Netgate Discussion Forum

    pfBlockerNG-devel feedback

      lordbob75 @RonpfS

      @ronpfs Ok, that's what I figured but wanted to confirm. I appreciate the help!

      Edit: removing the duplicate entry did indeed fix it, awesome.

        anttechs

        I have tried it and loved it and I can't wait for it to come out :)

        Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
        Current: 1992 MHz, Max: 1993 MHz
        4 CPUs: 1 package(s) x 4 core(s)
        AES-NI CPU Crypto: No
        8 Gig RAM
        250GB SSD

        https://ant-techs.is/ip-blocklists

          occamsrazor

          I just took the plunge and moved to -devel....... It's fantastic. Having all the preset feeds and their organization into groups makes everything so much easier.

          One question though.... I'm confused where to put individual IP addresses and domains that I want to whitelist from ALL the IPV4 feeds.

          For DNSBL, I put domains in the DNSBL Whitelist box and that seems to work.

          For IPV4 on the previous version I had two custom Permit lists, which have got carried over to the -devel version:

          0_1535738552244_Screen Shot 2018-08-31 at 20.57.32.jpg

          For domains that I want converted to IPs and then whitelisted, I put "Whois" in the source box and the domains in IPv4 Custom_List and this seems to work:

          0_1535738698058_Screen Shot 2018-08-31 at 21.03.44.jpg

          But for IPs that I want whitelisted I put the IPs in IPv4 Custom_List but I don't know what to put for Source and when I leave it blank I get this error:

          0_1535738796693_Screen Shot 2018-08-31 at 20.58.31.jpg

          Am I doing this all wrong or where should I be putting these?

          pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
          Ubiquiti Unifi wired and wireless network, APC UPSs
          Mac OSX and IOS devices, QNAP NAS

            RonpfS @occamsrazor

            @occamsrazor said in pfBlockerNG-devel feedback:

            For domains that I want converted to IPs and then whitelisted, I put "Whois" in the source box and the domains in IPv4 Custom_List and this seems to work:

            You have to change the Format to Whois, then you type a Domain Name in the Source Field.

            2.4.5-RELEASE-p1 (amd64)
            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              RonpfS @occamsrazor

              @occamsrazor said in pfBlockerNG-devel feedback:

              But for IPs that I want whitelisted I put the IPs in IPv4 Custom_List but I don't know what to put for Source and when I leave it blank I get this error:

              Change the State to Off

                occamsrazor @RonpfS

                @ronpfs said in pfBlockerNG-devel feedback:

                @occamsrazor said in pfBlockerNG-devel feedback:

                But for IPs that I want whitelisted I put the IPs in IPv4 Custom_List but I don't know what to put for Source and when I leave it blank I get this error:

                Change the State to Off

                Ah OK. So if I put State to Off but still have a list of IPs in the IPv4 Custom_List text entry box they will still get added?

                @ronpfs said in pfBlockerNG-devel feedback:

                @occamsrazor said in pfBlockerNG-devel feedback:

                For domains that I want converted to IPs and then whitelisted, I put "Whois" in the source box and the domains in IPv4 Custom_List and this seems to work:

                You have to change the Format to Whois, then you type a Domain Name in the Source Field.

                If I do that I'd have to create a new "Format, State, Source, Header/Label" for each individual domain. Can I not have a list of domains in the IPv4 Custom_List box and check the "Enable Domain/AS" box, perhaps setting the State to OFF as suggested for the above?

                Thanks....

                  RonpfS @occamsrazor

                  @occamsrazor said in pfBlockerNG-devel feedback:

                  Ah OK. So if I put State to Off but still have a list of IPs in the IPv4 Custom_List text entry box they will still get added?

                  Yes.

                  @occamsrazor said in pfBlockerNG-devel feedback:

                  Can I not have a list of domains in the IPv4 Custom_List box and check the "Enable Domain/AS" box, perhaps setting the State to OFF as suggested for the above?

                  Yes you can do that as well.

                  You should also inspect the content of the tables in the Logs tab.

                    occamsrazor @RonpfS

                    @ronpfs said in pfBlockerNG-devel feedback:

                    Yes you can do that as well.
                    You should also inspect the content of the tables in the Logs tab.

                    Nice. Thanks a lot for clearing that up. When I go to the top two items in the dropdown seen here I can see all the IPs including the ones converted from domains, so I think that is all working correctly....

                    0_1535744394594_Screen Shot 2018-08-31 at 22.38.02.jpg

                    One final (I hope) question. Is there a way to keep one single domain whitelist that gets used for both:
                    a) Conversion to IPs for IPV4 whitelisting
                    b) Use in DNSBL whitelisting
                    I get the impression the IPV4 and DNSBL functions operate very separately..... and that you would have to keep domain whitelist in the two places to be sure.

                      RonpfS @occamsrazor

                      @occamsrazor
                      IPV4 operates in the IP space. It can take domain names and convert them to IPs before building the tables.

                      DNSBL operates in the DNS space, that is only with domain names.

                      Instead of using Whitelist, why don't you suppress IPs instead?

                        occamsrazor @RonpfS

                        @ronpfs said in pfBlockerNG-devel feedback:

                        Instead of using Whitelist, why don't you suppress IPs instead?

                        What would be the advantage of that way vs whitelist? In the IPV4 Suppression box I thought you could only enter ranges not individual IPs. But I guess you can enter them with /32 netmask, right?

                          JeGr LAYER 8 Moderator

                          @BBcan177 just a quick question: I checked on pfBlockerNG devel on a 2.4.4 snapshot system. Still shows php56-5.6.34 as dependency. As 2.4.4 runs on php7.2 I'm wondering, why pfBNG requires usage of the old PHP version (in package manager listing)?

                          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                            BBcan177 Moderator @JeGr

                            @jegr said in pfBlockerNG-devel feedback:

                            I checked on pfBlockerNG devel on a 2.4.4 snapshot system. Still shows php56-5.6.34 as dependency. As 2.4.4 runs on php7.2 I'm wondering, why pfBNG requires usage of the old PHP version (in package manager listing)?

                            The pfSense devs manage that integration. Here is the commit to the makefile:
                            https://github.com/pfsense/FreeBSD-ports/commit/54dd3d529ac6a55cd0c1e05f0c3956fb668d7cbd

                            There seem to be some hiccups with this but I believe it to be part of the base pfSense code.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              JeGr LAYER 8 Moderator @BBcan177

                              @bbcan177 no problem, just wanted to ask as that drew my attention :)

                              Edit: My mistake, I set the system to "stable" after updating to 2.4.4-snapshots, to get it to 2.4.4-Release without any further snapshot. That switched Packages back to displaying 2.4.3 info, so the PHP version was old. Switching it back to snaps shows a correct 7.2.9 - my bad!

                                BBcan177 Moderator

                                @jegr said in pfBlockerNG-devel feedback:

                                @bbcan177 no problem, just wanted to ask as that drew my attention :)

                                I did some tests and the only way I could get the PHP version to be out of sync was to set the 2.4.4 machine to use the pfSense 2.3.x branch ?

                                EDIT: Haha... yes, I was typing as you made your edit !! :)

                                  JeGr LAYER 8 Moderator @BBcan177

                                  @bbcan177 said in pfBlockerNG-devel feedback:

                                  @jegr said in pfBlockerNG-devel feedback:

                                  @bbcan177 no problem, just wanted to ask as that drew my attention :)

                                  I did some tests and the only way I could get the PHP version to be out of sync was to set the 2.4.4 machine to use the pfSense 2.3.x branch ?

                                  EDIT: Haha... yes, I was typing as you made your edit !! :)

                                  Haha 😄 I was curious, too, as I read through the GIT intel so I backtracked and facepalmed over my own stupidity. Serves me right, better double check my facts before calling bugs 😉

                                    occamsrazor

                                    No big deal but just to let you know these feeds have been getting download errors for the last few days..... at least for me.

                                    0_1536825395478_download fails.jpg

                                      bartkowski

                                      @BBcan177 Can you see my post https://forum.netgate.com/topic/135362/geoip-policy-based-routing-not-working-with-pfblockerng-devel
                                      To me it appears as an issue with the new version.

                                        BBcan177 Moderator @occamsrazor

                                        @occamsrazor

                                        Blutmagie needs to have the State set to "flex" since the TLS settings or the certificates of the site are poor.

                                        For the Dan.me feed, they have rate-limiting. You can move that feed into its own Alias "TOR2" and set it to update every 4 hours... I might have to adjust the Feeds Tab to account for this issue. I have been after Dan.me for several months to try to improve this issue. Part of the problem is that pfBlockerNG checks the last-time-stamp of the Feed and Dan.me is counting this as a download attempt which causes the rate-limiting issue.

                                          un1que

                                          For some days now I have had some trouble using pfBlockerNG. From time to time a notification appears:

                                          There were error(s) loading the rules: /tmp/rules.debug:52: cannot define table pfB_Level4_v4: Cannot allocate memory - The line in question reads [52]: table <pfB_Level4_v4> persist file "/var/db/aliastables/pfB_Level4_v4.txt"
                                          @ 2018-09-16 00:38:28
                                          

                                          Has anyone an idea what the solution might be?

                                            BBcan177 Moderator

                                            @un1que said in pfBlockerNG-devel feedback:

                                            Cannot allocate memory

                                            Need to increase the pfSense > System > Advanced > Firewall & NAT > Firewall Maximum Table Entries
                                            The package defaults it to "2000000", but you might need to increase that value depending on how many Aliastable entries you have.
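
An added example, not part of the posts above and not pfBlockerNG code: a POSIX shell script that tallies the entries in the alias table files under `/var/db/aliastables` (the directory named in the error message) and compares the total with a Firewall Maximum Table Entries value. It assumes one address or CIDR per line and that lines starting with `#` are comments; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: compare the number of alias table entries on disk with the
# pf table-entries limit. Assumes one IP/CIDR per line, '#' starts a comment.
# Usage: sh count_tables.sh /var/db/aliastables 2000000

# count_table_entries FILE
# Print the number of lines that are neither blank nor comments.
count_table_entries() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# total_alias_entries DIR
# Print the sum of entries across every DIR/*.txt table file.
total_alias_entries() {
    dir=$1
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue        # glob matched nothing
        n=$(count_table_entries "$f")
        total=$((total + n))
    done
    echo "$total"
}

# check_table_limit DIR LIMIT
# Print a per-table report, then return 0 if the total fits within LIMIT
# and 1 if it does not (the condition behind "Cannot allocate memory").
check_table_limit() {
    dir=$1
    limit=$2
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        n=$(count_table_entries "$f")
        printf '%-28s %10d\n' "$(basename "$f" .txt)" "$n"
    done
    total=$(total_alias_entries "$dir")
    printf '%-28s %10d (limit %d)\n' "TOTAL" "$total" "$limit"
    [ "$total" -le "$limit" ]
}

# Run only when a directory and a limit are given on the command line.
if [ "$#" -ge 2 ]; then
    check_table_limit "$1" "$2"
fi
```

The limit currently loaded into pf can be read with `pfctl -sm` (the `table-entries` line) and passed as the second argument.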
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.