• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

PfBlockerNG v2.0 w/DNSBL

Scheduled Pinned Locked Moved pfBlockerNG
1.1k Posts 192 Posters 1.7m Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    BBcan177 Moderator
    last edited by Jun 9, 2017, 6:35 PM

    @mifronte:

    -I am missing a connection to fully understand the difference between IP blocking and DNSBL "incoming" blocking.  My incoming, I am referring to requests originating from the WAN/internet.

    Some of the DNSBL Feeds contain IP addresses.. So when IPs are found in DNSBL, they can be added to a "DNSBL_IP" aliastable to be blocked. So the IP settings in DNSBL are just for that part. Typically IP based feeds are entered in the IPv4/6 Tabs and GeoIP.

    There is also a "Permit Rule" in DNSBL which is used to allow other Vlans to be able to access the DNSBL VIP address.

    Hope that makes it clearer.

    "Experience is something you don't get until just after you need it."

    Website: http://pfBlockerNG.com
    Twitter: @BBcan177  #pfBlockerNG
    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

    1 Reply Last reply Reply Quote 0
    • M
      mgc6288
      last edited by Jun 15, 2017, 3:24 AM

      I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?

      I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff.  pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!

      1 Reply Last reply Reply Quote 0
      • B
        BBcan177 Moderator
        last edited by Jun 15, 2017, 3:30 AM

        @mgc6288:

        I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?

        I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff.  pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!

        To overcome an IP that is blocked by a GeoIP Alias, you can create a "Permit" Alias, and add the IPs to the customlist at the bottom of this new Alias. Then set the appropriate action such as "Permit Outbound". Then ensure that this Permit rule is above the other Block rules by setting the appropriate "Rule Order" setting in the general tab.

        You can also use the "Whois" setting in the IPv4 tab to whitelist a particular ASN number.  Click on the blue infoblock icons in the IPv4 tab for further details.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • M
          Mikki-10
          last edited by Jun 24, 2017, 5:51 PM

          Hi

          The GZ from http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz  is not wokring it keeps making Download FAIL, but the link is working just fine?

          1 Reply Last reply Reply Quote 0
          • I
            iculookn
            last edited by Jul 24, 2017, 8:48 AM

            @BBcan177:

            @mgc6288:

            I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?

            I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff.  pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!

            To overcome an IP that is blocked by a GeoIP Alias, you can create a "Permit" Alias, and add the IPs to the customlist at the bottom of this new Alias. Then set the appropriate action such as "Permit Outbound". Then ensure that this Permit rule is above the other Block rules by setting the appropriate "Rule Order" setting in the general tab.

            You can also use the "Whois" setting in the IPv4 tab to whitelist a particular ASN number.  Click on the blue infoblock icons in the IPv4 tab for further details.

            Are you able to share a screencap of adding a IP and/or domain? I have tried, but those sites are still getting blocked. I use WHOIS and tried the IP's and tried the domain names and tried the ASN names. I used Permit both and also change the rule order. The new rule was added to the top of the WAN rules list, but still no go. So I must be doing something wrong somewhere.

            Thanks

            1 Reply Last reply Reply Quote 0
            • B
              BBcan177 Moderator
              last edited by Jul 28, 2017, 1:13 AM

              @Mikki-10:

              Hi

              The GZ from http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz  is not wokring it keeps making Download FAIL, but the link is working just fine?

              Check the Alerts tab and see if its being blocked?

              "Experience is something you don't get until just after you need it."

              Website: http://pfBlockerNG.com
              Twitter: @BBcan177  #pfBlockerNG
              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              1 Reply Last reply Reply Quote 0
              • B
                BBcan177 Moderator
                last edited by Jul 28, 2017, 1:19 AM

                @iculookn:

                Are you able to share a screencap of adding a IP and/or domain? I have tried, but those sites are still getting blocked. I use WHOIS and tried the IP's and tried the domain names and tried the ASN names. I used Permit both and also change the rule order. The new rule was added to the top of the WAN rules list, but still no go. So I must be doing something wrong somewhere.

                Thanks

                Typically you do not want to use "Permit Both" as pfSense is a stateful firewall by design…. So you would want the LAN to make the request outbound which creates a firewall state entry that allows the IP to return back thru on the WAN side.... So when you use "Permit Both", you are allowing those IPs to access your network without a LAN device first making the request for it....  If you have a webserver, then that would be more applicable...

                For the IP whitelist, did you add the IP that you want to access to an IPv4 customlist? Did you set the Rule order option in the General Tab to put the Permit rules above the Blocked rules? Rules are processed top to bottom.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                1 Reply Last reply Reply Quote 0
                • B
                  BluBoy
                  last edited by Aug 12, 2017, 1:51 PM

                  @BBcan177:

                  I am working on the next version of pfBlockerNG v3.0 which will have a Feeds Management Tab for IPv4/v6/DNSBL feeds … plus many other features ...

                  Currently listing:

                  • IPv4:  105 Feeds

                  • IPv6:      9 Feeds

                  • DNSBL: 71 Feeds

                  Just working on the last bits … Hope to have it out soon....
                  I will post some screenshots when I can...

                  Hey BBcan177, first and foremost, thanks for your work on this. It's coming up to 2 years since you launched it here, and you have remained available to chat to all levels of users!

                  I just wanted to see if v3 was close to launching, or if I could help out with the testing at all?

                  Cheers

                  1 Reply Last reply Reply Quote 0
                  • P
                    presence
                    last edited by Aug 22, 2017, 4:34 AM

                    What do you guys do for a dual stack supported pfsense, ie both IPv6 and IPv4?  I can set all the IPv4 stuff up no problem, but most systems will use the IPv6 resolvers, which pretty much bypasses all of this stuff.  I could modify systems to use ipv4 first, but would much rather resolve the issue on the DNSBL side.

                    1 Reply Last reply Reply Quote 0
                    • K
                      kjstech
                      last edited by Sep 8, 2017, 12:27 AM

                      Hello, sorry if this has been addressed before.  69 pages to scan through is a lot.

                      I am getting this strange certificate error randomly where the certificate issuer is DNSBL.  So the browser is correct to issue a warning, however I am curious if this can be avoided.

                      A good test would be to do a google search for a product and then click the very first link in the search results.  I searched for Otterbox for example, and clicked the first link.  I was immediately warned of a certificate trust issue for DNSBL.

                      The only thing I have in DNSBL is the EasyList w/o Elements and EasyPrivacy.

                      I thought some sites online were telling me to install this certificate.  Thats not hard on one machine, but when you have a lot of other machines, or devices, I'm not sure of an easy way to install custom certs on appliances, embedded OS's, different makes and models of android tablets and phones, iphones and ipads, etc…

                      1 Reply Last reply Reply Quote 0
                      • K
                        kjstech
                        last edited by Sep 8, 2017, 12:42 AM

                        Nevermind, fixed it with a firewall rule on the lan side as first mentioned in this post:
                        https://forum.pfsense.org/index.php?topic=124945.msg697380#msg697380

                        1 Reply Last reply Reply Quote 0
                        • X
                          xchaz
                          last edited by Sep 10, 2017, 11:15 AM

                          Hi,

                          I am wondering why the "easylist w/o elements" + "easy pricacy" is not working when I open this website to test adblock tester: http://simple-adblock.com/faq/testing-your-adblocker/. It works when I install the ABP browser extension though.

                          I have tried to parse easylist to be able to work with squidguard. But once squidgaurd detects it, the entire page will be affected not the only elements. Not a good idea.

                          I hope you can enlighten me and the rest here.

                          Thanks!

                          Regards,
                          xChaz

                          1 Reply Last reply Reply Quote 0
                          • B
                            BBcan177 Moderator
                            last edited by Sep 12, 2017, 11:09 AM

                            @xchaz:

                            I am wondering why the "easylist w/o elements" + "easy pricacy" is not working when I open this website to test adblock tester: http://simple-adblock.com/faq/testing-your-adblocker/. It works when I install the ABP browser extension though.

                            DNS based blockers work differently than Browser based blockers. The best test would be to use the pfBlockerNG log tab and view the EasyList feed and run a:

                            host -t A example.com
                            

                            and if it replies back with the DNSBL VIP then its being blocked correctly.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            1 Reply Last reply Reply Quote 0
                            • X
                              xchaz
                              last edited by Sep 23, 2017, 2:09 AM

                              Thanks for the reply. Its working. I want to block youtube ads. When this will be available?

                              IMG_3251.PNG
                              IMG_3251.PNG_thumb

                              1 Reply Last reply Reply Quote 0
                              • B
                                BBcan177 Moderator
                                last edited by Sep 27, 2017, 2:33 AM

                                @xchaz:

                                I want to block youtube ads. When this will be available?

                                Blocking via DNS is difficult with Domain based blocking, as Youtube/Google mix the webpages and ADs together, so blocking ADs may also block other webpages…

                                There are some Youtube based Feeds but YMMV on how well it performs.

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                1 Reply Last reply Reply Quote 0
                                • X
                                  xchaz
                                  last edited by Sep 27, 2017, 11:14 AM

                                  @BBcan177:

                                  Blocking via DNS is difficult with Domain based blocking, as Youtube/Google mix the webpages and ADs together, so blocking ADs may also block other webpages…

                                  Agree. It's a challenge on how to make this work without affecting the entire/other webpages. I think its time to add an unofficial 3rd party package, E2******. Well see how the content-control software do.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    ASM_COPE
                                    last edited by Sep 27, 2017, 12:41 PM Sep 27, 2017, 11:21 AM

                                    I've been trying to emulate the same configuration as this poster outlines, for the same reasons.  However the rule order preference that BBCan suggests doesn't seem to be followed, with the pfB alias_permit rule ("pfB AllowEmails") getting moved under the pfb block rules when the PFB cron update occurs.

                                    I should probably first state that I'm not using the DNSBL option.

                                    @BBcan177:

                                    @mgc6288:

                                    I have the latest version to date and wondering if there is a way, or if in the future, possible to whitelist IPs from companies like Teamviewer sending email from Germany when all countries are blocked?

                                    I understand it sounds counter productive as pfSense blocks all by default but we want pfBlockerNG blocking all international traffic as we open ports for services and don't need the N. Koreans attempting any crazy stuff.  pfBlockerNG has done a marvelous in blocking unwanted international email spam which is an A+++!

                                    To overcome an IP that is blocked by a GeoIP Alias, you can create a "Permit" Alias, and add the IPs to the customlist at the bottom of this new Alias. Then set the appropriate action such as "Permit Outbound". Then ensure that this Permit rule is above the other Block rules by setting the appropriate "Rule Order" setting in the general tab.

                                    You can also use the "Whois" setting in the IPv4 tab to whitelist a particular ASN number.  Click on the blue infoblock icons in the IPv4 tab for further details.

                                    I've attached image of rules as I would expect them to stay, given the selected PFB rule selection (image also attached).

                                    I've struggled with this system due to lack of concrete documentation (possibly also lack of brain power!!) and trying to peg together info from many sources, many of which conflict in the approach.  I found this reddit post to be the most helpful so far: https://www.reddit.com/r/PFSENSE/comments/48iiq4/pfblockerng_exceptionswhitelist/

                                    We host servers behind the pfSense box, so we have allow rules to forward specific service ports/virtual-IP's to those systems.  We now also need to block large attack volumes from countries/continents we have no business connection to - in particular people trying to hack into email accounts (causing account lockouts) and the VoIP server (which luckily provides its own blacklisting, but at penalty of additional network load).

                                    I have tried using the main suggestion of "allowed countries" (rather than "block the world") - but this doesn't seem to provide enough protection, as with that approach we still see connections to our internal servers from countries that we don't want/need.  So the "block the world" approach and then allowing our own country (UK), plus adding some whitelisted addresses for known customer email sources (using services such as Messagelabs which use server presences across Europe) seems to be the configuration that works as we want.

                                    I fully accept this whitelisting approach is not easy with need to keep our manual list updated - but once we get the main sources in the list it shouldn't need changing very often.

                                    But I'm worried that the PFB rule priority setting seems to be ignored (or that the whitelist is not seen as a Pass/Match rule) - or simply I've not understood how to keep the Alias_Permit definition at the top of the rules.  I can't spend time resetting the rule several times a day.

                                    So just in the time taken to write this, the PFB cron job has occurred and the rule order changed again (attachment "Rule order after PFB cron update.png)", once again moving our whitelist rule under the block rules.

                                    Any ideas what I am doing wrong?  Could it be that using the Alias_Permit instead of "Allow Inbound" for the IPv4 custom list is the problem?

                                    We are on pfSense version 2.3.4-p1, with PFB 2.1.1_10.  We also use SNORT (just updated from 3.2.9.3 to 3.2.9.5_1) and OpenVPN.

                                    Thanks.

                                    EDIT I experimented with changing the IPv4 alias list setting from "Alias_Permit" to "Permit_Inbound".  That then uses the PFB rule priority setting to place the whitelist at the top of the PFB "auto rules", as its now set by PFB itself.  My manually added rule was still present (but again had been moved below the PFB reject rules), so I've deleted it.

                                    While it seems I've got things working, I'd still like to know if there is any better config I can define that still matches the desired protection as described above.

                                    ![manually set allow rule.png](/public/imported_attachments/1/manually set allow rule.png)
                                    ![manually set allow rule.png_thumb](/public/imported_attachments/1/manually set allow rule.png_thumb)
                                    ![pfBlockerNG rule priority setting.png](/public/imported_attachments/1/pfBlockerNG rule priority setting.png)
                                    ![pfBlockerNG rule priority setting.png_thumb](/public/imported_attachments/1/pfBlockerNG rule priority setting.png_thumb)
                                    ![Rule order after PFB cron update.png](/public/imported_attachments/1/Rule order after PFB cron update.png)
                                    ![Rule order after PFB cron update.png_thumb](/public/imported_attachments/1/Rule order after PFB cron update.png_thumb)
                                    ![pfBlockerNG IPv4 Alias List setting changed to Allow Inbound.png](/public/imported_attachments/1/pfBlockerNG IPv4 Alias List setting changed to Allow Inbound.png)
                                    ![pfBlockerNG IPv4 Alias List setting changed to Allow Inbound.png_thumb](/public/imported_attachments/1/pfBlockerNG IPv4 Alias List setting changed to Allow Inbound.png_thumb)

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      Riftcore34
                                      last edited by Nov 11, 2017, 12:39 AM

                                      @webtyro:

                                      @BBcan177
                                      First I wanted to thank you for the work you have put into this and as usual no real problems. I just wanted to ask about the gif image being pushed to the browser. When I browse to the VIP address I get a 1x1 pixel image.  Is this image a placecard holder that would be populated with info or should it be in a different scale. I run my browser locked down as much as possible so not having seen the image is not on my priority list. I can ping and browse to it but was wondering about the single pixel size. If this is normal unpopulated size no worries but if not where do you hide it and what size is the default.

                                      Where is this 1x1 Pixel option? I don't see it anywhere.

                                      1 Reply Last reply Reply Quote 0
                                      • B
                                        BBcan177 Moderator
                                        last edited by Nov 12, 2017, 11:36 PM

                                        @Riftcore34:

                                        @webtyro:

                                        @BBcan177
                                        First I wanted to thank you for the work you have put into this and as usual no real problems. I just wanted to ask about the gif image being pushed to the browser. When I browse to the VIP address I get a 1x1 pixel image.  Is this image a placecard holder that would be populated with info or should it be in a different scale. I run my browser locked down as much as possible so not having seen the image is not on my priority list. I can ping and browse to it but was wondering about the single pixel size. If this is normal unpopulated size no worries but if not where do you hide it and what size is the default.

                                        Where is this 1x1 Pixel option? I don't see it anywhere.

                                        Some details here:
                                          https://forum.pfsense.org/index.php?topic=120253.msg665063#msg665063

                                        With the current version its not practical since you will get this image instead of the 1x1 for blocked ADs also…

                                        The next version has functionality to push a blocked page if the blocked page was say www.example.com... And if the blocked page was an AD, then it gets the 1x1 pixel instead...

                                        The Blocked page is also customizable to what ever you want to add to it...

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          Cardnyl
                                          last edited by Nov 13, 2017, 4:41 AM

                                          I set up pfBlockerNG using this guide https://www.tecmint.com/install-configure-pfblockerng-dns-black-listing-in-pfsense/. I saw it mentioned (somewhere around page 45ish) that one of the reasons why I might not be see any sort of output on the alerts or blocking in general was because I am running Squid (transparent mode, wpad, ssl filtering (splice all)) on LAN and loopback interfaces. Do I need to adjust Squid to also filter on WAN interface as well to get these two packages to play with one another or is it something else entirely?

                                          I'm able to browse and ping the VIP address with no problems. I attempted to ping and nslookup something off of the yoyo list which I have added on my feeds and both went through okay.

                                          1 Reply Last reply Reply Quote 1
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received