pfsense: Blocking Threats With pfblockerNG Lists

Captions
Tom here from Lawrence Systems, and a question comes up quite a bit: what should I be blocking in pfBlockerNG, and specifically, how should I defend my firewall against threat actors? There's not an easy answer for this; there's not a "just click this button" answer. But I want to go through some of the common things you should probably be blocking, and we're going to keep this narrowed in scope to protecting a pfSense firewall that has inbound ports open. The default settings for pfSense, unless you modify them, if you just next-and-yes your way through a default setup, block all incoming things. But as you may want to run services on your firewall or run services behind your firewall, it's probably important that you block certain things. There's no silver bullet; this is all a cat-and-mouse game. There are lots of lists out there, but these lists are often developed because someone found a threat: the IP address was, well, attacking somewhere. So there's no guarantee that you won't be the first person to be attacked before some threat researcher updates a list, but this is a pretty good way to reduce the amount of noise that comes to your firewall when you have ports open.

Now I'm going to show some general lists that I have here, but there could be a future beyond October 2022 where there are different lists, so I want to talk about this in terms of methodology as well. This list is what's available today; there may be something available in the future, but I want to make this video, well, a little bit future proof by showing you some of the thought process for how the process is done, how you can look at these things, and some of the things you might want to avoid. Now pfBlockerNG I've got plenty of videos on, which I'll leave linked down below, about getting it set up and configured, and this has nothing to do with tracking or ad blocking. We're talking specifically about threats coming in, or knowing how your system is beaconing out (or a system on your network may be beaconing out), how to log those firewall rules, how to look that up, and why that's so important.

Now this is a relatively default setup. We're going to show you what changes I made to it, so if you just went through the wizard and you wondered what settings to change after the wizard runs and kind of gets it going, these are the settings I did change. Download failure threshold normally is set to No Limit; I set it so it will eventually fail. "Clear the widget failed downloads to reset": this is something where if it fails too many times I don't want it to keep trying forever. I will investigate and look at these for failed downloads. Hopefully you don't have any, but sometimes lists go away and you don't want it just having an error constantly and taking longer to reload. It's something you should address and fix, and we'll show you how you see which lists are working and which ones are not. Going over here to IP deduplication, that's enabled. CIDR aggregation: this is going to aggregate things so there are fewer blocks that are all separate, and put them into larger blocks if possible. Now by doing aggregation you're having fewer rules, grouped in terms of using an entire CIDR block that you may want to block on. There is a processor-intensive process when it does this, so if you have a really slow system that's running pfSense you may have a problem with this, but it should be fine on most modern systems. Suppression, that's default. Force Global IP logging, Placeholder IP address, all those are defaults. I do not have the MaxMind key in here; I do recommend you put this in if you want to use any of the GeoIP blocking and understand some of those IP addresses. Now we have block on the WAN and reject on LAN. That's fine, because we want to log these rules for the rejection, and in the past I've used the floating rules to consolidate them under one spot. I'm fine putting them under each individual one; you'll see why when we talk about some of the ways you can log it, but either way it works. You can log it two different ways, but I'm finally leaving that off right now. This is left at the default format, and right here the Kill States I do have enabled: when enabled, after a cron job or any Force command, any blocked IPs found in a firewall state will be cleared. Now this is one of those things: the way firewall states work is, if a state is connected and there's an established connection and you make a rule, the rules will not break the established states by default unless you check the Kill States button. That way if something gets added to the IP list it'll suddenly get logged; if not, that state will remain until it expires, but a new one can't be created. It's just important to think about that.

Now let's go over here to the feeds and show you how the feeds work. This is a little bit tedious when you're setting up the feeds. The default feeds that it has in here are the PRI1 feeds; these are the ones that are very reputable, it says it right here in the collections, and this is the only one that's enabled by default. Now it's the only one enabled by default because you don't want too many false positives, and it does warn you: do not enable all the feeds at once. This is a common mistake people seem to make, going "well, if they're on a threat list, I want to protect against them," and they immediately regret that because they find out, well, it kind of breaks the internet. You have lots of things that just don't work; there are tons of false positives. You have to think about the source. They've done a nice job of listing the feed website and the URL that it pulls from. The checkboxes allow you to change any of these if there are multiple feed options, and you can go to each of these sites, and this is the important part I want you to think about: how you go through these sites. So these are the lists that are available right now, October 2022, but hey, it may change a little bit, and most of these are very reputable sites. That's why they're listed in this PRI1, and they're good ones to do. Talos is the security company behind Snort right now; yes, they are part of Cisco, but they do provide free feeds. Spamhaus, famous for, uh, well, preventing spam and lots of other blocking. Pulsedive is a paid subscription, so there's a "click here to register" if you want to add more subscriptions. Internet Storm Center. Emerging Threats, this one actually I found quite good; it has a lot of bad actors' IPs listed on there. CINS Army, that one's enabled by default. All these are perfectly fine.

Now to add another one, we're just going to go, and you can choose any one of these. Let's say you want to protect against proxies, or you want to use one of the Binary Defense ones: we're just going to go ahead and you can click the plus, and then it brings you to the feed so you can actually edit the feeds. Now for each one you add it brings you back here, and it's kind of a back-and-forth process when you go to the feed. So I'm not going to save that particular feed. Let's go down here though and show you which ones I do add in there, and that's going to be all the Tor feeds. The Tor feeds are where you're going to find a lot of problems, because as much as I like Tor for its privacy and anonymity (that's a hard word to say), the problem is, uh, that's often where people go when they want to poke at things. You spin up a VPN, then you connect to Tor through the VPN, and you start poking at things you found on the internet, and if someone has found your open port interesting, well, they may want to poke away at it. Here also Tor is a common way to get data out and exfiltrate things off the network, so we're going to show you how these rules protect you not just for inbound ports but can be used to protect your internal devices as well. So these are the ones I have, and because this is the Tor Project bulk list and the Internet Storm Center Tor list, uh, they're pretty solid, reputable, typical places; I mean the Tor Project pretty much has all of them on there. Then I also have the Emerging Threats Tor and the dan.me Tor.

Now this is where that aggregation comes in, because undoubtedly there's overlap with these lists, but the overlap is then aggregated together so it minimizes the number of rules; it says, hey, these are duplicated across these lists. Now that still can cause a problem if you check all the lists, because, well, it has to de-duplicate more IPs that are on the lists that cross over, but Tor is a pretty important one to protect against. Now if you go through here there are categories for other things on here, like Stop Forum Spam. Maybe you're running forums and these are some known forum spammers that you want to go through, and maybe you want to check some of those, and you just hit the plus and add each of those. Once you're done adding them, before we actually run the update (which is actually what enacts all the changes; adding these doesn't automatically add the change, it's the update process that does it), we're going to go back over to IP > IPv4 and we want to set these settings right here. So I have this set to Deny Both, and the default is not to Deny Both. This is what I think you should do though: you want to deny both inbound and outbound rules, and Deny Both for the Tor ones I have. So here's my PRI1 collection, here's my Tor collection, frequency every hour. Let's go ahead and edit one just to show you what they look like as you're setting these up. Also, when you add each feed the default state is going to be off; you want to make sure the state is set to ON for each of these. So you change the state from the default to ON; that way it's pulling each of these. If you want, this is where it can hold these once it downloads, so maybe you don't want them updating; that's what those other options are for, but for the most part you generally do. So here's all those different block lists, and by the way, if you're wondering what's in one of these blacklists, or if you're having trouble testing them, you can actually just copy these, paste them into a browser, and see what they are. Pretty straightforward and simple in terms of, like, if you want to understand how they work, and pfBlockerNG automatically parses them.

Now after all these are set, we'll go ahead and look at the Tor ones real quick as well. Same thing, they're all right here. There's a failed download in here, so we'll have to look and see why that one failed, and maybe we'll have to remove that one from the list, but this is why I have those lists, and looking and investigating why something failed. So we'll go ahead and leave this one at default, but we'll look at that later. We're going to run an update again, because after you add all the rules this is when the action takes place. Now it's going to tell me the next event; it's going to run at this time, so that's within three minutes, but we're just going to go ahead and run it now and see what happens. The update ended; all these seem perfectly fine, so these all worked. So let's go back and look at the one that failed and figure out if we can re-enable that one. So we're going here to IP > IPv4, let's go ahead and edit that one, oh, and now it worked. So it did download this time, so the error is gone; it was probably just a failure at the time it downloaded. As long as it doesn't fail too many times before it, you know, stops looking at it, there's not much you have to do, and you can always go back here to the update and hit View again to view the last one on here, and you can see each of the things that's on there, and the table usage count; you can see the number of table stats that are on here. This is because it deduplicates all this and tells you each of the files that are in here. So pretty much you're all set as far as the rules go; they're really easy to do. But I want you to remember, anytime you make any changes, whether it's to the DNSBL, the IP, even if you want to enable or disable any of these features, each time you have to run this. Now if you're not wanting to update it you can just do the reload, and the reload just says reprocess whatever changes happened in pfBlockerNG. This is often where people think they have solved the problem, and they check a box in here, but then it didn't actually update the rules in the firewall. This is the process that updates those rules.

Now let's talk about the rules themselves. We go right here, and we have the rules at the top here which are blocking. So here's all those IPs; here's those IPs for Tor. So it's a pretty big list of anything inbound that hits my WAN. These rules are on top because it's a top-down process, so I have ports open on the WAN, but it'll first process through "hey, is any of these IPs matching?", and if all those IPs are skipped because none of them match, it can then go on to the next rules. This is really important because, hey, I have this port open and I don't want anything from Tor just poking away at port, you know, 1050; that's actually something I was testing for Zabbix. So each of these ports that I have open, this would stop any of those. Now this is in my lab, so it's actually not very useful; this only matters when your WAN has a public IP address, but the concepts still work. Now let's look at the rules inside of here. Here's my LAN rules, or my LAN2 rules; it creates a rule set under each one, and one of the important things is that its traffic is logged, because we want to know if any machine is trying to reach out to these IP addresses. Let's do a test real quick and see what the rules look like. If we go here, and we'll just look at this right here, here's the relay search, so here's all the different relays that are available, and we're going to try and ping one of these relays with a machine that is behind my firewall and show you what happens. So there's the IP; go over here, you can see this IP is 192.168.40.150. So we're going to go ahead and ping a Tor relay, and we'll just let it keep hanging. Go over here, switch back to the firewall, and let's look at the rules. So if we go to Status > System Logs > Firewall, hey, there's those rules; there's that IP address that we're pinging, and we see ICMP rules; we see these rules being tracked. Now if you're sending this to an external log server you can then build triggers, because this is the rule ID, and I've talked about using Graylog, which I use, and you can do things to alert you that something's trying to get to Tor. How this works is you'll take a rule ID like this and go to Firewall > Rules, and we'll show you where that rule ID is. So when you look at any of these you'll see the tracking ID right at the bottom. This is actually a field, and if you watch my Graylog video (and you can do this with other log servers as well), you parse the tracking ID and then you can build alerts to say, hey, if anything from my LAN hits this tracking ID, I should probably investigate it. Now it doesn't mean it's not a false positive, that the Tor relay isn't something else besides a Tor relay; maybe someone's running a website on there that you're trying to get to. But these are the triggers that help guide you through an investigation of what's connecting to what, and this same rule applies when you're looking at anything that might be on this list here. So if we see, like, this one here, 1.12.57.74, all right, let's go ahead and change that, so we'll ping this 1.12.57.74. So there's that IP address; it's failing. Go ahead and refresh this, and we'll see, yep, we can see it's trying to send some packets here on this tracking ID. So we do the same thing, traffic: we're going to System Logs > Firewall, hey, and there it is hitting that right there. So you can see the protocol, it's ICMP. Once again, I don't know why it's hitting that; I don't know much about this IP address or why it's on the block list, but this is how you trigger those and then start an investigation and try to figure out whether or not that should be on a block list. Now this is also the reason you don't want to enable too many block lists, because, well, you can kind of break things and spend a lot of time chasing your tail.

And that's really it for doing your block list. It's a pretty simple process, having these in sync. The downside is false positives are going to happen, and I'm going to have to say that it's going to depend on each one of these feeds how often they get updated or removed. I bring this up because a lot of attacks happen when someone takes over a web server or spins up something at some hosting company, and then they release the IP when they're done, because they're like, "well, we're on the blacklist, let's, uh, dump this server." Then someone else gets that IP address, and no one realized that it needed to be removed from one of the said lists and feeds, so it ends up going, "hey, but we're just trying to host a website to sell cookies, and we can't sell our cookies because it's on this IP address that someone else used before us, before they got shut down for doing whatever nefarious thing got them on the list in the first place." This is why this is kind of still a cat-and-mouse game, and all the feeds are always, as I said, reactive, because, well, they get on these lists because they're discovered doing something. It's not like the threat actors or someone knows ahead of time what these lists are going to be doing.

The final thing is whether or not you want to add GeoIP blocking. I have found this to be tedious if you do any type of international business, and if you're doing anything like outbound, it breaks a lot of things, because the interdependency of things crosses borders a lot. Now there may be certain blocks that you could say, "hey, I just never do business with this group of IPs," because it's pretty dedicated and focused on one particular region, so you may not have problems with it. But kind of take that, when you do the GeoIP, really think about whether or not it's going to affect things, and once again log and watch all those rules so you can figure out what's hanging up and what's not working. It is really tedious with websites; if you really dig into them, you look at your Chrome browser, or whatever browser you're using, and see all the connections one single web page may have and how many different IP addresses are in there, and you kind of get the idea of why certain page elements may fail to load. But there's no silver bullet for all this. Definitely blocking those inbound things works pretty well with those PRI1 lists and the Tor lists; I found very few false positives and very few problems with those particular lists. As you expand out to all the other ones in the list, well, that's where the headaches might come in, and it becomes a little bit more of a manual process, and you can always, you know, go through and prune those as you find the ones that are, well, just bad or not being updated anymore.

So hopefully this helps as to what to update. Also head over to Reddit, r/pfBlockerNG; um, they have their own forums, I'll leave a link down below where you can go through, and they just use Reddit as their forum if you want to ask questions about it. I'd suggest a lot of people go there; that's where a lot of the discussion is happening on it. And of course if you want to reach me and talk about this, there's always my forums, forums.lawrencesystems.com; I'll see you over there, and take care. Hopefully this helps, thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
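As an added example, not code from Lawrence Systems or from the pfBlockerNG project, the Python script below mimics two steps the video walks through: de-duplicating and CIDR-aggregating overlapping feeds (the way pfBlockerNG collapses the Tor lists into fewer rules), and taking the tracking ID from a pfSense firewall-log entry to work out which loaded feed explains a LAN host's blocked connection, flagging hits that no loaded feed explains as candidates for the false-positive investigation the video describes. The feed contents, tracking IDs and log lines are all constructed; the filterlog field order follows pfSense's documented CSV layout and is assumed to match your version.

```python
"""Added example, not Lawrence Systems' or pfBlockerNG's own code.
Aggregates overlapping IP feeds and attributes pfSense filterlog hits to the
feed that caused them. All feed data, tracking IDs and log lines are constructed."""
import ipaddress
import re

# Constructed stand-ins for three downloaded feed files (one entry per line,
# '#' starts a comment). Note the deliberate overlap between them.
FEEDS = {
    "tor_project_bulk": "# constructed\n198.51.100.10\n198.51.100.11\n203.0.113.0/25\n",
    "dan_me_tor": "198.51.100.10\n198.51.100.11\n198.51.100.12\n203.0.113.128/25\n",
    "emerging_threats_tor": "203.0.113.0/24\n192.0.2.77\nnot-an-ip\n",
}

# Constructed: tracking IDs of the pfBlockerNG-generated LAN rules we alert on
# (read yours from the bottom of each rule under Firewall > Rules).
PFB_TRACKERS = {"1770009300", "1770009301"}


def parse_feed(text):
    """Turn one feed file into ip_network objects, skipping junk entries."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad line should not discard the whole feed
    return nets


def aggregate(feeds):
    """De-duplicate and CIDR-aggregate every feed into the minimal rule set."""
    every = [n for text in feeds.values() for n in parse_feed(text)]
    return list(ipaddress.collapse_addresses(every))


def feeds_containing(ip, feeds):
    """Names of the feeds that list this address, sorted for stable output."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, text in feeds.items()
                  if any(addr in n for n in parse_feed(text)))


# pfSense writes filterlog entries as CSV after 'filterlog[pid]: '.
_FILTERLOG = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")


def parse_filterlog(line):
    """Extract the fields we need from an IPv4 filterlog line, else None."""
    m = _FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":   # field 8 is the IP version; IPv4 only here
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6],
            "direction": f[7], "proto": f[16], "src": f[18], "dst": f[19]}


def investigate(log_lines, feeds, trackers):
    """One record per hit on a watched pfBlockerNG rule, with the feeds that
    explain the block (an empty list means nothing loaded explains it)."""
    hits = []
    for line in log_lines:
        ev = parse_filterlog(line)
        if ev is None or ev["tracker"] not in trackers:
            continue
        hits.append({**ev, "feeds": feeds_containing(ev["dst"], feeds)})
    return hits


# Constructed log lines: the LAN host from the video (192.168.40.150) pinging a
# listed Tor relay, the same host pinging an address none of the constructed
# feeds list, and an unrelated pass entry that must be ignored.
SAMPLE_LOG = [
    "Oct 12 10:01:02 pfSense filterlog[1234]: 121,,,1770009300,igb1,match,"
    "reject,out,4,0x0,,64,3001,0,none,1,icmp,84,192.168.40.150,198.51.100.10,request,1,1",
    "Oct 12 10:01:09 pfSense filterlog[1234]: 122,,,1770009301,igb1,match,"
    "reject,out,4,0x0,,64,3002,0,none,1,icmp,84,192.168.40.150,192.0.2.200,request,1,2",
    "Oct 12 10:01:10 pfSense filterlog[1234]: 5,,,1000000103,igb1,match,"
    "pass,out,4,0x0,,64,3003,0,DF,6,tcp,60,192.168.40.150,192.0.2.1,51000,443,0,S",
]

if __name__ == "__main__":
    raw_count = sum(len(parse_feed(t)) for t in FEEDS.values())
    rules = aggregate(FEEDS)
    print(f"{raw_count} raw entries -> {len(rules)} aggregated rules")
    for r in rules:
        print("  ", r)
    for hit in investigate(SAMPLE_LOG, FEEDS, PFB_TRACKERS):
        why = ", ".join(hit["feeds"]) or "no loaded feed lists it: check for a false positive"
        print(f"tracker {hit['tracker']}: {hit['src']} -> {hit['dst']} ({hit['proto']}): {why}")
```

Running it shows the nine raw entries collapsing to four rules (the two /25s and the /24 become a single /24, and the adjacent /32s become a /31), and the second hit coming back with no explaining feed, which is exactly the case the video says should start an investigation rather than an automatic conclusion.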
Info
Channel: Lawrence Systems
Views: 54,856
Keywords: LawrenceSystems, pfblockerNG, pfblockerng setup 2022, pfblockerng setup pfsense, pfblockerng 2022, pfblockerng geoip, pfblockerng devel setup, pfblockerng pfsense 2.6, pfblockerng pfsense setup, pfblockerng setup guide, pfblockerng pfsense, pfblockerng geoip match both, pfsense pfblockerng geoip, install pfblockerng pfsense
Id: oNo77CMoxUM
Length: 18min 30sec (1110 seconds)
Published: Wed Oct 12 2022