PfBlockerNG v2.0 w/DNSBL
-
Anyone else experience that pfBlockerNG doesn't work on 2.3 if using floating rules? After the last update, I noticed all my rule counts were ZERO hits on the pfBlocker widget. So I tried going to a website on a blocked country, and it did not block.
Then tried:
1. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.
2. Then re-enabled floating rules (saved), forced an update, tried the website again and it was NOT blocked.
3. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.So, seems on my system at least the floating rules simply do not work. I can't tell if this is a 2.3 issue or a pfBlocker issue though.
Jason Bottjen
I do a bunch of traffic shaping with floating rules, and they all show hits. Remember, last rule wins for floating, which is the opposite of non-floating rules.
-
Anyone else experience that pfBlockerNG doesn't work on 2.3 if using floating rules? After the last update, I noticed all my rule counts were ZERO hits on the pfBlocker widget. So I tried going to a website on a blocked country, and it did not block.
Then tried:
1. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.
2. Then re-enabled floating rules (saved), forced an update, tried the website again and it was NOT blocked.
3. Disabled the floating rules option (saved), forced an update, and then tried the website again and it was blocked.So, seems on my system at least the floating rules simply do not work. I can't tell if this is a 2.3 issue or a pfBlocker issue though.
Jason Bottjen
I do a bunch of traffic shaping with floating rules, and they all show hits. Remember, last rule wins for floating, which is the opposite of non-floating rules.
unless you have quick match enabled, right?
-
@irj972:
unless you have quick match enabled, right?
Right.
-
Hi,
I am not sure if I found a little bug in the GUI:
In pfblockerng general settings I configured CRON settings like this:
once a day :15 0 3When going to services –> cron I can see this - which is correct I assume:
15 3 * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1BUT when I go to pfblockerng --> Updates I can see this:
Status NEXT Scheduled CRON Event will run at 01:15 with 01:44:46 time remaining.
Refresh to update current status and time remaining.
PS: At the moment it is 11:30 pm on my system and pfsense GUI + CLI.Is there something wrong or did I miss some configuration in pfblockerng which is related to this time ?
PPS:
The redirect of DNSBL to the https VIP always shows an invalid certificate. As far as I can see this is because the CN in the cert is not the same as the blocked domain. I tried it with creating a wildcard certificate for some domains in the DNSBL like ".smaato.net" which showed a correct certificate for "c09.smaato.net" and so on. Tried with a wilcard certificate like ".net" but this did not work.So my question ist if it is possible after downloading all the DNSBL domains to copy all these domains into a file and the create one new certificate which contains all these domains as SAN in the certificate, them replace the "old" cert on "/var/unbound/dnsbl_cert.pem" with the new one. Further is it possible to add the "ssl.ca-file" parameter (https://redmine.lighttpd.net/projects/1/wiki/Docs_SSL) to the lighhtpd conf file?
Found some code here not sure if it can be used:
openssl req -batch -newkey rsa:2048 -sha1 -keyout priv-key.pem -out certreq.pem -config openssl-gwdg.cnf
#################################################################### [ req ] distinguished_name = req_distinguished_name string_mask = nombstr # The extensions to add to a certificate request req_extensions = v3_req # GWDG default options for certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NIEDERSACHSEN localityName = Your City localityName_default = GOETTINGEN 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Gesellschaft fuer wissenschaftliche Datenverarbeitung # Dieser Teil ist Optional und kann bei Bedarf einkommentiert werden # Wichtig: Es dürfen keine Sonderzeichen wie z.B. auch ein - oder _ dort vorkommen! # # organizationalUnitName = Organizational Unit Name (eg, section) # organizationalUnitName_default = AG A commonName = YOUR NAME commonName_max = 64 commonName_default = example.gwdg.de emailAddress = E-MAIL emailAddress_max = 64 emailAddress_default = support@gwdg.de [ v3_req ] subjectAltName = DNS:example.gwdg.de, DNS:www.example.gwdg.de, DNS:www2.example.gwdg.de ####################################################################
Don't know if there is a SAN limit per certificate but perhaps with wildcard it should reduce the amount.
Regards
-
Hi,
I am not sure if I found a little bug in the GUI:
In pfblockerng general settings I configured CRON settings like this:
once a day :15 0 3When going to services –> cron I can see this - which is correct I assume:
15 3 * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1BUT when I go to pfblockerng --> Updates I can see this:
Status NEXT Scheduled CRON Event will run at 01:15 with 01:44:46 time remaining.
Refresh to update current status and time remaining.
PS: At the moment it is 11:30 pm on my system and pfsense GUI + CLI.Is there something wrong or did I miss some configuration in pfblockerng which is related to this time ?
Thanks Nachtfalke, I posted a fix for this in pfBlockerNG v2.0.14 (for pfSense v2.3)
-
Hi again,
I am still facing problems with certificate errors on Google Chrome 50 and IE10 on Windows 7. I am running pfsense 2.3 and the most recent pfblockerng package.
To make sure that there aren't any side-effects with squid anymore I configured an "allow mc-pc to any" rule on the LAN interface, I disabled squid package and disabled squid configuration on my browser.
Further I uninstalled pfblockerng package with (Keep Settings enabled) and then removed all remaining files in "usr/local/pkg/pfblockerng/" and all pfblockerng related files (config + certificates) in "/var/unbound/".Then I did a reinstall of the pfblockerng package and I did a "Force Update All".
So I attached some screenshots which show the following:
1.) Which show tha I do not get any "IF" or "SOURCE" displayed for HTTPS requests
2.) I get a certificate warning with Google Chrome 50 and IE10 when accessing a website with https directly which is in the DNSBL
3.) When I accept the "insecure/untrusted" certificate then it will display an "IF" and "SOURCE" in the "Alerts" tab.
4.) Sometimes I am getting a HSTS error messageI know that pfblockerng / DNSBL will still block access to the websites on DNS level but it will not give my any visibility in the Alerts tab as long as the certificate problem exists.
So do you have the same problems?
Any ideas how to fix this?Kind regards :-)
-
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
-
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
Did you look at the Alerts tab for pfBlockerNG ?
That is where you will see what domain is blocked and to what list it belong to.
You can suppress that domain by clicking the "+" suppress icon. -
When I enable DNSBL, local PCs show the yellow triangle exclamation mark, which indicate there is no internet connection. However the internet is connected. The yellow triangle icon goes away if I disable DNSBL.
Any one knows how to fix this issue?
Did you look at the Alerts tab for pfBlockerNG ?
That is where you will see what domain is blocked and to what list it belong to.
You can suppress that domain by clicking the "+" suppress icon.I suppress couple domains and looks like the yellow triangle icon has gone away. Thanks!
Just wondering, is there any other way to solve this issue, like put the local PCs in a white list or something like that? -
I suppress couple domains and looks like the yellow triangle icon has gone away. Thanks!
Just wondering, is there any other way to solve this issue, like put the local PCs in a white list or something like that?I think you suppressed: www.msftncsi.com
Recent discussion here:
https://forum.pfsense.org/index.php?topic=111460.msg620939#msg620939The package doesn't have a built-in whitelist. Its up to the user to decide what to block.
-
I think you suppressed: www.msftncsi.com
You can suppress the verification site(s?) or you can kill the verification by disabling "EnableActiveProbing" in the registry on Windows systems.
Rick
-
Hi,
After upgrading to 2.0.14 I'm still experiencing a lot of errors related to the blocklists:
There were error(s) loading the rules: /tmp/rules.debug:344: macro 'pfB_DNSBLIP' not defined - The line in question reads [344]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008414 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:328: macro 'pfB_DNSBLIP' not defined - The line in question reads [328]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008442 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:39: cannot load "/var/db/aliastables/pfB_PRI3.txt": No such file or directory - The line in question reads [39]: table persist file "/var/db/aliastables/pfB_PRI3.txt"
If I do a forced reload of the DNSBL, most errors are gone, but they keep coming back, especially after an update of the rules. It seems to have started after I did the first update after the version that came with the pfsense 2.3 package…
Hope this can be fixed!
using the latest pfsense 2.3, pfBlockerNG 2.0.14 with DNSBL, two servers in a CARP failover configuration (but not syncing pfBlockerNG, if I do that the IP address of the DNSBL is duplicated leading to other errors)
-
hi,
how to de-duplicate for certain ipv4 list only? i have a few lists that the same address on both inbound or outbound only.i have port opened for webserver, so i have some top spam country blocked inbound. some of the ip address from inbound are blocked on my outbound(pedo/porn)
is this even possible? or there is already a solution?
-
After upgrading to 2.0.14 I'm still experiencing a lot of errors related to the blocklists:
Hi gesture1968, I sent you a PM.
-
how to de-duplicate for certain ipv4 list only?
If you enable "de-duplication" all of the Aliases that are set as "Deny" will be de-duplicated.
If you want to have an Alias bypass de-duplication, you can use the "Alias Native" format and manually create the firewall rule accordingly.
-
how to de-duplicate for certain ipv4 list only?
If you enable "de-duplication" all of the Aliases that are set as "Deny" will be de-duplicated.
If you want to have an Alias bypass de-duplication, you can use the "Alias Native" format and manually create the firewall rule accordingly.
thanks for pointing it out. i think i did read the exact thing as described.
-
Hi,
After upgrading to 2.0.14 I'm still experiencing a lot of errors related to the blocklists:
There were error(s) loading the rules: /tmp/rules.debug:344: macro 'pfB_DNSBLIP' not defined - The line in question reads [344]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008414 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:328: macro 'pfB_DNSBLIP' not defined - The line in question reads [328]: block in log quick on $WAN reply-to ( em1 x.x.x.x ) inet from $pfB_DNSBLIP to any tracker 1770008442 label "USER_RULE: pfB_DNSBLIP auto rule"
There were error(s) loading the rules: /tmp/rules.debug:39: cannot load "/var/db/aliastables/pfB_PRI3.txt": No such file or directory - The line in question reads [39]: table persist file "/var/db/aliastables/pfB_PRI3.txt"
If I do a forced reload of the DNSBL, most errors are gone, but they keep coming back, especially after an update of the rules. It seems to have started after I did the first update after the version that came with the pfsense 2.3 package…
Hope this can be fixed!
using the latest pfsense 2.3, pfBlockerNG 2.0.14 with DNSBL, two servers in a CARP failover configuration (but not syncing pfBlockerNG, if I do that the IP address of the DNSBL is duplicated leading to other errors)
Thanks BBCan177, but I've found the problem :-[. In the aliastable it is mentioned that you can use FQDNs, so in my wisdom to suppress the maildomains from google.com and outlook.com I'd filled them in as aliasses. During the assembly of the updated files, your script tries to remove the entries in the pfblockerng suppresslist from the selected blocklists, but since it does not understand the FQDN, an error was reported and the list was erased, ending up being empty (this all happens after the 'emptyfiles' check). That resulted in the errors. Perhaps in your script you could check for invalid entries in the table and skip them, in stead of erasing the list…
Greetings,
Gesture. -
Hi BBcan177,
Would it be possible to have PFBlockerNG use CARP vIP's as DNSBL IP address, since now I have to disable the sync between two servers due to the syncing and therefore duplication of the address. Using two identical addresses leads to errors in the logging, and possibly unwanted/unexpected behaviour.
Greetings
Gesture. -
Is there a way to avoid this issue? I am seeing it on Firefox and Chrome when visiting Youtube.com
I've verified that both my local dns and chrome dns cache have been cleared.
-
Hello, i have one question because i try to make it but i'm not sure if it's possible with pfblockerng…
I want permit only acces to my country in some rules nat, i explain .... only from my country can i access to typical NAT 110-> mail server or 3389->TS , i view in pfblocker i can block only from my country to -> LAN, but i'm only restrict this rules NAT, in rule NAT i view from "source" but only can i put ip or alias, how can i make "alias" to my "country ips" ????
Thank you