Posted by Jared Thomas, Last modified by Josh Ashline on 02 May 2017 12:04 PM
pfBlocker is an add-on for pfSense that allows us to define IP addresses and DNS hostnames to be blocked at the perimeter. On its own this is not a full IDS security solution, but the listed addresses are known-bad, and setting this package up is an important part of an overall security plan for a network.
Install pfBlocker from System - Package Manager - Available packages
Go to Firewall - pfBlocker - IPv4 and add the IP blacklists. For each entry, set List Action to Deny Both and Update Frequency to Every 6 hours. The Alias Name and Header/Label fields should be a one-word description of the list with no special characters.
Go to the General tab and make sure that the following is set:
Under Inbound Firewall Rules, make sure that all WAN interfaces are highlighted
Under Outbound Firewall Rules, make sure that all LAN and DMZ interfaces are highlighted
Click Save at the bottom
If any public-facing ports are open for services such as email or remote access, go to the GeoIP tab and highlight as many countries as possible for both IPv4 and IPv6. Keep in mind that if you have an internal email server and you select a country, you will not be able to receive any mail from that country. By default, the best countries to select are China, Russia, Ukraine, and Brazil. Set the List Action to Deny Inbound and save.
Click the Update tab and then click the Run button. Observe the output and fix any issues that may have arisen.
If an IP address is blocked and needs to be allowed, find the relevant entry in the Alerts tab and click the + sign next to the IP that you want to whitelist.
Click on DNSBL tab and set the following fields
Enable DNSBL checked
Set DNSBL Virtual IP to an address in a range that the router will not see for ANY other purpose. Try 10.100.100.1.
Set DNSBL Listening Port to an unused port on the firewall. Try 8181.
Set DNSBL SSL Listening Port to an unused port on the firewall. Try 8443.
Expand the Alexa Whitelist section
Check the Enable Alexa box
Set Number of Alexa Top Domains to Whitelist to 10k
Click Save at the bottom
Click on the DNSBL Feeds tab under the DNSBL tab and set the following:
Go to the Update tab, click the Run button and resolve any issues that are logged
For DNSBL, this configuration will only tarpit and block DNS requests that are made directly to the pfSense. To use the DNSBL feature in an Active Directory network, configure forwarders on the DNS servers to point to the pfSense. On a non-domain network, either forward DNS requests to the pfSense or set the pfSense as the DNS server for the network.
To test if the DNSBL function is working, navigate to an ad-heavy page such as Yahoo and see if the ads have been removed