A feed in pfBlockerNG blocking access to Ubuntu.com, keepasssc.org, etc?
-
This morning, I noticed I could not access several sites - ubuntu.com, canonical.com, and Keepassxc.org as examples. Noticed I could access them via the Tor network (proxy bypassing pfSense). Started looking at my pfSense box - 2.4.5-RELEASE, pfBlockerNG, Suricata, all up-to-date. Haven't yet found the specific reason for the blocks but have found that if I disable pfBlockerNG, I can reach those sites. Re-enabling - I cannot. Attempting to add an alias of allowed sites to the firewall errors out with "A valid URL must be provided. Could not fetch usable data from 'ubuntu.com'." However, I can ping from the pfSense box and reach them from internal machines when pfBlockerNG is disabled (all are using the same DNS settings). I obviously don't want to move forward without pfBlockerNG and will start by limiting feeds - any thoughts on which may be listing very common sites?
Thanks!
-
pfBlockerNG - that is, pfBlockerNG-devel - doesn't block anything by default.
You should know why you activated a feed in pfBlockerNG-devel.
These feeds are collected by humans. Some of them are very well maintained, others are less well taken care of. Also, IPv4 addresses are bought and sold daily. Thus a URL could point to one IP today, and another IP tomorrow, which was known as a spammer IP .....
If pfBlockerNG-devel is blocking, it will list this event in Firewall > pfBlockerNG > Alerts > DENY and/or DNSBL. Up to you to check out this list as soon as you think something 'is wrong', and whitelist a domain if needed.
Or, delete the feed that references the falsely blocked domain. pfBlockerNG-devel is a tool that needs to be taken care of. It's a never ending story.
-
@Gertjan said in A feed in pfBlockerNG blocking access to Ubuntu.com, keepasssc.org, etc?:
lockerNG-devel is blocking, it
Thanks for the reply, Gertjan. Completely understand. Didn't say anything was wrong; once I realized it was pfBlockerNG, I knew it was from a feed. Was just asking if anyone else had seen this and knew offhand which feed may be blocking. I activated feeds based on testing and recommendations from trusted sources - have had few false positives until recently. Understand care and feeding :) of most any security software, OS, etc. (updating Ubuntu is what first caused me to notice this particular issue). Have attempted whitelisting; it doesn't seem to make a difference. Haven't yet had time to fully troubleshoot as this is on a home environment and work takes precedence :) so have left current feeds in place and disabled pfBlocker for the short times I've needed to access any blocked sites and then re-enabled. Hope to fully track down this weekend.
-
mostly RESOLVED
Eventually bothered me enough today that I finally sifted through the logs - thanks for pushing me Gertjan :) - I should have just done the work initially :). I was focused on the DNSBL feeds but it wasn't those at all. Turned out to be the Top Spammers selection of GeoIP that was blocking lots of sites that I consider useful - ubuntu.com, keepassxc.org, winscp.net, etc. Disabling Top Spammers resolved access to those sites. Added an alias for allowed sites, created a rule to allow above this particular pfBlockerNG rule, and then re-enabled Top Spammers - still blocks. Will leave Top Spammers disabled for now until I have more time to fine tune.
-
I found this answer elsewhere that will allow maintaining a proper whitelist instead of disabling the entire Top Spammers feed. "You can add Canonical, Inc's ASN to the IPv4 source list and permit outbound. It's AS41231.
In the IPv4 category, click the green Add button at the bottom. Click the Format pulldown and select ASN. Click the State pulldown and select ON. In Source, type in AS41231.
Under Settings, click the Action pulldown and select Permit Outbound. Under Update Frequency, select Weekly.
After you save it, force an Update or wait for it to run at the next scheduled time.
Many enterprises have at least one ASN, so I think it's a pretty good tool to use to automatically maintain an IP whitelist for each organization.
You can use https://bgp.he.net/ to search for ASNs." - /user/ontheroadtonull
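The two lessons of this thread, finding which feed a blocked IP belongs to and checking that an ASN-based Permit Outbound rule actually wins over the Top Spammers deny, can be modelled offline with Python's ipaddress module. This is an added example, not code from the thread, pfSense or pfBlockerNG; the prefixes for the feeds and for AS41231 are constructed placeholders from the RFC 5737 documentation ranges, and the rule names are invented.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder prefixes (RFC 5737 documentation ranges), NOT the
# real contents of the Top Spammers GeoIP list or of AS41231's announcements.
FEEDS = {
    "pfB_Top_Spammers": ["203.0.113.0/24", "198.51.100.0/24"],
    "pfB_DNSBL_sample": ["192.0.2.0/24"],
}
AS41231_SAMPLE = ["203.0.113.0/25"]   # stands in for the ASN-format IPv4 source


def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


@dataclass
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    networks: list = field(default_factory=list)

    def matches(self, ip):
        return any(ip in net for net in self.networks)


def feeds_containing(dst_ip, feeds=FEEDS):
    """Answer 'which feed is blocking this host?' for one destination IP."""
    ip = ipaddress.ip_address(dst_ip)
    return sorted(name for name, pfx in feeds.items()
                  if any(ip in n for n in nets(pfx)))


def build_rules(asn_permit_first):
    """Model the rule set: a Permit Outbound rule for the ASN alias and a Deny
    rule for the Top Spammers alias, in either order."""
    permit = Rule("pfB_AS41231_permit", "permit", nets(AS41231_SAMPLE))
    deny = Rule("pfB_Top_Spammers_deny", "deny", nets(FEEDS["pfB_Top_Spammers"]))
    return [permit, deny] if asn_permit_first else [deny, permit]


def evaluate(dst_ip, rules):
    """Top-down, first match wins, as pfSense evaluates interface rules."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.name
    return "pass", "default"


if __name__ == "__main__":
    target = "203.0.113.10"      # constructed: inside both the feed and the ASN sample
    print(feeds_containing(target))
    print(evaluate(target, build_rules(asn_permit_first=True)))
    print(evaluate(target, build_rules(asn_permit_first=False)))
```

The last two calls show why the permit rule must sit above the pfBlockerNG deny rule: with the order reversed, the same destination is still denied by the Top Spammers alias.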