pfBlockerNG v3.2.0_9
-
There are updated PRs posted for pfBlockerNG and pfBlockerNG-devel v3.2.0_9.
Once reviewed and approved by the pfSense devs it should be available for installation in pkg manager.
Both versions are currently the same code but there are upcoming changes that will be pushed to devel first.
This PR adds authentication on MaxMind Downloads.
To continue utilizing MaxMind, you will need to enter both the Account ID and the Key to have uninterrupted downloads from MaxMind.
https://dev.maxmind.com/geoip/release-notes/2024#presigned-urls-for-database-downloads
https://support.maxmind.com/hc/en-us/sections/1260801610490-Manage-my-License-Keys
-
@BBcan177 Does that mean the -Devel track will start seeing new changes?
Builtin syslog support for logging?
Proper rotation of logfiles (so they don't get fully picked up again @ rotation by syslog-ng/telegraf and other logfile monitors)?
Perhaps full wildcard no AAAA filtering (top level or even entire "no AAAA")
Excellent package you are maintaining. Thank you for the great job you are doing
-Keyser
-
Hi,
until today 04.04.2024 no update to 3.2.0_9 available ... :-(
Regards and thanks,
fireodo
-
@fireodo said in pfBlockerNG v3.2.0_9:
Hi,
until today 04.04.2024 no update to 3.2.0_9 available ... :-(
Regards and thanks,
fireodo
3.2.0_8 just released for 23.09.1
-
@mcury yes for that pfSense version is _8
-
Just updated to the _8 version and updated the Maxmind account number & license key (appreciate the heads up warning during initial reload progress logs and on the IP tab). Force reloaded IP/DNSBL afterwards and everything went smoothly. Thank you so much @BBcan177 for your efforts and hard work!
-
@mcury said in pfBlockerNG v3.2.0_9:
3.2.0_8 just released for 23.09.1
Updated the CE 2.7.2 to 3.2.0_8 too and everything fine.
Thanks again @BBcan177
regards, fireodo
-
@Unoptanio said in pfBlockerNG v3.2.0_9:
After Update to pfBlockerNG v3.2.0_8
Yes here you have to put your Maxmind Account ID (six numbers in my case). Look in your Maxmind account and you will find there your account ID.
Or do you want to ask something else?
-
@fireodo
OK done.
I entered the account id. Also in my case 6 digit number
-
Excuse me,
Can you tell me why some sites are blocked by viewing this screen with the reason and other sites are blocked by displaying a totally black page with a dot in the center?
Can the black screen with the dot in the center be customized?
-
@Unoptanio said in pfBlockerNG v3.2.0_9:
Can you tell me why some sites are blocked by viewing this screen with the reason and other sites are blocked by displaying a totally black page with a dot in the center?
Here is the explanation offered by BBcan177 some years ago:
"This is only displayed when a full Domain is blocked and not for an ADvert on a page! You can also create your own page to display any customizations."
When an ADvert is blocked you see only that 1x1 pixel image.
-
@Unoptanio said in pfBlockerNG v3.2.0_9:
Can the black screen with the dot in the center be customized?
Long story short : you can not and you will not break TLS == https.
In the good old days, it was ok if a site http://www.some-site.tld redirected the visitor to http://www.another-site.tld. It was great, and everybody trusted everybody and we were all happy.
Later on, for obvious reasons, https was introduced. For example : this site, the forum :
You're visiting https://forum.netgate.com/...... and your browser received a certificate from that server that says :
so all is well.
Now, back to pfBlockerng.
If a browser wants to visit http://www.google.com, the host name google.com is listed in a DNSBL, and you've selected "DNSBL Webserver", then pfBlockerng, by way of the resolver, will send to the browser the pfSense pfBlockerng web server IP to show you that the page was blocked.
Nice.
But wait ...... does your pfBlockerng have the certificate that says it is "google.com" ?
Do you think you can get one ? Do you own google.com ?
Noop to all this.
So, these days, modern browsers won't show the black pfBlockerng page (the one you've shown) at all. Just a big huge ugly error page.
The solution is :
so the pfBlockerng won't show any informative pages anymore.
After all : you can't and don't want to break TLS = https.
If you have users on your network that actually visit crappy host names and still use http (port 80) then pfBlockerng is actually useful.
But it also means you've a huge security issue : you've people on your network (LAN !!) using ancient technology. Things will go bad fast, have a talk with them, and if needed, throw them off your network.
Or block port 80 TCP altogether.
-
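The name check behind the explanation in the post above, as an added example (not part of the original post and not pfBlockerNG code): a simplified model of how a browser validates the certificate presented by a DNSBL sinkhole web server. The host names and certificate names are constructed, and `san_matches` and `browser_result` are hypothetical helpers.

```python
# Added illustration: why a DNSBL block page can be shown over HTTP but not
# over HTTPS. All host names and certificate names below are constructed.

def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False                      # a wildcard covers exactly one label
    if pat[0] == "*":
        # refuse over-broad wildcards such as "*.com"
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def browser_result(scheme, hostname, dnsbl, sinkhole_sans):
    """What the user sees when `hostname` is requested through the resolver."""
    if hostname.lower() not in dnsbl:
        return "real site"
    # The resolver answered with the sinkhole web server's IP instead.
    if scheme == "http":
        return "block page"               # plain HTTP has no identity check
    # HTTPS: the sinkhole must prove it *is* the requested host name.
    if any(san_matches(hostname, san) for san in sinkhole_sans):
        return "block page"
    return "certificate error"            # name validation fails


# Constructed sample data
DNSBL = {"ads.example.net", "tracker.example.org"}
SINKHOLE_SANS = ["pfblocker.home.arpa"]   # the only name the sinkhole can prove

if __name__ == "__main__":
    for scheme, host in [("http", "ads.example.net"),
                         ("https", "ads.example.net"),
                         ("https", "forum.example.com")]:
        print(f"{scheme}://{host} ->",
              browser_result(scheme, host, DNSBL, SINKHOLE_SANS))
```

The HTTPS case only ever reaches "block page" if the sinkhole holds a trusted certificate naming the blocked domain, which is the certificate the post points out you cannot obtain for a domain you do not own.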
my config:
Do I change everything to: Null Block (logging) ?
I'm trying...
when I do SAVE it doesn't save the changes in the combo lists and shows me DNSBL webserver/VIP (global)
going inside the tab it seems to have saved.
-
@BBcan177 As per https://forum.netgate.com/topic/179060/pfblockerng-sync-not-working/54 (and https://redmine.pfsense.org/issues/14189) the account ID doesn't sync to the HA backup without adding the one line fix "pfblockerng_sync_on_changes();" to pfblockerng.php (and waiting for cron to run).
-