How To Setup PfBlockerNG in PfSense

Captions
Hi everyone, thanks for checking out another InfoSec Hub video. Today we're going to talk about pfBlocker, the firewall functionality within pfSense. This is a fresh installation and you already see a firewall here, but if you want extended functionality you should go for pfBlocker.

First let's go in here, the firewall, what comes out of the box. NAT, which is network address translation: let's say for instance you have a game server running, or a VoIP server, or anything like that, you need port forwarding. So when you get calls coming from the internet to your server, you can specify here that if a certain request comes in on the WAN interface it should be directed to the LAN interface, to a certain IP address of the internal server on your network, a certain port number and stuff like that. You can set it up here.

Rules has to do with firewall rules. This is what you set up already during the installation of pfSense: you block these networks. So on the WAN port we already have these rules set up. On the LAN port we have these rules set up: anti-lockout rule, so you're not locking yourself out of this web configurator, and default allow LAN to any rule. OpenVPN, reset one rule, non-schedule. Floating rules: no floating rules are currently defined, and floating rules can, you know, be for either WAN, LAN or both.

But let's go to the package manager and we go to pfBlocker. I think there should be version 3.0 there right now. Let's see, pfBlocker: we go for the pfBlockerNG-devel, install. So version 3.1 and not 2.1, so this is a different kind of version that I want to review with you guys. This will take a while. Again, it will install pfBlocker as a package and then we go over that together.

pfBlocker is basically the function that you want to set up. That's the reason that you have pfSense in the first place, because pfSense sits at the edge of your network. It has a WAN and LAN interface, so it sits at the edge and you want to have a firewall. In the basis, pfSense started out as an open source firewall, and we have all these different kinds of packages that became available over the years, but pfBlocker, that's the firewall, that's exactly the one that you want and what you need.

So now you can see that the pfSense pfBlockerNG package has been successfully installed. We go right into it, and here is pfBlockerNG, and this is the wizard. We'll go through this together, and you can always go back to the wizard at a later time. So maybe you messed some settings up and things are not running anymore: you can go back to this wizard and it will automatically delete all the previous settings, so you start with a clean slate, basically.

So, next. Select inbound firewall interface: inbound is WAN and outbound is LAN. It's already set here by default, but just know that inbound is coming from the internet, which goes to the WAN; outbound is the LAN going to the internet, so that's from local area network to the internet. This is from the internet, WAN, going to the LAN. Inbound WAN, outbound LAN.

Next, VIP address. You can set this up here; you see a different IP range, and this also has to do with the DNS settings. So we leave this default right now, because I'm not using this 10.10.10.1 range anyway. We keep the port default, the SSL port default, and we use this whitelist. Next, finish.

With this we basically set up pfBlockerNG, so let's give this a sec. Now all these changes will be applied to the firewall. Okay, here we are. The firewall works on rule sets as well, and here, status: next scheduled cron event will run at, time remaining. Okay, now it's grabbing information, it's grabbing rule sets. Select force option: update, reload. We're going to set it at reload, so this means that it will reload all the lists using the existing downloaded files. This is useful for when lists are out of sync: whitelisting, blacklisting, suppression, TDL. It means that every time there's an update, it will reload the whole list, so it forces the new rules onto the firewall, basically.

All right, so it's still downloading, it's grabbing all the information. Here you see the GeoIP process. GeoIP is interesting. Let's say for instance that you have a web server and you are under attack, and these attacks are usually coming out of one or two or three countries. You can block the entire range of that country, the whole IP block that's assigned to that country. You can block it; that's GeoIP. So it's quite good, it's quite a powerful option.

So while these new firewall rules are downloading in the back, I will show you the dashboard again. Here you have the firewall logs, and now it doesn't really show any real IP addresses because this is on a virtual machine. And you see pfBlocker, so you see here already a set of rules, 18650 rules, and this is the basic rule set. You can have various aliases, right, so you can have for instance Europe, Asia, America, also when it comes to GeoIP if you use that. And you see all these rule sets that are here in place, and then you can see the kind of packets that went through there and that were blocked, for instance. Okay, you see "download fail", so it failed to download these, but we'll go back to that. It has maybe something to do with the fact... yeah, it should download anyway. Let's continue.

So we go to the General tab. pfBlocker must be enabled. Keep these settings, so keep settings enable p block room attain the run state of installation. Okay, here you can set some log settings, to make sure that the logs are not getting too big. And here, if you have the time, if you have the appreciation, you can donate to BBcan, who made this plugin, because this is the devel plug-in and not the general pfBlockerNG one. This one is a little bit more extensive.

So, IP. All right, the IP tab. Let's see, we have here inbound, outbound, so that's all good. We can enable floating rules, so that the rules apply both for WAN and LAN, and we can hit kill states here. That means that when you have a connection open from your device to a certain IP on the internet, for instance, and a new rule set is downloaded, then the connection will be interrupted, right. So those new firewall rules will be applied, and that also means that the device that is connected at that moment, that connection will be interrupted. So the new rules overwrite all active connections, basically.

All right, GeoIP, we talked about this. MaxMind now requires a license key, yeah, go look it up. For the GeoIP database, for all the country blocks that I talked about earlier, you need a license key. And I would set up Asia, I would set up Africa; they even have one for Antarctica, pretty funny. Top spammers you should get. So you get new rule sets; they can be downloaded like every six hours, every 24 hours, depending on your preferences, but you need a license key for this if you want to use GeoIP.

And I explained about what is IPv4. Here it says deny outbound; that's kind of the default setting, but you can deny both or, you know, whatever you want. But just keep it like this. Basically the settings that you see right now would be enough for an office environment.

So what you saw earlier about installing this package and then downloading the rule sets, which apparently I have a little bit of trouble finding, because it's still updating and I didn't see anything happening. They say the update process ended, but here you get it, table download. It's all in a text file, let's see if I can show you that. Spamhaus, if you're familiar with that, they also keep... let me just show you, why not. Spamhaus, right, what is Spamhaus? For instance, they maintain block lists of well-known IPs and domain names that are attached to cybercrime, those kinds of things. And just like Snort in the previous video, it's all based on a wide community, and they feed the firewall and they feed Snort, which is the IDS and the IPS. It's all based on these txt files full of rules.

Okay, let's back out of here. Reports, sync, logs. Logs are important; you want firewall logs. Log files, master file, original IP files, log files, IP block logs, it will... log does not exist. You can download them, whatever you want to do. So you can download logging from your machine, and then, probably with Notepad++, you can go over certain IPs, you can see what's going on on your network, what is being blocked and what not.

All right, what else can I show you? Reports, some filtering. Feeds: Emerging Threats, Internet Storm Center, security, mass scan, Project Honeypot, Botvrij, cybercrime, Darklist. You can add them, right, this is adding. Add. All right, so this is nice. You can add here also Spamhaus; it's already added here, "feed exists". But if you have for instance, this is Botvrij, in Dutch, cybercrime something, Internet Storm Center, I'm not really familiar with those, but you can add them to the list. Darklist.de, add them to the list. All right. Auto GeoIP, whois, reputation. Okay, that's not found, we go back. General tab again, we've been there, I'm sorry. IP, placeholder IP address. Yeah, this is basically it.

You see I do have an internet connection here, because there's an update available; it grabbed it over the internet. There is some traffic flowing through here, so I still think it's wanting to download these rule sets, but yeah, I can't really show you that. But out of the box, when you set it up and you go through the wizard and it downloads the basic rule sets and you click finish, then it's already installed and you can use it. But you can add additional block lists. You can add GeoIP, so for instance Ukraine or Iran or some countries in Africa where known spammers are coming from, hackers coming out of Eastern Europe or North Korea, China, no matter what, you can block the entire country based on GeoIP. It's effective but not super effective, because those hackers will probably use anonymizing services or VPN servers, so it looks like they're coming out of another country. But a lot of automated bots, scripts that run against your WAN interface, will be blocked on IP basis also.

So it's a very, very nice package. You have a lot of options, and again, if you mess up and at the end of the day it doesn't work anymore, you can go back to the wizard, and if you complete this wizard then you have an entry-level configuration. That's what they say here, but actually for most users that would be sufficient.

So I hope this makes sense to you. If you have any questions, please let me know in the comments below this video. I want to thank you for sticking around this long and going to the end of this video. I hope it was useful, and we hope to see you guys in the next one. Thanks for watching.
Info
Channel: InfoSec Hub
Views: 414
Keywords: pfsense, pfblocker, pfblockerNG, next, generation, firewall, setup, open, source, freeBSD, 64-bit, GeoIP, blocklist, get, download, WAN, LAN, network, protection, protect, how, to, virtual, virtualbox, VM, machine, define, work, it, information, technology, top, spammers, block, blacklist, whitelist, supress, IP, address, log
Id: L2NSLt_tV58
Length: 16min 57sec (1017 seconds)
Published: Sat Oct 30 2021