Netgate Discussion Forum

    domain not being blocked

    Category: pfBlockerNG
    5 Posts 3 Posters 637 Views
    droidus:

      I am following this tutorial: https://nguvu.org/pfsense/pfSense-pfblockerng-configuration-guide/.
      In my PRI1 IPv4 Custom List, I add msn.com to test that it is working. When I save, then update, the page still loads. I did enable Enable Domain/AS.
      I am running Netgate pfSense Plus 23.05.1 and pfBlockerNG-devel 3.2.0_5.

    NollipfSense @droidus:

        @droidus Bear in mind that the IP could change... it would be better to add the domain to DNSBL instead.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

    johnpoz (LAYER 8, Global Moderator) @droidus:

          @droidus said in domain not being blocked:

          I add msn.com to test that it is working. When I save, then update, the page still loads.

          Keep in mind also states, and DNS being cached. These are two things that have to be taken into account.

          If a client looks up domain.tld and gets, say, IP address 1.2.3.4, then just because you tell unbound via pfBlocker not to resolve that IP, or to send a bogus IP, the client would still have the IP cached in its local DNS and also in its browser DNS cache, etc.

          You also need to take into account that even if you created a rule to block the 1.2.3.4 address, unless you cleared the state on the firewall, even with a new block rule the traffic would still be allowed via the existing state.

          You need to either kill off that state, or wait for it to time out and be cleared on its own. Then when the client tries to create a new state to this IP, the firewall would block it.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    droidus @johnpoz:

            @johnpoz

            @johnpoz said in domain not being blocked:

            You also need to take into account that even if you created a rule to block the 1.2.3.4 address, unless you cleared the state on the firewall, even with a new block rule the traffic would still be allowed via the existing state.

            You need to either kill off that state, or wait for it to time out and be cleared on its own. Then when the client tries to create a new state to this IP, the firewall would block it.

            How do I do this without clearing all states as posted here: https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-states-reset.html?
            How can I test if pfblockerng is working without accessing malicious IPs? Would I just add an IP, like 8.8.8.8 to IPv4 Custom_List, UPDATE, and see if I can still ping it?

    johnpoz (LAYER 8, Global Moderator) @droidus:

              @droidus you can kill off specific states in the state table


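As an added illustration of the two checks discussed in this thread (is the test domain actually being sinkholed by DNSBL, and do existing firewall states still allow traffic to the resolved IP), here is a small POSIX shell script that is not from the thread or from pfBlockerNG. It assumes the default DNSBL virtual IP 10.10.10.1, that `dig` is available on the client, and it parses a constructed sample of `pfctl -ss` output instead of the live state table so it can be run anywhere; the `pfctl -k` command it prints is only printed, not executed.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output. On the firewall, replace it with
# the live table:  STATES="$(pfctl -ss)"
STATES='igb1 tcp 192.168.1.50:51234 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.50:53211 -> 192.168.1.1:53       MULTIPLE:SINGLE
igb1 tcp 192.168.1.51:44100 -> 203.0.113.10:80       FIN_WAIT_2:FIN_WAIT_2
igb1 tcp 192.168.1.50:51240 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED'

# pfBlockerNG DNSBL virtual IP (assumed default; change if you customised it).
DNSBL_VIP="10.10.10.1"

# resolved_ip DOMAIN RESOLVER: first A record the resolver hands out.
# Run this from a client that uses the firewall's unbound as its resolver.
resolved_ip() {
    dig +short "$1" @"$2" | head -n 1
}

# dnsbl_hit IP: true when the answer is the DNSBL sinkhole, i.e. the domain
# is blocked at the DNS layer (what NollipfSense recommends above).
dnsbl_hit() {
    [ "$1" = "$DNSBL_VIP" ]
}

# states_to_ip IP: state-table lines whose destination is IP, regardless of
# whether the line carries a NAT translation in parentheses.
states_to_ip() {
    printf '%s\n' "$STATES" | awk -v ip="$1" 'index($0, "-> " ip ":")'
}

# count_states_to_ip IP: how many open states would bypass a new block rule.
count_states_to_ip() {
    states_to_ip "$1" | wc -l | tr -d ' '
}

# kill_cmd IP: the pfctl invocation that removes states from any host to IP.
kill_cmd() {
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

# report IP: explain why a freshly listed domain may still load.
report() {
    if dnsbl_hit "$1"; then
        echo "$1 is the DNSBL sinkhole: the domain is blocked by unbound"
        return 0
    fi
    n=$(count_states_to_ip "$1")
    echo "DNSBL miss: resolved to $1; $n existing state(s) still allow it"
    if [ "$n" -gt 0 ]; then echo "Clear them with: $(kill_cmd "$1")"; fi
}

# Demo with a constructed answer that is not the sinkhole.
report 203.0.113.10 || true
```

On a real client, `report "$(resolved_ip msn.com 192.168.1.1)"` combines both checks, and the client's own DNS and browser caches must also be flushed before the result is meaningful.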
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.