First run pfBlockerNG - false positive?

Reply to First run pfBlockerNG - false positive? on Mon, 27 Feb 2023 15:36:59 GMT

furom — Mon, 27 Feb 2023 15:36:59 GMT

@gertjan said in First run pfBlockerNG - false positive?:

But you, as the admin, have added dnsbl feeds (or IP feeds) to pfBlockerng.
Hostnames (or IP's) in these feeds will get blocked.
Did you have a look at these lists ? ;)

Thank you for a nice and informative answer! I will try with the address you suggest, and no... I have not looked at the lists in detail, but looks like a good idea to get a better understandning of this... :)

Reply to First run pfBlockerNG - false positive? on Mon, 27 Feb 2023 07:43:31 GMT

Gertjan — Mon, 27 Feb 2023 07:43:31 GMT

@furom said in First run pfBlockerNG - false positive?:

media player tried to go to app-measurement.com and pfBlockerNG caught that and wanted to dispose of the attempt

Exact.

Disable pfBlockerng, and then 'ask' what IPv4 'app-measurement.com' has.
You'll see, it exists.

When I ask what 'app-measurement.com' I get a solid :

[23.01-RELEASE][admin@pfSense.closetome.tld]/root: host app-measurement.com
app-measurement.com has address 0.0.0.0
Host app-measurement.com not found: 2(SERVFAIL)

This means that 'app-measurement.com' was on some list/feed that I let pfBlockerng use.

Btw 0.0.0.0 a dn not 10.10.10.1 because the virtual IP coupled with a web browser telling you that the site you try to visit just don't work.
Ok, it works ... but only for http:// visist, and who does http:// these day ? Nobody.
https:// visits with a web browser will show a browser depending page telling the browser user that a very complicated error has arrived. And certainly not the pfBlocker web server page telling the suer the URL/jhostname in question has been blocked;
So, my advise, select "0.0.0.0 = null logging" everywhere, don't bother using this one :

@furom said in First run pfBlockerNG - false positive?:

but as I block anything I don't accept, it failed?

You, and pfBlockerng, did nothing.
But you, as the admin, have added dnsbl feeds (or IP feeds) to pfBlockerng.
Hostnames (or IP's) in these feeds will get blocked.
Did you have a look at these lists ? ;)

Reply to First run pfBlockerNG - false positive? on Sun, 26 Feb 2023 18:56:37 GMT

SteveITS — Sun, 26 Feb 2023 18:56:37 GMT

@furom Up to you, if you want users to see that warning page.

Reply to First run pfBlockerNG - false positive? on Sun, 26 Feb 2023 18:07:19 GMT

furom — Sun, 26 Feb 2023 18:07:19 GMT

@steveits said in First run pfBlockerNG - false positive?:

@furom the pfBlocker IP shows an error/info page for http (or a cert error for https). I believe you can turn that off and have it go nowhere if you want.

I actually got no such thing. I guess because I am not permitting the Vitual IP...? So should I let it connect to the virtual ip or not?

Reply to First run pfBlockerNG - false positive? on Sun, 26 Feb 2023 17:58:13 GMT

SteveITS — Sun, 26 Feb 2023 17:58:13 GMT

@furom the pfBlocker IP shows an error/info page for http (or a cert error for https). I believe you can turn that off and have it go nowhere if you want.