
pfBlockerNG Guide

pfBlockerNG is an excellent Free and Open Source package developed for pfSense® software that provides advertisement blocking and malicious content blocking, as well as geo-blocking capabilities.

By installing pfBlockerNG, you can block not only ads but also web tracking, malware and ransomware domains, gaining extra security and privacy for your entire network. It does this with a feature known as DNSBL (short for Domain Name System-based Blackhole List). pfBlockerNG also lets you block traffic to and from specific IP addresses, including whole countries and regions, which can reduce your exposure to unwanted inbound connections.

tip

If you are looking for a solution that enables content filtering and advertisement blocking on your pfSense® software firewall, or you are an open-minded administrator keen to try new solutions, we strongly recommend that you try Sensei (ZENARMOR), developed by Sunny Valley Networks.

Sensei (ZENARMOR) gives the firewall administrator the ability to extend the firewall beyond a traditional stateful L2/L3/L4 firewall, adding features such as application control and web filtering.

What is pfBlockerNG?#

pfBlockerNG is a pfSense® software package created by BBcan177 and used for IP/DNS-based filtering. It builds on the earlier work of Marcello Coutinho and Tom Schaefer. The project's goal is to extend pfSense's core firewall functionality by letting users control and manage inbound and outbound access through the firewall using IP and DNS control lists.

pfBlockerNG gives pfSense® software the ability to make allow/deny decisions based on items like the geolocation of an IP address, the domain name of a resource, or the Alexa ratings of specific websites.

Many pfSense® software users consider pfBlockerNG an essential package, to the point that they regard a pfSense® installation as incomplete without it.

History of pfBlockerNG#

Since 2014, pfBlockerNG has been protecting assets behind pfSense® software in both consumer and corporate networks. The desire for a unified solution to manage IP and domain feeds with rich customization and management features drove its development. BBcan177, an independent developer, designed and wrote pfBlockerNG and still maintains it today.

Before pfBlockerNG, the pf-blocker package developed by Marcello Coutinho was widespread in the pfSense® community. pf-blocker was the successor of Country Block, developed by Tom Schaefer; on Oct 27, 2011, Country Block ended and pf-blocker took over. The package was designed to keep a mail server from being flooded with spam. However, pf-blocker could not process the feeds that were needed, and it crashed when large IP feeds were added. BBcan177 offered to help the developer add functionality, but nothing came of it. As a result, pf-blocker's life was short: the last commit to its GitHub repository was on Jun 20, 2014. pfBlockerNG was released on Nov 30, 2014, and pf-blocker was retired.

BBcan177 takes care to test pfBlockerNG thoroughly before each release and to resolve reported issues promptly.

BBcan177 has a Patreon campaign where you can donate a few dollars to support continued maintenance and improvement of the package. We strongly encourage you to donate if you use pfBlockerNG in a production environment.

At the time of writing this article, the latest version of pfBlockerNG-devel package is v3.0.0_16 released on April 8th of 2021.

Features of the pfBlockerNG#

pfBlockerNG includes a wide variety of features such as country blocking, IP/DNS blacklisting, and IP reputation blocking to protect your network from unwanted traffic. We will cover the pfBlockerNG features briefly below.

IP Blocking#

pfBlockerNG allows you to create firewall rules based on IPv4 and IPv6 address lists, so you can control both incoming and outgoing traffic on one or more interfaces. You can also filter by geolocation: the identification or estimation of an IP address's real-world geographic location. MaxMind, an industry leader in IP geolocation accuracy, provides and maintains the databases pfBlockerNG uses. Websites host content and media on servers all over the world, so be cautious about blocking too much: inadvertently blocking some of these addresses may result in broken websites or unavailable downloads.

DNS Blocking#

pfBlockerNG can also control the DNS Resolver to prevent access to unwanted or malicious destinations such as advertising networks, trackers, and malware domains. Domain blocking is a very effective way to filter tracking domains, malicious domains, and advertisements. Each DNS request from your network is checked against the blocklist; if a match is found, the resolver answers with the DNSBL virtual IP instead of the real address, so the client never reaches the site. It's an excellent way to block ads without using a proxy server.

Domain names gathered from various blacklist sources or manually entered are used to generate optimized DNS Resolver blocklists. You can subscribe to popular user-maintained blocklists as well as use prebuilt EasyLists.

info

The EasyList filter lists are sets of rules originally designed for Adblock that automatically remove unwanted content from the internet, such as irritating advertisements, bothersome banners, and inconvenient tracking. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.

Inbound traffic filtering#

pfSense® software blocks all inbound traffic by default. Therefore, there is no need to apply a rule to inbound traffic for additional protection unless there are open ports on your firewall. However, you may occasionally have a number of ports open, exposing a VPN endpoint and several self-hosted services. If this is the case, then it is advisable to use the custom IP list and GeoIP restriction features of pfBlockerNG to limit access.

Outbound traffic filtering#

Outbound blocking is available in pfBlockerNG to prevent users from accidentally visiting malicious websites. When combined with logging, this is a useful method for identifying potentially compromised devices.

Policy-based routing#

pfBlockerNG can also create policy-based routing rules, so traffic that matches a list is sent through, or kept away from, a specific gateway or gateway group.

Malicious DNS Blocking and advert limiting#

DNS blocking to networks served by the DNS Resolver is also supported in pfBlockerNG to prevent access to tracking and/or malicious sites. Be cautious of the possibility of introducing false positives.

Spam Filtering#

If you have a mail server on your network, pfBlockerNG is an excellent package to use. You can prevent spam from reaching your server by including a spam blacklist, such as Spamhaus.

Whitelists#

If you want a domain not to be blocked, pfBlockerNG allows you to add it to the whitelist.

SafeSearch#

SafeSearch can be enforced for the most popular search engines. You can also block Firefox's use of DNS over HTTPS (so that it keeps using the firewall's resolver) and set YouTube restriction levels.

How to Install and Configure pfBlockerNG#

You can easily set up and configure the pfBlockerNG package on your pfSense® software firewall by following these steps:

  1. pfBlockerNG package installation
  2. pfBlockerNG initial configuration

pfBlockerNG package installation#

To install the pfBlockerNG package, you may follow the instructions given below.

  1. Access your pfSense® software WebGUI.

pfSense® Software CE GUI sign in page

Figure 1. pfSense® Software CE GUI sign-in page

info

The default username and password for pfSense® software are admin and pfsense. It is strongly recommended that you change the password to a strong one.

  2. Navigate to System -> Package Manager -> Available Packages.

Accessing Package Manager on pfSense® Software CE GUI

Figure 2. Accessing Package Manager on pfSense® Software CE GUI

Accessing Available Packages on pfSense® Software CE GUI

Figure 3. Accessing Available Packages on pfSense® Software CE GUI

  3. Type pfblockerng into the search field and click Search.
  4. Click Install on the version with -devel at the end of the package name.

Search and install pfBlockerNG-devel package

Figure 4. Search and install pfBlockerNG-devel package

  5. Click Confirm to let the package install. This will take some time because it needs to download several files and databases.

 Confirmation for installing pfBlockerNG-devel package

Figure 5. Confirmation for installing pfBlockerNG-devel package

  6. Once the installation is complete, you should see Success after a few minutes.

pfBlockerNG-devel package installation completed successfully

Figure 6. pfBlockerNG-devel package installation completed successfully

pfBlockerNG initial configuration#

  1. Click on the Firewall drop-down menu on your pfSense® software GUI.
  2. Click on pfBlockerNG to start the configuration wizard.

Accessing pfBlocker menu on pfSense® software GUI

Figure 7. Accessing pfBlocker menu on pfSense® software GUI

  3. Click Next to continue.

pfBlockerNG setup wizard

Figure 8. pfBlockerNG setup wizard

  4. Click Next to proceed to the configuration. This will remove all settings if you have previously configured pfBlockerNG and install the following components:
  • IP: Firewall rules will be defined for the WAN interface to block the worst-known attackers.
  • DNSBL: DNS resolver will be utilized so that advertising and other known malicious domains are blocked.

pfBlockerNG component installation notice

Figure 9. pfBlockerNG component installation notice

  5. Select [WAN](/docs/network-basics/what-is-wan) for Inbound Firewall Interface and [LAN](/docs/network-basics/what-is-lan) for Outbound Firewall Interface to complete the IP Component Configuration. If you have more than one internal interface, you may select all the ones you wish to set up pfBlockerNG for.

pfBlockerNG IP Component Configuration

Figure 10. pfBlockerNG IP Component Configuration

  6. Click on Next to proceed to the configuration.
  7. Enter an IP address that is not used in your networks for the VIP address and leave the port and SSL port at their defaults. The pfBlockerNG DNSBL web server will listen on this address, and blocked domains will resolve to it. If your LAN is 10.1.1.0/24, the VIP address must not be in that range. In our example we leave the address at 10.10.10.1. You may also enable the IPv6 DNSBL and DNSBL Whitelist options.

pfBlockerNG DNSBL Component Configuration

Figure 11. pfBlockerNG DNSBL Component Configuration

  8. Click Finish to complete the wizard.

pfBlockerNG initial configuration finalize

Figure 12. pfBlockerNG initial configuration finalize

  9. The pfBlockerNG Update page then appears, and all enabled blocklists are downloaded and activated automatically. You may also select the Cron option for regular updates.

pfBlockerNG update settings

Figure 13. pfBlockerNG update settings

Congratulations! You now have a basic pfSense® web filter running with pfBlockerNG!

pfBlockerNG installation is complete

Figure 14. pfBlockerNG installation is complete

General Settings of pfBlockerNG#

To view or change the general settings of pfBlockerNG, navigate to Firewall -> pfBlockerNG -> General.

Make sure that pfBlockerNG is enabled on your pfSense® software firewall. You may leave the settings on this page at their default values.

 General Settings of pfBlockerNG

Figure 15. General Settings of pfBlockerNG

IP Filtering#

Even if the firewall is not configured with open internet facing ports, local users may inadvertently initiate connections to malicious servers and this may be a high-security risk for your network. To reduce the likelihood of this happening, you should restrict access to known sources of Ransomware, malware, botnets, and Command & Control (C&C) servers. Through the bundled PRI1 feed, pfBlockerNG provides regularly updated blocklists.

In this section, we'll explain how to enable the IP feed (PRI1-PR5 groups) on pfBlockerNG and set up a firewall rule to prevent outbound traffic from accessing any addresses in that group.

IP Configuration#

Navigate to Firewall -> pfBlockerNG -> IP and check the following settings on the IP Configuration pane.

  1. Enable De-Duplication. This reduces list size by detecting and removing duplicate entries.
  2. Enable CIDR Aggregation. This merges adjacent networks into larger CIDR blocks. Because aggregation is processor intensive, you may need to disable it if your firewall does not have enough power.
  3. Enable Suppression. When enabled, RFC1918 and loopback addresses are removed from the lists, so your local subnets are never blocked. pfBlockerNG also removes any deny-list entries that match the Suppression list, which can be populated manually or from the Alerts tab.
  4. You may leave the other settings at their defaults, but ensure that the Placeholder IP address is not used in your network. You may also enable ASN Reporting; when it is enabled, the Alerts and Statistics tabs report the ASN for Block/Reject/Permit/Match IP entries. ASN details are fetched from BGPview.io and cached for 1 week (configurable to 24, 12, 4 or 1 hour).

 IP Configuration pane of pfBlockerNG

Figure 16. IP Configuration pane of pfBlockerNG

  5. Click the Save IP Settings button at the bottom of the page.

MaxMind GeoIP configuration#

With pfBlockerNG's GeoIP feature, you can filter traffic to and from entire countries or continents. pfBlockerNG accomplishes this by utilizing the MaxMind GeoIP database, which requires a license key. This license key is completely free. The MaxMind License Key field description includes a link to the MaxMind registration page.

To obtain your license key, fill out the registration form on the MaxMind sign-up page.

 MaxMind GeoLite2 Sign Up page

Figure 17. MaxMind GeoLite2 Sign Up page

MaxMind Managing license keys

Figure 18. MaxMind Managing license keys

After generating a license key, enter it in the MaxMind License Key field on the pfBlockerNG.

You may select MaxMind localized language as you wish. The following languages are available:

  • English
  • French
  • Brazilian Portuguese
  • Spanish
  • German
  • Japanese
  • Simplified Chinese

Also, you may disable the MaxMind monthly CSV GeoIP database cron update.

MaxMind GeoIP configuration

Figure 19. MaxMind GeoIP configuration

IPv4 Suppression List#

pfBlockerNG allows you to add the IP addresses (only for /32 or /24) that should never be blocked to the suppression list. You can add one IP address per line. You must run Force Reload-IP after manually adding an IP address to this list, for changes to take effect.

IPv4 Suppression list

Figure 20. IPv4 Suppression list

IP Interface/Rules Configuration#

According to the settings in the IP Interface/Rules Configuration pane, pfBlockerNG defines firewall rules automatically. In this pane, you can specify which inbound and outbound interface(s) pfBlockerNG's IPv4, IPv6, and GeoIP filtering apply to. To determine the inbound and outbound interfaces you may follow the next instructions.

  1. Select WAN for Inbound Firewall Rules to apply auto rules to the inbound interface.
  2. Select LAN for Outbound Firewall Rules to apply auto rules to the outbound interface.
  3. Enable Floating Rules if you have more than one outbound interface. Floating rules are evaluated before the per-interface rules (pfBlockerNG creates them with the Quick option), so blocked traffic is dropped as soon as it enters the firewall, and pfBlockerNG generates them for you.
  4. Enable Kill States. IP blocklists are updated several times a day; with this option, pfBlockerNG immediately kills any existing connection to an address that has just been added to a blocklist.
  5. You may leave other options as default.
  6. Click on the Save IP Settings button at the bottom of the page.

IP Interface/Rules Configuration on pfBlockerNG

Figure 21. IP Interface/Rules Configuration on pfBlockerNG

Enabling IPv4 Filtering#

On pfBlockerNG PRI1 feed is enabled by default. Feeds are publicly available blocklists that pfBlockerNG is configured to synchronize with on a regular basis. To view the list of enabled IPv4 feeds, navigate to the Firewall -> pfBlockerNG -> IP -> IPv4.

Enabled IPv4 feed on pfBlockerNG

Figure 22. Enabled IPv4 feed on pfBlockerNG

The PRI1 feed has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional IPv4 feeds on your pfBlockerNG. To view the list of available feeds, navigate to Firewall -> pfBlockerNG -> Feeds.

IPv4 Category feeds

Figure 23. IPv4 Category feeds(PRI1-5)

At the time of writing, the available Number of Feeds per Category Type is given below:

| Category | Number of Feeds |
|----------|-----------------|
| IPv4     | 92              |
| IPv6     | 14              |
| DNSBL    | 140             |

Table 1. Number of Feeds per Category Type

IPv4 Category feeds are divided into five groups (PRI1-5). These PRI groups cover known ransomware, malware, botnet and Command & Control (C&C) servers, bots, web scripts, phishing and compromised servers, IPs seen attacking SSH, SMTP, IMAP, TELNET and FTP endpoints, and other known originators of malicious behavior. In general, the lower the number, the harder the feeds try to avoid false positives. You should therefore be prepared for some websites to become unreachable unexpectedly if you enable the more aggressive lists (PRI3 and above); in such cases some troubleshooting, and possibly whitelisting of false positives, will be required. There are also a variety of feed groups aimed at blocking specific types of malicious or undesirable traffic, such as:

  • Scanner (Internet Storm Center)
  • Mail (Known sources of spam; useful for protecting mail servers)
  • Forum Spam
  • Tor nodes(Known Tor exit points; not inherently dangerous but you may want to isolate users anonymizing their traffic.)
  • Internic (Contains root name servers needed to initialize the cache of Internet domain name servers)
  • Proxy IP
  • Torrent IP
  • Public DNS
  • DoH (DNS over HTTPS)
  • VPN
  • BlocklistDE

 Other IPv4 Category feed groups

Figure 24. Other IPv4 Category feed groups

You may enable IPv4 category PRI3 group feeds on your pfBlockerNG by following the next steps.

  1. Scroll down to the PRI3 group header and click the + icon next to the group name. This will redirect you to the settings page to add the rule.

Adding IPv4 category PRI3 group feeds

Figure 25. Adding IPv4 category PRI3 group feeds

  2. You may set the name and description, or leave them as default.
  3. Select ON in the State drop-down menu for each feed in the IPv4 Source Definitions pane that you want. You may also select HOLD if you wish to download a list once but exclude it from automatic updates. We will not enable the BBC_C2 feed, as it requires an API key.
  4. Alternatively, click the Enable All button at the bottom of the IPv4 Source Definitions pane to enable every feed.

IPv4 source definitions for PRI3 group on pfBlockerNG

Figure 26. IPv4 source definitions for PRI3 group

  5. Scroll down to the Settings pane. The Action drop-down selects what happens when an address in the list is matched.
  6. Select Deny Both so the rule applies to both inbound and outbound connections.

 IPv4 category settings to add PRI3 feeds on pfBlockerNG

Figure 27. IPv4 category settings to add PRI3 feeds on pfBlockerNG

  7. Leave other settings at their defaults.
  8. Click the Save IPv4 Settings button.
  9. Congratulations! You have enabled the IPv4 PRI3 feeds on your pfBlockerNG.
  10. You can change the action of any group later: select Deny Both (or another action) in the Action drop-down on the IPv4 Summary pane and click Save.

IPv4 category settings

Figure 28. IPv4 category settings

You can follow the similar steps given above for enabling other PRI groups, IPv6 and DNS blocklists, just add the alias group, select the lists you want to enable, and choose the action to be taken when an item is matched. However, be aware that there is a memory and processing impact with each list enabled and you may overload your hardware.

Verifying IPv4 Filtering#

By following the given steps below you may verify IPv4 filtering on your pfBlockerNG. Before starting to test IPv4 filtering you should ensure that pfBlockerNG settings are updated. If it is not, you may Force Update by clicking on the Run button in the Update Settings under Update tab of the pfBlockerNG.

  1. Navigate to the Firewall -> Rules -> Floating.
  2. Ensure that the firewall rules for blocking IPv4 category PRI3 groups are added.

Firewall floating rules on pfSense® software for blocking IPv4 category PRI3 groups

Figure 29. Firewall floating rules on pfSense® software for blocking IPv4 category PRI3 groups

  3. Hover your mouse over the Source pfB_PRI3_v4 to view the blocked IP list.

Viewing IPv4 PRI3 alias details

Figure 30. Viewing IPv4 PRI3 alias details

  4. Note one of the IP addresses from the list to use as a test target. We will use 1.0.221.21.
  5. Enter that address in your browser's address bar, or ping it from a command prompt. It should be unreachable. Keep in mind that the address comes from a live threat feed: the host may be down or may not answer ICMP anyway, so confirm the block in the firewall log (next step) rather than relying on the timeout alone.

PRI3 ip address is not reachable

Figure 31. PRI3 ip address is not reachable

  6. To confirm that pfBlockerNG blocked the address, open the firewall log by clicking the Related log entries icon at the top right corner of the page.
  7. Search for the address you tried to reach, such as 1.0.221.21. You should see log entries showing the PRI3 address blocked by pfBlockerNG, as in the figure below.

Firewall log showing PRI3 ip address is blocked by pfBlockerNG

Figure 32. Firewall log showing PRI3 ip address is blocked by pfBlockerNG
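Pinging an address taken from a live feed tells you little on its own: the host may be down or may not answer ICMP, so an unreachable result proves nothing about the firewall. A more direct check, run from the pfSense shell, is to ask pf itself whether the address is a member of the pfBlockerNG tables. The script below is an added example for this guide, not pfBlockerNG's own code. It assumes that pfBlockerNG aliases appear as pf tables with the pfB_ prefix seen above (pfB_PRI3_v4), and that `pfctl -T test` prints its summary as `N/M addresses match.` on stderr.

```shell
#!/bin/sh
# pfb_which_list.sh: report which pfBlockerNG tables contain an address.
# Added example for this guide, not pfBlockerNG's own code. Run it on the
# pfSense shell as root (SSH or console option 8):
#   sh pfb_which_list.sh 1.0.221.21
# Assumption: pfBlockerNG aliases appear as pf tables named pfB_* (as the
# alias pfB_PRI3_v4 in the guide), and `pfctl -T test` prints its summary
# "N/M addresses match." on stderr.

# pfb_tables: keep only the pfBlockerNG tables from a `pfctl -s Tables`
# listing read on stdin. Kept separate from the pfctl call so it can be
# exercised against a captured listing.
pfb_tables() {
    grep -E '^pfB_' | sort -u
}

# matches_in: read the `pfctl -T test` summary on stdin and print N from
# "N/M addresses match."; prints 0 if the summary line is absent (for
# example when the table does not exist).
matches_in() {
    n=$(sed -n 's/^\([0-9][0-9]*\)\/[0-9][0-9]* addresses match.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# which_lists: test the address against every pfBlockerNG table and print
# the names of the tables that contain it (one per line, possibly none).
which_lists() {
    ip="$1"
    pfctl -s Tables | pfb_tables | while read -r table; do
        # pfctl writes the match summary to stderr, hence 2>&1
        n=$(pfctl -t "$table" -T test "$ip" 2>&1 | matches_in)
        if [ "$n" -gt 0 ]; then
            printf '%s\n' "$table"
        fi
    done
}

if [ -n "$1" ]; then
    hits=$(which_lists "$1")
    if [ -n "$hits" ]; then
        printf '%s is blocked by:\n%s\n' "$1" "$hits"
    else
        printf '%s is not in any pfBlockerNG table\n' "$1"
    fi
fi
```

If an address turns up in a table it should not be in, the table name tells you which group to look at, and the Alerts tab tells you which feed contributed it; the IPv4 Suppression list described earlier accepts /32 and /24 entries for exactly this kind of false positive.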

GeoIP Blocking#

GeoIP feature of the pfBlockerNG can be useful for restricting access to specific regions. This will not be useful in all circumstances because not all regions are malicious. However, if all of your expected traffic comes from a specific geographic region, allowing traffic from other regions is pointless because it exposes you to additional risk for no real benefit. In most cases, you'll only need to block inbound access based on GeoIP data. This allows your local users to access any websites all over the world while blocking inbound access from regions where you don't expect traffic.

To enable GeoIP Blocking on your pfBlockerNG,

  1. Navigate to the Firewall -> pfBlockerNG -> IP -> GeoIP.
  2. Select Deny Inbound in the Action drop-down menu for Top Spammers (a list of countries identified as frequent sources of online attacks) and for Proxy and Satellite (well-known anonymous proxy and satellite providers).
  3. You may also select Deny Inbound for any continent from which you never expect legitimate traffic.

GeoIP blocking on pfBlockerNG

Figure 33. GeoIP blocking on pfBlockerNG

  4. Click the Save button.

Instead of blocking a whole region, you may block specific countries. To block a country in a region;

  1. Click on the pencil icon next to the region.
  2. Select the countries that you wish to block.
  3. Enable List Action and Logging
  4. Click on Save.

Blocking countries using GeoIP on pfBlockerNG

Figure 34. Blocking countries using GeoIP on pfBlockerNG

DNS Blocking#

pfBlockerNG's DNS blackholing capability lets you block advertisements and trackers as well as unwanted or malicious categories of domains (malware, porn, gambling, and so on). When you enable the DNSBL feature, DNS requests for domains on the enabled lists, such as known ad networks and trackers, are blocked at the DNS level for your whole network.

To be able to use the DNS Blocking feature of the pfBlockerNG, you should make sure that your client devices are configured to use the pfSense® software firewall as their DNS server. If you are using a standard pfSense® software configuration, this will be set automatically. However, if you have configured an alternative DNS server, such as a Pi-hole, you should check the DNS configuration on pfSense® software and configure client devices to use it.

  1. Navigate to Services -> DNS Resolver -> General Settings and check that the DNS resolver is enabled.

Enabling DNS resolver on pfSense® software

Figure 35. Enabling DNS resolver on pfSense® software

  2. Navigate to System -> General Setup and check the DNS servers. If the DNS Resolver runs in its default (recursive) mode, it resolves names from the root servers and needs no upstream entries here; the servers on this page are used for forwarding only if you enable Forwarding Mode in the resolver. You may add a public resolver such as Google's 8.8.8.8 and click Save.

 Adding DNS server on pfSense® software

Figure 36. Adding DNS server on pfSense® software

  3. Navigate to Services -> DHCP Server, select each interface for which you want to enable blocking, and ensure that nothing is listed under DNS servers, so clients receive the firewall's address. If you have clients with static DNS settings, point them at your pfSense® software firewall's IP address.
  4. Navigate to Firewall -> pfBlockerNG -> DNSBL.
  5. Enable DNSBL.
  6. Select Unbound python mode for the DNSBL Mode setting.
tip

Unbound python mode requires substantially less memory than the unbound mode. It allows for some advanced options too.

  7. Ensure that the following options are enabled:
  • Wildcard Blocking TLD
  • DNS Reply Logging: This will show you all the DNS queries which are answered by Unbound.
  • DNSBL Blocking
  • HSTS mode
  • CNAME Validation: this must be enabled so that an ad domain cannot bypass DNSBL by pointing a CNAME at a different name.

DNSBL settings on pfBlockerNG

Figure 37. DNSBL settings on pfBlockerNG

  8. Scroll down to the DNSBL Webserver Configuration pane. Make sure that the Virtual IP address is correct and not already used in your network. You may leave the other settings at their defaults.

DNSBL webserver configuration on pfBlockerNG

Figure 38. DNSBL webserver configuration on pfBlockerNG

  9. Scroll down to the DNSBL Configuration pane.
  10. Enable Permit Firewall Rules and select the LAN interface. This creates floating rules in your firewall and enables DNSBL for the selected networks (LAN).
  11. Select DNSBL Webserver/VIP for Global Logging/Blocking Mode, so that blocked domains are sinkholed to the DNSBL VIP and logged by the DNSBL web server. You may leave the other settings at their defaults.

DNSBL configuration on pfBlockerNG

Figure 39. DNSBL configuration on pfBlockerNG

  12. Click the Save DNSBL Settings button at the bottom of the page.

Enable some DNSBL feeds#

On pfBlockerNG ADS_Basic feed is enabled by default. To view the list of enabled DNSBL feeds, navigate to the Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups.

Enabled DNSBL Group feed on pfBlockerNG

Figure 40. Enabled DNSBL Group feed on pfBlockerNG

The ADS_Basic feed, also known as StevenBlack_ADs, has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional DNSBL feeds on your pfBlockerNG. To view the list of available feeds, navigate to Firewall -> pfBlockerNG -> Feeds.

DNSBL Category feeds

Figure 41. DNSBL Category feeds

At the time of writing, there are 140 DNSBL Category Feeds available. There are also a variety of feed groups on pfBlockerNG aimed at blocking specific types of malicious or undesirable traffic such as:

  • EasyList
  • ADs
  • Email
  • Malicious
  • Phishing
  • BBCAN177
  • STUN
  • DoH
  • Torrent
  • BBC
  • Malicious2
  • Cryptojackers
  • Compilation
  • Firebog_Suspicious
  • Firebog_Advertising
  • Firebog_Trackers
  • Firebog_Malicious
  • Firebog_Other

You may enable other DNSBL feeds on your pfBlockerNG by following the steps below. Here, we will enable the EasyList group feeds as an example. We also recommend adding the Steven Black feed, which is one of the best-maintained blocklists on the internet.

info

EasyList is the primary filter list that removes the majority of advertisements from international webpages, as well as unwanted frames, images, and objects. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.

caution

The more feeds you enable, the more likely it is that you will disrupt internet access for users on your network. Then you must whitelist specific domain names.

  1. Scroll down to the EasyList group header and click the + icon next to the group name. This will redirect you to the settings page to add the rule.

Adding DNSBL category EasyList group feeds

Figure 42. Adding DNSBL category EasyList group feeds

  2. You may set the name and description, or leave them as default.

Setting name and description for newly added DNSBL feed

Figure 43. Setting name and description for newly added DNSBL feed

  3. You may click the Enable All button at the bottom of the DNSBL Source Definitions pane to enable every feed. Here we will enable only some of them: EasyList, EasyList_Adware, EasyList_Spanish, EasyList_Turkish and EasyPrivacy. Select ON in the State drop-down menu for each of those feeds in the DNSBL Source Definitions pane. You may also select HOLD if you wish to download a list once but exclude it from automatic updates.

DNSBL source definitions for EasyList group

Figure 44. DNSBL source definitions for EasyList group

  4. Scroll down to the Settings pane. The Action drop-down selects what happens when a domain in the list is matched.
  5. Select Unbound in the Action drop-down menu.

DNSBL category settings to add EasyList feeds on pfBlockerNG

Figure 45. DNSBL category settings to add EasyList feeds on pfBlockerNG

  6. Leave other settings at their defaults.
  7. You may add your own list of domain names to block by clicking the + icon in the Custom DNSBL list.

Custom DNSBL list on pfBlockerNG

Figure 46. Custom DNSBL list on pfBlockerNG

  8. Enter the domain name to be blocked. We will add dnsbltest.com to verify DNSBL blocking on our pfBlockerNG.
  9. Click the Save DNSBL Settings button.
  10. Congratulations! You have enabled the DNSBL EasyList feeds on your pfBlockerNG.

 DNSBL Groups summary on pfBlockerNG

Figure 47. DNSBL Groups summary on pfBlockerNG

You can follow the similar steps given above for enabling more DNSBL groups, just add the alias group, select the lists you want to enable and choose the action to be taken when an item is matched. However, be aware that there is a memory and processing impact with each list enabled and you may overload your hardware.

Forcing a DNSBL reload on pfBlockerNG#

You may need to force reloading the DNSBL list. To activate the newly enabled DNSBL settings, follow these steps:

  1. Navigate to the Firewall -> pfBlockerNG -> Update
  2. Select Reload in Force option.
  3. Select DNSBL in Reload option.
  4. Click on Run.

Forcing a DNSBL reload on pfBlockerNG

Figure 48. Forcing a DNSBL reload on pfBlockerNG

Verifying the DNSBL Blocking on pfBlockerNG#

You can verify your DNSBL settings on pfBlockerNG as follows.

  1. Open your favorite browser and enter the domain name that you added to the Custom DNSBL list (dnsbltest.com in our example).
  2. You should see pfBlockerNG's default block landing page, shown below. Note that this only works for plain HTTP: for an HTTPS site, the browser shows a certificate error instead, because the DNSBL web server cannot present a valid certificate for the blocked domain. The request is sinkholed either way.

Figure 49. DNSBL blocking landing page of pfBlockerNG

  3. You should also see the related blocks in the pfBlockerNG alerts. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.
  4. Search for dnsbltest.com in the DNSBL Python pane.

Figure 50. DNSBL alerts in pfBlockerNG

  5. Another way to verify DNSBL is to view the DNSBL Block Stats page under the Reports tab of pfBlockerNG. You will see the related blocks under Top Blocked Domain or Top Blocked Evaluated Domain if the blocked domain is among the top blocked domains on your firewall.

Figure 51. Top Blocked Domain and Top Blocked Evaluated Domain

info

You may add your own custom pfBlockerNG block web pages to /usr/local/www/pfblockerng/www/ on your pfSense® software. Then activate the page via the Blocked Webpage option in the DNSBL Configuration pane.

  6. Lastly, you may check the result of a DNS query for the dnsbltest.com domain from within your network. Your pfSense® software DNS resolver should return the virtual IP address of the DNSBL web server (10.10.10.1 by default) as the answer.

Figure 52. nslookup for dnsbltest.com returns VIP of DNSBL server on pfBlockerNG
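As an added example (not part of this guide or the pfBlockerNG project), the following POSIX shell script automates the DNS query check above from a LAN client: it asks the pfSense resolver directly with dig and reports whether a domain is sinkholed to the DNSBL VIP. The resolver address 192.168.1.1 is an assumed placeholder; the VIP is the guide's default 10.10.10.1; dig must be installed on the client.

```shell
#!/bin/sh
# Added example for this guide (not pfBlockerNG project code): confirm from a LAN
# client that the resolver sinkholes a DNSBL-listed domain to the DNSBL VIP.
# Assumptions: RESOLVER is the pfSense LAN address (192.168.1.1 is a placeholder),
# DNSBL_VIP is the guide's default 10.10.10.1, and `dig` is installed.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"
RESOLVER="${RESOLVER:-192.168.1.1}"

# classify_answer: take the A-record answers (one per line) returned for a domain
# and decide whether DNSBL fired. Prints BLOCKED, NOT_BLOCKED or NOANSWER.
# NOANSWER covers NXDOMAIN and timeouts, which are not proof that DNSBL works.
classify_answer() {
    _answer="$1"
    if [ -z "$_answer" ]; then
        echo "NOANSWER"
    elif printf '%s\n' "$_answer" | grep -qxF "$DNSBL_VIP"; then
        echo "BLOCKED"
    else
        echo "NOT_BLOCKED"
    fi
}

# dnsbl_check: query the pfSense resolver directly (so a client that was pointed
# at another DNS server cannot mask the result), keep only IPv4 answers, classify.
# Returns 0 when the domain is sinkholed, 1 otherwise.
dnsbl_check() {
    _domain="$1"
    _ips=$(dig +short +time=2 +tries=1 "@$RESOLVER" "$_domain" A 2>/dev/null \
           | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    _verdict=$(classify_answer "$_ips")
    printf '%-24s %s\n' "$_domain" "$_verdict"
    [ "$_verdict" = "BLOCKED" ]
}

# With a domain argument, run the check; with none, only define the functions.
# dnsbl_check dnsbltest.com  -> BLOCKED expected (custom-list entry from the guide)
# dnsbl_check example.com    -> NOT_BLOCKED expected (control domain not on any feed)
case "${1:-}" in
    "") ;;
    *) dnsbl_check "$1" ;;
esac
```

Run it for both a listed domain and a control domain: a NOANSWER result for the listed domain means the query never reached the sinkhole, not that blocking works.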

Ad-Blocking Verification#

To verify the ad-blocking feature of pfBlockerNG, open the yahoo.com website in your favorite browser. You should see empty spaces where the advertisements would normally appear, as shown below.

Figure 53. yahoo.com page with ad-blocking (ads in the red rectangles are blocked)

Figure 54. yahoo.com page without ad-blocking

DNS over HTTPS/TLS Blocking#

pfBlockerNG allows you to block DNS over HTTPS/TLS traffic on your network. It includes a comprehensive list of known public DNS servers that support DNS over HTTPS. Since DNS over HTTPS is a serious privacy and security risk, you should enable the DoH/DoT (DNS over HTTPS/DNS over TLS) blocking feature on your pfBlockerNG. Otherwise, some users on your network may bypass pfBlockerNG's ad blocking and pfSense's DNS server by sending their queries to an external resolver.

To enable DoH/DoT blocking, follow the steps below.

  1. Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
  2. Select Enable for DoH/DoT Blocking in the DNS over HTTPS/TLS Blocking pane.
  3. Select all the DNS servers in the DoH/DoT Blocking List that you want to block.
  4. Click the Save button at the bottom of the page.

Figure 55. Enabling DoH/DoT on pfBlockerNG

Enabling SafeSearch and YouTube Restrictions#

pfBlockerNG has a SafeSearch feature that forces search sites to use their "Safe Search" algorithms. At the time of writing, SafeSearch is supported for Google, Yandex, DuckDuckGo, Bing and Pixabay.

pfBlockerNG also allows you to enforce YouTube Restrictions on your network. YouTube Restricted Mode filters out potentially mature videos while leaving a large number of videos available. You may use the following settings for YouTube Restrictions on your pfBlockerNG:

  • Strict: This setting is the most restrictive. Strict Mode does not block all videos, but works as a filter to screen out many videos based on an automated system, while leaving some videos still available for viewing.
  • Moderate: This setting is similar to Strict Mode but makes a much larger collection of videos available.

To enable SafeSearch and YouTube Restrictions, follow the steps below.

  1. Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
  2. Select Enable for SafeSearch Redirection in the SafeSearch settings pane.
  3. Select Moderate or Strict to enable YouTube Restrictions.
  4. Click the Save button at the bottom of the page.

Figure 56. SafeSearch settings on pfBlockerNG

Whitelisting#

While you shouldn't have too many problems as long as you don't get too adventurous with your blocklists, legitimate services may be blocked in some cases. This may be a genuine false positive, but it can also be a sign that a legitimate site has been compromised and is now serving malicious traffic, so always investigate before whitelisting. Because the blocklists are updated frequently, such issues are often temporary.

When you need to whitelist something on pfBlockerNG, follow these steps:

  1. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.

  2. Look through the list of recent blocks and add the offending item to the whitelist by clicking the + icon next to it. For example, we will whitelist the dnsbltest.com domain that we used for DNSBL testing. This will pop up a confirmation message.

Figure 57. Domain Whitelisting on pfBlockerNG

  3. Click OK.

  4. You will be asked whether to whitelist this domain only or to add a wildcard for the domain. Select as you wish.

Figure 58. Domain Whitelisting on pfBlockerNG-2

  5. Then you will have the option to add a description. To do so, click Yes and enter a description.

Figure 59. Enter a description for whitelist

  6. pfBlockerNG will no longer block the whitelisted domain.

Figure 60. Whitelisting completed successfully