/r/pfBlockerNG

Since 2014, pfBlockerNG has been protecting assets behind consumer and corporate networks running pfSense, an open-source firewall based on FreeBSD.

The development of pfBlockerNG was forged out of the passion to create a unified solution to manage IP and Domain feeds with rich customization and management features.

pfBlockerNG is created, designed, developed, supported and maintained by BBcan177 (an independent developer).

Licensed on an "As Is" Basis without Warranties or Conditions... Apache 2.0


pfBlockerNG Started Blocking Site Links

pfBlocker just started (about 2-3 days ago) blocking video/image links on Reddit and Discord calls. Has anyone else had this happen or have a hint on how to fix it?

1 Comment
2025/01/31
00:26 UTC

No "Permit" logs and patches/reinstalling doesn't resolve

Hey folks,

I recently installed pfsense on a computer and deployed it. I installed pfblockerng to replace my pi-hole.

I'm having an issue where I don't see any permitted traffic. I thought I checked everything but can't seem to find what might be missing.

Any ideas what to do or where to go? Both pfsense and pfblockerng (devel) are the most recent versions.

0 Comments
2025/01/30
19:35 UTC

GeoIP broken in latest Devl update

Not sure how to reach out to the maintainer but GeoIP is broken in the latest dev

https://forum.netgate.com/topic/196190/ipv4-source-definitions-line-1-invalid-geoip-entry/3

I definitely don't feel comfortable going into the .PHP file and editing. Can we get a fix for this soon?

8 Comments
2025/01/27
14:29 UTC

Unable to add a particular ASN to my IP source definition.

I can't add AS152194; autocomplete doesn't seem to pick it up. Any other ASN is fine.

(edit: I tried a different pfSense instance and it was picked up fine. It's just me. Seeing what else I can learn. /edit)

I tried setting ASN caching to 1 hour and then reload all but no joy. Running pfbng 3.2.0_20 in 2.7.2 rel. Suggestions?

4 Comments
2025/01/26
18:10 UTC

Backup of pfB config with readily viewable Custom_List, Domain/AS data isn't possible, correct?

edit: I think I've confirmed this isn't possible. There's no quick way to get a readable copy of the list data. I'm not complaining; knowing this helps me budget my time. /edit

I need a copy of pfBng config, where the data in Custom_List -> Domain/AS is in viewable text.

In a pfSense xml backup, pfB's custom data is base64 encoded. By the time I'm done decoding I haven't saved any time over manually copy/pasting the list data.

Am I missing anything?

2 Comments
2025/01/25
19:02 UTC

Update to pfblockerNG not devl

u/BBCan177 pfblockerNG-devl has been updated to include ipinfo details so you can pull down ASN information for blocklists. The non devl version of pfblocker currently doesn't have this. Will it get updated any time soon?

5 Comments
2025/01/21
19:52 UTC

Looks like the CoinBlocker lists have gone kaput.

3 Comments
2025/01/20
16:01 UTC

pfblockerng not updating list with md5, specifically hagezi TIF medium

Contents here.

# ls -l
total 18032
-rw-r--r--  1 root wheel 4936423 Jan 20 00:15 0hageziTIFmedium.md5.raw
-rw-r--r--  1 root wheel 5882487 Jan  9 00:15 0hageziTIFmedium.orig

I can see it has downloaded a newer file named .md5.raw; the .orig is the older file actually being used by pfblockerng.

The log shows this for the list.

[ 0hageziTIFmedium ]
				( md5 feed )		. 200 OK
				( md5 changed )		Update found
[ 0hageziTIFmedium ]		 Reload [ 01/20/25 00:15:08 ] . completed ..

OK, I set the list update interval to hourly (was daily), and it's now overwriting the .orig files, so I will monitor to see if it persists every day. Further update: it's still failing to update the .orig files on automatic cron.

12 Comments
2025/01/20
13:35 UTC

Talos Blacklist Returning 404

This morning the Talos BL in pfBlockerNG failed and continues to fail. Went to the URL and the site is returning 404. I just want to make sure this is the right URL and that the problem is on Cisco's side.

https://talosintelligence.com/documents/ip-blacklist

2 Comments
2025/01/18
20:26 UTC

How do I stop pfblockerng via the pfsense shell?

Hi,

How do I stop pfblockerng service via the pfsense shell? I tried `pfSsh.php playback svc stop pfblockerng` however despite receiving the output "pfblockerng has been stopped" - in reality it wasn't.

Edit: I want to disable the DNSBL specifically

7 Comments
2025/01/18
14:04 UTC

Time Based DNSBL blocking?

Hi,

How do I configure time schedule based DNSBL Blocking? Yes, I'm aware of DNS caches, still, I would like to understand how to configure a schedule for DNSBL blocking.

Thank you

4 Comments
2025/01/17
22:21 UTC

How do I configure DNSblocking for only some IP addresses?

Hi, I've tried searching on Google but cannot get an answer to my question. I would like to configure DNS blocking for only some IP addresses and NOT all the devices which use pfsense. How do I do this? Thanks

2 Comments
2025/01/17
16:17 UTC

In top spammers, each country is listed twice; what's the difference between CN and CN_rep?

I googled a lot for this and couldn't find the answer, so any help would be appreciated, thank you.

3 Comments
2025/01/08
09:58 UTC

Null Blocking for IPv6 Queries?

I have null blocking enabled in my DNSBL global settings as well as the DNSBL Group page. The issue is that IPv6 queries are still sent to the DNSBL Web Server when I test.

Is this because I have the IPv6 DNSBL setting enabled under the DNSBL Web Server settings? Per the description, if this is not enabled, there will not be any blocking of DNS queries from IPv6 clients.

"Enable DNSBL for IPv6 DNS Resolution filtering. Default IPv6 Webserver address [ ::10.10.10.1 ] and ports [80/443]"

0 Comments
2025/01/07
15:14 UTC

PfBlocker Disabled on vlan?

I have pfBlockerNG enabled on everything on my network, but I would like to disable it on a VLAN so it can work with my virtual machine (I have an AI that does not play nicely with pfBlockerNG). Is there any way to do this?

5 Comments
2025/01/06
01:21 UTC

Happy New Year 2025!

Wishing everyone a Happy New Year 2025!

Thanks to all who support the project in any way. It's appreciated!

5 Comments
2024/12/31
21:18 UTC

pfB adding 10ms overhead?

On my HP t730 (bare metal, Pf Plus 24.11) should pfB be adding 10ms on overhead on cached lookups (over it being disabled)?

I am running a cumulative of 2,462,079 DNS records blocked on it, but ram utilization is no more than 40%?

8 Comments
2024/12/28
23:29 UTC

Maxmind Cities

Does pfblocker support using cities for geoip ACLs? I have a purchased geoip (not lite) db attached to my account that I'd like to leverage.

2 Comments
2024/12/26
15:03 UTC

DNSBL error (MaxMind)

Hi,

I've been using pfBlocker for years now without any issues and am currently on the latest version: 3.2.0_20. Overnight the dashboard status changed to a yellow exclamation icon for DNSBL, which told me to inspect the py_error.log for more details. I opened the log file specified and found this error message:

ERROR| [pfBlockerNG]: Failed to open MaxMind DB: Error opening database file (/usr/local/share/GeoIP/GeoLite2-Country.mmdb). Is this a valid MaxMind DB file?

Never had an issue before with MaxMind and not sure what triggered it. Now whenever I run a reload I get a new error entry. Just to be on the safe side I generated a new license key and even rebooted the whole pfSense, but none of that helped and I am still getting the error when I re-run the reload.

Any suggestions?

11 Comments
2024/12/24
11:14 UTC

ASN list not processing IPs when added in IPv4 or IPv6 Custom_List fields

I recently wanted to look into enabling ASN functionality. IPinfo.io account and token created and added, and asn.csv is downloading fine on CE and Plus pfBlockerNG-devel 3.2.0_20. I'm trying to add the list of ASNs I extracted from the Spamhaus ASN drop list, which has 291 ASN numbers listed, some of which I did verify are empty and won't load IPs for certain specific ones in the list. When I add the list of 291 ASNs via the faster method in the IPv4 Custom_List field, one per line, with the Domain/AS box ticked, I am getting a total of two CIDRs that populate in my ASN Deny log and ten IP ranges that populate the ASN Orig log. Deleting these logs and running another force reload and update showed the same results when ASNs are entered in the IPv4 Custom_List field, even though the update log viewer does appear to show that they were each being processed, but with no IP stats.

When entering ASNs as individual IPv4 source definitions one by one, they do successfully process IPs for each ASN that is added and populate the expected IPs in the individual Deny log for each ASN I added as an individual IPv4 source definition, populating 39 CIDRs from the first 20 ASNs added by this method.

I did also try with having just the numerical ASN number without the "AS" prefix and with "AS" in the Custom_List field, just like the Source Definitions field accepts, but both formats process the same in the update log viewer and the same two CIDRs populate. I'm curious as to how to make this work using only the IP Custom_List fields, as I've also located another ASN list that I'd prefer for blocking on inbound only, also with 743 ASNs listed, but each would be quite a handful to try to add as one source definition line at a time for both IPv4 and IPv6 and across multiple boxes.

2 Comments
2024/12/22
09:40 UTC

Hourly Cron Update killing Connection to Game

Hello, I am getting kicked from my game every hour on cron update. This is the IP I am connected to that is breaking the connection to the game. I changed the update to run every 24 hours, but I have never had this issue before. Is there something wrong in my settings? I don't see anything in the reports or logs to indicate why this is happening. This is on a 6100, 24.11 and version 3.2.0_16. CPU is good.

State table size 0% (972/805000)

https://preview.redd.it/6ej8bsdkd98e1.png?width=1697&format=png&auto=webp&s=edd1b1a0c42a2379b0df9872c3b7e57dcd455b3c

5 Comments
2024/12/21
20:10 UTC

Receiving the error: [ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL

edit: Found the solution here https://forum.netgate.com/topic/185817/talos_bl_v4-failed-downloads

I've been receiving the errors below. How do I fix this?

[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 15:00:29 ] 
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 14:00:22 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 09:00:14 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 08:00:12 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 07:00:12 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 06:00:22 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 05:00:25 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 04:00:11 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 03:00:12 ]
[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 12/16/24 02:00:18 ]


and

DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download. [ 08/25/24 08:00:20 ] Restoring previously downloaded file contents... [ 08/25/24 08:00:20 ]

[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 08/25/24 09:00:16 ] DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download. [ 08/25/24 09:00:21 ] Restoring previously downloaded file contents... [ 08/25/24 09:00:21 ]

[ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 08/25/24 10:00:13 ] DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download. [ 08/25/24 10:00:18 ] Restoring previously downloaded file contents... [ 08/25/24 10:00:18 ]

9 Comments
2024/12/16
21:13 UTC

ASN caching seems to be ignored.

Some more info.

I am aware I recently posted an issue with some files not getting updated, so when I noticed this, I did check to see if it was the same problem, but all evidence suggests the downloads are successful, timestamp etc. is updated, so it doesn't appear to be the same issue.

Every cron or force reload run will make all ASN files be downloaded again.

ASN cache is set to a week, and any custom ASN I have configured also set to once a week.

I did find this, don't know if relevant.

https://github.com/pfsense/FreeBSD-ports/commit/06d25eb955f0974feb7b77d2786f1dc62066e9be

But I wonder if this contributed to the rate limiting problems which led to the change to ipinfo?

4 Comments
2024/12/11
10:05 UTC

Possible to add support for exception lists?

Example list here, also this would require adding support for the syntax.

https://github.com/AdguardTeam/AdGuardSDNSFilter/blob/master/Filters/

DNS blocking is hard as, unlike via a browser, most lists on the net break stuff, even lists that claim to be breakage free. I discovered these exception lists, and I am currently adding them to the DNSBL form box manually every update.

As a workaround I was going to auto-download the list in a category that is set to disabled action, and then auto-convert the file with a script in the post-script configuration, but I can't find the source file for the DNSBL whitelist to edit it, so I am having to do it manually via the UI. The suppression file in /var/db/pfblockerng is generated after saving, and there is another file in /var/unbound, but I can't find one that holds the source configuration.

If I can get this working or feature is made officially, I might start maintaining a whitelist that unbreaks devices and websites.

The plan is also to make a list to exempt basic telemetry, as most lists include app telemetry as trackers when they're not trackers. Example: Amazon metrics, which when blocked cause Amazon devices to drain really fast.

4 Comments
2024/12/09
09:06 UTC

Repeatable bug when using DNSBL ip whitelisting feature, explanation of how to trigger.

Restart unbound with clean cache, initially working state.

Do a query from a device that is NOT whitelisted to a hostname in a blacklist; you should get a filtered DNS result, e.g. 10.10.10.1.

Then do the same query from a device that is whitelisted in the Python group policy, and you get the real internet address in the result.

Now do the same query from the first device or any device that isn't whitelisted; you will get the real unfiltered internet address.

This is on pfsense 2.7.2 with latest pfblockerng-devel. Python enabled, python control enabled, using VIP, python group policy, python dnsbl blocking.

Some more information.

When the filtered reply is sent, the query is in the DNS reply log as expected. When the unfiltered cache reply is sent, the query does NOT show in the DNS reply log, but IS present in the unbound verbose query log. This confirms unbound is serving the reply and it's not making it to DNSBL.

7 Comments
2024/12/07
04:12 UTC

TLD situation

So I want to enable recursive subdomain blocking, but not globally.

From what I have googled, it's a choice of enabling it on every feed, with potential resource and false positive issues, or no support for it at all, with bbcan17 saying it's most valuable on malware lists.

I noticed for each DNSBL group top1m can be toggled, so I propose a solution to the problem.

Is it possible to add a TLD on/off per group, so one could e.g. enable TLD support for a small set of domains whilst having it off for large lists?

1 Comment
2024/12/07
01:10 UTC

Confirm Adblock lists work?

https://www.patreon.com/pfBlockerNG

I saw this post and wanted to confirm that AGH-style blocklists can be used in devel now?

2 Comments
2024/12/03
15:48 UTC

Some pretty serious issues on my install of pfblockerng

Latest devel version, pfsense 2.7.2.

Noticed whilst debugging issues that no updates had been applied for 'any' dns blacklists including local files since 22 April 2024.

In the logs, it reported that an update was needed, but didn't report a failed update.

Top1m was also enabled, but had a repeating error as below for every run.

TOP1M Database downloading ( approx 21MB ) ... Please wait ...
 Building TOP1M Whitelist [
TOP1M conversion Failed. File: top-1m.csv, not found...
 DNSBL - TOP1M changes found - Rebuilding!
 completed    

It's as if pfblockerng thinks it's downloaded a file but it hasn't.

I can edit any file I want fine from within the diagnostics edit feature in pfsense, everything looks fine on the shell.

If I selected force update in the GUI, it also didn't do what I would expect; it said files exist and just skipped to the end.

The only way I could force an up to date file was to wipe everything in /var/db/pfblockerng/dnsblorig and also /var/db/pfblockerng/dnsbl, and then finally I got new files pulled down.

In addition the custom file also got populated after I did this as well.

Please let me know what I can do to help debug.

Edit: so it's all working fine after the stuck files were deleted and top1m was turned off then on again. I am going with permission issues as was suggested to me; also in the error log was 403 permission denied for updating top1m (file as source, not a web address), which kind of confirms that.

3 Comments
2024/12/02
04:30 UTC

Default DNSBL Whitelist Missing

It seems the default DNSBL whitelist no longer populates for me on a fresh setup on my SG8200 despite enabling it during the pfblockerng wizard setup. Would someone be kind enough to list it in this thread.

8 Comments
2024/12/01
07:47 UTC

MaxMind fails to download.

I'm using pfSense 2.7.2 with pfBlockerNG-devel 3.2.0_20. The MaxMind database fails to refresh with the following error:

[ pfB_PRI3_v4 - MaxMind_BD_Proxy_v4 ] Download FAIL [ 11/29/24 13:02:32 ]
  DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
 [ 11/29/24 13:02:32 ]
  Restoring previously downloaded file contents... [ 11/29/24 13:02:32 ]

I found some troubleshooting advice on the web and confirmed that nothing is blocking my connection to the MaxMind web server. I also logged into my MaxMind user portal to ensure the account was still active, and I did not find any errors.

It's at this point that I realized the pfBlocker site in the PRI3 setting is a test page at:
https://www.maxmind.com/en/high-risk-ip-sample-list

Is this the proper setting? Is there something else I need to do?

Thanks for any help.

8 Comments
2024/11/29
18:31 UTC
