    Netgate Discussion Forum
    DNSBL not creating firewall rules

    pfBlockerNG
    dnsbl firewall rules pfblockerng
      FredMcfly:

      I am using pfBlockerNG-devel 3.0.0_15, and pfsense 2.5.0-Release.

      Firewall rules are created for IPv4, but are not created for DNSBL. So nothing in DNSBL is blocked.

      I have pfBlockerNG and DNSBL both enabled.
      I have tried using "Unbound" and "Unbound python mode"
      VIP is 10.10.10.1, internal network is 192.168...
      I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected

      I have tried "Global Logging/Blocking Mode" set as both "DNSBL WebServer/VIP" and "No Global mode"

      I have tried with "Resolver Cache" enabled and disabled.
      I have tried with "DNSBL IPs" as "disabled" and "Deny Both"

      DNSBL groups have the default lists (e.g., EasyList, etc.)
      The lists are enabled and set to Unbound.

      Yes, I have done "force reload" for "all" many times. And the lists are downloaded and updated.

      DNS Forwarder is disabled and DNS Resolver is enabled to port 53
      "Network Interfaces" is set to LAN, LAN IPv6 Link-Local, and Localhost
      "Outgoing Network Interfaces" is set to WAN, WAN IPv6 Link-Local
      "DNSSEC" is enabled
      I have tried with both "Python Module" enabled and disabled.
      DNS Query Forwarding is disabled
      Use SSL/TLS is disabled
      DHCP Registration is disabled.
      Static DHCP is disabled.

      The widget shows that packets are seen for DNSBL, but nothing is blocked because the firewall doesn't have any rules for them.

      [screenshot]

      Websites that should be blocked do show up in the Reports->Alerts tab.

      Because I was desperate, I even reinstalled pfSense from scratch. And I still can't get it working.

      Can anyone help me identify what I am missing/failing to do?

        Antonio Briguglio @FredMcfly:

        @fredmcfly DNSBL Configuration
        Permit Firewall Rules enable

          FredMcfly @Antonio Briguglio:

          @antonio-briguglio
          Yes, I did that already.

          Quote: "I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected"

            Antonio Briguglio @FredMcfly:

            @fredmcfly Uninstall the pfBlockerNG package and then reinstall it.

              Antonio Briguglio @FredMcfly:

              @fredmcfly https://www.tecmint.com/install-configure-pfblockerng-dns-black-listing-in-pfsense/

                Antonio Briguglio @Antonio Briguglio:

                @antonio-briguglio
                https://www.firewallhardware.it/pfblockng-filtraggio-domini-e-url/
                Configure as described in the two guides. One guide is in Italian but has screenshots and is easy to understand.

                  FredMcfly @Antonio Briguglio:

                  @antonio-briguglio
                  I have tried to use these, but only part of it applies because I am using pfBlockerNG-devel 3.0.0_15 and the instructions at those websites use pfBlockerNG 2.x Release. So a lot of the options are no longer in version 3.0.0_15.

                    FredMcfly @Antonio Briguglio:

                    @antonio-briguglio
                    Yes, I reinstalled pfBlockerNG several times as well; in fact I even reinstalled pfSense from scratch.

                      FredMcfly @FredMcfly:

                      I even removed version 3.0 (Keep settings was not checked) and installed 2.1.4_25 and I still cannot block websites.

                        Bob.Dig @FredMcfly:

                        @fredmcfly DNSBL doesn't need any firewall rules, it is blocked in DNS.

                          FredMcfly @Bob.Dig:

                          @bob-dig
                          That makes sense. Didn't think about that. But then why aren't websites blocked?

                            Bob.Dig @FredMcfly:

                            @fredmcfly said in DNSBL not creating firewall rules:

                            Websites that should be blocked do show up in the Reports->Alerts tab.

                            That is like it should be.

                              FredMcfly @Bob.Dig:

                              @bob-dig But I can still access the websites.

                                Bob.Dig @FredMcfly:

                                @fredmcfly Give an example with screenshot. It is working here.
                                Edit: Maybe your browser is not using the pfSense DNS but something different, maybe even DoH.

                                  FredMcfly @Bob.Dig:

                                  @bob-dig
                                  So only some of the websites are being logged. But ones that aren't blocked are not logged.

                                    Bob.Dig @FredMcfly:

                                    @fredmcfly said in DNSBL not creating firewall rules:

                                    But ones that aren't blocked are not logged.

                                    Which is again normal.

                                      FredMcfly @Bob.Dig:

                                      @bob-dig I agree that it is normal to have a log for a website that is blocked.

                                      So any ideas why a website that is listed in the block list fails to be blocked?

                                      I have added rules to block DNS requests to the outside following this recipe.

                                      Basically it blocks all outside DNS requests but allows requests to the local DNS Resolver.

                                        Bob.Dig @FredMcfly:

                                        @fredmcfly For example, you probably can't block DoH like this, so you have to check your browser settings.
                                        Also post some screenshots what you have done and what is not working as expected.

                                          FredMcfly @Bob.Dig:

                                          @bob-dig
                                          OK, I checked the browser and it is not using DoH, see figure below or click on this link:

                                          [screenshot]

                                          Here are my DNSBL settings:
                                          [screenshots]

                                          DNSBL Feeds:
                                          [screenshot]

                                          My blacklist feed settings:
                                          [screenshots]

                                          When I do a force update, the feeds are downloaded and updated. Including my blacklist.

                                          ===[ DNSBL Domain/IP Counts ] ===================================
                                          
                                           1221752 total
                                            704572 /var/db/pfblockerng/dnsbl/Shallalist_porn.txt
                                            150125 /var/db/pfblockerng/dnsbl/Maltrail_BD.txt
                                            122595 /var/db/pfblockerng/dnsbl/C19_CTC.txt
                                             97559 /var/db/pfblockerng/dnsbl/Shallalist_porn_v4.ip
                                             29312 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
                                             28363 /var/db/pfblockerng/dnsbl/Shallalist_redirector.txt
                                             14523 /var/db/pfblockerng/dnsbl/Shallalist_gamble.txt
                                             14273 /var/db/pfblockerng/dnsbl/SWC.txt
                                             10633 /var/db/pfblockerng/dnsbl/EasyList.txt
                                              8449 /var/db/pfblockerng/dnsbl/Adaway.txt
                                              6999 /var/db/pfblockerng/dnsbl/Spam404.txt
                                              6827 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
                                              6612 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn_v4.ip
                                              6435 /var/db/pfblockerng/dnsbl/MVPS.txt
                                              3034 /var/db/pfblockerng/dnsbl/Shallalist_dating.txt
                                              2507 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
                                              1985 /var/db/pfblockerng/dnsbl/Krisk_C19.txt
                                              1951 /var/db/pfblockerng/dnsbl/Shallalist_models.txt
                                              1464 /var/db/pfblockerng/dnsbl/Yoyo.txt
                                              1180 /var/db/pfblockerng/dnsbl/Shallalist_redirector_v4.ip
                                              1146 /var/db/pfblockerng/dnsbl/Shallalist_sex_lingerie.txt
                                               482 /var/db/pfblockerng/dnsbl/myblacklist.txt
                                               390 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn.txt
                                               158 /var/db/pfblockerng/dnsbl/Shallalist_sex_education.txt
                                                98 /var/db/pfblockerng/dnsbl/Juniper_v4.ip
                                                42 /var/db/pfblockerng/dnsbl/Shallalist_gamble_v4.ip
                                                23 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
                                                 6 /var/db/pfblockerng/dnsbl/Juniper.txt
                                                 5 /var/db/pfblockerng/dnsbl/myblacklist_v4.ip
                                                 2 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
                                                 1 /var/db/pfblockerng/dnsbl/Shallalist_models_v4.ip
                                          

                                          If I look at myblacklist_v4.txt I find the following lines as expected:

                                          local-data: "redd.it 60 IN A 10.10.10.1"
                                          local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
                                          local-data: "reddit.com 60 IN A 10.10.10.1"
                                          local-data: "reddup.co 60 IN A 10.10.10.1"
                                          

                                          But if I enter reddit.com in my browser, I can still access it and click on links. So the website is not cached in the browser and it is not blocked.

                                          pfSense says my DNS servers are as follows:
                                          [screenshot]

                                          Any other information that may be helpful?

                                            FredMcfly @FredMcfly:

                                            Here are my firewall rules to block DNS requests to ports 53 and 853, and to force DNS requests to local:
                                            [screenshot]

                                              FredMcfly @FredMcfly:

                                              DNS Resolver Settings:
                                              [screenshots]

                                                FredMcfly:

                                                So I did some experimenting and some websites in my list are indeed blocked, but other websites are not blocked even though they are listed in the file /var/db/pfblockerng/dnsbl/myblacklist.txt.

                                                I'm not sure why this is happening.

                                                  Bob.Dig:

                                                  I added reddit.com to the DNSBL Custom_List of malicious and it worked, after pfBlocker ran the usual update.
                                                  Also I didn't need any firewall rules for that, because it is all DNS based.

                                                  [screenshot]

                                                  Edit: I tried your list, problem seems to be that reddit.com is blocked, but not www.reddit.com.

                                                    FredMcfly @Bob.Dig:
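Bob.Dig's finding above (reddit.com blocked, www.reddit.com not) matches how Unbound treats `local-data`: each entry implicitly creates a transparent local-zone for its owner name, so only that exact name is answered from local data and any other name beneath it is resolved normally. The following Python model of that lookup is an added example, not pfBlockerNG's or Unbound's code; it parses the four local-data lines quoted from myblacklist.txt and compares them with a hypothetical `local-zone: "reddit.com" redirect` declaration, which is not a setting the thread mentions, to show which probe names would still escape to upstream resolution.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four local-data lines quoted from myblacklist.txt.
LOCAL_DATA = """\
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
"""

# Hypothetical comparison: a redirect zone makes the apex data cover subdomains.
REDIRECT_ZONE = 'local-zone: "reddit.com" redirect\n'

LOCAL_DATA_RE = re.compile(
    r'^local-data:\s*"([^\s"]+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+([\d.]+)"$')
LOCAL_ZONE_RE = re.compile(r'^local-zone:\s*"([^\s"]+)"\s+(\w+)$')


def parse_unbound(conf: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (local A data keyed by name, local-zone type keyed by apex)."""
    data: Dict[str, str] = {}
    zones: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = LOCAL_DATA_RE.match(line)
        if m:
            name = m.group(1).rstrip(".").lower()
            data[name] = m.group(2)
            # Unbound creates an implicit *transparent* zone for each
            # local-data owner name unless a local-zone is declared for it.
            zones.setdefault(name, "transparent")
            continue
        m = LOCAL_ZONE_RE.match(line)
        if m:
            zones[m.group(1).rstrip(".").lower()] = m.group(2).lower()
    return data, zones


def resolve(qname: str, data: Dict[str, str], zones: Dict[str, str]) -> Optional[str]:
    """Sinkhole address Unbound would answer with, or None when the query
    falls through to normal recursion (i.e. the name is NOT blocked)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):           # closest enclosing zone wins
        apex = ".".join(labels[i:])
        if apex in zones:
            if zones[apex] == "redirect":  # apex data covers all subdomains
                return data.get(apex)
            return data.get(".".join(labels))  # transparent: exact name only
    return None


def unblocked(names: List[str], data: Dict[str, str], zones: Dict[str, str]) -> List[str]:
    """Names from a probe list that would still resolve upstream."""
    return [n for n in names if resolve(n, data, zones) is None]


if __name__ == "__main__":
    probes = ["reddit.com", "www.reddit.com", "old.reddit.com", "redd.it"]
    d, z = parse_unbound(LOCAL_DATA)
    print("transparent (as generated):", unblocked(probes, d, z))
    d, z = parse_unbound(LOCAL_DATA + REDIRECT_ZONE)
    print("with redirect zone:        ", unblocked(probes, d, z))
```

A quick way to confirm the same thing on the firewall is to query the resolver for both the apex and a www. name and compare which one answers with the 10.10.10.1 VIP.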

                                                    @bob-dig
                                                    I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List, and the website (and others) is still not blocked. (Yes, I did a force update all.)

                                                    I have tried on different computers on the network and they can still access it.

                                                    I have also tried on three different browsers.

                                                    I am really confused why some sites are blocked while others are not.

                                                    © 2021 Rubicon Communications, LLC | Privacy Policy