Version 3 (modified by 6 years ago) ( diff ) | ,
---|
pfBlockerNG
pfBlocker-NG introduces an Enhanced Alias Table Feature to pfSense. This Allows, assigning many IP address URL lists to a single alias and then choose a rule action. Blocking countries and IP ranges, DNS lists is easy with pfBlocker.
To Install go to Package Manager and search and install pfBlocker-NG. This will take some time to install
Before going further go to ntopng settings and disable it otherwise your pfSense will get stuck due to low memory
Once pfBlocker-NG is installed, goto Firewall > pfBlockerNG for settings.
On pfBlockerNG settings, General Page, tick Enable and Save.
Next go to Update tab and click Run, this will update default lists.
To block IP blocks based on country go to GeoIP tab and select country/s and their List Action accordingly and Save.
To block a custom IP block, goto IPv4 or IPv6 and click +Add
- Give an Alias
- Discription
- URL to a IP subnets list or go to Custom List and enter manually.
- List Action, whether to block or not, whether it is inbound or outbound, etc.
- If it is a URL list, give a update frequency
Block traffic based on DNS
Modern traffic filtering becomes uneasy due to encryption methods, therefore the easiest way in filtering them is to block the DNS. But there should be some requirements for that,
- All devices in the network should resolve DNS from pfsense. You have to block accessing public DNS resolvers by your clients. eg: write a block rule on DNS ports for outgoing traffic from your LAN.
- Need to maintain an updated DNS list of unwanted domains.
To accomplish the second point above we will associate some publicly available community maintained dns block lists based on content category.
You can find some of these links from
- https://github.com/pi-hole/pi-hole/wiki/Customising-sources-for-ad-lists
- https://github.com/StevenBlack/hosts
- https://firebog.net/
on pfBlockerNG, go to DNSBL tab and tick enable DNSBL
When blocking is enabled all matched domains will be redirected to a IP address known as DNSBL Virtual IP and it will reply with a plain pixel. Therefore, you have to configure an IP address that is not used in your LAN segment. For the lab purposes change DNSBL Virtual IP to 192.168.254.254 as we do not use that IP in our network.
Then Define a List action from DNSBL IP Firewall Rule Settings, ideally, Deny Outbound and click save.
Next, Go to DNSBL Feeds
Click Add.
- DNS GROUP Name: PRON_Sites
- Description: BLock Porn sites
- DNSBL:
- Format: Auto
- State: ON
- Source: https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
- Header: list1 and click Add
- on the second line use url: https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list with Header: List2 and Add
- List Action: Unbound
- Update Frequency: Once a day
- Save
Now go to Update and run it. Wait till you see UPDATE PROCESS ENDED
Then go to your GUI vm and do nslookup 121sexcam.com
which is a blocked domain. You may also try this on web browser as well.
You can also try defining custom feed lists as well.