wiki:noc2018/agenda/PfsensepfBlockerNG

Version 2 (modified by admin, 6 years ago)

pfBlockerNG

pfBlocker-NG introduces an Enhanced Alias Table feature to pfSense. This allows assigning many IP address URL lists to a single alias and then choosing a rule action. Blocking countries, IP ranges and DNS lists is easy with pfBlocker.

To install, go to Package Manager, search for pfBlocker-NG and install it. This will take some time.

Before going further, go to the ntopng settings and disable it; otherwise your pfSense will get stuck due to low memory.

Once pfBlocker-NG is installed, go to Firewall > pfBlockerNG for its settings.

On the pfBlockerNG settings General page, tick Enable and Save.

Next, go to the Update tab and click Run; this will update the default lists.

To block IP blocks based on country, go to the GeoIP tab, select the country or countries and their List Action accordingly, and Save.

To block a custom IP block, go to IPv4 or IPv6 and click +Add:

  • Give an Alias
  • Description
  • URL to an IP subnet list, or go to Custom List and enter the subnets manually.
  • List Action: whether to block or not, whether it is inbound or outbound, etc.
  • If it is a URL list, give an update frequency

Block traffic based on DNS

Modern traffic filtering becomes difficult because of encryption, so the easiest way to filter such traffic is to block it at the DNS level. There are some requirements for that:

  • All devices in the network should resolve DNS through pfSense. You have to block your clients from reaching public DNS resolvers, e.g. write a block rule on the DNS ports for outgoing traffic from your LAN.
  • You need to maintain an updated DNS list of unwanted domains.

To accomplish the second point above we will associate some publicly available, community-maintained DNS block lists based on content category.

You can find some of these links from

On pfBlockerNG, go to the DNSBL tab and tick Enable DNSBL.

When blocking is enabled, all matched domains will be resolved to an IP address known as the DNSBL Virtual IP, which replies with a plain pixel. Therefore, you have to configure an IP address that is not used in your LAN segment. For the lab, change the DNSBL Virtual IP to 192.168.254.254, as we do not use that IP in our network.

Then define a List Action under DNSBL IP Firewall Rule Settings, ideally Deny Outbound, and click Save.

Next, go to DNSBL Feeds and click Add.

Now go to Update and run it. Wait until you see UPDATE PROCESS ENDED.

Then go to your GUI VM and run nslookup 121sexcam.com, which is a blocked domain. You may also try this in a web browser.
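The two checks above (a blocked domain answering with the DNSBL Virtual IP, and clients being unable to reach public resolvers directly) can be scripted from the GUI VM. This is an added example, not code from the wiki page or from pfBlockerNG; it builds and parses raw DNS packets so that a dropped query shows up as a timeout rather than a resolver error, and the pfSense LAN address and 8.8.8.8 used in the usage note are assumed placeholder values.

```python
"""Check pfBlockerNG DNSBL from a LAN client: a blocked domain must resolve to the
DNSBL Virtual IP via pfSense, and a direct query to a public resolver must time out."""
import socket
import struct

DNSBL_VIP = "192.168.254.254"  # lab value from the page

def build_query(name, txid=0x1234):
    # Minimal DNS A/IN query with the RD bit set (no EDNS)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(resp, pos):
    """Advance past a (possibly compressed) domain name."""
    while resp[pos] != 0:
        if resp[pos] & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1

def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def is_sinkholed(addrs, vip=DNSBL_VIP):
    """True when every A record is the DNSBL Virtual IP, i.e. the domain was blocked."""
    return bool(addrs) and all(a == vip for a in addrs)

def query(name, server, timeout=3.0):
    """UDP query to `server`; returns A records, or None if the packet was dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_a_records(s.recv(512))
        except socket.timeout:
            return None
```

From the GUI VM, `is_sinkholed(query("121sexcam.com", "<pfSense LAN IP>"))` should be True, while `query("121sexcam.com", "8.8.8.8")` should return None if the LAN rule blocking outbound DNS is in place (both addresses are assumed values for your lab).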

You can also try defining custom feed lists.
