Netgate Discussion Forum
    pfblocker is not working. it does not block anything.

noonstarx

      Re: pfBlockerNG-devel v3.1.0_0

Hi. I am quite new to using pfblockerng_devel 3.1.0_4. I have installed and configured pfblockerng. It has created two sets of floating rules in the firewall. I do not know what the problem is, but it appears it does not block anything. My guess is it has to be something with the firewall rules or something else that I am missing here.
Who can help, please?

Gertjan @noonstarx

        @noonstarx

What does the widget show?
Something like:

[screenshot]

What do you see under Firewall > pfBlockerNG > Alerts?

Are both pfb_* processes running?

[screenshot]

Have you loaded DNSBL feeds?

        @noonstarx said in pfblocker is not working. it does not block anything.:

        It has created two sets of floating rules in firewall.

These floating rules are created if you've set up one or more feeds using IP addresses.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

publictoiletbowl

Mine is a different issue: out of 4 VLANs, only 1 VLAN is working, but all 4 VLANs were selected in the pfBlocker main settings.

noonstarx @Gertjan

            @gertjan Hi. Thanks for replying.

            Answer to your questions:

            My widget shows:
[screenshot 0A.png]

            My Alerts are:
            2A.png

            My Processes:
            1A.png

And yes, I have loaded DNSBL feeds.

Gertjan @noonstarx

              @noonstarx

We're both using the same DNSBL feed/list:

[screenshot]

So, instead of locating this file on pfSense, let's get the first lines from here: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Here it is:

[screenshot]

Let's test the first one, eu1.clevertap-prod.com, on a device on my LAN:

              C:\Users\Gauche>nslookup eu1.clevertap-prod.com
              Serveur :   pfSense.brit-hotel-fumel.net
              Address:  192.168.1.1
              
              Nom :    eu1.clevertap-prod.com
              Address:  0.0.0.0
              

              0.0.0.0 => blocked.

Btw: 192.168.1.1 is my pfSense, and I'm using the resolver unbound, in Python mode.

And this event is logged:

[screenshot]

              @noonstarx said in pfblocker is not working. it does not block anything.:

              My Alerts are:

Your log shows filtered stuff on the WAN interface.
Do you have NAT rules? Or are you letting traffic in?
If not, don't bother filtering the WAN.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

Bob.Dig

                At least you have alerts... I don't see any for ages now but it is blocking just fine.

Gertjan @Bob.Dig

                  @bob-dig said in pfblocker is not working. it does not block anything.:

                  I don't see any for ages now but it is blocking just fine.

You're probably not looking at who is knocking on the closed door, the WAN, and that's a wise thing.
Furthermore, your LAN clients are not visiting prohibited IPs; that is also a good thing.

I had one last August 4:

[screenshot]

and that was me testing an IP, using a PC on my LAN, 192.168.1.6.

The DNSBL (Python) part is full of attempts, like our Samsung TV trying to call 'home'.

[screenshot]

Even the PC I'm using right now is trying to contact "incoming.telemetry.mozilla.org". Probably Firefox calling home.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

Bob.Dig @Gertjan (last edited by Bob.Dig)

                    @gertjan Actually no, I don't know why but pfblocker is not showing any alerts here. I do block on WAN but only on ports that I had opened.

                    Screenshot 2022-09-26 104900.png

noonstarx @Gertjan (last edited by noonstarx)

                      @gertjan Hi. I still cannot figure it out.

                      There are a couple of NAT rules:

                      3A.png

                      and this:

                      4A.png

And I get DNSBL Block alerts from the LAN interface as well. But when it comes to a particular website block like Facebook, I still cannot see any change.

                      and when:

                      C:\Users\user>nslookup facebook.com
                      Server: dns.google
                      Address: 8.8.8.8

                      Non-authoritative answer:
                      Name: facebook.com
                      Addresses: 2a03:2880:f167:81:face:b00c:0:25de
                      157.240.227.35

Gertjan @noonstarx (last edited by Gertjan)

                        @noonstarx said in pfblocker is not working. it does not block anything.:

                        There are a couple of NAT rules:

Those are not WAN based; they redirect 10.10.10.1, the IP of the built-in web browser, to 127.0.0.1 so it can show you the "You've accessed a blocked site" page.

Which, IMHO, is a useless functionality, as most sites are accessed by https these days, and https can't be redirected like that. Only ancient http requests could be redirected.

I'm not using this pfBlockerNG web server, but do 0.0.0.0 + logging.

Your outbound NAT rules are the defaults, that's fine.

This is pure BS:

                        @noonstarx said in pfblocker is not working. it does not block anything.:

                        C:\Users\user>nslookup facebook.com
                        Server: dns.google
                        Address: 8.8.8.8

Why would you want your device (PC) to ask 8.8.8.8 to resolve for you?

You are completely bypassing the resolver running on pfSense.
Conclusion: you are bypassing the pfSense resolver == bypassing pfBlockerNG. Remember: pfBlockerNG integrates itself into unbound, the resolver.

Read again:

[screenshot]

I guess it's 'case closed' now 😊

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??
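As an added example (not code from this thread or from pfBlockerNG), here is a small Python check that applies the point above: it parses a client's Windows nslookup output and a hosts-format feed excerpt, then reports whether the test went through the pfSense resolver at all, was sinkholed, or is listed but not enforced. PFSENSE_IP, the feed lines and the two transcripts are constructed for the example.

```python
# Added example, not pfBlockerNG's own code; PFSENSE_IP, feed and transcripts are constructed.
import re
PFSENSE_IP = "192.168.1.1"   # unbound resolver on pfSense, as in the thread
# Feed excerpt in the StevenBlack hosts layout ("0.0.0.0 <domain>", '#' comments).
FEED = """0.0.0.0 eu1.clevertap-prod.com  # constructed sample
"""
LOOKUP_VIA_PFSENSE = """Serveur :   pfSense.example
Address:  192.168.1.1
Nom :    eu1.clevertap-prod.com
Address:  0.0.0.0
"""
LOOKUP_VIA_GOOGLE = """Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: facebook.com
Addresses: 2a03:2880:f167:81:face:b00c:0:25de
          157.240.227.35
"""
IP_RE = re.compile(r"^[0-9a-fA-F:.]+$")
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")

def parse_feed(text):  # domains a hosts-format feed sinkholes to 0.0.0.0
    out = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "0.0.0.0":
            out.update(d for d in parts[1:] if d != "0.0.0.0")
    return out

def parse_nslookup(text):  # -> (resolver address, [answer addresses])
    resolver, answers, in_answer = None, [], False
    for line in map(str.strip, text.splitlines()):
        m = FIELD_RE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else ("", line)
        if key in ("name", "nom"):
            in_answer = True               # lines after "Name:" are the answer
        elif key.startswith(("address", "adress")) and not in_answer:
            resolver = value               # first "Address:" is the resolver used
        elif in_answer and (key.startswith(("address", "adress")) and value
                            or not key and IP_RE.match(value)):
            answers.append(value)          # "Addresses:" value or bare continuation IP
    return resolver, answers

def diagnose(domain, nslookup_output, feed_domains):
    resolver, answers = parse_nslookup(nslookup_output)
    if resolver != PFSENSE_IP:
        return "bypass"            # another resolver answered; pfBlockerNG never saw it
    if "0.0.0.0" in answers:
        return "blocked"           # sinkholed by DNSBL
    return "listed-not-enforced" if domain in feed_domains else "not-listed"
```

Run it on a real transcript by pasting the client's nslookup output into the string and setting PFSENSE_IP to the firewall's LAN address; a "bypass" result means the client is not using the pfSense resolver, so no DNSBL setting will change what it sees.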

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.