HOWTO pfSense pfBlockerNG - mikael-andre/pfSense GitHub Wiki

HOWTO+pfSense+pfBlockerNG

This how-to aims to install and configure pfblockerNG package

1. Package Manager

First of all, you need to install the package on pfSense appliance

To do it, go to System > Package Manager > Available Packages
In Search section, fill the following fields:
- Search terms: Type pfBlockerNG
- Click on Search button
In Packages section, the pfBlockerNG will be appear
- Click on + Install and then on Confirm buttons to launch installation
- Once installation is completed, pfBlockerNG appears in System > Package Manager > Installed Packages

2. General settings

Before configure DNSBL, IPv4 blacklist or reputation, it is necessary to configure general settings.

To do it, go to Services > pfBlockerNG > General
In General Settings section, fill the following fields:
- Enable pfBlockerNG: Checked
- Keep Settings: Checked
- Cron Settings: Select Every hour, select 0 as minute, hour and Daily/Weekly
- De-Duplication: Checked
- Suppression: Not checked
- Global Logging: Not checked
- MaxMind Localized Language: Select English
- Disable MaxMind Updates: Not checked
- Download Failure Threshold: Select 3
- Logfile Size: Select 20000
In Interface/Rules Configuration section, fill the following fields:
- Inbound Firewall Rules: Select WAN and Block
- Outbound Firewall Rules: Select LAN and Reject
  - If you have more than one internal interfaces, press CTRL or CMD (for Mac users) and click on interfaces
- OpenVPN Interface: checked
- IPSec Interface: checked
- Floating Rules: checked
- Rule Order: Select | pfB_Block/Reject | All other Rules | (original format)
- Auto Rule Suffix: Select Null (no suffix)
- Kill States: Not checked
- Click on the Save button once all field are filling

3. Reputation

TODO

4. IPv4

TODO

5. IPv6

TODO

6. DNSBL

To configure DNSBL, go to Services > pfBlockerNG > DNSBL > DNSBL
- In DNSBL section, fill the following fields:
  - Enable DNSBL: Checked
  - Enable TLD: Not checked
  - DNSBL Virtual IP: Enter an IP address is not in our internal networks, like 10.66.66.66
  - DNSBL Listening Port: Enter 8081
  - DNSBL SSL Listening Port: Enter 8443
  - DNSBL Listening Interface: Select LAN or another internal interface
  - DNSBL Firewall Rule: Checked
    - If you have several internal interfaces, press CTRL or CMD (for Mac users) and click on interface
- In DNSBL IP Firewall Rule Settings section, fill the following fields:
  - List Action: Select Deny Both
  - Enable Logging: Select Enable
- In Advanced Inbound Firewall Rule Settings, I don't change anything
- In Advanced Outbound Firewall Rule Settings, I don't change anything
- In Alexa Whitelist, I don't change anything
- In Custom Domain Whitelist,
  - I recommand to use + button in Alert tab to add custom domains to the whitelist. In fact, pfBlockerNG package uses DNS resolution to find CNAME associated to the domain you want to whitelist
  - To begin, enter the following whitelist domains:
    - `.twitter.com
    - .twitter.com
    - .play.google.com
    - .drive.google.com
    - .accounts.google.com
    - .www.google.com
    - .github.com
    - .www.netflix.com
    - .www.geo.netflix.com # CNAME for (www.netflix.com)
    - .www.eu-west-1.prodaa.netflix.com # CNAME for (www.netflix.com)
    - .outlook.live.com
    - .edge-live.outlook.office.com # CNAME for (outlook.live.com)
    - .outlook.ha-live.office365.com # CNAME for (outlook.live.com)
    - .outlook.ha.office365.com # CNAME for (outlook.live.com)
    - .outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
    - .amazonaws.com
    - .login.live.com
    - .login.msa.akadns6.net # CNAME for (login.live.com)
    - .ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
    - .mail.google.com
    - .googlemail.l.google.com # CNAME for (mail.google.com)
    - .pbs.twimg.com
    - .wildcard.twimg.com # CNAME for (pbs.twimg.com)
    - .sites.google.com
    - .www3.l.google.com # CNAME for (sites.google.com)
    - .docs.google.com
    - .mobile.free.fr
    - cs9.wac.phicdn.net
    - .www.instagram.com
    - .z-p15-instagram.c10r.facebook.com # CNAME for (www.instagram.com)
    - .graph.instagram.com
    - .instagram.c10r.facebook.com # CNAME for (graph.instagram.com)
    - .plus.google.com
    - .samsungcloudsolution.net
    - .samsungelectronics.com
    - .icloud.com
    - .microsoft.com
    - .windows.com
    - .skype.com
    - .googleusercontent.com
    - .oneclient.sfx.ms
    - .sonyentertainmentnetwork.com
    - .osint.bambenekconsulting.com
    - .logging.apache.org
    - .t.co
    - evintl-ocsp.verisign.com
    - evsecure-ocsp.verisign.com
    - .amazonaws.com
    - .symcb.com
    - .symcd.com
    - .digicert.com
- In TLD Exclusion List, I don't change anything
- In TLD Blacklist, I don't change anything
- In TLD Whitelist, I don't change anything
- Click on the Save button once all field are filling
To configure DNSBL feeds, go to Services > pfBlockerNG > DNSBL > DNSBL Feeds
- Click on + Add button
- In DNSBL Feeds section, fill the following fields:
  - DNS GROUP Name: Enter DNSBlockListGroup
  - Description: Enter DNS Block list
  - DNSBL: Select Auto and ON, enter the full URL and give a name associated to this one
    - Name: BBcan177Domains, URL: https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw/be5fddb116667699c246df97b79e1032ab71bb1c/MS-2;
    - Name: BBcan177Threats, URL: https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/b344ebc9475acdea1fae38a12c4ea9332838a184/MS-1;
    - Name: YoYo, URL: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext;
    - Name: SWC, URL: http://someonewhocares.org/hosts/hosts;
    - Name: Adaway, URL: https://adaway.org/hosts.txt;
    - Name: AdBlockPlus, URL: https://gist.githubusercontent.com/BBcan177/b96dd281c5acd5327825a22c63f9f9c9/raw/94c1585a189347e35c0070a9e4de76fde2adb271/liste_fr.txt;
    - Name: MalwareJustDomains, URL: http://mirror1.malwaredomains.com/files/justdomains;
    - Name: MicrosoftDomains, URL: https://jasonhill.co.uk/pfsense/microsoft_domains.txt;
    - Name: YouTubeVideoAds, URL: https://jasonhill.co.uk/pfsense/ytadblock.txt;
    - Name: MalwareImmortalDomains, URL: http://mirror1.malwaredomains.com/files/immortal_domains.txt;
    - Name: MalwareHosts, URL: http://www.malwaredomainlist.com/hostslist/hosts.txt;
    - Name: Malvertising, URL: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt;
    - Name: hpHostsAds, URL: http://jasonhill.co.uk/pfsense/ad_servers_dnsbl.txt;
    - Name: Cameleon, URL: http://sysctl.org/cameleon/hosts;
    - Name: RansomwareDomainBlocklist, URL: https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt;
    - Name: DNSBLMalicious, URL: http://winhelp2002.mvps.org/hosts.txt;
    - Name: OpenFish, URL: https://www.openphish.com/feed.txt;
    - Name: Phishtank, URL: http://data.phishtank.com/data/online-valid.csv;
    - Name: MoneroMiner, URL: https://raw.githubusercontent.com/Hestat/minerchk/master/minerlist-all.txt ;
    - Name: spam404, URL: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt;
    - Name: Malc0de, URL: https://malc0de.com/bl/BOOT;
    - Name: AbuseCh, URL: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist;
    - Name: StevenBlack, URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts;
    - Name: DisconnectTracking, URL: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt;
    - Name: DisconnectAds, URL: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt;
    - Name: CoinlistBrowser, URL: https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser;
    - Name: Princeton, URL: https://gist.githubusercontent.com/BBcan177/b6df57cef74e28d90acf1eec93d62d3b/raw/f0996cf5248657ada2adb396f3636be8716b99eb/MS-4;
    - Name: ISClow, URL: https://isc.sans.edu/feeds/suspiciousdomains_Low.txt;
    - Name: DShieldMedium, URL: https://dshield.org/feeds/suspiciousdomains_Medium.txt;
    - Name: DShieldHigh, URL: https://dshield.org/feeds/suspiciousdomains_High.txt;
    - Name: WindowsTelemetry, URL: https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist;
    - Name: Quidsup, URL: https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt;
    - Name: AdGuardDNS, URL: https://v.firebog.net/hosts/AdguardDNS.txt;
    - Name: CoinlistHost, URL: https://zerodot1.gitlab.io/CoinBlockerLists/hosts;
    - Name: CoinlistHost_optional, URL: https://zerodot1.gitlab.io/CoinBlockerLists/hosts_optional;
    - Name: AirelleHrsk, URL: https://v.firebog.net/hosts/Airelle-hrsk.txt;
    - Name: PrigentMalware, URL: https://v.firebog.net/hosts/Prigent-Malware.txt;
    - Name: PrigentPhishing, URL: https://v.firebog.net/hosts/Prigent-Phishing.txt;
    - Name: ShallaMal, URL: https://v.firebog.net/hosts/Shalla-mal.txt;
    - Name: ISCmedium, URL: https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt;
    - Name: ISChigh, URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt;
    - Name: StevenBlackAds, URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts;
    - Name: StevenBlackKAdHosts, URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts;
    - Name: StevenBlackSpam, URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts;
    - Name: W3KBL, URL: https://v.firebog.net/hosts/static/w3kbl.txt;
    - Name: BillStearns, URL: https://v.firebog.net/hosts/BillStearns.txt;
    - Name: Spammers, URL: https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt;
    - Name: Dawsey21, URL: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt;
    - Name: Vokins, URL: https://raw.githubusercontent.com/vokins/yhosts/master/hosts;
    - Name: AirelleTrc, URL: https://v.firebog.net/hosts/Airelle-trc.txt;
    - Name: PrigentAds, URL: https://v.firebog.net/hosts/Prigent-Ads.txt;
    - Name: StevenBlackHosts, URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts;
    - Name: ChefKoch1, URL: https://gist.githubusercontent.com/CHEF-KOCH/080efada22b9659ef61241029122873b/raw/7f9bd984d3c46b3dba2de7606da579bc0ac6780c/Canvas%2520Font%2520Fingerprinting%2520pages%2520%255B2017%2520Edition%255D;
    - Name: ChefKoch2, URL: https://gist.githubusercontent.com/CHEF-KOCH/5a7b1593d1880f906b12a3c87cee4500/raw/3ba028508feb2ef67a3d7ab75f428fd284223e8b/WebRTC%2520tracking%2520list%2520%255B2017%2520Edition%255D.txt;
    - Name: SamsungSmart, URL: https://v.firebog.net/hosts/static/SamsungSmart.txt;
    - Name: EasyPrivacy2, URL: https://v.firebog.net/hosts/Easyprivacy.txt;
    - Name: GiftCardKiller, URL: https://raw.githubusercontent.com/TakoYachty/Gift-Card-Killer/master/Mega%20Untrusted%20Hosts%20Blocker.txt;
  - List Action: Select Unbound
  - Update Frequency: Select Once a day
  - Weekly (Day of Week): Select Monday
  - Enable Alexa Whitelist: Not checked
- In Custom Block List section, I don't change anything
- Click on the Save button once all field are filling
To configure DNSBL feeds, go to Services > pfBlockerNG > DNSBL > DNSBL EasyList
- In DNSBL - EasyList section, fill the following fields:
  - DNS GROUP Name: Enter EasyList
  - Description: Enter DNSBL Easy list
  - EasyList Feeds:
    - Select ON, EasyList w/o Elements, enter EasyListWOElements
    - Clicl on + Add button
    - Select ON, EasyPrivacy, enter EasyListWOElements
- In DNSBL - EasyList Settings section, fill the following fields:
  - Categories: Press CTRL or CMD (for Mac users) + click to select following categories:
    - EASYLIST Adservers
    - EASYLIST Adservers Popup
    - EASYLIST Adult Adservers
    - EASYLIST Adult Adservers Popup
    - EASYPRIVACY Tracking Servers
    - EASYPRIVACY Tracking International
  - List Action: Select Unbound
  - Update Frequency: Select Once a day
  - Weekly (Day of Week): Select Monday
  - Enable Alexa Whitelist: Not checked
- Click on the Save button once all field are filling

7. GeoIP

TODO

8. Update/Apply configuration

Once reputation, IPv4 and IPv6 black list, DNSBL and GeoIP are correctly configured, you need to apply configuration.

To do it, go to Services > pfBlockerNG > Update
In Update Settings section, fill the following fields:
- Select 'Force' option: Select Reload
- Select 'Reload' option: Select All
- Click on Run button

9. Verifications / Troubleshooting

General

To check if pfBlockerNG is running, go to Status > Services
- Service: dnsbl
- Descrption: pfBlockerNG DNSBL Web Server
- Status: Green

Reputation

TODO

IPv4

TODO

IPv6

TODO

DNSBL

To verify DNSBL is blocking somethings, from your laptop client, type the following command:

nslookup adservices.google.com
Server:   <Your DNS IP Address>
Address:  <Your DNS IP Address>#53

Non-authoritative answer:
Name: adservices.google.com
Address: 10.66.66.66 ---> It is the DNSBL Virtual IP

You can also go to a site with a lot of adverts, for example, www.yahoo.com. With your favourite packet capture software, Wireshark, run it on your client laptop while you navigate on Yahoo. In your packet capture, you probably see the following DNS request/response:

No.     Time           Source                Destination           Protocol Length Info
    193 3.642003       <CLIENT IP ADDRESS>   <DNS IP ADDRESS>      DNS      81     Standard query 0x2e50 A y.analytics.yahoo.com
    196 3.644553       <DNS IP ADDRESS>      <CLIENT IP ADDRESS>   DNS      97     Standard query response 0x2e50 A y.analytics.yahoo.com A 10.66.66.66

Finally, you can check log files.
- To do it, go to Services > pfBlockerNG > Logs
- In Log/File Browser selections section, fill the following fields:
  - Log/File type: Select Log File
  - Log/File selection: Select one of following:
    - pfblockerng.log: to see if update jobs are ok
    - error.log: to see if anything is wrong
    - dnsbl.log: to see all blocked requests
    - extras.log: to see other things
    - maxmind_ver: to see MaxMind GeoIP database update

GeoIP

TODO