PfBlockerNG
-
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0 -
I just started using pfBlocker to block ads, but I'm getting this cert dialog on many websites
Well for one, www.google.com shouldn't be in the block list, unless you really are trying to block that domain? Check the Alerts Tab for additional details.
Safari and IE are not designed well in regards to HTTPs, best to use Chrome or FF. Also ensure your Safari version is up-to-date.
Please see the new thread for DNSBL, which might provide some more info:
https://forum.pfsense.org/index.php?topic=102470.0Thanks for your reply! I checked deeply and there was a list that had google.com as the domain.
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
-
In any case, for domains that I WANT to block… should I accept the cert? It' just I'm a bit lost about what it means accepting it and why it shows up!
When the browser makes an HTTPs request to a domain that is blacklisted by DNSBL, The Resolver (Unbound) forwards the browser to the DNSBL webserver, however the browser sees that the DNSBL webservers certificate is not the same as the domain that it requested, so it reports the cert error. Other browsers like Chrome and Firefox, just drop the failed connection attempts. Safari and IE are always behind the times it seems. If Safari allows accepting the cert, then go ahead. It shouldn't tho as its not the correct certificate. The last thing that you want is to Man-In-The-middle the HTTPs traffic and impersonate a domain. Lots of bad things happen when you do that…
More details here:
https://forum.pfsense.org/index.php?topic=102470.msg573329#msg573329 -
Hil,
I want to allow NAT to my servers only from IPs in Brazil, so I use one country list (alias permit), and use that list as source on my NAT rule. Working as expected.
But I use DNS failover from DNS Made Easy, and monitoring from Uptime Robot, and both are been blocked.
For now I create a second alias, and setup a second NAT.
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Thanks
-
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Please see the following links:
https://forum.pfsense.org/index.php?topic=102071.0
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921 -
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
The issue there is that DNSBL (unbound) will need to add an extra line for each domain (in bold)
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 10.0.0.111"It can cause some false positives depending on the domain name… Some ADvert servers like:
ads.example.com
You want to block just the ads.example.com and not example.com...
I will see if I can come up with a workaround for that... In the short term, you can add any additional domains to a custom list and block them that way.
-
I have been playing around with pfblockerng and so far I love it. I have found one problem though. I use some blacklists from squidblacklist.org and they work great except if you put www in front of the domain. For example, playboy.com is blocked but www,playboy.com is not. Anyway to fix this?
Did you manually add the www. domain to a customlist? If so, make sure to select "Update custom list' at the bottom of the page before running a "Force Update"
No, I used the porn block list from squidblacklist.org.
The issue there is that DNSBL (unbound) will need to add an extra line for each domain (in bold)
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 10.0.0.111"It can cause some false positives depending on the domain name… Some ADvert servers like:
ads.example.com
You want to block just the ads.example.com and not example.com...
I will see if I can come up with a workaround for that... In the short term, you can add any additional domains to a custom list and block them that way.
I was scared you would say that. There are around 1 million domains on the list and it would take a very long time to make a custom list.
-
Here is a temporary workaround. Edit the file /usr/local/pkg/pfblockerng/pfblockerng.inc
And add this code after Line 2758
if (substr($line, 0, 4) != 'www.') { $domain_data .= "local-data: \"www." . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; }
https://github.com/pfsense/pfsense-packages/blob/master/config/pfblockerng/pfblockerng.inc#L2758
So it will look like this:
// Remove suppressed domain names if (!in_array($line, $pfb_dnssupp)) { $domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; if (substr($line, 0, 4) != 'www.') { $domain_data .= "local-data: \"www." . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n"; } }
Then execute a "Force Reload" for DNSBL.
-
Thank you BBcan177. That works.
-
@BBcan177 what do you think about adding a format so that we can import "host" file formats and it can parse out the domain name to lookup the IP?
So basically I believe like the "whois" works but it just knows that the first part of the line is an IP that doesn't matter.
0.0.0.0 facebook.com 127.0.0.1 google.com
Like that.
There are a lot of good, free lists out there that are in this format.
Thoughts?
-
If your talking about DNSBL, the parser is already there to parse for the domain name in a host feed… Try it and if there are issues with the parser, send me the URL if it doesn't work.
Have you seen this thread:
https://forum.pfsense.org/index.php?topic=102470.0 -
@BBcan177 man, that's perfect. I cannot tell you how much your work helps me out. Thank you so much for all that you do. pfBlocker is amazing. :)
-
i get this error when saving pfblockerng
Fatal error: Cannot unset string offsets in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 3921
I have setup that iblock_level3 url, that block ip address, how do I excluded a set of IP address from being blocked?
-
Are some way to merge both lists? When I try to create one new alias with both alias on, I receive one error that it's not possible because the to aliases are from different types.
Please see the following links:
https://forum.pfsense.org/index.php?topic=102071.0
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921Hi, Thanks a lot.
Happy new year!!! -
I have a fresh install of a pfsense 2.2.6 on a watchguard.
Now, I am having some issues with the installation of several packages, one of which is pfBlockerNG.
The package seems to install properly, no error during the installation, but it doesn't appear anywhere in the console.
I had it installed before, on the 2.2.2 variant, and it worked as expected.I thought it was just an interface glitch, and tried to reinstall the package.
Still not luck, so I used the "reinstall gui" option.
Still no luck, so I tried manually addressing>
https://192.168.1.1/pfblockerng/pfblockerng_alerts.php (which I had cached in my browser).This also didn't work.
PS: between the reinstalls I have also rebooted the appliance.
-
I'm trying to whitelist access to a website behind my firewall to my own country only.
When I create a Country list action as an 'alias permit' then use the resulting alias as the Source for the existing website NAT rule, it breaks my internal network access to the site. NAT Refelction is set to Enable (NAT + Proxy), what am i missing here?
-
I am starting to get errors. I guess the lists i am using are old. Where do i get the new list?
pfblockerng.log
[ Abuse_SSLBL ] Downloading update [ 01/02/16 6:01:12 ] .. 200 OK. completed .. [ dShield_Block ] Downloading update [ 01/02/16 6:01:13 ] . cURL Error: 51 SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds... . cURL Error: 51 SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds... . cURL Error: 51 SSL: no alternative certificate subject name matches target host name 'feeds.dshield.org' Retry in 5 seconds... .. unknown http status code [ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/02/16 6:01:29 ] Firewall and/or IDS are not blocking download. The Following list has been REMOVED [ dShield_Block ] [ Snort_BL ] Downloading update [ 01/02/16 6:01:30 ] . cURL Error: 60 SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds... . cURL Error: 60 SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds... . cURL Error: 60 SSL certificate problem: unable to get local issuer certificate Retry in 5 seconds... .. unknown http status code [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/02/16 6:01:46 ] Firewall and/or IDS are not blocking download. The Following list has been REMOVED [ Snort_BL ] [ BBC_Goz ] exists. [ Alienvault ] Downloading update .. 200 OK.. completed ..
error.log
[ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/03/16 20:11:11 ] Firewall and/or IDS are not blocking download. . unknown http status code [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/03/16 20:11:28 ] Firewall and/or IDS are not blocking download. . unknown http status code [ pfB_PRI3 - DangerRulez ] Download FAIL [ 01/03/16 20:11:47 ] [ 188.40.39.38 ] Firewall IP block found in: [ pfB_Top_v4 | 188.40.0.0/16 ] . unknown http status code [ pfB_PRI3 - VMX ] Download FAIL [ 01/03/16 20:12:04 ] [ 195.209.40.11 ] Firewall IP block found in: [ pfB_Top_v4 | 195.208.0.0/15 ] . unknown http status code [ pfB_PRI1 - dShield_Block ] Download FAIL [ 01/03/16 20:13:12 ] Firewall and/or IDS are not blocking download. . unknown http status code [ pfB_PRI1 - Snort_BL ] Download FAIL [ 01/03/16 20:13:29 ] Firewall and/or IDS are not blocking download. . unknown http status code [ pfB_PRI3 - DangerRulez ] Download FAIL [ 01/03/16 20:13:46 ] [ 188.40.39.38 ] Firewall IP block found in: [ pfB_Top_v4 | 188.40.0.0/16 ] . unknown http status code [ pfB_PRI3 - VMX ] Download FAIL [ 01/03/16 20:14:08 ] [ 195.209.40.11 ] Firewall IP block found in: [ pfB_Top_v4 | 195.208.0.0/15 ]