Author Topic: Edd Noman's Guide to pfSense 04 – How-To Block Ads and Websites using pfBlocker

Posted by Edd Noman (Administrator)
Edd Noman's Guide to pfSense 04 – How-To Block Ads and Websites using pfBlockerNG

In this guide I will be covering how to use the DNSBL feature of the pfBlockerNG package to block users from accessing unwanted websites like porn, Facebook or YouTube, and also keep your users safe from known infected websites so that the risk of getting infected with viruses or malware is reduced. This will also clean up ads seen on websites, so you get a better browsing experience.

How pfBlockerNG and DNSBL achieve all this, even if the sites use HTTPS and SSL encryption, is by using DNS-based aliases that hold both the domain and the IP to generate the firewall rules. These aliases are generated from predefined txt files that contain the IP and domain information, which are updated by known security professionals and providers once a bad IP or domain is identified.

The only issue with pfBlockerNG and DNSBL is that it can use a lot of resources, both RAM and CPU; the more lists you assign it, the more RAM and CPU it will need to process all of them. The lowest set of hardware I would recommend using for this is 2 GB RAM and a 4-core 1.5 GHz processor.

pfBlockerNG uses the DNS Resolver service of pfSense to handle DNS resolution, so before we start the installation make sure your DNS Resolver is running with Forwarding mode enabled. This is found under Services -> DNS Resolver -> General Options.



Now install pfBlockerNG as you would any other package by navigating to System -> Package Manager -> Available Packages, then search for “pfBlocker” and click Install.



Confirm that you want to install the package and all its dependencies.



Now the installer and progress bar will run on your screen; give it a few moments to complete, as it is a fairly large package to download and install, and depending on the system you are using it can take a few moments to get done.



When installation is done, navigate to Firewall -> pfBlockerNG to start the configuration.

General Settings
Enable pfBlockerNG: Yes (checked)
Keep Settings: Yes (checked)
CRON Settings: Every hour | :15 | 0 | 0 (this will sync the lists every 15 min past the full hour, i.e. 01:15, then 02:15)
De-Duplication: Yes (checked)
CIDR Aggregation: Yes (checked)
Suppression: Yes (checked)
MaxMind Localized Language: English
Download Failure Threshold: 4
Logfile Size: 20000



Interface/Rules Configuration
Inbound Firewall Rules: WAN | Block
Outbound Firewall Rules: LAN | Reject
Rule Order: pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match | pfSense Block/Reject
Auto Rule Suffix: Auto Rule
Kill States: Yes (checked)
Save and Apply



Now we move on to the DNSBL settings, found at Firewall -> pfBlockerNG -> DNSBL

DNSBL Configuration
Enable DNSBL: Yes (checked)
Enable TLD: Yes (checked)
DNSBL Virtual IP: 10.10.10.1
DNSBL Listening Port: 8081
DNSBL SSL Listening Port: 8443
DNSBL Listening Interface: LAN
DNSBL Firewall Rule: Yes | LAN



DNSBL IP Firewall Rule Settings
List Action: Deny Outbound
Enable Logging: Enable
Save and Apply



Next we configure the DNSBL EasyList from Firewall -> pfBlockerNG -> DNSBL -> DNSBL EasyList

DNSBL – EasyList
DNS GROUP Name: EasyList
Description: EasyList

EasyList Feeds
State: ON | EasyList Feeds: EasyList w/o Elements | Header: EasyList
State: ON | EasyList Feeds: EasyPrivacy | Header: EasyPrivacy



DNSBL - EasyList Settings
Categories: All selected*
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



Now we get to the heart of the configuration, as we need to define our DNSBL feeds and where pfBlockerNG should pull its information from. A good source for this is the pfSense forum, from the developer himself, at this link: https://forum.pfsense.org/index.php?topic=102470.msg573167#msg573167

Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Feeds to add your feed lists.
I am currently running 4 different feeds: Adverts, Malicious, DGA Crypto and hpHost, and I have them configured with the following information.

Adverts
DNS GROUP Name: Ads
Description: DNSBL Adverts
DNSBL:
Format: Auto | State: ON | Source: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext | Header: yoyo
Format: Auto | State: ON | Source: http://hosts-file.net/ad_servers.txt | Header: hpHosts_ads
Format: Auto | State: ON | Source: https://adaway.org/hosts.txt | Header: Adaway
Format: Auto | State: ON | Source: http://sysctl.org/cameleon/hosts | Header: Cameleon
List Action: Unbound
Update Frequency: Every 8 hours
Weekly (Day of Week): Monday
Save and Apply



Malicious
DNS GROUP Name: Malicious
Description: DNSBL Malicious
DNSBL:
Format: Auto | State: ON | Source: http://hosts-file.net/download/hosts.zip | Header: hpHosts
Format: Auto | State: ON | Source: http://someonewhocares.org/hosts/hosts | Header: SWC
Format: Auto | State: ON | Source: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt | Header: spam404
Format: Auto | State: ON | Source: https://malc0de.com/bl/BOOT | Header: malc0de
Format: Auto | State: FLEX | Source: https://mirror1.malwaredomains.com/files/justdomains | Header: MDS
Format: Auto | State: ON | Source: http://winhelp2002.mvps.org/hosts.txt | Header: MVPS
Format: Auto | State: ON | Source: http://www.malwaredomainlist.com/hostslist/hosts.txt | Header: MDL
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



DGA
DNS GROUP Name: DGA
Description: DNSBL DGA for Cryptolocker
DNSBL:
Format: Auto | State: ON | Source: http://osint.bambenekconsulting.com/feeds/dga-feed.gz | Header: BBC_DGA
Format: Auto | State: ON | Source: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt | Header: BBC_C2
List Action: Unbound
Update Frequency: Every 8 hours
Weekly (Day of Week): Monday
Save and Apply



hpHost
DNS GROUP Name: hpHosts_partial
Description: DNSBL hpHosts_partial
DNSBL:
Format: Auto | State: ON | Source: http://hosts-file.net/hphosts-partial.asp | Header: hpHosts_partial
List Action: Unbound
Update Frequency: Every 6 hours
Weekly (Day of Week): Monday
Save and Apply



When done you should be left with the same 4 categories for blocking ads and some of the malware and Cryptolocker. You can add more lists and sources to this configuration, but you need to do your own research on that. The entire list I used is free and open-source maintained, but there are also paid alternatives for feeds.



At this point we have only configured pfBlockerNG to use DNSBL and react on domain names, but we also want to block the known bad IPs out on the internet. To do this, navigate to: Firewall -> pfBlockerNG -> IPv4

I will only be covering IPv4 in this guide, but if you use IPv6 the same method is used to add the rules needed for that; I just do not have the source lists to provide you. My IPv4 alias list is called Badguys and is configured as follows

Badguys
Alias Name: Badguys
List Description: IPv4 Badguys
IPv4 Lists:
Format: Auto | State: ON | Source: https://gist.githubusercontent.com/BBcan177/d7105c242f17f4498f81/raw/90eb2ac8bdc01af3008d728b7c0f10dc7b2506b4/MS-3 | Header: BBcan177_Domains_IPv4
Format: Auto | State: ON | Source: https://rules.emergingthreats.net/blockrules/compromised-ips.txt | Header: ETCompromised
Format: Auto | State: ON | Source: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt | Header: ETBlocked
Format: Auto | State: ON | Source: https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/b344ebc9475acdea1fae38a12c4ea9332838a184/MS-1 | Header: BBcan177Threats
Format: Auto | State: Auto | Source: http://www.malwaredomainlist.com/hostslist/ip.txt | Header: Malwaredomainlist
Format: Auto | State: ON | Source: https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt | Header: Ransomware
List Action: Deny Both
Update Frequency: Once a day
Weekly (Day of Week): Monday
Enable Logging: Enable
States Removal: Enable
Save and Apply





And this is all that is needed for a working setup of pfBlockerNG to act on known bad sites, either by domain or IP; it will also block ads on web pages you visit. The last thing for us to do is create a custom block list of websites we do not want our users to visit even though they are marked as clean; you may have other reasons for why they need to be blocked. This is handled by the TLD feature of DNSBL, so to do this we need to navigate to: Firewall -> pfBlockerNG -> DNSBL

At the bottom of this page you have several advanced options; the ones we are after are TLD Exclusion List, TLD Blacklist and TLD Whitelist. Yes, the names are as intuitive as the functions they have.

TLD Exclusion List will be used for domains you do not want to be included in any pfBlockerNG rules or aliases; no action is performed on these domains, but other rules in pfSense may apply.
TLD Blacklist will be used for domains you want to specifically block access to.
TLD Whitelist will be used for any domains you want to always be accessible; these sites will not be blocked by the firewall.

Open up TLD Blacklist and enter the following domains:

fb.com
facebook.com
youtube.com
cnn.com

Save



After you have made any changes to DNSBL or the TLD lists you need to force an update of the new rule set before the changes take effect on your network. To do an update, navigate to Firewall -> pfBlockerNG -> Update.
When doing a manual update, or a forced update due to changes in the config, you do not want to run it close to when the cron task is running; there is a clock on the update page that will tell you when the next update will run.

Select 'Force' option: Reload
Select 'Reload' option: All



When the update is finished you can try to access one of the domains you blocked in TLD Blacklist, and you should only get a black screen instead of the actual site loading.





Now this should be all there is to blocking websites and ads with pfBlockerNG.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value; you should test settings like this in a lab environment and not on your production servers.
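As an added example to go with the DNSBL feed and TLD list sections of the guide above (editor's code, not the author's and not pfBlockerNG's own implementation), the following Python models what DNSBL does with the feeds: it parses hosts-format feeds (yoyo, MVPS, Adaway) and domain-only feeds (justdomains), merges in the guide's TLD Blacklist, applies a TLD Whitelist, and renders the Unbound `local-zone`/`local-data` lines that sink blocked names to the DNSBL Virtual IP 10.10.10.1. The feed contents, the whitelist entries and the exact Unbound layout are constructed assumptions for illustration.

```python
"""Added example, not code from the guide's author or from pfBlockerNG:
a minimal model of DNSBL feed handling. Feed contents and TLD_WHITELIST are
constructed samples; TLD_BLACKLIST is the list from the guide."""
from __future__ import annotations
import ipaddress
import re

DNSBL_VIP = "10.10.10.1"   # the DNSBL Virtual IP from the guide's settings

# Matches a plain hostname: dotted labels of letters, digits and hyphens.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)
# Loopback aliases every hosts-format feed carries; these must never be sunk.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "local"}

# Constructed sample feeds in the two formats the guide's sources use.
HOSTS_FEED = """\
# hosts format, like the yoyo / MVPS / Adaway feeds
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 ADS.example.net
127.0.0.1 localhost.localdomain
"""
DOMAINS_FEED = """\
# one domain per line, like the justdomains feed
malware.example
cdn.ads.example.net
not a domain!!
"""
TLD_BLACKLIST = ["fb.com", "facebook.com", "youtube.com", "cnn.com"]  # from the guide
TLD_WHITELIST = ["cdn.ads.example.net", "example.org"]               # constructed


def parse_feed(text: str) -> set[str]:
    """Return the lowercase domain names in a hosts-format or domain-only feed."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])   # hosts format: skip the leading address
            candidates = parts[1:]
        except ValueError:
            candidates = parts                # domain-only format
        for name in candidates:
            if name not in LOCAL_NAMES and HOST_RE.match(name):
                names.add(name)
    return names


def covered_by(name: str, zones) -> bool:
    """True if name equals, or sits under, any zone (Unbound local-zone semantics)."""
    return any(name == z or name.endswith("." + z) for z in zones)


def build_blocklist(feeds, blacklist, whitelist) -> set[str]:
    """Merge feeds with the TLD Blacklist, apply the TLD Whitelist, and drop
    entries already covered by a blocked parent zone (TLD mode sinks children)."""
    blocked: set[str] = set()
    for feed in feeds:
        blocked |= parse_feed(feed)
    blocked |= {d.strip().lower() for d in blacklist}
    white = {d.strip().lower() for d in whitelist}
    blocked = {n for n in blocked if not covered_by(n, white)}
    return {n for n in blocked if not covered_by(n, blocked - {n})}


def render_unbound(blocked, whitelist, vip: str = DNSBL_VIP) -> str:
    """Blocked zones redirect to the VIP; a whitelisted name under a blocked
    zone gets a more specific transparent zone, which Unbound prefers."""
    white = {d.strip().lower() for d in whitelist}
    lines = []
    for zone in sorted(blocked):
        lines.append(f'local-zone: "{zone}" redirect')
        lines.append(f'local-data: "{zone} A {vip}"')
    for name in sorted(white):
        if covered_by(name, blocked):
            lines.append(f'local-zone: "{name}" transparent')
    return "\n".join(lines) + "\n"


def resolves_to_sinkhole(qname: str, blocked, whitelist) -> bool:
    """Simulate a lookup: the most specific (longest) matching zone decides."""
    qname = qname.strip().lower().rstrip(".")
    white = {d.strip().lower() for d in whitelist}
    zones = [(z, "redirect") for z in blocked] + [(w, "transparent") for w in white]
    matches = [(len(z), action) for z, action in zones if covered_by(qname, [z])]
    return bool(matches) and max(matches)[1] == "redirect"


if __name__ == "__main__":
    zones = build_blocklist([HOSTS_FEED, DOMAINS_FEED], TLD_BLACKLIST, TLD_WHITELIST)
    print(render_unbound(zones, TLD_WHITELIST))
    for q in ("www.facebook.com", "cdn.ads.example.net", "tracker.example.org"):
        verdict = "sinkhole" if resolves_to_sinkhole(q, zones, TLD_WHITELIST) else "normal"
        print(f"{q} -> {verdict}")
```

The two things worth noticing in the output are why the guide's TLD Whitelist matters: without the `transparent` zone for `cdn.ads.example.net`, the redirect on its parent `ads.example.net` would sink it too, and `tracker.example.org` disappears from the block set entirely because `example.org` is whitelisted. This is also why a feed-supplied hosts file must have its `localhost` lines stripped before it reaches the resolver.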
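As a second added example for the IPv4 section of the guide (again editor's code, not the author's and not pfBlockerNG's own implementation), this Python applies the De-Duplication and CIDR Aggregation steps from General Settings to IPv4 feeds like the Badguys alias and renders the result as a pf table with the Inbound WAN Block and Outbound LAN Reject pair the guide configures. The feed contents, the `pfB_Badguys` table name, the rule labels and the interface names `em0`/`em1` are assumptions; real pfSense interface names vary.

```python
"""Added example, not code from the guide's author or from pfBlockerNG:
de-duplicate and CIDR-aggregate IPv4 feeds, then render an assumed pf table and
rules. Feed contents, table name and interface names are constructed."""
import ipaddress

# Ranges a block feed must never wall off: your own LAN and loopback.
NEVER_BLOCK = [ipaddress.ip_network(c) for c in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FEED_A = """\
# constructed: single hosts, one duplicate, one CIDR block
198.51.100.10
198.51.100.11
198.51.100.10
203.0.113.0/24
"""
FEED_B = """\
# constructed: a host already inside a /24 above, two adjacent /25s, junk, RFC1918
203.0.113.5
192.0.2.0/25
192.0.2.128/25
not-an-ip
10.0.0.1   # should never come from a threat feed
"""


def parse_ip_feed(text):
    """Return the IPv4 networks in a feed; bare addresses become /32, junk is skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue   # malformed or non-IPv4 line
    return nets


def aggregate(feeds):
    """De-duplicate and CIDR-aggregate all feeds, dropping anything under NEVER_BLOCK."""
    nets = [n for feed in feeds for n in parse_ip_feed(feed)]
    nets = [n for n in nets if not any(n.subnet_of(p) for p in NEVER_BLOCK)]
    # collapse_addresses removes duplicates, absorbs contained subnets and merges
    # adjacent blocks, which is what keeps the pf table small.
    return sorted(ipaddress.collapse_addresses(nets))


def render_pf(alias, nets, wan_if="em0", lan_if="em1"):
    """Render an assumed pf table plus Inbound WAN Block and Outbound LAN Reject rules."""
    table = f"table <pfB_{alias}> persist {{ " + ", ".join(str(n) for n in nets) + " }"
    rules = [
        f'block in log quick on {wan_if} from <pfB_{alias}> to any label "pfB_{alias}_in"',
        # Reject = block return: LAN clients get a RST/ICMP instead of a silent timeout.
        f'block return in log quick on {lan_if} from any to <pfB_{alias}> label "pfB_{alias}_out"',
    ]
    return "\n".join([table] + rules) + "\n"


if __name__ == "__main__":
    nets = aggregate([FEED_A, FEED_B])
    raw = sum(len(parse_ip_feed(f)) for f in (FEED_A, FEED_B))
    print(f"{raw} raw entries -> {len(nets)} table entries")
    print(render_pf("Badguys", nets))
```

Eight raw entries collapse to three table entries: the duplicate host goes, the two adjacent /25s become one /24, and the lone host inside 203.0.113.0/24 is absorbed. The LAN rule is written as `in on` the LAN interface because pfSense evaluates LAN rules on traffic entering that interface from the clients, which is what the guide's "Outbound Firewall Rules: LAN | Reject" setting produces; the RFC1918 filter is the kind of sanity check that stops a bad feed line from blocking your own network.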

Reply from DarkAngel:
Thanks!
Great guide...