Setup Guide / Tutorial for pfBlockerNG 2.2.5 on pfsense with DNSBL & GeoIP Blocking

Captions
Since 2015, pfBlockerNG has been protecting assets behind consumer and corporate networks using pfSense's open-source firewall. So pfBlockerNG, I've talked about it a couple of times before; I want to talk about the latest version. I talked about, about a year ago, that they were developing the 2.2 series, and they've really, you know, come a long way. It seems very stable; I've been using it, we have it on our production machines here, and so I'm going to talk about it and go over how to configure and set it up.

A couple of things I want to get out of the way first. Please donate to them if you can spare a few dollars; it always helps the developers of these open-source projects. You can see currently I am a $10 a month supporter on this, and maybe I should up it a little more, but I want to raise awareness of the project, and raise awareness that, you know, open-source code is free, but the time that these people spend on it is valuable. Therefore show your appreciation by helping them out.

Further reading: there is a forum where, if you want to dive deep and discuss with the pfBlockerNG developer and other people using it and, you know, find details of questions or "is it possible to configure" questions, that is discussed right here under reddit.com/r/pfBlockerNG. So there's a pretty active discussion group; you can see just a lot of posts in here, and it's very helpful, you know, if you have questions or want to interact with the development team. Right here's where you can post some of those and dive deeper into it.

Now I am running, I've run in the past, the pfBlockerNG 2.1 series. I've tried the 2.2; at the time I tried it, over a year ago, it was pretty good, but I don't think it was really there. As of right now it seems to be quite stable; I haven't had any problems with it and it works great. Now if you already have pfBlockerNG 2.1 installed and you want to move to pfBlockerNG 2.2, it should keep all the settings, but as I always say, back up, back up, back up, just in case it goofs up or you need to rerun something on there, and make sure you understand the settings.

The concept I'm doing from here with our lab servers: I'm going to be loading it fresh, and that way it's not pulling any legacy settings, and that way if you're a new user to pfSense this will be the getting started with the 2.2.5 version of pfBlockerNG. So first things first, we click the install and then we click confirm and it downloads it. So this part's really straightforward and simple; how fast or slow will vary greatly with the speed of your computer. But now it's installed. Now pfBlockerNG, which we're going to go to over here, and it's going to bring us to the wizard to get it set up.

A couple of quick items. A lot of people ask us, "What if I'm running a Windows domain, will pfBlockerNG work?" Well, pfBlockerNG has two pieces to it: one does IP blocking based on firewall rules, one does DNS sinkholing. So if you're running a Windows Active Directory network, the DNS server generally is set to be that Windows Active Directory server, to have the least amount of problems with Active Directory, but upstream from that you can tell the Windows server to talk to pfBlockerNG on pfSense and use pfSense for DNS resolution. So the computers will then go to the AD server, and the AD server can use this; that will work for the DNS blocking. The firewall blocking rules, that block IP addresses based on firewall rules, because it is just IP blocking, no problem, that works whether it's on a Windows domain or not. So it depends on which piece of pfBlockerNG you're speaking to. But if you're doing it as "I want to get to this IP address" but then it is sinkholed or blocked inside of pfBlockerNG with a firewall rule, it's going to work whether you have Windows or not. But when you're running a Windows Active Directory server using DNS, it will first try to resolve those addresses inside of Windows, and then Windows will reach out to whatever the Windows server was pointed to. So DNS sinkholing, or, as people like to say, like, you know, blocking of some of the tracking sites, that is only if the DNS within your realm of network is set to this, and it works with the DNS inside of pfSense.

So we're going to hit next on the wizard; hopefully that answers the questions on there. The pfBlockerNG wizard will configure a default setup for pfBlockerNG, and all the things would be wiped if you had any previous installs. IP firewall rules will be added to select outbound interfaces to block the worst offenders; DNSBL, utilizing the DNS Resolver: adverts and the worst known malicious domains will be blocked. So this is basically what it's doing. You select the inbound, as in what's the external; maybe you have more than one WAN address because you have dual providers, you would select all of the inbound external ones, and then all of your internal interfaces; just hold the Ctrl key and press there. So we have LAN and LAN2, not creatively named in my lab. I know the address, the virtual IP address; this is just to make sure you don't have this network in use on your current system. So if you have this IP, the 10.10.10.1, that is something you're already using, like "hey, I use that IP," then change it; you just change it here. I'm not using this one so it's fine, but just a word to the wise: what I've seen, people who have struggled with problems, they coincidentally, through a series of, well, just unfortunate alignments of events here, have had that as their router IP of their pfSense, and because they changed it to 10.10.10.1 it's even fun, and that is the VIP address for this. But you can choose whatever you want here; I'm going to leave it at default because I don't have that network. And ports 8081 and 8443: make sure they're not in use on their local port, upon which the DNSBL web server will listen. The default is 8443, but this can be left, well, unless a different port needs to be used. When you change it here it changes it in all the other places, so I like that the wizard can do that for you, make it simple. And that's it: finish. Its setup magic takes a second here, and it's set up, but the first thing it has to do is get those lists of where those bad-reputation IPs are. So it's going to download EasyPrivacy, AdAway, and a lot of other lists. I'll let it finish this real quick. Update process ended and completed, so here we go: total table entries, blah blah blah. You can scroll back through all the details, but basically it's all configured and successfully updated, so it's just seeing if there's any errors. Doesn't seem to be any; update process ended, I don't see any major problem. So the wizard is now finalized and it says a message has been saved to the wizard log, so if we need to see that.

Let's go all the way to the beginning here and run through what it has here. Now right here is pfBlockerNG: Enable, Keep Settings, and this is the common settings for a lot of plugins; that way if you ever had to remove it, it has the option to, well, whether you want these settings in here, it will remove them or wipe them. So that's pretty straightforward there. Cron settings, default every hour; this updates. Download limit, threshold, no limit; if you need to adjust any of these, these are in case you want a little more, or some type of like "hey, you only tried this many times," or how big you want the logs. Leave it all at the default for now, but you get the idea: if you need or want more logs and have the space for it, you can adjust all that here. The same thing with all the cron settings; you can change it from every hour to two hours, three hours, whatever works for you.

Here is where the IP reputation part starts. So here's the IP settings: placeholder IP address, ASN, etc., etc., whether or not we want to reject or have it block. By default we want it to block on the WAN and reject here. Reject versus block, if you're not familiar with what the two rules do: so when it blocks, it gives no notice, it just drops and goes away, you don't even know, you don't get any notice at all. Reject, well, it tells you "no, you're not allowed to go here." You want reject on the internal ones, that way there's actually some type of answer back, but from the external side, if someone's trying to get in, blocking works better because you don't even want to waste your time sending back a notice at all to the person that they're blocked; just let it go away. And this is for the IP rules.

Now the other thing I'm going to change here from default is I like it to be floating rules, and let me show you why. So we're going to go here to firewall rules and you'll see here's a rule under LAN and LAN2, and there's two different schools of thought here. If you do them under floating you can see the rules all in one place; if you do them under, for however many networks you create, it will have a rule under each one of these. You can then see where the things are coming from. So it all depends on how you want to consolidate things. If you want to consolidate it under a floating rule, that's what this checkbox does, and I kind of like it that way, so everything's in floating rules. But if you want it granular based on each network, you can put them under each network, which is where they end up by default. But remember, when we start customizing or adding a bunch of things in here, those rules start repeating throughout all the networks, so just something to consider and think about when you're doing it, as opposed to "I just want them blocked." And we go here and hit save IP settings; now it'll move to floating rules. By the way, it won't automatically move to floating rules; it won't do that until we go over here to Update. We'll just reload things real quick; we'll hit Run Now. It didn't do a download, we just reloaded it; it's just going to grab everything again and reprocess. Reload, Force All, update process ended, all right, and now the floating rules are here and there's not a rule under each one of these. So that's how that works, in case you didn't know; every time you make a change it would have done it automatically on the hour, but we can just go to the reload option and reload either just the IP or the DNSBL side and run it again.

Back over to the IP. So now we've moved over to a floating rule; keep it pretty simple, lets you customize how the rules work. And I didn't save this, but I'll turn it on now: Kill States. When enabled, after a cron event or force command, any block type IPs found in the firewall states will be cleared. Why do I do that? Well, what happens is, let's say you have a connection to some scary command and control server from inside your network to said server. Well, that server was not known to be a command and control server, and then an IP gets added to the list on one of those hourly updates. When you change a firewall rule, and this is the way pfSense works, it will change the rule, but it won't block states of that rule running already. So I block a port or I block an IP address, but there's already an established TCP connection; until that connection gets re-established, which it wouldn't, because if there's a rule to stop it or that IP is in a block list then it wouldn't, but the established state won't go away. By saying Kill States, if an IP address pops up in there, if there's any computers with established connections, it will break those connections because it'll reset any connections that match that rule. So just something to think about when you're doing that.

GeoIP: this is where you have to decide how you want to handle, for example, the top spammers in the GeoIP. So we're going to go ahead and we can say deny inbound, deny outbound, deny both. Now there's a few more options here; I'm not going to get into the details for specific use cases. But if you go deny both, and we're going to go ahead and edit this rule a little bit more detailed here, if you go to deny both, that means no system can make an outbound connection to those. Now that may work fine for the top spammers, which, by the way, you can hold the Ctrl key and click which ones, or hit Ctrl-A and just grab them all, and then we'll modify, because we didn't hit save at the top here: deny outbound, or actually go ahead, deny both on spammers. I think we're okay with this one. Then we'll hit save, go back over here, and we look at the GeoIP: it's enabled and it says deny both here. And then let's go ahead and deny inbound from places we don't need. So we'll go in, deny inbound for this one but not outbound, and the reason why is this only really matters for inbound if you're hosting things, you have ports open on your firewall. So in our production environment, for my office for example, we do have ports open for things we host; I don't need anyone connecting from this particular country, or let's say Antarctica, we'll say list action, I don't need inbound. Asia, we'll do the same thing, we'll deny inbound. Again, Europe, deny inbound. Now if I were to deny outbound as well, for example in Europe, that's when I would start having a real problem. And what do I mean by that? Well, I would not be able to go to any European website, so I would actually be blocking my ability to talk to those things. You don't realize maybe just how many sites may be hosted over in Europe, and, you know, obviously if you're in Europe you do, but I've seen people where they've set these up and start breaking things right away by denying their ability to get there. Some servers, some companies you may buy services from, are hosted over in Germany; they're hosted over in some place in Europe, and if you do, you deny the firewall's ability to go outbound to those. Now inbound, this only matters if you have ports open, because by default, the way an interface in pfSense works, and a lot of home users, if you're not opening new ports, this is your default rule: deny everything. So it doesn't matter if you have this or not; you're wasting time doing it, because if you have no ports open, well, it doesn't matter. Now I do like denying all these for our inbound because, like I said, we do have hosting open. So you just have to think about the use cases when you're doing that. Same with, you know, deny all these weird proxy and satellite ones; we'll go ahead and deny those too, which is a long list, so page, page, page. So I'm just hitting Ctrl-A to get those in, deny inbound, and now we have all the different ones. So let's do South America, why not, and like I said you can see that this is granular, so you can filter and fine-tune it. Now once you've done all this, once again you could wait an hour, or we can go back over here and we'll just go ahead and reload just the IP side of it, and it's going to update all those rules. That's done there, and now let's hop back over here and look at the firewall rules, and now you can see here's all the different blocks; it creates an alias list for each one of them. Now this is also, I mentioned running floating rules; as you can see now I have this list of rules here in floating, but these are still nice and clean. These would then end up repeating in each one of the networks if you didn't do it as a floating rule, so just some thoughts on that, like I said, for kind of my reasoning for why we do it. So sources, these are blocked, and then these ones as destinations are blocked. So here we go; that's kind of the basics for the GeoIP blocking, which is important.

Now let's talk about the DNSBL side of this. So this is where you DNS sinkhole; this is name resolution versus the other stuff, which is IP-level blocking. And the default feeds it has is EasyList feeds, utilizing domains blocked: the collection of advertisement domain feeds and collection of malicious domain feeds. This is where you can also add more custom ones if you have some particular list you want, things like that. So these are some predefined ones that are pretty basic, but it shows where they're pulling from; you can follow this format if you know another one, and there's other companies, or other groups I should say, not really businesses, but they have these lists, and this is where you can update or change these lists and be able to put in a specific list of things that you don't want resolved there. And what these lists, if you want to ever see what's inside of them, they're pretty easy, they're just basic text files, so you can actually see it's blocking whatever this is, whatever these domains are. These are a list that these people maintain, and this is a malware domain list, so anything that tries to get there, it's, yeah, some crappy website that these people have sinkholed. But you have to be careful, because maybe these lists have false positives in them; that is a risk you're going to get with any of these lists, so take them for what they're worth. And I've seen people debate and argue about who has the best list; that's beyond the scope of this, but it gives you an idea of what these look like. Like here's a ransomware tracking list, and these are sites for, I'm assuming, a bunch of, yeah, and they look pretty crappy to me, because if you're connecting to that site you probably have a problem in your network, for sure. So probably this list, but it looks pretty valid to me. But they also have some category options if you want to try using the categories, and they are pulled from these blacklists to enable, and lets you do a little bit more filtering. I've not done much testing with this, but these try to group things into categories based on that.

Now this is where they've done a great job, and where these feeds are, because you're seeing all those, really, where is all this coming from, where's this data? Well, they actually started filling them out in here, and they made it a lot easier to add a list. So this is the wizard and the default ones that they have on here, and they do have some warnings, so don't just click everything; do not enable all the feeds, or you're going to break stuff; it'll be maybe more than your pfSense can handle. But we have some ones like Talos; Snort, heard of Snort, and I've talked a lot about Snort and the threat lists from them, the Talos security group. They've got a great blog, by the way. They're in here by default as one of the lists. Now all you have to do to add something to the list, let's go in here and let's say, well, here's the developer, he has his own list, and I think Tor is in the list. Let's find that: blacklist, Tor, MyIP, Spamhaus, AdAway, abuse tracker, oh, Malwarebytes, so this is actually the Malwarebytes hosts in here. This is actually kind of cool too: so when you click on these links here, they take you to some of the websites where these are, so you can read more about what these rule sets are that you're adding in here. So if you wanted to add that in there, malware domains, ransomware tracker, where was it again, we just go ahead and hit the plus, all right, save, and now we have that one in there, and we just say Unbound, once a day, save it. Okay, now it's going to pull that list in there as well. So it's kind of cool, the way they do these feeds, so you can figure out what feeds you want, or don't want, to add in there. And I believe Tor is in here somewhere if you wanted to block some of the Tor sites as well, but you kind of get the idea; there's a lot of feed options in here. And I thought this is cool too: they even have like the AlienVault list. So if we are going to click plus on the AlienVault list, and it's an IP reputation one, not a DNS one, we're going to hit save, and we'll go ahead, deny inbound from them, save it, okay, every hour. And once again they have a lot of fine-tuning options if you want to do a couple of specific things, like only custom destination ports and block, and things like that. But once you've done this, we're going to go back over here to the Update, go to Reload, and we'll reload both real quick. Okay, update process ended, and we come back over here to our firewall rules, let me see, all the rules are up to date, and here's, you know, all the things we blocked, etc., etc.

Quick behind the scenes, you know, if you're not familiar: I think I've done a video specifically on how the aliases work in pfSense, but you go here to the aliases and you can see how pfBlockerNG pulls these. So you see it's pulling from each, each piece, and it's pulling from localhost, pfBlockerNG; it runs its own internal web server, so when it updates and pulls these aliases, it actually pulls from a file it creates and then pushes through a web server, so it can pull in and update the alias every time it runs one of those updates. Just a little behind the scenes of what's going on when it creates these. It doesn't have to; I kind of like the fact that it's not doing anything magic; it's exposed through the UI, so to speak, how it's doing it. But when they say do not edit this alias, do not edit the alias, or you'll cause unexpected behavior in pfBlockerNG.

Now pfBlockerNG itself is fun to have up and running, but I also spun up a box over here, a Windows machine, and I haven't done anything but boot it up, and I wanted to show you what the reports say. Like, there's not going to be a lot in these reports; there's not many alerts when there's nothing behind it. This is our lab server, so the only thing behind it is one Windows box with this particular IP address, 192.168.40.120. I like that just by starting it up, the first thing it did was reach out and go to settings-win.data.microsoft.com, which is the Microsoft tracking, by the way. This is another feature I really like, the way they have this built in to pfBlockerNG. So here's the fact that it was blocked, and right here we can do a threat lookup. So we're going to go ahead and open it in a new tab and we can look up that threat. So what is, and you know, its reputation lookup; search string is settings-win.data.microsoft.com, and it gives you what that information is. It's actually a trusted website; well, don't you trust Microsoft? At least it's trusted, and it's not doing anything malicious; it's just telemetry data coming from Microsoft, going to Microsoft I should say, and it got sinkholed. They give you a few different places you can look things up, and this is kind of cool because you can see how it's pushing this setting to here, and then each one of these is taking you to their website and seeing if it's in their list; like this one's not in the list here, but you kind of get the idea. But if we want to whitelist it, let's say we want to send telemetry data to Microsoft, that's pretty easy too: you click the little plus button and it says whitelist settings-win.data.microsoft.com; note this will immediately remove the blocked domain and associated CNAMEs from DNSBL and the whitelisting action. So we're going to hit OK, and then right here, I think it's funny because it's in yellow here, "Do you wish to wildcard whitelist?", and that means anything dot settings-win.data.microsoft.com, as opposed to just settings-win. And we're just going to whitelist this, but in case you want to do a series of potential prefixes that are in front of it, that would wildcard it. So we're just going to whitelist this in general, and it says do you want to add a description, yep, MS telemetry, I think that's how you spell telemetry. And now we've whitelisted this, and when it does the reload it will be in here. Now, so you may need to flush your browser cache, yeah, and this is one thing too: once it's been sinkholed, sometimes it may get stuck in the browser. And if we wanted to undo it real quickly, we could go right here and trash that, and so there are options to go back and, you know, fix it if you need to. Now if you wanted to go back and see that whitelist later, not just in the alerts, you go over here to DNSBL, I'll scroll down here, DNSBL Whitelist, and you can see somewhere within here, hey look, there it is, for MS telemetry. So there is where you can edit the whitelist from the raw, so to speak, and no regex allowed. This lets you, you know, put things in here for the whitelisting, so you can do custom here.

All right, now let's see what happens when we open up a browser, because like I said the report looks kind of boring. So let's open up the browser real quick; let's see what happens when we go to some news site, for example. I would go to news.google.com; surely that will take us somewhere. Oh, a story about a New Jersey building, second floor; well, that's a sad story, why did I have to pick that one? But I bet there was some ad tracking that just occurred; that's what really was important about that. Let's go ahead and update this. Oh man, look at all the things that just tried to pop up right there. So here's just by opening up a new set, Google, and then that other link we clicked, we can see right away there's a lot going on here, and then we can dive over here to the stats and see, oh man, look at all the things: the CDNs and the ad bidding and all the stuff that got tracked on there. So you can see pretty quickly these alerts will fill up.

Now the last thing I'm going to cover is because the question comes up of, you know, do I need to build a really fast, beefy machine to run this, or, you know, will my network choke if I don't have a super fast, you know, EPYC or AMD Threadripper on my pfSense here, or some, you know, Xeon with 64 gigs of RAM; is this thing a system hog? No. That's the last thing I want to cover here is my own pfSense, so I'm going to go ahead and drag it over here. So here's my system, an SG-1100, and you can see that, you know, I'm running the latest release here and I'm using all of 24% of my memory to run this, and it's got pfBlockerNG installed. So let's actually show you what happens when you run it at home. Obviously, this, you can see I do have some things open on my own home system, and yeah, we've got some blocking going on here; plenty of things being stopped and things that it has deemed malicious and stuff like that. So let's go over here and actually look at the stats, and I may have to blur some things out here, but let's look at the reports and we'll go over here to the stats page here, DNSBL stats. And between my kids and my wife using Instagram, we see that, well, graph.instagram.com, some of that tracking's been blocked, some of the other stuff's been blocked. Wherever all this is, I have no idea: flurry.com, settings-win.data, the Windows machines calling out because the gaming systems are running Windows. But you get the idea. So it works perfectly fine even on an SG-1100; they seem to have done a lot of coding to make this a very efficient project, and I haven't really had any issues at all running it on my SG-1100 at home. That's one of the reasons I've talked about recommending the SG-1100s, like this is a lot of times what people want to do, and for a pretty inexpensive box it doesn't seem to have any problems handling it. I don't have any problems playing any games, but occasionally, and you're going to run into some of the games, you may run into things you have to whitelist to not break things, because they may require some of the servers that were on the blacklist. So some fine-tuning, and using that, going through the alerts and whitelisting things as needed, may be necessary. But that gives you a good idea of the whole pfBlockerNG system, and as I said at the beginning, if you can contribute and donate to the project, that'd be great. It's a wonderful tool, definitely a good add-on to pfSense, one of my favorites for being able to, you know, block things coming inbound and block certain things going outbound that you may not want, or sinkholing things via DNS.

So if you want to dive deeper, have some developer questions and things like that, head over to the reddit; you can also participate in the pfBlockerNG forums over at Netgate as well. Those are both very good for the more deep and technical things; I mean, I cover a lot in my forums, but if you want to talk to a developer directly, BBcan177 is very active in those forums and does reply to a lot of it. So if you have suggestions or product update ideas, that would be the place to go and post that.

All right, and thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
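As an added example (not code from the video, and not pfBlockerNG's own implementation), the following Python models the DNSBL mechanics the video walks through: parsing the plain-text feed files, applying exact versus wildcard whitelist entries like the settings-win.data.microsoft.com decision, and resolving every remaining name to the wizard's sinkhole VIP. The feed contents, the whitelist and the leading-dot wildcard convention are constructed assumptions; the output uses Unbound's local-data syntax only to illustrate the redirect, not to reproduce the files pfBlockerNG writes.

```python
"""Illustrative model of a DNSBL sinkhole with whitelist handling.

Constructed example, not pfBlockerNG's own code. It models what the video
describes: feed text files of domains, a whitelist with exact and wildcard
entries, and a sinkhole VIP (wizard default 10.10.10.1) that every blocked
name is resolved to.
"""
from __future__ import annotations

from typing import Iterable

SINKHOLE_VIP = "10.10.10.1"   # pfBlockerNG wizard default DNSBL VIP

# Constructed feed text in the two common shapes: hosts-file lines and bare
# domains, plus comments and blanks that a parser must skip.
SAMPLE_FEED = """\
# constructed sample feed (not a real list)
0.0.0.0 tracker.example.net
127.0.0.1 ads.example.org   # inline comment
settings-win.data.microsoft.com
Telemetry.Example.com.

graph.example.social
"""

# Constructed whitelist: a leading dot marks a wildcard entry (an assumption
# for this example) covering the name and every label prefixed to it; an entry
# without a leading dot matches that one name only, as chosen in the video.
SAMPLE_WHITELIST = [
    "settings-win.data.microsoft.com",  # exact whitelist
    ".example.social",                  # wildcard: graph.example.social etc.
]


def parse_feed(text: str) -> set[str]:
    """Return the domain names in a feed, lowercased and without a trailing dot."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        # hosts-file style "<ip> <domain>"; otherwise the first field is the name
        hosts_style = len(fields) > 1 and fields[0] in ("0.0.0.0", "127.0.0.1")
        name = fields[1] if hosts_style else fields[0]
        domains.add(name.lower().rstrip("."))
    return domains


def is_whitelisted(domain: str, whitelist: Iterable[str]) -> bool:
    """Exact entries match one name; '.suffix' entries match suffix and any subdomain."""
    domain = domain.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower().rstrip(".")
        if entry.startswith("."):
            if domain == entry[1:] or domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def build_sinkhole(feed_text: str, whitelist: Iterable[str],
                   vip: str = SINKHOLE_VIP) -> dict[str, str]:
    """Map every blocked (non-whitelisted) feed domain to the sinkhole VIP."""
    return {d: vip for d in sorted(parse_feed(feed_text))
            if not is_whitelisted(d, whitelist)}


def to_unbound_local_data(sinkhole: dict[str, str]) -> list[str]:
    """Render the sinkhole as Unbound local-data records (illustrative output)."""
    return [f'local-data: "{name} A {ip}"' for name, ip in sinkhole.items()]


def classify_answer(answer_ips: Iterable[str], vip: str = SINKHOLE_VIP) -> str:
    """Tell a sinkholed answer (the resolver returned the VIP) from a real one.

    Handy when a client-side check wants to know whether a name was blocked
    by DNSBL or simply resolved.
    """
    ips = set(answer_ips)
    if not ips:
        return "nxdomain-or-empty"
    return "sinkholed" if ips == {vip} else "resolved"


if __name__ == "__main__":
    for line in to_unbound_local_data(build_sinkhole(SAMPLE_FEED, SAMPLE_WHITELIST)):
        print(line)
    print(classify_answer([SINKHOLE_VIP]))
```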
Info
Channel: Lawrence Systems
Views: 117,786
Keywords: pfBlockerNG, pfblockerng-devel, pfblockerng vs pihole, pfblockerng geoip, pfblockerng dnsbl, pfblockerng whitelist, pfblockerng setup guide, pfsense, firewall, router, pfblocker, tutorial, pfsense router, pfsense dnsbl, pfsense dnsbl blacklist, pfsense software, pfblockerng easylist
Id: OJ8HHwpGxHw
Length: 27min 59sec (1679 seconds)
Published: Sun Nov 10 2019