PfBlockerNG v2.0 w/DNSBL
-
There were error(s) loading the rules: /tmp/rules.debug:46: cannot define table pfB_SAmerica_v6: Cannot allocate memory - The line in question reads [46]: table <pfB_SAmerica_v6> persist file "/var/db/aliastables/pfB_SAmerica_v6.txt" @ 2016-08-26 09:28:18
if it helps i have 16GB in the FW.
Thanks.
You should have leave you original post in the pfBlockerNG v2.1 w/TLD thread.
It is mentionned many many times that if you are using GeoIP tables, you need to raise Firewall Maximum Table Entries in System / Advanced / Firewall & NAT
The file on my pfsense is called South_America_v6.txt, maybe you have leftover from the previous installation. Open the Africa GeoIP tab, verify your selections and hit save, this will update the table. Then run Force Reload IP.
I just enabled the South America GeoIP table on my system and it has the same name as yours pfB_SAmerica_v6, so it is probably just a table size issue. -
Thank you I raised it to 4.5M to be safe.
I pulled it out of there because it looked like that forum was for the dnsbl tld. Many people get annoyed when something is posted in the wrong place.
I also saw that but thought it may no longer applicable once the php updates for pfblockerng were released. I thought that was a short term fix only until the next release.
Once again thank you.
-
I pulled it out of there because it looked like that forum was for the dnsbl tld. Many people get annoyed when something is posted in the wrong place.
2.1.1_4 is pfBlockerNG with DNSBL and TLD. No harm done, one thread or the other will do. But it may be better to use the pfBlockerNG v2.1 w/TLD in the future.
I also saw that but thought it may no longer applicable once the php updates for pfblockerng were released. I thought that was a short term fix only until the next release.
The size of MaxMind GeoIP database is 3-5x larger than previously, that used to make php crashes with the 2.1.1_2 version, this has been fixed.
However the tables generated are 3-5x larger as well, that requires an increase to the Firewall Maximum Table Entries as the default value isn't enough.
-
Thank you for the clarification. I appreciate it. I will endeavor to use that forum for these posts in the future. ;D
-
Hi all,
It's there a way to uninstall this from cli?
I did a mistake and loaded all Africa from geoip section and now Pfsense is not accessible anymore. I suspect it's overloaded. -
my issue seems to be fixed now thanks to BBcan177 and RonpfS who ware supporting me with all posted issues.
As a resume here what i did as a short recap:-
fresh install 2.1.1_4 !!!
-
SystemAdvancedFirewall & NAT change 2 values:
Firewall Maximum States : 2000000 # this ca be leave as default…i prefered to make the change.
Firewall Maximum Table Entries : 10000000 -
reboot sistem if you can if not just enable pfblokerng and run a manual update.
Everything seems to run pretty well now.
Thanks again guys. -
-
@D0X:
But now when browsing I continuously get Safari telling me the certificate is invalid (as shown in the attached picture, it is in Dutch but I think you'll get it).
Safari seems to be the only browser that has this issue. Doesn't seem to occur with Chrome/FF/IE/Edge etc…
Are these cert popups happening when you browse to that blocked Domain directly, or when its blocking that Domain as part of the webpage? Two checks to ensure DNBSL is working as expected... Ping the DNSBL VIP and get a proper response ... Browse to the DNSBL VIP and get the 1x1 pix...
If the popups are from a few common Domains, try to whitelist those and see if that improves it.
Also, in the IPv4 tab, you cannot enter any EasyList Feeds... the IPv4 tab is for IP based listed only.
DNSBL is designed to block the DNS resolution to Advert/Malicious Domains. As such only a portion of the EasyList/Privacy Feeds can be used (Where the feeds lists the actual ADvert Domain). Browser-Addons like ADBlock/UBlock manipulate the elements that are displayed on the page. So they can block certain elements from a particular Domain, while DNSBL can only block the entire Domain.
Only two EasyList feeds can be used with DNSBL and they are hardcoded in the EasyList Tab. There are several other DNSBL Feeds listed at the start of this thread that can fill in the gap to block the balance of the Domains from serving any ADs. Plus its achieved at Network level, without any add-ons manipulating or potentially opening security holes in the browser.
It would really be nice if Safari fixed this issue with their software... Not much I can do to fix that without killing the package logging feature and just NXDOMAIN the DNS requests.
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
-
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.
However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:
drill @8.8.8.8 googleads.g.doubleclick.net ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; googleads.g.doubleclick.net. IN A ;; ANSWER SECTION: googleads.g.doubleclick.net. 299 IN CNAME pagead46.l.doubleclick.net. pagead46.l.doubleclick.net. 299 IN A 172.217.1.98 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 74 msec ;; SERVER: 8.8.8.8 ;; WHEN: Wed Aug 31 15:25:50 2016 ;; MSG SIZE rcvd: 86
Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist
-
I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net. The latest events were from a banking site and when reading an article on macgroup.org.
I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon. I've white listed googleads.g.doubleclick.net.
Is there anything else I can do in the pfBlockerNG settings to sort this out?
I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.
When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.
However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:
drill @8.8.8.8 googleads.g.doubleclick.net ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; googleads.g.doubleclick.net. IN A ;; ANSWER SECTION: googleads.g.doubleclick.net. 299 IN CNAME pagead46.l.doubleclick.net. pagead46.l.doubleclick.net. 299 IN A 172.217.1.98 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 74 msec ;; SERVER: 8.8.8.8 ;; WHEN: Wed Aug 31 15:25:50 2016 ;; MSG SIZE rcvd: 86
Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist
Thanks for the info. I've added pagead46.l.doubleclick.net to the Custom Domain Whitelist. We'll see if that helps.
But, I already had .doubleclick.net in the Custom Domain Whitelist. I thought the "." at the start was supposed to cover all the sub-domains. Does that not work? Or, is this a hint that we're chasing the wrong fix to the problem?
-
But, I already had .doubleclick.net in the Custom Domain Whitelist. I thought the "." at the start was supposed to cover all the sub-domains. Does that not work? Or, is this a hint that we're chasing the wrong fix to the problem?
If you had the prefixed dot, then it should have cleared all of those Domains…
You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…
-
If you had the prefixed dot, then it should have cleared all of those Domains…
You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…
It looks like there was quite a long list of doubleclick.net domains already caught:
grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf local-data: "ad-apac.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad-emea.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad.doubleclick.net 60 IN A 10.10.10.1" local-data: "ad.mo.doubleclick.net 60 IN A 10.10.10.1" local-data: "doubleclick.net 60 IN A 10.10.10.1" local-data: "gan.doubleclick.net 60 IN A 10.10.10.1" local-data: "googleads.g.doubleclick.net 60 IN A 10.10.10.1" local-data: "iv.doubleclick.net 60 IN A 10.10.10.1" local-data: "n4403ad.doubleclick.net 60 IN A 10.10.10.1" local-data: "pubads.g.doubleclick.net 60 IN A 10.10.10.1"
I am unable to trigger the SSL certificate error now, but next time it happens I'll check the Safari error console in Dev mode.
-
It looks like there was quite a long list of doubleclick.net domains already caught:
If you manually add any domains to the DNSBL Whitelist, you must execute a "Force Reload - DNSBL" for the whitelist to take effect.
If you added .doubleclick.net to the DNSBL Whitelist, then the grep command above should have returned no results, since that Domain is in the DNSBL whitelist…
-
It looks like there was quite a long list of doubleclick.net domains already caught:
If you manually add any domains to the DNSBL Whitelist, you must execute a "Force Reload - DNSBL" for the whitelist to take effect.
Is this the "Reload" selection on the Update page? I was running "Update" after making any changes.
If you added .doubleclick.net to the DNSBL Whitelist, then the grep command above should have returned no results, since that Domain is in the DNSBL whitelist…
By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list. Or should I be looking a different whitelist?
-
Is this the "Reload" selection on the Update page? I was running "Update" after making any changes.
Yes the Update tab has "Update|Cron|Reload" buttons… For Reload you can further select a reload of IP/DNSBL or All...
Force Update will not "Reload" any changes that you made... Without running a "Force Reload", a previously downloaded Feed will not use the new settings, until Cron runs, and its re-downloaded... So thats the reason for the "Force Reload" button.
Click on the blue "i" infoblock Icons on the pages… It will show additional help text...
By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list. Or should I be looking a different whitelist?
Yes, DNSBL Custom Whitelist.
-
Is this the "Reload" selection on the Update page? I was running "Update" after making any changes.
Yes the Update tab has "Update|Cron|Reload" buttons… For Reload you can further select a reload of IP/DNSBL or All...
Force Update will not "Reload" any changes that you made... Without running a "Force Reload", a previously downloaded Feed will not use the new settings, until Cron runs, and its re-downloaded... So thats the reason for the "Force Reload" button.
Click on the blue "i" infoblock Icons on the pages… It will show additional help text...
By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list. Or should I be looking a different whitelist?
Yes, DNSBL Custom Whitelist.
Thanks for the clarification. I had previously read the info triggered by the blue "i"s. It makes perfect sense now that I know how the option works. I had assumed, incorrectly, that the lists would be reloaded after an update.
Now, when I run 'grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf', I get a null result, apparently as expected. And, happily, my wife hasn't complained about Safari barfing up SSL certificate errors for over 24 hours.
-
When running the force reload dnsbl, I noticed some of the TLD's, that I enter in the custom whitelist, were listed but not the exact subdomains that should have been whitelisted by using (for example) .facebook.com. I wanted mail.facebook.com to be whitelisted but it whitelisted ads.facebook.
If you put .FQDN it will whitelist the whole .FQDN domain,If you put .facebook.com it will whitelist the whole .facebook.com domain, mail.facebook.com, ads.facebook.com, what.ever.they.use.facebook.com, etc.Newegg was not even listed.
So it looks like it searching the other DNSBL lists for those hostnames but not finding them so it's not exclusively whitelisting them.
Do I need to enter the fqdn as listed in the alerts?
Look at the Alerts Tab DNSBL section and hover over the "+" icon, it will tell you why the blocks happens.
You can also click on it to Whitelist it from the alerts tabs. When the whitelisting happens, it will comes back with what actions it tooks. Sometimes it will also whitelist CNAME of the FQDN. Then have a look at the Custom Domain Whitelist to see what was done.There is also a legend infoblock at the bottom of the page.
-
Here are some basic instructions to get started with DNSBL.
- Open the pfBNG "DNSBL" Tab:
(Use the defaults unless you have a need to use otherwise)
Enter the DNSBL VIP as 10.10.10.1
Enter the DNSBL Listening Port as 8081
Enter the DNSBL SSL Listening port as 8443
Select the DNSBL Listening Interface as LanI have vlans configured on pfsense. Therefore there is no LAN option. The my only options are the different vlans, so what can I choose for the listening interface?
-
Here are some basic instructions to get started with DNSBL.
- Open the pfBNG "DNSBL" Tab:
(Use the defaults unless you have a need to use otherwise)
Enter the DNSBL VIP as 10.10.10.1
Enter the DNSBL Listening Port as 8081
Enter the DNSBL SSL Listening port as 8443
Select the DNSBL Listening Interface as LanI have vlans configured on pfsense. Therefore there is no LAN option. The my only options are the different vlans, so what can I choose for the listening interface?
Hi maverik1,
I haven't tested that before, but I assume that it should be ok to choose any one of the VLANS…
After enabling DNSBL, run this command from the shell to see if the DNSBL VIP is assigned to the VLAN:
ifconfig
You should see a line like this in the VLAN:
inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1
Then try to ping the DNSBL VIP address and see if it responds…
Since you have multiple VLANs, its a good idea to enable the DNSBL Permit rule option....
-
I can confirm pfbNG works fine with VLANs.
-
OK here's a strange occurrence…
pfSense just upgraded to 2.3.2 but this behaviour happened with 2.2.1 on a physically different router.pfb version 2.1.1_4.
On our LAN when we use google chrome (latest) and go to google it can take several seconds for google to display. Doing a search can take 20 seconds to respond, but it does come back eventually.
On firefox or any other browser, internet access is instant, including identical searches on the same PC simultaneously.
pfb is working OK when enabled ie blocking incoming and outgoing ipv4 correctly.
When pfBlockerNG is disabled, searches and access on chrome become instant too, so something in pfBlocker is slowing down just chrome.
This behaviour is consistent across different PCs on different versions of windows.I don't really have much idea what this can be, and logs aren't telling me much.
tl;dr - chrome+pfblockerng = very slow. Firefox = fast. Turn off pfblocker =all browsers incl chrome fast