottom of this new Alias. Then set the appropriate action such as "Permit Outbound". Then ensure that this Permit rule is above the other Block rules by setting the appropriate "Rule Order" setting in the general tab.
You can also use the "Whois" setting in the IPv4 tab to whitelist a particular ASN number. Click on the blue infoblock icons in the IPv4 tab for further details.
-
Hi
The GZ from http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz is not wokring it keeps making Download FAIL, but the link is working just fine?
-
I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?
I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff. pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!
To overcome an IP that is blocked by a GeoIP Alias, you can create a "Permit" Alias, and add the IPs to the customlist at the bottom of this new Alias. Then set the appropriate action such as "Permit Outbound". Then ensure that this Permit rule is above the other Block rules by setting the appropriate "Rule Order" setting in the general tab.
You can also use the "Whois" setting in the IPv4 tab to whitelist a particular ASN number. Click on the blue infoblock icons in the IPv4 tab for further details.
Are you able to share a screencap of adding a IP and/or domain? I have tried, but those sites are still getting blocked. I use WHOIS and tried the IP's and tried the domain names and tried the ASN names. I used Permit both and also change the rule order. The new rule was added to the top of the WAN rules list, but still no go. So I must be doing something wrong somewhere.
Thanks
-
Hi
The GZ from http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz is not wokring it keeps making Download FAIL, but the link is working just fine?
Check the Alerts tab and see if its being blocked?
-
Are you able to share a screencap of adding a IP and/or domain? I have tried, but those sites are still getting blocked. I use WHOIS and tried the IP's and tried the domain names and tried the ASN names. I used Permit both and also change the rule order. The new rule was added to the top of the WAN rules list, but still no go. So I must be doing something wrong somewhere.
Thanks
Typically you do not want to use "Permit Both" as pfSense is a stateful firewall by design…. So you would want the LAN to make the request outbound which creates a firewall state entry that allows the IP to return back thru on the WAN side.... So when you use "Permit Both", you are allowing those IPs to access your network without a LAN device first making the request for it.... If you have a webserver, then that would be more applicable...
For the IP whitelist, did you add the IP that you want to access to an IPv4 customlist? Did you set the Rule order option in the General Tab to put the Permit rules above the Blocked rules? Rules are processed top to bottom.
-
I am working on the next version of pfBlockerNG v3.0 which will have a Feeds Management Tab for IPv4/v6/DNSBL feeds … plus many other features ...
Currently listing:
-
IPv4: 105 Feeds
-
IPv6: 9 Feeds
-
DNSBL: 71 Feeds
Just working on the last bits … Hope to have it out soon....
I will post some screenshots when I can...Hey BBcan177, first and foremost, thanks for your work on this. It's coming up to 2 years since you launched it here, and you have remained available to chat to all levels of users!
I just wanted to see if v3 was close to launching, or if I could help out with the testing at all?
Cheers
-
-
What do you guys do for a dual stack supported pfsense, ie both IPv6 and IPv4? I can set all the IPv4 stuff up no problem, but most systems will use the IPv6 resolvers, which pretty much bypasses all of this stuff. I could modify systems to use ipv4 first, but would much rather resolve the issue on the DNSBL side.
-
Hello, sorry if this has been addressed before. 69 pages to scan through is a lot.
I am getting this strange certificate error randomly where the certificate issuer is DNSBL. So the browser is correct to issue a warning, however I am curious if this can be avoided.
A good test would be to do a google search for a product and then click the very first link in the search results. I searched for Otterbox for example, and clicked the first link. I was immediately warned of a certificate trust issue for DNSBL.
The only thing I have in DNSBL is the EasyList w/o Elements and EasyPrivacy.
I thought some sites online were telling me to install this certificate. Thats not hard on one machine, but when you have a lot of other machines, or devices, I'm not sure of an easy way to install custom certs on appliances, embedded OS's, different makes and models of android tablets and phones, iphones and ipads, etc…
-
Nevermind, fixed it with a firewall rule on the lan side as first mentioned in this post:
https://forum.pfsense.org/index.php?topic=124945.msg697380#msg697380 -
Hi,
I am wondering why the "easylist w/o elements" + "easy pricacy" is not working when I open this website to test adblock tester: http://simple-adblock.com/faq/testing-your-adblocker/. It works when I install the ABP browser extension though.
I have tried to parse easylist to be able to work with squidguard. But once squidgaurd detects it, the entire page will be affected not the only elements. Not a good idea.
I hope you can enlighten me and the rest here.
Thanks!
Regards,
xChaz -
I am wondering why the "easylist w/o elements" + "easy pricacy" is not working when I open this website to test adblock tester: http://simple-adblock.com/faq/testing-your-adblocker/. It works when I install the ABP browser extension though.
DNS based blockers work differently than Browser based blockers. The best test would be to use the pfBlockerNG log tab and view the EasyList feed and run a:
host -t A example.com
and if it replies back with the DNSBL VIP then its being blocked correctly.