@steveits said in SG3100 + pfBlockerNG-devel ?:

@mudmanc4 Here is the redmine bug report so you can follow it.

re: what triggers it, from the report certain orders of preg_match() calls can. It seems apparent that the pfSense GUI does not as everything I've seen is in regards to packages. Perhaps the feeds used (variable size) make a difference?

So far so good.

SG-3100 - 21.02p2 - Clean install

Actions taken in pfblockerNG

1 - Wizard
2 - Maxmind key set
3 - MaxMind Localized Language changed to Brazilian portuguese
Not using geoIP yet, planning to.

4 - Feeds

Noticed that only one DNSBL was in use, ADs_Basic, so I added the following:
. EasyList
. EasyList_Portuguese
. EasyPrivacy

5 - Changed DNSBL Mode to Unbound python mode
6 - Unchecked DNS Reply Logging because I don't need it

03b069f3-5e54-4692-9490-7065bac7d249-image.png

@bob-dig
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all)

I have tried on different computers on the network and they can still access it.

I have also tried on three different browsers.

I am really confused why some sites are blocked while others are not.

@viragomann Wenn die erste Antwort bzw. der erste Hop von Traceroute schon * * * zurückgegeben hatte, dann stimmte zu dem Zeitpunkt was mit dem Routing nicht wirklich. Wäre dann eher interessant gewesen, was beim traceroute blubb dann tatsächlich der volle Output war. Wäre es pfBNG gewesen, dann hätte die Auflösung von awsh.de schon 0.0.0.0 oder 127.1.1.7 ergeben und wäre ins "nichts" gelaufen. Wenn die aber sauber zur IP aufgelöst wurde und der Trace dann nicht ging, dann war das kein pfSense, sondern eine Routing/Proxmox Problem.

Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.

Steve

If you set pfBlocker to "native alias" instead of block, that will just create an alias and you can create your own block/allow rules however you want them.

I'll query the ISP on what are they doing there. Doubt they'll talk... but that is a different story.

Just as a quick follow up: If you pay for your own public IP to get forwarded to you, they should have no trouble setting their UBNT POP the way you want. Otherwise what's the gain in paying for something you can't successfully use all the way you want? ;)

Thanks Rod-it and Plissje for your info. It will help me to unblock other website. I believe upgraded pfblocker and pfsense to the newest version solved the problem.

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding white-list rules for my devices that are on a directly routed subnet. But trying to figure out how to handle an allow rule for an existing NAT rule is causing issues.

Have you found any solution yourself as of yet?

Solved it guys, did some googling on that SSL error and found another post here:

In
/var/unbound

Delete
dnsbl_cert.pem
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

Reboot and run force update/reload.

DNSBL now up and running. Thanks for the help in diagnosing guys.

I have the same problem but also my google home is blocking, i have added some IP adresses of google but not helped me.

Anyone a suggestion about that? I think i am not the anyone that this problem have with Google services.

@kiokoman Aha, that makes much more sense! Thanks!

Amigos, a solução para o meu problema foi aumentar as entradas máximas da tabela do firewall no campo:
System / Advanced / Firewall e NAT
Mudei o valor padrão de 400000 para 800000, mas o valor fica a critério de cada um de acordo a sua necessidade.

@riaanwest said in pfblockerng:

Basically making pfblockerng to create an alias for each category referenced in shallalist so you can create manual firewall rules using those aliases pointing to lets say social networks?

You can't use FW_Rules with DNSBL tables.

DNSBL operate on the Domain Name space.

Firewall rules operate on the IP space.

DNSBL will block domains, it cannot block based on a URL as it is a DNS based blocker.

@newyork10023 said in pfBlockerNG rule element modification and ordering:

To begin, pfBlockerNG_devel 2.2.1_2 is awesome. Wow. Thanks.

Thanks!

Certain feeds are naughty. For example, adding RFC 1918 (Private Address Space), Multicast addresses, etc., etc., etc., is just BAD. Blocking possibly necessary system addresses, including multicast addresses, etc., is just NASTY. Adding a WhiteList is not going to fix this issue. These rule elements need to be culled from the list(s), and I mean permanently.

By chance are you using Firehol Level1? That feed contains bogons and should not be used for Outbound blocking. You can also enable "Suppression" which will remove local/loopback addresss.

A couple of feature suggestions for automatic rule insertion: use rule Separators to bind automatic rule insertion to specific places in the rules. (Indeed, one of my pet peeves is that automatic rules re-arrange Separator organization in seemingly random ways.). Another suggestion would be that automatic rule insertion should not re-arrange rule ordering AT ALL (after their initial placement). Subsequent rule updates should update rules IN PLACE. I like the possibility that Separators could be used to bind automatic rule insertion. But, disabling all automatic rule insertion needs to be an option for DNSBL.

Firewall rule separators will be very difficult to implement with pfBlockerNG and auto rules...