PfBlockerNG v2.0 w/DNSBL
-
The http://adblock.gjtech.net/?format=unix-hosts doesn't seem to be available anymore.
Just turn the list state to OFF.Thanks RonpfS for the reply.
-
I set this up last night and so far good other than certification error pop ups i keep getting on certain sites. Anyone know if there is a fix for this?
Also, do you guys use IPv4 lists and DNSBL or just one?
-
Try Chrome or Firefox.
-
-
-
The way I resolved it is to permanently add cert… click show cert and choose trust check box this will add trust but when it resolves it is handeled dnsbl and returns 1x1pixel.
-
Here is a link to PR # 175 for pfBlockerNG v2.1.1_3
https://forum.pfsense.org/index.php?topic=115357.msg649167#msg649167
-
2.1.1_4 is out , hopefully the answer to all
-
Good morning. I'm having the cannot allocate memory issue after upgrading from 2.1.1_2 to 2.1.1_3, then to 2.1.1_4. Uninstalling and reinstalling with and without keep settings checked off and i am still getting the cannot allocate memory error in pfsense. I've also been doing a force update after each try just in case.
Looking at the pfblockerng.log i cannot see any errors or failures. see below for exact error from pfsense.
There were error(s) loading the rules: /tmp/rules.debug:46: cannot define table pfB_SAmerica_v6: Cannot allocate memory - The line in question reads [46]: table <pfB_SAmerica_v6> persist file "/var/db/aliastables/pfB_SAmerica_v6.txt" @ 2016-08-26 09:28:18
if it helps i have 16GB in the FW.
Thanks.
-
There were error(s) loading the rules: /tmp/rules.debug:46: cannot define table pfB_SAmerica_v6: Cannot allocate memory - The line in question reads [46]: table <pfB_SAmerica_v6> persist file "/var/db/aliastables/pfB_SAmerica_v6.txt" @ 2016-08-26 09:28:18
if it helps i have 16GB in the FW.
Thanks.
You should have leave you original post in the pfBlockerNG v2.1 w/TLD thread.
It is mentionned many many times that if you are using GeoIP tables, you need to raise Firewall Maximum Table Entries in System / Advanced / Firewall & NAT
The file on my pfsense is called South_America_v6.txt, maybe you have leftover from the previous installation. Open the Africa GeoIP tab, verify your selections and hit save, this will update the table. Then run Force Reload IP.
I just enabled the South America GeoIP table on my system and it has the same name as yours pfB_SAmerica_v6, so it is probably just a table size issue. -
Thank you I raised it to 4.5M to be safe.
I pulled it out of there because it looked like that forum was for the dnsbl tld. Many people get annoyed when something is posted in the wrong place.
I also saw that but thought it may no longer applicable once the php updates for pfblockerng were released. I thought that was a short term fix only until the next release.
Once again thank you.
-
I pulled it out of there because it looked like that forum was for the dnsbl tld. Many people get annoyed when something is posted in the wrong place.
2.1.1_4 is pfBlockerNG with DNSBL and TLD. No harm done, one thread or the other will do. But it may be better to use the pfBlockerNG v2.1 w/TLD in the future.
I also saw that but thought it may no longer applicable once the php updates for pfblockerng were released. I thought that was a short term fix only until the next release.
The size of MaxMind GeoIP database is 3-5x larger than previously, that used to make php crashes with the 2.1.1_2 version, this has been fixed.
However the tables generated are 3-5x larger as well, that requires an increase to the Firewall Maximum Table Entries as the default value isn't enough.
-
Thank you for the clarification. I appreciate it. I will endeavor to use that forum for these posts in the future. ;D
-
Hi all,
It's there a way to uninstall this from cli?
I did a mistake and loaded all Africa from geoip section and now Pfsense is not accessible anymore. I suspect it's overloaded. -
my issue seems to be fixed now thanks to BBcan177 and RonpfS who ware supporting me with all posted issues.
As a resume here what i did as a short recap:-
fresh install 2.1.1_4 !!!
-
SystemAdvancedFirewall & NAT change 2 values:
Firewall Maximum States : 2000000 # this ca be leave as default…i prefered to make the change.
Firewall Maximum Table Entries : 10000000 -
reboot sistem if you can if not just enable pfblokerng and run a manual update.
Everything seems to run pretty well now.
Thanks again guys. -
-
@D0X:
But now when browsing I continuously get Safari telling me the certificate is invalid (as shown in the attached picture, it is in Dutch but I think you'll get it).
Safari seems to be the only browser that has this issue. Doesn't seem to occur with Chrome/FF/IE/Edge etc…
Are these cert popups happening when you browse to that blocked Domain directly, or when its blocking that Domain as part of the webpage? Two checks to ensure DNBSL is working as expected... Ping the DNSBL VIP and get a proper response ... Browse to the DNSBL VIP and get the 1x1 pix...
If the popups are from a few common Domains, try to whitelist those and see if that improves it.
Also, in the IPv4 tab, you cannot enter any EasyList Feeds... the IPv4 tab is for IP based listed only.
DNSBL is designed to block the DNS resolution to Advert/Malicious Domains. As such only a portion of the EasyList/Privacy Feeds can be used (Where the feeds lists the actual ADvert Domain). Browser-Addons like ADBlock/UBlock manipulate the elements that are displayed on the page. So they can block certain elements from a particular Domain, while DNSBL can only block the entire Domain.
Only two EasyList feeds can be used with DNSBL and they are hardcoded in the EasyList Tab. There are several other DNSBL Feeds listed at the start of this thread that can fill in the gap to block the balance of the Domains from serving any ADs. Plus its achieved at Network level, without any add-ons manipulating or potentially opening security holes in the browser.
It would really be nice if Safari fixed this issue with their software... Not much I can do to fix that without killing the package logging feature and just NXDOMAIN the DNS requests.
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
-
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.
However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:
drill @8.8.8.8 googleads.g.doubleclick.net ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; googleads.g.doubleclick.net. IN A ;; ANSWER SECTION: googleads.g.doubleclick.net. 299 IN CNAME pagead46.l.doubleclick.net. pagead46.l.doubleclick.net. 299 IN A 172.217.1.98 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 74 msec ;; SERVER: 8.8.8.8 ;; WHEN: Wed Aug 31 15:25:50 2016 ;; MSG SIZE rcvd: 86
Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist
-
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.
However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:
drill @8.8.8.8 googleads.g.doubleclick.net ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; googleads.g.doubleclick.net. IN A ;; ANSWER SECTION: googleads.g.doubleclick.net. 299 IN CNAME pagead46.l.doubleclick.net. pagead46.l.doubleclick.net. 299 IN A 172.217.1.98 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 74 msec ;; SERVER: 8.8.8.8 ;; WHEN: Wed Aug 31 15:25:50 2016 ;; MSG SIZE rcvd: 86
Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist
Thanks for the info. I've added pagead46.l.doubleclick.net to the Custom Domain Whitelist. We'll see if that helps.
But, I already had .doubleclick.net in the Custom Domain Whitelist. I thought the "." at the start was supposed to cover all the sub-domains. Does that not work? Or, is this a hint that we're chasing the wrong fix to the problem?
-
But, I already had .doubleclick.net in the Custom Domain Whitelist. I thought the "." at the start was supposed to cover all the sub-domains. Does that not work? Or, is this a hint that we're chasing the wrong fix to the problem?
If you had the prefixed dot, then it should have cleared all of those Domains…
You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…
-
If you had the prefixed dot, then it should have cleared all of those Domains…
You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…
It looks like there was quite a long list of doubleclick.net domains already caught:
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf local-data: "ad-apac.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad-emea.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad.mo.doubleclick.net 60 IN A 10.10.10.1" local-data: "doubleclick.net 60 IN A 10.10.10.1" local-data: "gan.doubleclick.net 60 IN A 10.10.10.1" local-data: "googleads.g.doubleclick.net 60 IN A 10.10.10.1" local-data: "iv.doubleclick.net 60 IN A 10.10.10.1" local-data: "n4403ad.doubleclick.net 60 IN A 10.10.10.1" local-data: "pubads.g.doubleclick.net 60 IN A 10.10.10.1"
I am unable to trigger the SSL certificate error now, but next time it happens I'll check the Safari error console in Dev mode.