How to setup pfBlockerNG on pfSense

Captions
Hi, and welcome to another technology video. So in this video we are going to be focusing on pfSense, and we're going to be running through the setup of pfBlockerNG, that's the devel version, it's the latest version. So just to go through the current build at the moment: we are running a fanless 3/8 gig device running pfSense at the latest 2.4.5 release, which is p1, which was released on the 9th of June, and we're going to be walking through the step-by-step process of setting up pfBlockerNG. So without further ado, let's get started.

First thing you want to do is navigate to your Package Manager, and as you can see we've got no additional packages installed. We're going to go to Available Packages and we're going to search for "pf". OK, as you can see here we've got two versions; we're going to be using the latest version and we're just going to go through and install that. So just step through the installation, this will then install all the dependencies and packages that you need. OK, that was quick, excellent.

Right, so to get started you want to navigate to your Firewall option here and then go to pfBlockerNG, and the first thing you're presented with is a wizard. So we're going to run through the wizard, very easy to do. Click on Next, and we're gonna click on Next. We're going to select our inbound and outbound interfaces. The inbound interface is your WAN interface, that's traffic coming in to your network, and the outbound interface is your LAN interface, and that's the connection from your LAN that's then going out to the Internet, and in between is obviously the firewall. If you're running bespoke VLANs or IP addressing, you want to make sure that your VIP address here doesn't clash with any other network that you're running in your environment, and the same for the ports. If it does, then you want to choose a port or choose a VIP address that doesn't clash. For us it doesn't; we're using standard 192.168.0.0/24 addressing for our network, which is at home, so basically it's a flat network, there's no VLANs, no specific routing or anything like that in place. So once you've clicked through the wizard, click on Finish and that will get things set up for you. It just takes a couple of seconds, and then the first thing it's going to do is go down and download all of the lists that it's configured as part of the standard option. So we're going to let that run through, and once that's completed we're going to go through and set up all of the different options.

As you can see here we've got a "downloading update: 404 not found". I won't worry about that; occasionally if it can't talk to the remote host then you'll get errors in the downloads, but it's not a problem, it will keep retrying and eventually it'll go through. The nice thing about this is if there are any duplicates it will filter those out. As you can see on that list there, there's a whole load of duplicates, and here as well, and it will remove the duplicates so it just presents you with the unique addresses. So this will build up a database and it will go through and sort out all of the addresses in there. OK, so that's completed. It will confirm your table entry size for your firewall; you can see here the hard limit is 400,000. That's all we need, we don't need to pay attention to that at the moment really.

OK, so the first thing we want to do is go to our General tab, and you want to make sure that pfBlockerNG is enabled. We've accepted all the defaults here, we don't change any of these, we just leave things alone, and we haven't had any problems at all with that. So the next thing you want to do is go to your IP options and make sure that it's enabled. CIDR aggregation: that basically looks at smaller IP ranges, and if it deems that actually it can fall into a larger one then it combines that into a larger block. We don't use that. And Suppression, so this will stop your private addresses from being blocked. As you can see here it's all self-explanatory really. Placeholder IP address: again you want to make sure that this is not in use on your network, it's a loopback address effectively, so you don't need to worry so much about that. We don't force the global IP logging, we are not using ASN reporting. This bit here is fairly important if you want to use IP reputation or the GeoIP facility on here: so if you want to block countries from accessing your system then you can do that here, you need to do that on the MaxMind database. On the MaxMind website, create yourself an account, it's completely free, and as part of that you will create yourself a license key, so I'm going to add that shortly.

OK, so the inbound firewall rules: again, any traffic coming in you just want to block it, in other words drop the traffic. You do have the ability to reject it as well, but what that does is it tells the remote website that you have blocked them basically, or you have rejected their packet from coming in. You don't want to do that, you just want to drop that traffic silently. And if you're using it for your LAN, which we are, we want to reject it, because actually what we want to do is throw a notification back to the client if it's in the browser, but it also gives you the ability to investigate issues on your LAN. So you want to reject that, because then it tells the client actually that it's not being allowed. We are going to be using floating rules, so tick this option here, and that's going to create a firewall rule for the IPv4 list as a floating rule; otherwise what it'll need to do is create lists on your WAN and your LAN side of the firewall, so if you use a floating rule then it'll cover it across both of them. The firewall rule order we leave alone, we're not changing that at all, and for our firewall auto rule suffix we have it as the default, we haven't changed that at all, and again the kill states we'll leave as it is there. So once you're done with that, save your IP settings.

I'm now going to add the MaxMind key, which I'll have to blur out obviously. Just move that over there and add my MaxMind key. And I've left the check to disable MaxMind CSV updates, don't use that, and it works fine for us, but we're not actually using GeoIP, but we do like to have the IP reputation page there. So once you've done that, click on save settings under the IP section.

We can then move to the IPv4 lists. So automatically enabled is the Priority One collection. Now this is important, because if you've got any infected clients on your LAN you don't want them to talk to those remote hosts, and you want to set the action to Deny Both, so you want to deny inbound and outbound, so you want to stop traffic from getting there and you want to stop traffic coming from there as well. We're going to update that list every hour, so click on Save and OK. We can go through the lists in a minute. IPv6: we're not using IPv6 on our network, so we leave that blank. And GeoIP, again as I explained earlier we're not actually using any of that functionality, but you've got the ability to go in here and configure any of the lists that you want; it's hugely extensive. So you probably want to do this if you've got a web server, for instance, that's only serving the UK; you might want to block all the different countries from getting to it. And then under the IP reputation in here, again you've got the ability to either have lists based on the country exclusion or anything else that you might want to use. So Proofpoint, which is effectively Websense, they've got an IP reputation here and they create nice easy-to-understand lists for you. So for instance if you want to block known DDoS attackers then you would select that list here, and any IP that is in those lists, it will block it. But we're not using that at the moment; we may well do in the future if we decide to run a web server here.

OK, so now we move on to the DNSBL settings. So again we've got to make sure that it's enabled. Top-level domains: if you want to block that, that's fine. What it does there, it'll block the root of that domain, so if you block the root domain then it'll also block everything else underneath, that's all the subdomains as well. Here's that virtual IP address that we saw earlier; we're not changing any of the settings in here, and our web server interface is running on the LAN side. If you want to make sure that your web server is always available then you want to tick this box, and that will create a floating rule for you to access it. This next section here is where you can actually load your own block page onto the system. Again we're just accepting the default, but if you wanted to do that then create your own block page and you'd need to load it up under this location on your pfSense box.

DNSBL whitelist: so you automatically get a whitelist included here. We've actually previously used this, so we've got our own whitelist which is based on all of the lists that we use, so I'm going to copy that in here now so that I don't have to mess around with this whitelisting stuff in the future. It's only got a few in here. So because we use it at home, we don't block things on the MSN network, or some of the Google ads and Google items that we've got listed down here, mainly because it stops YouTube working correctly. Once you've got your settings configured... I'm not going to go through any of these, because we don't actually set any of these options in here at all; these are basically whitelist and exclusion lists. The only one that we do is our DNSBL whitelist; we've got some additional stuff in there, which is why we're pasting that in. Once we've done that, we save that, and then we can go to our groups.

So the groups are the various lists that we're using. However, we're not using these top two, so I am going to delete these, and I'll go through the lists that we are using shortly. We are using this Malicious one, which is made up of a load of different lists, and we'll go through those in a minute. DNSBL categories: again, if you wanted to use either of these lists, what these do is they basically group together domains into categories, and then you can block a whole category if you want to; it's quite extensive. UT1 list, again, the only one you might want to do is this malware list in here, but it's really up to you. We don't use any of these lists; we tend to rely on the domain blocking and the feeds that are already in place. And then the DNSBL SafeSearch: we don't use this, but if you wanted to redirect to SafeSearch, always make sure that when you're on Google or whatever the results are actually filtered, so it just forces safe search on those browsers. Update settings: so it will create its own cron job based on how often you tell the lists to update. The cron will eventually sort itself out and it will tell you how long till the jobs are set up based on what you've configured. The Reports option is used for looking at the alerts, and then the Feeds are the part that we're now interested in.

So there's a few things just to run through here. The first one is the IPv4 abuse.ch Ransomware Tracker, which is no longer in use; that was discontinued at the end of December 2019. So if you click on the tick box here and go through, you will find it in here somewhere. There it is, Ransomware Tracker, abuse.ch. So that list is no longer in use, so if you delete that list and then save it, then when you come back to your feeds you'll now see that that's got a plus next to it, in other words it's deselected. Everything else in here we want to keep in terms of the Priority One IPv4 list, and then we want to scroll down and we'll have a look at the other lists shortly. So the other lists that we want to do are the Malicious list, which was in the DNSBL area. As you can see on the left-hand side down here, it'll show you what the lists are, whether it's DNSBL, IPv6, IPv4, etc. So we're only using the IPv4 list as mentioned; we're not using these EasyLists because we've deleted them, so that's why you can see a tick next to all of them.

This is what we are interested in though, under the DNSBL Malicious group. So if you tick this box, tick this tick here, it will select everything in the list, but as I mentioned the Ransomware Trackers are no longer in use, so we've got abuse DOMBL and abuse URLBL. So I'm going to tick this box, you can see them here, I'm going to remove those two lists again because they're no longer in use, and update frequency is once a day on those, and then we're going to save that. And then we can go back to our feeds again, scroll all the way to the bottom, back to around the Malicious area, and as you can see here the two Ransomware Trackers are now not selected, which is correct. And we also want to untick MVPS; most of the stuff for home is contained in these lists and it's a real pain having to go through them and whitelist them all the time, so for us we don't need it. You may want to use that though. So all of these lists are based on our experience for home use; if you're a business then perhaps you might want that list. We're going to delete that and then we're going to save that again.

And then we're going to go back to our feeds, scroll all the way down, and we're going to select a couple of other lists. So we're not using any of the phishing lists, but you could use those. We are going to select this one here, so this is BBcan177; we're going to select that, and the action here you want to set to Unbound, so that it is part of the DNS activities, it uses the Unbound DNS server because it's looking up domains, and you want to put the state on, which means that it's going to update and it's going to use that list, and then you set your update frequency to once a day and then save your settings. And then we go back to our feeds, scroll down again, so you can see now that that list is ticked. And we want to also now use this one here called URL Shorteners; I set that state to on, set the action to Unbound, and then save those settings. Go back to our feeds again, scroll all the way down, so there's our URL Shorteners now ticked. And the final one that we use is this CoinBlocker under Cryptojackers. We're not ticking the box here because that's going to select all of them, and from our experience we only want to use the CoinBlocker All list, so we tick this over on the side, set our state to on, select Unbound, leave our list as once a day, save those settings. So now when we come back to our groups you can see here we've got Cryptojackers, URL Shorteners and these other two here. The URL Shorteners list default is weekly; again we don't need to change that. And in our whitelist that I showed you earlier, if I just bring that in here, the whitelist, we're actually using a URL shortener whitelist for YouTube videos.

So that's all there is to it. The next thing that you want to do is to make sure that you've got all of the relevant lists, so if we click our Update button: there we go, cron is now scheduled, it's next going to run at midday, in 49 minutes' time. If you choose Reload you can either reload your various lists here, or you can update the whole system so it'll update all of the lists. So in other words what it's going to do is re-look at all of the lists that you've got; any list that you've removed, it's going to delete those from the database, any list you've added, it's going to download those lists and then add them to the database, and then it's going to reload your Unbound resolver. So once that's completed, which it has done, we can now go back to our dashboard, and the thing that we are going to check... I'm just going to remove all of those. We like to have ours at the top here so we can see what's going on, so we've moved that up to the top, and because you've moved it you now need to save your dashboard. These will start looking at all of your traffic and blocking accordingly.

Anything you've got configured in your whitelist, remember you've got the ability to bypass. So let's go back quickly and show you how you would potentially whitelist something. So if you go to Reports, and under Alerts you can see what we've currently got blocked. If you wanted to whitelist something, you just simply click on the plus sign and that will then give you the whitelisting ability there. So we've got a couple here; if you click on the "i", you then have the ability to look up that domain against the threat domain list, and if you want to whitelist it then you can click on the plus sign, and then over on the right-hand side here it'll tell you which feed it's on.

OK, so that's all there is to it. If you've got any comments, leave them in the description field below, and if you found that video useful give it a thumbs up, and don't forget to subscribe to our channel and have a look at our open source playlist, because we've got a whole load of other pfSense videos that you might find interesting on there. And I'd just like to say thanks for watching.
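As an added example (not code from the video, and not pfBlockerNG's own implementation), the following Python models the list processing the video walks through: de-duplication, Suppression of private and loopback ranges, and CIDR aggregation for an IPv4 feed, plus the top-level-domain style DNSBL match in which a blocked domain covers its subdomains and the whitelist takes precedence. The feed lines, domain names and the 10.10.10.1 sinkhole address are constructed placeholders, not values from the video.

```python
"""Model of pfBlockerNG-style list processing (added example, not the
package's own code).  IPv4 feeds: dedup, suppress private/loopback,
CIDR-aggregate.  DNSBL: TLD mode blocks a domain and all subdomains,
whitelist entries (or a whitelisted parent) always win.  Constructed data."""
import ipaddress

# Constructed feed: duplicates, two halves of a /24, an RFC1918 host, loopback.
SAMPLE_IPV4_FEED = """\
203.0.113.7
203.0.113.7
198.51.100.0/25
198.51.100.128/25
192.168.0.15
127.0.0.1
# comments are ignored
"""

# Ranges the "Suppression" option keeps out of the block table.
SUPPRESSED = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Sinkhole address returned for blocked names; placeholder, set to your DNSBL VIP.
DNSBL_VIP = "10.10.10.1"


def build_ipv4_table(feed_text, aggregate=True):
    """Parse feed lines into unique networks, drop suppressed ranges,
    optionally CIDR-aggregate.  Returns a sorted list of IPv4Network."""
    nets = set()
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)   # bare host -> /32
        if net.version != 4 or any(net.subnet_of(s) for s in SUPPRESSED):
            continue
        nets.add(net)                                    # set = de-duplication
    if aggregate:
        nets = ipaddress.collapse_addresses(nets)        # /25 + /25 -> /24
    return sorted(nets)


def dnsbl_lookup(name, blocklist, whitelist, tld_mode=True):
    """Return DNSBL_VIP if the query name is sinkholed, else None."""
    labels = name.lower().rstrip(".").split(".")
    # "cdn.bad.example" -> ["cdn.bad.example", "bad.example", "example"]
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    if any(c in whitelist for c in candidates):          # whitelist wins
        return None
    hits = candidates if tld_mode else candidates[:1]    # exact only without TLD mode
    return DNSBL_VIP if any(c in blocklist for c in hits) else None
```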
Info
Channel: Frimley Computing
Views: 17,028
Keywords: pfBlockerNG, pfSense, how to setup, step by step, how to guide, DNS sinkhole, DNS blackhole, blocking bad domains, malware domain blocking
Id: G9_a-7wQ_QU
Length: 22min 54sec (1374 seconds)
Published: Fri Jun 19 2020