Knowledgebase:
Configuring pfBlocker for DNS and IP blacklisting
Posted by Jared Thomas, Last modified by Josh Ashline on 02 May 2017 12:04 PM
pfBlocker is a pfSense package that blocks traffic to and from lists of IP addresses and DNS hostnames at the perimeter. By itself it is not an IDS/IPS: it only matches traffic against published lists of known-bad addresses and domains, but setting this package up is an important part of an overall security plan for a network.

IP Blacklists
  1. Install pfBlocker from System - Package Manager - Available packages
  2. Go to Firewall - pfBlocker - IPv4 and add in IP blacklists. For each entry, set List Action to Deny Both and Update Frequency to Every 6 hours. Alias Name and Header/Label fields should be a one-word description of the list with no special characters.
    1. CIArmy - http://cinsscore.com/list/ci-badguys.txt
    2. ZeuS - https://zeustracker.abuse.ch/blocklist.php?download=badips
    3. DShield - https://isc.sans.edu/block.txt
    4. ETCompromised - https://rules.emergingthreats.net/blockrules/compromised-ips.txt
    5. ETDshield - https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    6. Tor - https://www.dan.me.uk/torlist/
  3. Go to the General tab and make sure that the following is set:
    1. checked
    2. De-Duplication checked
    3. Suppression checked
    4. Under Inbound Firewall Rules, make sure that all WAN interfaces are highlighted
    5. Under Outbound Firewall Rules, make sure that all LAN and DMZ interfaces are highlighted
    6. Click Save at the bottom
  4. If there are any public-facing ports open for services such as email and/or remote access, go to the GeoIP tab and select every country from which you do not expect legitimate traffic, for both IPv4 and IPv6. Keep in mind that Deny Inbound on a country blocks all inbound connections from it: if you have an internal email server and select one of these countries, you will not be able to receive any mail from that country. A common starting set is China, Russia, Ukraine, and Brazil. Set the List Action to Deny Inbound and save
  5. Click the Update tab and then click the Run button. Observe the output and fix any issues that may have arisen.
  6. If an IP address is blocked and needs to be allowed, find the relevant entry in the Alerts tab and click the + sign next to the IP you want to whitelist. This adds the address to pfBlocker's suppression list (which is why Suppression was enabled on the General tab), so it is removed from the lists on the next update.
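As an added example (not part of the original article and not pfBlocker's own code), the Python script below mimics what De-Duplication and Suppression do to the feeds listed above: it parses the plain one-address-per-line format that CIArmy and the Emerging Threats lists use and the tab-separated format of the DShield block list, collapses overlapping entries into a minimal set of networks, drops anything in RFC1918 space, and carves out an address whitelisted from the Alerts tab. The feed contents, the whitelisted address and the column layout assumed for the DShield file are constructed samples, not live data.

```python
"""Normalize and de-duplicate pfBlocker-style IPv4 feeds (added example).

Mimics what the De-Duplication and Suppression options do to the IP feeds:
every feed is parsed in its own format, the networks are collapsed into a
minimal set, RFC1918 space is dropped, and whitelisted addresses are carved
out. The feed text below is constructed sample data, not a live download.
"""
import ipaddress
import re

# Constructed samples in the formats the listed feeds use (not live data).
# CIArmy and ET compromised-ips: one bare IPv4 address per line, '#' comments.
CIARMY_SAMPLE = """# CINS Army list (constructed sample)
203.0.113.10
203.0.113.11
198.51.100.77
"""
# DShield block.txt (assumed layout): start<TAB>end<TAB>netmask<TAB>..., '#' comments.
DSHIELD_SAMPLE = (
    "# DShield block list (constructed sample)\n"
    "# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "203.0.113.0\t203.0.113.255\t24\t1234\tExample Net\tXX\tabuse@example.net\n"
    "192.168.5.0\t192.168.5.255\t24\t99\tPrivate range\tXX\tnone\n"
)
# ET emerging-Block-IPs: bare addresses mixed with CIDR blocks.
ET_SAMPLE = """# Emerging Threats block list (constructed sample)
198.51.100.77
198.51.100.0/25
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_plain(text):
    """One address or CIDR per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and IPV4_RE.match(line):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_dshield(text):
    """Tab-separated 'start end netmask ...' rows; start/netmask give the CIDR."""
    nets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        start, mask = fields[0].strip(), fields[2].strip()
        if IPV4_RE.match(start) and mask.isdigit():
            nets.append(ipaddress.ip_network(f"{start}/{mask}", strict=False))
    return nets


def build_blocklist(feeds, suppress=()):
    """Return a sorted, minimal list of networks to block.

    feeds:    iterable of (parser, feed_text) pairs
    suppress: addresses/networks whitelisted via the Alerts tab '+' button
    """
    nets = []
    for parser, text in feeds:
        nets.extend(parser(text))
    # De-duplication: merge duplicates and entries covered by a larger block.
    # Private ranges are dropped outright so a bad feed cannot block the LAN.
    public = [n for n in ipaddress.collapse_addresses(nets)
              if not any(n.overlaps(p) for p in RFC1918)]
    # Suppression: remove each whitelisted address, splitting a block that
    # contains it rather than discarding the whole block.
    for s in (ipaddress.ip_network(x, strict=False) for x in suppress):
        carved = []
        for net in public:
            if net.subnet_of(s):
                continue                      # whole entry is whitelisted
            if s.subnet_of(net):
                carved.extend(net.address_exclude(s))
            else:
                carved.append(net)
        public = carved
    return list(ipaddress.collapse_addresses(public))


def is_blocked(blocklist, ip):
    """True if the address falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


FEEDS = [(parse_plain, CIARMY_SAMPLE), (parse_dshield, DSHIELD_SAMPLE), (parse_plain, ET_SAMPLE)]

if __name__ == "__main__":
    table = build_blocklist(FEEDS, suppress=["198.51.100.77"])
    for net in table:                         # pf table format: one CIDR per line
        print(net)
```

Run stand-alone it prints the resulting table; the two /32 entries from CIArmy disappear into the DShield /24, and the whitelisted 198.51.100.77 is cut out of the ET /25 without unblocking the rest of that range. Comparing such a dry run against the per-list counts pfBlocker logs on the Update tab is a quick way to confirm a feed is being parsed the way you expect.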

DNS Blacklists
  1. Click on DNSBL tab and set the following fields
    1. Enable DNSBL checked
    2. DNSBL Virtual IP is set to an address in a range that will not be seen by the router for ANY other purpose. Try 10.100.100.1.
    3. DNSBL Listening port set to an unused port on the firewall. Try 8181
    4. DNSBL SSL Listening Port set to an unused port on the firewall. Try 8443
    5. Expand the Alexa Whitelist section
      1. Check the Enable Alexa box
      2. Set Number of Alexa Top Domains to Whitelist to 10k. Whitelisted domains are never sinkholed even if a feed lists them, so this keeps popular sites working at the cost of trusting them outright; 10k is a reasonable balance.
    6. Click Save at the bottom
  2. Click on the DNSBL Feeds tab under the DNSBL tab and set the following:
    1. Add a group named Malware
    2. Add the following three lists:
      1. malwaredomainlist - http://www.malwaredomainlist.com/hostslist/hosts.txt
      2. malwaredomains - http://mirror1.malwaredomains.com/files/justdomains
      3. bambenek - http://osint.bambenekconsulting.com/feeds/dga-feed.gz
    3. Set List Action to Unbound
    4. Set Update Frequency to Every 6 hours
    5. Add another DNSBL group named Ads with the following lists and the same settings as the Malware group
      1. yoyo - http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
      2. adaway - https://adaway.org/hosts.txt
      3. winhelp - http://winhelp2002.mvps.org/hosts.txt
  3. Go to the Update tab, click the Run button and resolve any issues that are logged
  4. DNSBL only affects DNS queries that the pfSense itself resolves (its Unbound resolver): a blocked name is answered with the DNSBL Virtual IP instead of its real address. In an Active Directory network, configure forwarders on the domain DNS servers to point at the pfSense. On a non-domain network, either forward DNS requests to the pfSense or set the pfSense as the DNS server for the network. Clients that use another resolver (a hard-coded public DNS server, or DNS over HTTPS in the browser) bypass DNSBL entirely; a LAN rule that allows outbound DNS only to the pfSense closes the common gap.
  5. To test that DNSBL is working, resolve a domain that appears in one of the feeds from a client (for example with nslookup) and confirm the answer is the DNSBL Virtual IP (10.100.100.1 above) rather than the real address. A quicker but less conclusive check is to browse to an ad-heavy page such as Yahoo and see whether the ads have been removed.
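As an added example (not pfBlocker's own code and not part of the original article), the Python script below does for the DNSBL feeds what the steps above configure: it parses the hosts-file format that malwaredomainlist, yoyo, adaway and winhelp publish and the one-domain-per-line format of malwaredomains, removes the domains on a stand-in for the Alexa whitelist, emits Unbound local-zone/local-data entries that redirect each domain and its subdomains to the DNSBL Virtual IP, and shows what a client lookup gets back. The feed lines, the whitelist, the exact-match whitelist policy and the 10.100.100.1 address are assumptions drawn from the steps above; the gzipped bambenek feed is not covered.

```python
"""Turn DNSBL feeds into Unbound sinkhole entries (added example).

Parses the two plain feed formats used above, applies a top-domains whitelist
(exact-match policy assumed), writes Unbound 'local-zone ... redirect' entries
that answer the domain and all its subdomains with the DNSBL Virtual IP, and
mimics what a client lookup gets back. All feed text is constructed sample data.
"""
import re

DNSBL_VIP = "10.100.100.1"  # DNSBL Virtual IP from the steps above (assumed)

# Constructed samples (not live feeds).
HOSTS_SAMPLE = """# hosts-format feed, as malwaredomainlist/yoyo/adaway/winhelp publish
127.0.0.1  localhost
127.0.0.1  malware.example.net
0.0.0.0    ads.example.org   # ad server
0.0.0.0    cdn.example.com
"""
JUSTDOMAINS_SAMPLE = """# justdomains-format feed, as malwaredomains publishes
dropper.example.com
cdn.example.com
"""
# Stand-in for the Alexa top-N list: popular domains that must never be sinkholed.
TOP_DOMAINS_SAMPLE = ["cdn.example.com", "google.com"]

# Loose hostname syntax check; entries that fail it are skipped rather than trusted.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*\.[a-z]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def _clean(name):
    """Lower-case a feed token, dropping localhost-style names and junk."""
    name = name.strip().lower().rstrip(".")
    if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
        return None
    return name


def parse_hosts(text):
    """'127.0.0.1 domain' / '0.0.0.0 domain' lines; comments and localhost dropped."""
    domains = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "0.0.0.0"):
            continue
        for token in parts[1:]:
            name = _clean(token)
            if name:
                domains.add(name)
    return domains


def parse_justdomains(text):
    """One domain per line."""
    domains = set()
    for line in text.splitlines():
        name = _clean(line.split("#", 1)[0])
        if name:
            domains.add(name)
    return domains


def build_dnsbl(feeds, whitelist):
    """Union of all feeds minus whitelisted domains (exact match, as assumed here)."""
    domains = set()
    for parser, text in feeds:
        domains |= parser(text)
    wl = {w.strip().lower() for w in whitelist}
    return domains - wl


def unbound_entries(domains, vip=DNSBL_VIP):
    """Unbound config lines: a 'redirect' zone answers the name and every subdomain."""
    lines = []
    for d in sorted(domains):
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {vip}"')
    return lines


def sinkhole_lookup(name, domains, vip=DNSBL_VIP):
    """What a client asking the pfSense resolver gets: the VIP for a blocked name
    or any subdomain of one, None meaning 'resolved normally upstream'."""
    labels = name.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in domains:
            return vip
    return None


FEEDS = [(parse_hosts, HOSTS_SAMPLE), (parse_justdomains, JUSTDOMAINS_SAMPLE)]

if __name__ == "__main__":
    blocked = build_dnsbl(FEEDS, TOP_DOMAINS_SAMPLE)
    print("\n".join(unbound_entries(blocked)))
    for host in ("www.ads.example.org", "cdn.example.com", "example.org"):
        print(host, "->", sinkhole_lookup(host, blocked) or "upstream")
```

The final loop mirrors the check in step 5: a name from one of the feeds (or any subdomain of it) comes back as the Virtual IP, while the whitelisted cdn.example.com and the untouched parent example.org resolve normally. Note that cdn.example.com appears in two feeds and is still exempted, which is exactly the trade-off the Alexa whitelist makes.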

Comments (1)
Squidblacklist
16 July 2017 02:03 AM
Heads up, pfblocker now supports domain blacklists for web filtering purposes, including support for Squidblacklist.org subscribers.

We are a subscription-based service, gotta pay the bills, but we do have some free stuff for the community as well, come on over and check it out.