How to configure pfSense pfBlockerNG

This how-to describes how to install and configure the pfBlockerNG package

1. Package Manager

First of all, you need to install the package on the pfSense appliance

  • To do it, go to System > Package Manager > Available Packages
  • In Search section, fill the following fields:
    • Search terms: Type pfBlockerNG
    • Click on Search button
  • In Packages section, pfBlockerNG will appear
    • Click on + Install and then on Confirm buttons to launch installation
    • Once installation is completed, pfBlockerNG appears in System > Package Manager > Installed Packages

2. General settings

Before configuring DNSBL, IPv4 blacklists or reputation, it is necessary to configure the general settings.

  • To do it, go to Services > pfBlockerNG > General
  • In General Settings section, fill the following fields:
    • Enable pfBlockerNG: Checked
    • Keep Settings: Checked
    • Cron Settings: Select Every hour, select 0 as minute, hour and Daily/Weekly
    • De-Duplication: Checked
    • Suppression: Not checked
    • Global Logging: Not checked
    • MaxMind Localized Language: Select English
    • Disable MaxMind Updates: Not checked
    • Download Failure Threshold: Select 3
    • Logfile Size: Select 20000
  • In Interface/Rules Configuration section, fill the following fields:
    • Inbound Firewall Rules: Select WAN and Block
    • Outbound Firewall Rules: Select LAN and Reject
      • If you have more than one internal interface, press CTRL or CMD (for Mac users) and click on each interface
    • OpenVPN Interface: Checked
    • IPSec Interface: Checked
    • Floating Rules: Checked
    • Rule Order: Select | pfB_Block/Reject | All other Rules | (original format)
    • Auto Rule Suffix: Select Null (no suffix)
    • Kill States: Not checked
    • Click on the Save button once all fields are filled

3. DNSBL

  • To configure DNSBL, go to Services > pfBlockerNG > DNSBL > DNSBL
    • In DNSBL section, fill the following fields:
      • Enable DNSBL: Checked
      • Enable TLD: Not checked
      • DNSBL Virtual IP: Enter an IP address that is not in your internal networks, such as 10.66.66.66
      • DNSBL Listening Port: Enter 8081
      • DNSBL SSL Listening Port: Enter 8443
      • DNSBL Listening Interface: Select LAN or another internal interface
      • DNSBL Firewall Rule: Checked
        • If you have several internal interfaces, press CTRL or CMD (for Mac users) and click on each interface
    • In DNSBL IP Firewall Rule Settings section, fill the following fields:
      • List Action: Select Deny Both
      • Enable Logging: Select Enable
    • In Advanced Inbound Firewall Rule Settings, I don’t change anything
    • In Advanced Outbound Firewall Rule Settings, I don’t change anything
    • In Alexa Whitelist, I don’t change anything
    • In Custom Domain Whitelist:
      • I recommend using the + button in the Alerts tab to add custom domains to the whitelist, because the pfBlockerNG package uses DNS resolution to find the CNAMEs associated with the domain you want to whitelist
      • To begin, enter the following whitelist domains:
        • .twitter.com
        • .play.google.com
        • .drive.google.com
        • .accounts.google.com
        • .www.google.com
        • .github.com
        • .www.netflix.com
        • .www.geo.netflix.com # CNAME for (www.netflix.com)
        • .www.eu-west-1.prodaa.netflix.com # CNAME for (www.netflix.com)
        • .outlook.live.com
        • .edge-live.outlook.office.com # CNAME for (outlook.live.com)
        • .outlook.ha-live.office365.com # CNAME for (outlook.live.com)
        • .outlook.ha.office365.com # CNAME for (outlook.live.com)
        • .outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
        • .amazonaws.com
        • .login.live.com
        • .login.msa.akadns6.net # CNAME for (login.live.com)
        • .ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
        • .mail.google.com
        • .googlemail.l.google.com # CNAME for (mail.google.com)
        • .pbs.twimg.com
        • .wildcard.twimg.com # CNAME for (pbs.twimg.com)
        • .sites.google.com
        • .www3.l.google.com # CNAME for (sites.google.com)
        • .docs.google.com
        • .mobile.free.fr
        • cs9.wac.phicdn.net
        • .www.instagram.com
        • .z-p15-instagram.c10r.facebook.com # CNAME for (www.instagram.com)
        • .graph.instagram.com
        • .instagram.c10r.facebook.com # CNAME for (graph.instagram.com)
        • .plus.google.com
        • .samsungcloudsolution.net
        • .samsungelectronics.com
        • .icloud.com
        • .microsoft.com
        • .windows.com
        • .skype.com
        • .googleusercontent.com
        • .oneclient.sfx.ms
        • .sonyentertainmentnetwork.com
        • .osint.bambenekconsulting.com
        • .logging.apache.org
        • .t.co
        • evintl-ocsp.verisign.com
        • evsecure-ocsp.verisign.com
        • .symcb.com
        • .symcd.com
        • .digicert.com
    • In TLD Exclusion List, I don’t change anything
    • In TLD Blacklist, I don’t change anything
    • In TLD Whitelist, I don’t change anything
    • Click on the Save button once all fields are filled
  • To configure DNSBL feeds, go to Services > pfBlockerNG > DNSBL > DNSBL Feeds
    • Click on + Add button
    • In DNSBL Feeds section, fill the following fields:
      • DNS GROUP Name: Enter DNSBlockListGroup
      • Description: Enter DNS Block list
      • DNSBL: For each feed below, select Auto and ON, enter the full URL and give it the name listed here:
        • MalwareJustDomains: http://mirror1.malwaredomains.com/files/justdomains
        • MicrosoftDomains: https://jasonhill.co.uk/pfsense/microsoft_domains.txt
        • YouTubeVideoAds: https://jasonhill.co.uk/pfsense/ytadblock.txt
        • MalwareImmortalDomains: http://mirror1.malwaredomains.com/files/immortal_domains.txt
        • MalwareHosts: http://www.malwaredomainlist.com/hostslist/hosts.txt
        • Malvertising: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
        • hpHostsAds: http://jasonhill.co.uk/pfsense/ad_servers_dnsbl.txt
        • Cameleon: http://sysctl.org/cameleon/hosts
        • RansomwareDomainBlocklist: https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
        • Cryptolocker: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
        • DNSBLMalicious: http://winhelp2002.mvps.org/hosts.txt
        • OpenFish: https://www.openphish.com/feed.txt
        • MoneroMiner: https://raw.githubusercontent.com/Hestat/minerchk/master/minerlist-all.txt
        • spam404: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
        • Malc0de: https://malc0de.com/bl/BOOT
        • AbuseCh: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
        • StevenBlack: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
        • DisconnectTracking: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
        • DisconnectAds: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
        • CoinlistBrowser: https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts_browser
        • Princeton: https://gist.githubusercontent.com/BBcan177/b6df57cef74e28d90acf1eec93d62d3b/raw/f0996cf5248657ada2adb396f3636be8716b99eb/MS-4
        • ISClow: https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
        • DShieldMedium: https://dshield.org/feeds/suspiciousdomains_Medium.txt
        • DShieldHigh: https://dshield.org/feeds/suspiciousdomains_High.txt
        • WindowsTelemetry: https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist
        • Quidsup: https://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt
        • AdGuardDNS: https://v.firebog.net/hosts/AdguardDNS.txt
        • HostsFile: https://hosts-file.net/ad_servers.txt
        • AirelleHrsk: https://v.firebog.net/hosts/Airelle-hrsk.txt
        • PrigentMalware: https://v.firebog.net/hosts/Prigent-Malware.txt
        • PrigentPhishing: https://v.firebog.net/hosts/Prigent-Phishing.txt
        • ShallaMal: https://v.firebog.net/hosts/Shalla-mal.txt
        • ISCmedium: https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
        • ISChigh: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
        • StevenBlackAds: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts
        • HostsFileExp: https://hosts-file.net/exp.txt
        • HostsFileEmd: https://hosts-file.net/emd.txt
        • HostsFilePsh: https://hosts-file.net/psh.txt
        • HostsFileGrm: https://hosts-file.net/grm.txt
        • StevenBlackKAdHosts: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
        • StevenBlackSpam: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
        • W3KBL: https://v.firebog.net/hosts/static/w3kbl.txt
        • BillStearns: https://v.firebog.net/hosts/BillStearns.txt
        • Spammers: https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt
        • Dawsey21: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
        • Vokins: https://raw.githubusercontent.com/vokins/yhosts/master/hosts
        • AirelleTrc: https://v.firebog.net/hosts/Airelle-trc.txt
        • PrigentAds: https://v.firebog.net/hosts/Prigent-Ads.txt
        • StevenBlackHosts: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
        • ChefKoch1: https://gist.githubusercontent.com/CHEF-KOCH/080efada22b9659ef61241029122873b/raw/7f9bd984d3c46b3dba2de7606da579bc0ac6780c/Canvas%2520Font%2520Fingerprinting%2520pages%2520%255B2017%2520Edition%255D
        • ChefKoch2: https://gist.githubusercontent.com/CHEF-KOCH/5a7b1593d1880f906b12a3c87cee4500/raw/3ba028508feb2ef67a3d7ab75f428fd284223e8b/WebRTC%2520tracking%2520list%2520%255B2017%2520Edition%255D.txt
        • SamsungSmart: https://v.firebog.net/hosts/static/SamsungSmart.txt
        • EasyPrivacy2: https://v.firebog.net/hosts/Easyprivacy.txt
        • GiftCardKiller: https://raw.githubusercontent.com/TakoYachty/Gift-Card-Killer/master/giftcardkiller.txt
      • List Action: Select Unbound
      • Update Frequency: Select Once a day
      • Weekly (Day of Week): Select Monday
      • Enable Alexa Whitelist: Not checked
    • In Custom Block List section, I don’t change anything
    • Click on the Save button once all fields are filled
  • To configure DNSBL EasyList, go to Services > pfBlockerNG > DNSBL > DNSBL EasyList
    • In DNSBL – EasyList section, fill the following fields:
      • DNS GROUP Name: Enter EasyList
      • Description: Enter DNSBL Easy list
      • EasyList Feeds:
        • Select ON, EasyList w/o Elements, enter EasyListWOElements
        • Click on + Add button
        • Select ON, EasyPrivacy, enter EasyListWOElements
    • In DNSBL – EasyList Settings section, fill the following fields:
      • Categories: Press CTRL or CMD (for Mac users) + click to select following categories:
        • EASYLIST Adservers
        • EASYLIST Adservers Popup
        • EASYLIST Adult Adservers
        • EASYLIST Adult Adservers Popup
        • EASYPRIVACY Tracking Servers
        • EASYPRIVACY Tracking International
      • List Action: Select Unbound
      • Update Frequency: Select Once a day
      • Weekly (Day of Week): Select Monday
      • Enable Alexa Whitelist: Not checked
    • Click on the Save button once all fields are filled
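The two DNSBL steps above (the Custom Domain Whitelist, including the CNAME entries it needs, and the feeds with De-Duplication) can be understood by doing the same work by hand. The script below is an added example written for this page, not code from the how-to or from the pfBlockerNG project: it reads feeds in the two formats the URLs above serve (hosts-style "0.0.0.0 domain" files and plain domain lists), merges and de-duplicates them, releases whatever the whitelist covers, and generates whitelist lines in the page's own format for a domain and its CNAME targets. The feed contents and domain names are constructed samples, and the whitelist semantics are an assumption: an entry with a leading "." is taken to cover the domain and all its subdomains, an entry without the dot only that exact name.

```python
"""
Added example, not pfBlockerNG's own code: normalise DNSBL feeds,
de-duplicate them, apply a Custom Domain Whitelist, and emit whitelist
lines for a domain plus its CNAME chain in the format used in this how-to.

Assumptions (not stated on the page): a whitelist entry starting with "."
matches the domain and every subdomain; without the dot it is an exact
match.  Feeds and names below are constructed samples.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample feeds standing in for two of the URLs listed above.
HOSTS_FORMAT_FEED = """\
# hosts-style feed (constructed sample)
127.0.0.1 localhost localhost.localdomain
0.0.0.0 ads.example.net
0.0.0.0 y.analytics.yahoo.com   # trailing comment
0.0.0.0 tracker.twitter.com
"""

JUSTDOMAINS_FEED = """\
# justdomains-style feed (constructed sample)
ads.example.net
malware.example.org
cs9.wac.phicdn.net
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")


def parse_feed(text: str) -> Set[str]:
    """Return the lowercased domains in a hosts-format or plain-list feed."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # hosts format: "<ip> name [name ...]"; plain list: "name"
        names = fields[1:] if IPV4_RE.match(fields[0]) or fields[0] == "::1" else fields[:1]
        for name in names:
            name = name.rstrip(".")
            if name not in LOCAL_NAMES and DOMAIN_RE.match(name):
                domains.add(name)
    return domains


def merge_feeds(feeds: Iterable[str]) -> Set[str]:
    """Union of all feeds; the set gives the De-Duplication behaviour."""
    merged: Set[str] = set()
    for feed in feeds:
        merged |= parse_feed(feed)
    return merged


def is_whitelisted(domain: str, whitelist: Iterable[str]) -> bool:
    """Leading '.' covers the domain and its subdomains; no dot means exact match (assumption)."""
    domain = domain.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.split("#", 1)[0].strip().lower()   # entries may carry "# CNAME for (...)"
        if not entry:
            continue
        if entry.startswith("."):
            base = entry[1:]
            if domain == base or domain.endswith("." + base):
                return True
        elif domain == entry:
            return True
    return False


def apply_whitelist(domains: Iterable[str], whitelist: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split merged feed domains into (still blocked, released by the whitelist), both sorted."""
    blocked: List[str] = []
    released: List[str] = []
    for d in sorted(domains):
        (released if is_whitelisted(d, whitelist) else blocked).append(d)
    return blocked, released


def whitelist_entries_for(domain: str, cname_chain: List[str]) -> List[str]:
    """Whitelist lines in the how-to's format: the domain, then each CNAME it resolves through."""
    domain = domain.rstrip(".")
    lines = ["." + domain]
    lines += [f".{t.rstrip('.')} # CNAME for ({domain})" for t in cname_chain]
    return lines


if __name__ == "__main__":
    whitelist = [".twitter.com", "cs9.wac.phicdn.net"]
    blocked, released = apply_whitelist(merge_feeds([HOSTS_FORMAT_FEED, JUSTDOMAINS_FEED]), whitelist)
    print("blocked :", blocked)
    print("released:", released)
    print("\n".join(whitelist_entries_for("www.netflix.com",
                                          ["www.geo.netflix.com", "www.eu-west-1.prodaa.netflix.com"])))
```

Running it shows why the how-to lists the CNAME targets next to each whitelisted domain: the whitelist is matched against the name that appears in a feed, so a CNAME target present in a feed stays blocked unless it has its own entry, and the client's lookup of the original domain still ends at the DNSBL Virtual IP.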

4. Update/Apply configuration

Once reputation, IPv4 and IPv6 blacklists, DNSBL and GeoIP are correctly configured, you need to apply the configuration.

  • To do it, go to Services > pfBlockerNG > Update
  • In Update Settings section, fill the following fields:
    • Select ‘Force’ option: Select Reload
    • Select ‘Reload’ option: Select All
    • Click on Run button

5. Verifications / Troubleshooting

General

  • To check if pfBlockerNG is running, go to Status > Services
    • Service: dnsbl
    • Description: pfBlockerNG DNSBL Web Server
    • Status: Green

DNSBL

  • To verify that DNSBL is blocking something, from your client laptop, type the following command:
nslookup adservices.google.com
Server:   <Your DNS IP Address>
Address:  <Your DNS IP Address>#53

Non-authoritative answer:
Name: adservices.google.com
Address: 10.66.66.66 ---> It is the DNSBL Virtual IP
  • You can also go to a site with a lot of adverts, for example www.yahoo.com. Run your favourite packet capture software, such as Wireshark, on your client laptop while you browse Yahoo. In your packet capture, you will probably see the following DNS request/response:
No.     Time           Source                Destination           Protocol Length Info
    193 3.642003       <CLIENT IP ADDRESS>   <DNS IP ADDRESS>      DNS      81     Standard query 0x2e50 A y.analytics.yahoo.com
    196 3.644553       <DNS IP ADDRESS>      <CLIENT IP ADDRESS>   DNS      97     Standard query response 0x2e50 A y.analytics.yahoo.com A 10.66.66.66
  • Finally, you can check log files.
    • To do it, go to Services > pfBlockerNG > Logs
    • In Log/File Browser selections section, fill the following fields:
      • Log/File type: Select Log File
      • Log/File selection: Select one of following:
        • pfblockerng.log: to see if update jobs are ok
        • error.log: to see if anything is wrong
        • dnsbl.log: to see all blocked requests
        • extras.log: to see other things
        • maxmind_ver: to see MaxMind GeoIP database update
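The nslookup and Wireshark checks above test one name at a time. As an added example, not part of the how-to, the script below does the same check for a list of names: it parses nslookup output of the shape shown above, classifies each answer as blocked (the DNSBL Virtual IP came back), allowed (a real address) or nxdomain, and can run live lookups through the client's configured resolver, which behind pfSense is the firewall's DNS Resolver. It assumes the DNSBL Virtual IP 10.66.66.66 chosen in section 3; the nslookup transcript and the domain names are constructed samples.

```python
"""
Added example, not part of the how-to: batch version of the nslookup check.
A name answered with the DNSBL Virtual IP is being sinkholed; a name on the
Custom Domain Whitelist should come back with a real address.

Assumption: 10.66.66.66 is the DNSBL Virtual IP from section 3.  The
transcript and names below are constructed samples.
"""
import socket
from typing import Dict, Iterable, List, Optional

DNSBL_VIP = "10.66.66.66"

# Constructed nslookup transcript in the shape shown in the how-to.
SAMPLE_NSLOOKUP = """\
Server:   192.168.1.1
Address:  192.168.1.1#53

Non-authoritative answer:
Name: adservices.google.com
Address: 10.66.66.66
"""


def parse_nslookup(output: str) -> List[str]:
    """Return the answer addresses, skipping the resolver's own Server/Address header."""
    addresses: List[str] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True          # everything after the first Name: line is the answer
        elif in_answer and line.startswith("Address:"):
            addresses.append(line.split(":", 1)[1].strip())
    return addresses


def resolve(name: str) -> Optional[str]:
    """Live A lookup through the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(answers: Dict[str, Optional[str]], vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Map each name to 'blocked' (answer is the DNSBL VIP), 'nxdomain' (no answer) or 'allowed'."""
    verdicts: Dict[str, str] = {}
    for name, address in answers.items():
        if address is None:
            verdicts[name] = "nxdomain"
        elif address == vip:
            verdicts[name] = "blocked"
        else:
            verdicts[name] = "allowed"
    return verdicts


def resolve_all(names: Iterable[str], vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Live check: resolve every name and classify the answers."""
    return classify({n: resolve(n) for n in names}, vip)


if __name__ == "__main__":
    # The names used in the how-to's own checks; run this from a client behind pfSense.
    for name, verdict in resolve_all(["adservices.google.com", "y.analytics.yahoo.com", "www.google.com"]).items():
        print(f"{name:30} {verdict}")
```

A name you expect to be blocked that comes back as allowed usually means the client is not using the firewall's DNS Resolver (check the DNS server handed out by DHCP, or a browser using DNS over HTTPS), or that the name or one of its CNAMEs is on the whitelist; a whitelisted name that still shows as blocked is the CNAME case described in the DNSBL section.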

https://github.com/mikael-andre/pfSense/wiki/HOWTO-pfSense-pfBlockerNG