PfBlockerNG
-
I don't think I'm explaining well … For example, I actually want/need to have an two different alias for North America.
"Outbound_Block_North_America" would be a list that contains 60% of the countries and this will be countries I want to block outbound access to in North America. I will block only a few countries as I want to visit internet sites in most countries in North America. I would create a "Block outbound to Outbound_Block_North_America"
"Inbound_North_America" would be a list that contains only Canada and the United States since these are the only two countries in North America that should be allowed inbound. I would create a "Permit Inbound_North_America to Open_Ports" rule for these.
Just can't quite see how to create these two different Alias from North America and have them coexisting at the same time - maybe it's not possible? Apologies for dragging this out.
FYI: I'm not getting the "Alias Native" option in the drop down. I have only "Alias Block", "Alias Permit", and "Alias Match". I just installed pfBlocker this past week, into PFSense 2.2.4 (i386).
-
ok I misunderstood your questions the first time around. It seemed like you wanted to create two of the same Alias configurations… So what you are proposing is fine.
I notice in the Top20 tab that it is missing the "Alias Native" option. I will add that soon. However, the "native" option is available in all the other Continent tabs inc (v4/v6 tabs)
I suggest you make a new Alias (and not use the Continent tabs), and add the path to the CC folder directly, as per the following link:
https://forum.pfsense.org/index.php?topic=102071.msg569296#msg569296Then once the two aliases are created, run a "Force Update" to get those built. Then create your Firewall rules with your requirements and reference the appropriate alias.
-
Thanks - that does exactly what I want and worked fine! One minor thing to point out, the instructions for adding the country data to the list are:
"'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt (Change 'US' to required code)"
However, depending on your hardware, you might need to change "amd64". In my case, it didn't work until I changed this to "i386".
Thanks again!
-
Thanks - that does exactly what I want and worked fine! One minor thing to point out, the instructions for adding the country data to the list are:
"'Country code': /usr/pbi/pfblockerng-amd64/share/GeoIP/cc/US_v4.txt (Change 'US' to required code)"
However, depending on your hardware, you might need to change "amd64". In my case, it didn't work until I changed this to "i386".
Thanks again!
I am running out of real estate on the pages to add more help text! Not that many people read it! :) Thanks for the feedback!
-
I suggest an improvement :
Add another tab (same as Proxy and Satellite), for blocking IP range by iana Regional Internet Registry (RIR)
(https://www.iana.org/numbers)
Attached, you'll find many lists filtered by RIR
Many thanks for your work.
Regards ;)AFRINIC.txt
APNIC.txt
ARIN.txt
LACNIC.txt
RIPE.txt
reserved.txt
bogon.txt
multicast.txt
others.txt -
@nl:
I suggest an improvement :
Add another tab (same as Proxy and Satellite), for blocking IP range by iana Regional Internet Registry (RIR)
Thanks for the suggestion nl,
I think it would be best for users who wish to use such lists, to just create a new Alias and add the URLs to the Source Fields as required… I would rather not create an additional tab.
-
Hello!
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
-
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0 -
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0Thanks for your reply! I checked deeply and there was a list that had google.com as the domain.
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
-
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
When the browser makes an HTTPs request to a domain that is blacklisted by DNSBL, The Resolver (Unbound) forwards the browser to the DNSBL webserver, however the browser sees that the DNSBL webservers certificate is not the same as the domain that it requested, so it reports the cert error. Other browsers like Chrome and Firefox, just drop the failed connection attempts. Safari and IE are always behind the times it seems. If Safari allows accepting the cert, then go ahead. It shouldn't tho as its not the correct certificate. The last thing that you want is to Man-In-The-middle the HTTPs traffic and impersonate a domain. Lots of bad things happen when you do that…
More details here:
https://forum.pfsense.org/index.php?topic=102470.msg573329#msg573329 -
Hil,
I want to allow NAT to my servers only from IPs in Brazil, so I use one country list (alias permit), and use that list as source on my NAT rule. Working as expected.
But I use DNS failover from DNS Made Easy, and monitoring from Uptime Robot, and both are been blocked.
For now I create a second alias, and setup a second NAT.
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Thanks
-
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Please see the following links:
https://forum.pfsense.org/index.php?topic=102071.0
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921 -
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
The issue there is that DNSBL (unbound) will need to add an extra line for each domain (in bold)
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 10.0.0.111"It can cause some false positives depending on the domain name… Some ADvert servers like:
ads.example.com
You want to block just the ads.example.com and not example.com...
I will see if I can come up with a workaround for that... In the short term, you can add any additional domains to a custom list and block them that way.
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
The issue there is that DNSBL (unbound) will need to add an extra line for each domain (in bold)
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 10.0.0.111"It can cause some false positives depending on the domain name… Some ADvert servers like:
ads.example.com
You want to block just the ads.example.com and not example.com...
I will see if I can come up with a workaround for that... In the short term, you can add any additional domains to a custom list and block them that way.
I was scared you would say that. There are around 1 million domains on the list and it would take a very long time to make a custom list.
-
Here is a temporary workaround. Edit the file /usr/local/pkg/pfblockerng/pfblockerng.inc
And add this code after Line 2758
if (substr($line, 0, 4) != 'www.') { $domain_data .= "local-data: \"www." . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; }
https://github.com/pfsense/pfsense-packages/blob/master/config/pfblockerng/pfblockerng.inc#L2758
So it will look like this:
// Remove suppressed domain names if (!in_array($line, $pfb_dnssupp)) { $domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; if (substr($line, 0, 4) != 'www.') { $domain_data .= "local-data: \"www." . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; } }
Then execute a "Force Reload" for DNSBL.
-
Thank you BBcan177. That works.
-
@BBcan177 what do you think about adding a format so that we can import "host" file formats and it can parse out the domain name to lookup the IP?
So basically I believe like the "whois" works but it just knows that the first part of the line is an IP that doesn't matter.
0.0.0.0 facebook.com 127.0.0.1 google.com
Like that.
There are a lot of good, free lists out there that are in this format.
Thoughts?