@motivio said in Rest DNSBL Block Stats:

Hi,
How can I rest the "DNSBL Block Stats" of the pfBlockerNG?
Thanks!

There are two ways you can do this.

Go to Firewall / pfBlockerNG and then click on Logs tab. In dropdown menu under Log/File selection select dnsbl.log and click on a trash can to remove.

2750dc31-42f8-4348-991d-87bccd753836-image.png

Go to Diagnostics / Command Prompt and type this into Execute Shell Command field: rm -rf /var/log/pfblockerng/dnsbl.log

Click on yellow execute button and thats it.

880a2ea4-af7f-47f1-861e-13b3206be784-image.png

@steveits said in Geoblocking the world except for home:

@nogbadthebad Since you showed "alias permit" just be aware that reportedly de-dupes across other permit or deny lists. There was a thread last year sometime where someone pointed out IPs were being removed. Alias Native will leave the lists unchanged.

Cheers I've changed them :)

@bob-dig
I tryed to disabled all lists but Wa still not working.
And yes, no logging about the call blocks.
So you're disconnect from wifi every time you make or receive a call? I hope in a solution.

@marco-42 Welcome

@rvjr On pfSense unbound generally restarts. See
https://redmine.pfsense.org/issues/5413

@the-other said in DNSBL Stops DNS Service (Solved):

pfblockerng_dev (do not know about the other one) does NOT reload a list from servers if there are noch changes.
It seems "smart" enough to recognize a change in the list.
No changed list > no download (at least that's what the log says...

I hope so, I'm not so sure.

File attributes, size, last modified time stamp etc are needed before the file gets downloaded again.
But :
/usr/local/pkg/pfblockerng/pfblockerng.inc line 3373 :

if (($fhandle = @fopen("{$file_dwn}.raw", 'w')) !== FALSE) {

The local destination file is opened for writing - so initial file size date etc are lost : CURL doesn't cache by itself : the file can only be re downloaded at this stage.

Also :
/usr/local/pkg/pfblockerng/pfblockerng.inc line 170 :

CURLOPT_FRESH_CONNECT => true

Now read Is there a way to tell curl to not use cache

edit :
I forget something : most feeds are https://..... and default TLS web server caching is : no caching.
So even if you, on the receiving side, are ok to receive a cached version, you still get the entire file again.

Btw :less used download methods like rsync are version/date/time aware.

@bob-dig
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all)

I have tried on different computers on the network and they can still access it.

I have also tried on three different browsers.

I am really confused why some sites are blocked while others are not.

Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.

Steve

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding white-list rules for my devices that are on a directly routed subnet. But trying to figure out how to handle an allow rule for an existing NAT rule is causing issues.

Have you found any solution yourself as of yet?

Solved it guys, did some googling on that SSL error and found another post here:

In
/var/unbound

Delete
dnsbl_cert.pem
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

Reboot and run force update/reload.

DNSBL now up and running. Thanks for the help in diagnosing guys.

I have the same problem but also my google home is blocking, i have added some IP adresses of google but not helped me.

Anyone a suggestion about that? I think i am not the anyone that this problem have with Google services.

@jot thanks for the info. You are right. Though I do not understand why to force whitelist google and yandex subdomains which are used for ads - ads.google.com|adservices.google.com. I just can not block ads if I enable safesearch option

@riaanwest said in pfblockerng:

Basically making pfblockerng to create an alias for each category referenced in shallalist so you can create manual firewall rules using those aliases pointing to lets say social networks?

You can't use FW_Rules with DNSBL tables.

DNSBL operate on the Domain Name space.

Firewall rules operate on the IP space.

@newyork10023 said in pfBlockerNG rule element modification and ordering:

To begin, pfBlockerNG_devel 2.2.1_2 is awesome. Wow. Thanks.

Thanks!

Certain feeds are naughty. For example, adding RFC 1918 (Private Address Space), Multicast addresses, etc., etc., etc., is just BAD. Blocking possibly necessary system addresses, including multicast addresses, etc., is just NASTY. Adding a WhiteList is not going to fix this issue. These rule elements need to be culled from the list(s), and I mean permanently.

By chance are you using Firehol Level1? That feed contains bogons and should not be used for Outbound blocking. You can also enable "Suppression" which will remove local/loopback addresss.

A couple of feature suggestions for automatic rule insertion: use rule Separators to bind automatic rule insertion to specific places in the rules. (Indeed, one of my pet peeves is that automatic rules re-arrange Separator organization in seemingly random ways.). Another suggestion would be that automatic rule insertion should not re-arrange rule ordering AT ALL (after their initial placement). Subsequent rule updates should update rules IN PLACE. I like the possibility that Separators could be used to bind automatic rule insertion. But, disabling all automatic rule insertion needs to be an option for DNSBL.

Firewall rule separators will be very difficult to implement with pfBlockerNG and auto rules...