pfBlockerNG-devel v2.2.5_18

tagit446

I just updated an existing install of 2.2.5_17 to the new version and I to am having the same issue now. The previous version was working great.

I am also seeing the "Unable to apply rules. Outbound interface option not configured.". I checked and found the outbound interface options are still set correctly. All of my pfb aliases are now gone.

No errors in the logs that I can see.

BBcan177

@tagit446 said in pfBlockerNG-devel v2.2.5_18:

I just updated an existing install of 2.2.5_17 to the new version and I to am having the same issue now. The previous version was working great.
I am also seeing the "Unable to apply rules. Outbound interface option not configured.". I checked and found the outbound interface options are still set correctly. All of my pfb aliases are now gone.
No errors in the logs that I can see.

I submitted a PR which is waiting on approval:
https://github.com/pfsense/FreeBSD-ports/pull/586

Run this command to download a patched file:

fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://gist.githubusercontent.com/BBcan177/15383a6b67b0b24154997a7ad5c3c66a/raw"

tagit446

@bbcan177 said in pfBlockerNG-devel v2.2.5_18:

fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://gist.githubusercontent.com/BBcan177/15383a6b67b0b24154997a7ad5c3c66a/raw"

This appears to have fixed the issue.

It's seriously only been a few minutes since i posted, thanks so much for the speedy reply and fix!

BBcan177

@tagit446 said in pfBlockerNG-devel v2.2.5_18:

It's seriously only been a few minutes since i posted, thanks so much for the speedy reply and fix!

Your welcome!

TECHEDGE59

I need to change the "CN_DNSBL" default self signed certificate by a one coming from my own internal certificate authority on lan network. Is it possible ? And how to do it ? By the GUI it looks impossible, so by entering console commands ? If you can help, thanks a lot !
I would also like to congratulate you on your excellent work on Pfblockerng !

Grimson

@techedge59 said in pfBlockerNG-devel v2.2.5_18:

I need to change the "CN_DNSBL" default self signed certificate by a one coming from my own internal certificate authority on lan network. Is it possible ?

Yes, but what do you hope to accomplish with that? This will not prevent certificate errors on filtered https urls, if that is what you intend to do.

TECHEDGE59

@grimson Know that... But my goals are:
1/ That all navigators in the lan, and especially Chrome, do not always ''alert'' the users cause of a self signed certificate. It's very important for us.
2/ Of course, then, if possible, remove the certificate error.

Grimson

@techedge59 said in pfBlockerNG-devel v2.2.5_18:

@grimson Know that... But my goals are:
1/ That all navigators in the lan, and especially Chrome, do not always ''alert'' the users cause of a self signed certificate. It's very important for us.

They will then alert the users that the certificate doesn't match the requested domain name.

2/ Of course, then, if possible, remove the certificate error.

https://forum.netgate.com/topic/137053/how-to-restrict-custom-websites-with-pfblockerng-devel/5

periko

Hi, just wondering.
Does pfblockerNG have the option to setup ACL and say, this IP's alias from my LAN can have this blacklist more restricted and have other less restricted?
Like a proxy thing.
I will give a try this package, I use pi-hole but if pfsense do the job, why to have another machine in the network.
Thanks.

BBcan177

@periko said in pfBlockerNG-devel v2.2.5_18:

Does pfblockerNG have the option to setup ACL and say, this IP's alias from my LAN can have this blacklist more restricted and have other less restricted?

For DNSBL, you can define "views" in the Resolver (Unbound) settings to allow some devices to bypass DNSBL.
https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

For IP Blocking, you can define the "Advanced In/Outbound" Firewall rule settings at the bottom of each Alias to configure how these Firewall rules apply to your network.

BBcan177

@techedge59 said in pfBlockerNG-devel v2.2.5_18:

@grimson Know that... But my goals are:
1/ That all navigators in the lan, and especially Chrome, do not always ''alert'' the users cause of a self signed certificate. It's very important for us.
2/ Of course, then, if possible, remove the certificate error.

DNSBL is not going to MITM these blocked domain and serve a false certificate. See the link as indicated by @Grimson, by setting DNSBL Logging as disabled for these particular domains.

talaverde

Wasn't sure if you wanted feedback here or on the original thread. Anyway. One thing to note. I've been using the CARP feature. It's been working fine, the best I can see EXCEPT one blaring issue. "Failing over" to the 2nd node is fine, but when the main node takes over again and is 'master', the Carp Interface for pfB (LAN@1, 10.10.10.1) is still master on the backup node. All other connections fail back to the main node as they are supposed to but the pfB one does not. The quick work around is to disable carp on the 2nd node for a moment, then turn it back on. That forces the interface to switch back to the main node. It seems the pfB Carp interface requires a true 'disconnection' to trigger the switch. It will not auto-switch back to the main node on it's own. Not the end of the world. I can deal with it for now, but something you may want to look into for the next version. Thanks for all the hard work!

Su30MKI

@bbcan177 If I have multiple Vlans configured and I want different rules for different Vlans, How do I do it? How do I create aliases using DNS blacklist atleast via pfblockerNG?