Tutorial: pfSense and pfBlockerNG Version 3

Captions
Tom here from Lawrence Systems, and I'd like to talk about my favorite plug-in for pfSense, and that's pfBlocker. This is one that gets installed pretty much all the time whenever we're setting up a new pfSense. They released a new 3.0 version. Well, there's a few more minor changes coming, but we'll get to that in a second. But now that it's in the 3.0, I wanted to do a video kind of going over, well, how much easier it is to set up: the defaults work much better and the wizard works great. So this is the latest video on this particular topic, the 3.0 series, and it is the latest version as of December 10th, 2020.

One thing I want to get out of the way, though: this developer, BBcan177, has a Patreon page. There are currently 875 people, including myself, donating to this particular project. If you can afford a few extra dollars to throw at this project, that would be greatly appreciated by the developer. The project, you know, is a lot of time and a lot of effort put in by BBcan177 for this plug-in and add-on for pfSense, so if you can donate, I just like to bring this up that it'd be greatly appreciated by BBcan177. If you can't donate and just want to use the product, don't worry, it's still free and no problem; go ahead and use it. It is great, I really do recommend it, which is why I'm doing this video.

All right, now that that's out of the way, let's first... if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free (and thank you to everyone who already has), there is a Join button here for YouTube and a Patreon page; your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel.

Now back to our content. Now, there is a subreddit dedicated to pfBlockerNG, and that's where the full announcement is, with a whole lot of details for all the report tabs and all the fun things that were fixed in here or updated or refactored. There's a lot of code changes behind the scenes, not a massive change to the front end of it, but we'll get to the wizard in a second, how much better it works. But here's all the list of changes, and I'll leave links to this down below. And of course, if you have a lot of questions in Q&A, they're probably already answered down here in this already-done Reddit post, so read through this if you have a lot of Q&A and some finite detail I may not cover in here. Also, only about an hour ago (actually it says updated 19 minutes ago) was this post right here, pfBlockerNG-devel 3.0.0_5 update, and there's a couple more minor changes coming. Now these are not available at this very moment, at least at the time of making the video, but probably by the time you're watching this, because this will probably be completed within a week, this will be added to pfBlocker. And one of the things that is important to know is the improvement for the threat lookups (there's another Reddit post about this; I'll get to the threat lookups when we're at that part of the video), but I do know some of them are non-functional because, well, some of those sites don't support the threat lookup anymore, so that has been pruned, and that's part of what this pull update is for as well. And no problem if you run the wizard now before this update; it'll fix itself later. Once you've set this up, the updates don't seem to have any effect on it. I set this up when it very first came out, and now I've seen several updates.

Now let's get into actually setting this up and installing it. First thing that's important to know, and this is the version right here: pfBlockerNG-devel 3.0.0_3. Now I bring this up because if you go to the available packages under the package manager in pfSense and we type in "pfblock", there is a two series, and this was a common thing I've seen on one of my last videos where people loaded the wrong version. You want to load the three series, not the two series. I think in my other video there's an older version, and you're going to get the idea: there's usually two versions listed in there, the old train and the new development package. So that's the one we want to start with here.

Then from there, the next thing you want to do is kick off the wizard. Now if you have already installed this, there's not a wizard that will come up; it'll just have all your settings. The settings will transfer even if you're upgrading from the 2.0 to the 3.0 series and went through the normal double updates; it will automatically pull the settings over, but it does not prune broken feeds (not the threat lookup, but the actual feeds), and you may want to consider just resetting this up if you've, one, goofed things up, two, not sure what you did and changed a bunch of settings, can't remember what they were, and you're not sure what's broken and you don't want to take the time to troubleshoot it. I've actually done that myself, where it's quicker just to reconfigure this, and one of the nice things about pfBlocker 3 is the wizard just works so well. Let me walk you through how easy this is to set up.

So we're going to hit Next. And by the way, you can also rerun the wizard by clicking the Wizard tab after it's already configured; you just go here, click Wizard, and you can blow away all the settings and set it back up again. I encourage people to do this, like I said, if you goof things up and you're not remembering what you did or what you changed: just rerun the wizard. It erases all the settings. "It will now completely configure all the default setup for pfBlockerNG. This default configuration is for an entry-level setup which is designed to assist beginners with pfBlocker." By the way, "entry level" is kind of understating it; the entry level works really, really well. It's probably adequate for the majority of users, especially home users.

Now, Next. The next thing we want to do is figure out which are our outside interfaces. WAN is the only interface on my demo machine, but if you have more than one WAN interface because you have failover, you choose each one of those that you have public-facing. Then we have our internal interfaces, LAN and LAN2; they call them outbound interfaces, but they're the internal interfaces that you want to apply these rules to. Next: VIP address, port and SSL port. This is for the DNS sinkhole, and what you don't want is a conflict. So my network is built on the 192 subnets, therefore the address conflicts won't be there. If you are using 10.10.1 for something already, you're going to have an address conflict; this is your opportunity to change that. It's the same thing with ports: if you have something on port 81, 8081 and 8443, for example, if you had moved pfSense to that port, you are going to have trouble, and this is why they give you the option to reassign these. I'm not using either one of these ports; I've actually got pfSense on 5555, if you look up at the top over here, so yeah, no conflicts. Next. Finish.

All right, the next thing it's going to do is reload and grab all the rules and download everything and pull all the updates, so we'll let this complete real quick. "pfBlocker has been successfully configured and updated." And for some people, this is as far as you need to go in the video. It is set up, it is configured, it is at the base config, but don't worry, that actually works really well. I'm going to keep going on about customizing, what the details mean, for more advanced setups, but you can stop watching here if all you want to do is get it activated, get it basically working. That's, you know, as far as you need to go; this is the nice default setup that works.

Now let's start diving into the settings here. General: one thing we have is the General tab, where we have Keep Settings and pfBlockerNG Enabled. This is pretty basic, and by default it wants to update every hour. Speaking of updates, each time it updates, which it's going to update again at nine (it already made the entry for it, so we got six minutes time remaining)... One thing that's important to understand, and I'll reference this: the changes you make in pfBlocker (and we're going to go make a change real quick), without doing this reload, those changes won't be applied as firewall rules until this runs. This is what the Force Reload option is, and we can say, did we make a change to the IP settings, the DNSBL settings (DNS blacklisting)? It's whichever change you make, or both; you have to rerun this for those changes to apply.

And let's walk through at least one common change that I do. So I usually leave all of this at default, which is perfectly fine, but then I go down here, and we have WAN and LAN and LAN2, and we're going to enable Floating Rules and we're going to enable Kill States. Now, floating rules is a function inside of pfSense where you can apply rules floating, as in not specific to any interface. I like the rules being over there, because if they're over there, well, they're all in one place instead of having individual rules under each interface. Kill States means if there's a new update that comes through, a new IP address added to the block list, do you want to kill any states that are found, connections between a device behind the firewall (or the firewall itself) and that particular IP address? If you don't have this and the rule is added where another IP address that you were using or a connection was being used, it will remain in use, but it won't be able to start new states and new connections; the old connections will exist. Kill States is a way of dropping those connections upon firewall rule reload.

So we're going to save IP settings, and we're going to go to Firewall, go to Rules, and right here is the block rule that was in place, and here's the block rule under LAN2, and here's the floating rules, and notice they're not there. No problem: Firewall, pfBlockerNG, Update. We're just going to reload the rules. I only need to reload the IP rules because that's the only thing we changed. Hit Run. It runs through very quickly because it doesn't have to do much; goes through, already has a download, I didn't need it to download anything again. Then we go here, Firewall, Rules, Floating: hey, there's the floating rule. LAN and LAN2: there's no more rules in here. This is why I like it in floating. This is also a big confusing part of when people make changes and can't figure out why those changes weren't working, or it started working later: that's because you have to reload it each time to get the changes to apply.

All right, now that we know that, let's dive into the IP blocking. One more thing that you may have noticed in here is MaxMind now requires a license key. This did not require it before, and there was some controversy with just giving away a free GeoIP database. So if you need to use the GeoIP functions, then you will need to put a license key in here, and let the angry comments go down below. I'll leave a video link to the previous video I did on this. People really seem upset that this company doesn't give away an automatically free, without registering an email address, licensed GeoIP database. I'm not here to solve that controversy; I'm just telling you that you do have to register and acknowledge the email address. You can't just give a fake one and get the license key set up. There's an FYI on there, and that's only if you're going to use the GeoIP. We're going to get into what that looks like.

Now let's go to, now that that's the only change on here, IPv4. And by default we are only denying outbound. Now that's actually fine for the majority of users, especially home users who may not be hosting anything on pfSense, as in you don't have any ports open, because by default the WAN always denies everything coming at it, so denying more doesn't help you in any way. Now you can tell it to deny inbound as well, or deny both, and it will then log more of it, just so you're curious who's banging at the WAN address of your particular firewall. And don't take that personally, because, well, you'll find that there's a whole lot of attacks going on. It's not necessarily that they're targeting you as an individual personally; maybe they are, but it seems unlikely. More likely it is just these automated bots that send out massive amounts of scans, looking and knocking on doors, looking for, well, unlocked ports or vulnerable systems. It's a very automated scan, and there's even companies that are just aggregating data, such as Shodan; you'll see them show up in the logs as well. So you don't necessarily need it, but you can turn it on. It's not really a big security change if you're not hosting anything. If you are, if you're a business and you want that turned on, then yes, that does help, because, well, it'll deny-list all these things in there. And as I stated, for any change you would have to go back and do the reload.

Now let's look at the default lists it has on here, and here's what the rules look like. Now you can add your own custom rules. They do have more feeds, and I'll show you how to add to these feeds, but they're pretty straightforward. Go here, copy that, paste it, and this is what the rule actually looks like. Not too many IP addresses in this one; well, actually there's kind of a lot, they're just in CIDR notation, so they're blocks completely delisted, and these are ones that for whatever reason Spamhaus decided are on their DROP list. And this one seems to get a lot of popularity in terms of hits; this is a pretty long list too. Now the system actually goes through and deduplicates these, so if something on this particular list was also on another list, it will go through and try to aggregate this to conserve memory. This is actually some of the code refactoring that's been updated to make this a more efficient process, because even though you're pulling from multiple blacklists, there may be differing opinions they have, but there's a lot of the same opinions they have of which IP addresses should be on this particular list. And I think this default list works really well.

Let's go ahead, though, and talk about what if you want to add one. We're going to go here and we'll click on AlienVault, and if you want to add one, click the plus, change the state to On, and then it will add this one to the list. Now, interesting, this one's actually AlienVault, but they're just called reputation.snort.gz, so apparently it's probably part of a Snort list. It is gzip-compressed, and interestingly, it will handle gzip-compressed files and then it uncompresses them; it's a more efficient way to transport, of course. And now this list can be added. Now how does that actually work in terms of adding it? Go over here, make sure this is state On (as you notice, it was defaulted off), we just hit Save, and now if we go to the list, same as the others, maybe I want to deny both, and hit Save, hit OK. Now these lists are top-down, so it works like other firewall rules inside of pfSense, so you can drag these around if you wanted this one to be matched first or matched second. It's kind of just a personal preference, however you want to do that. You can also, on a per-list basis, change the frequency; maybe this one you only want updated every four hours. And hit Save. Now once again you would have to go here, go to the Update. This time, because we changed the list, we wouldn't just do a reload, because we're not just changing rules; we have to make sure it pulls. So we run this and actually pull that particular list, and when you look back through the logs you can see AlienVault downloading, update, but these ones existed because there was no changes. The system is also smart, and you see it says, hey, there's no changes to these lists, there's really nothing to do. They hash them and go, hey, do they match? Yes, this last list is unchanged, and, well, nothing really happens. But now we did change the AlienVault one, so that one's been downloaded.

Now let's dive a little further over here and look at GeoIP. Now, I don't feel like putting a license in this particular one, but we're going to jump over to my system and show you what the GeoIP actually looks like once you pull it. So here's the GeoIP, and one important thing is, one, you have to put a MaxMind license key in; second, you have to do an update; third, you have to go here and edit these. If you don't edit them, they default to disabled. Then, just enabling them doesn't exactly turn it on, so it's not like we're just blanket doing, well, Antarctica, Asia or those IP addresses. You actually have to edit each one, and by default none of these are selected. You have to do a Control-A, or granularly go through each one of these country codes and decide which groupings you want to block or not block, and they can be selected holding the Control key and picking very specific ones. Then you have to go down and hit Save. Once you're in here, you can go to each individual section. There's more IP addresses than I expected in Antarctica, but either way, if you didn't want to block the penguins in Antarctica, you could select which one of these is okay not to block. I don't know how many attacks actually come from there; that could be interesting. Anyways, not to get off topic: once you've done all this and done all these saves and configured the country blocking and features, then you can go back over and we'll look at the GeoIP list here. Make sure this is saved, make sure all these are set up the way you want, then do the reload. Of note, you notice how I am set up to deny inbound but not to deny outbound. Home users, please don't deny outbound. This is a common, well, sometimes people want to call us for support, and we look and find that they can't get to a lot of websites because they decided to deny everything, thinking that would make it safer. You're literally blocking entire countries. You will be surprised sometimes how many websites you visit that are maybe not hosted in the country you thought they were, or just where those servers are going to serve up the content from through the content delivery networks. So if you start blocking everything outbound, you're gonna have a bad time. The deny inbound is because we host things, and, well, we don't really have customers that need to touch our servers that we have things hosted on that are inside the US from outside the US, so we choose to deny inbound and then granularly edit these kind of on an as-needed basis if we have a client in those particular places. Just an FYI of how that works. And it's important, though, because if you start really tuning this, past where I said now you've got this basically set up (home users and default users), this is where people get themselves into trouble, and sometimes if you goof this up beyond recognition, click the Wizard and start over.

Now while we're in my system, I'll take a look at the reports, because the demo system is behind another firewall, which means the reports are, well, empty. And when you go to the Reports page and then the Alerts page, here are some of the denies, and I've blurred out some of my public IP address blocks that we have here attached to pfSense. Of note, though, if you wanted to whitelist something, it's actually pretty easy: you can just click the little plus, hit OK, and it has the ability to create whitelist aliases. This is a way you can create the rules and create a separate whitelist to allow something, and when you do this, it's going to create a whitelist right under the IP list over here, and then you can put these IP lists above; I mentioned that it's top-down. And instead of a deny rule, you can say a permit. That way it'll process those IP addresses that you have in a custom whitelist, because for some reason there are false positives that are on there. This is some of the fine-tuning that is pretty easy to do inside of here.

Now the other enhancement to the reports: go here and we'll just look at the block stats real quick. They offer a lot of tuning; you can pull this report information and fine-tune what you do want. These are actually not more to add; this is invert, so you can actually remove some of these things. If I didn't want the event timeline, for example: "select things to hide", that's what this is for. I'm going to not select any of those. It gives you some stats over time, and I won't scroll down too far so I've got to blur too many of the IP addresses, but it will give really nice reports that are for understanding, you know, where some of these attacks came from, what's the count, what's the GeoIP location from that IP address. And tons of them come from the US, I'm not going to lie; some of these things that are just blocked end up being US pretty frequently. So just because you block the other countries, don't think that's any substitute for locking things down and being secure. All right, let me go ahead and close this. So that's the GeoIP; pretty straightforward.

Now we can go over here to DNSBL, the blacklist. I'm fine with the default function of this; I actually sometimes turn it down a bit. So here are the groups that it adds: we have the EasyList, the ads collection, and we have the malicious. The problem is, this is for example the EasyList, and these list formats you can find, and spend some time in the subreddit, because there are plenty of discussions about which is the best list, and it's not for me to decide, it's for you to decide. These are common lists that are, well, not specific at all to pfBlocker; they're common lists of things you may want to block. You also get yourself in a headache of "I want to block everything", but every time I block everything, all these different things stop working that I need to use. Yes, that is a challenge. It's one of the reasons I actually, at our office, we don't have these on, and I'm a big fan of, like, uBlock Origin in the browser to solve some of those problems, because it's way easier to just unblock certain pages because of the functionality of the page you have a use for. So you can start by turning it all on and setting these sinkholes up, and then you can start working your way back to whether or not these lists are right for you, or if they end up being too aggressive and causing, well, too much drama for you for all the sites they try to block. And we'll go over here, Reports, DNS Block Stats. My laptop is behind this demo firewall that we're working on; as you can see, I'm logged in as a 192, and, yep, here is my computer hitting these different sites, and yeah, it's blocking quite a bit. I already know one of the challenges I've had with it is it blocks almost too much, and then things stop working. Like I said, it can be a fine-tuning headache. People really want to block everything on the internet that isn't exactly what they want, but you'll find a lot of websites, especially news sites now, if they catch you blocking some of this, well, they're going to tell you that, yeah, you can't block this or we won't show you the page. I'll let you work on that; I'm just throwing it out there. It's pretty easy if you want to turn these on or off: you go here and you can just disable them on an as-needed basis; maybe leave the malicious one, or find any other feeds that make you happy.

Finally, I will get to the reports, the alerts and the threat lookup, so let's click on that. And as I said at the beginning, we know there's a couple of them broken in here, so in a few days, maybe a week from December 10th when I'm recording this video, there will be some more updates to this to solve this issue. But right here we can look at FortiGuard and VirusTotal, and what this did was we took an IP, and I artificially created this by just going through and finding an IP. It's actually scan 95 security ipip.net, and we'll see if this is really a bad list or not. So go here, we clicked on the lookup, that brought us to here, and from here it just sends us to each one of the pages with the lookup: web filter lookup, not rated in FortiGuard; VirusTotal has AlienVault listing it as malicious; and CINS Army, which is actually where I pulled the list from, has it as malicious. Let's actually do a lookup here, because it came from ipip.net. What is ipip.net? Let's make our own assessment here. "The only IP database based on real-time BGP ASN data analytics." They're a data analytics company, clearly, and being a data analytics company, they know my location right here and have my IP address and my longitude and latitude, and they assume I'm in the Detroit time zone. What if they're correct on the longitude and latitude? I'm just going to say they're really far off on longitude and latitude: I am south of Detroit, down here; they think I'm up here. So we're going to go with maybe not the most accurate database, but we know that they're not just a collection aggregator. So maybe we want to whitelist that, and that's what I wanted to talk about specifically: do your assessments, use the threat lookup, and then you can say, all right, I guess that IP is something I need, it's a false positive, and I want it added to my whitelist.

So we're going to go here, we're going to click OK, and we want to whitelist. We're going to create a new whitelist, we're going to give it a description, pretty simple. It's added right here, and, yeah, "test whitelist"; we could say "YouTube", a good description, why did I add this. Hit Save. Go here, and we'd probably want to put this at the top; there we go, saving order change. So now we have a permit outbound whitelist, and then we'll start denying the other ones on there. This is how you can edit those; you can add more to it. And if we wanted to, you know, go through, actually, if you go back even to the Reports, Alerts, it tells you where this is whitelisted, and we can also delete this out of the whitelist. So it's now still matching in there; matter of fact, as long as we have the matching set up inside there, it'll keep showing up in the report, and we can remove those from the whitelist if we later want to, and it'll go ahead and update that. And this is where that kill state thing can be important, because let's say you want to remove something, there's a bunch of connections to it and you had it in that list: this is where Kill States, when you reload, would actually kill any sessions that are going to that particular address.

Now that covered how to unblock an IP address from the IP blocking. What about the DNS blocking? Well, let's go here. The same thing, just a little further down in the reports. Yeah, we're going to go ahead and whitelist; yes, "removed CNAME domain", add service on there. Now it's been removed, so now it's got a little mark through it, and once again we can go here, it exists right here; you can kind of look back at it and remove it again if you want. And if you want to see where that was added, you go here to the DNSBL, scroll down, there's the whitelist, scroll down, there's all the ones, and then the ones that we have in here that were just added. It says "allow Google services"; there's a few others that are default in there, because if you don't, well, there are a lot of false positives. If you block .apple, SourceForge, and then a handful of these other ones like Amazon, you're gonna have a hard time dealing with a few things, because a lot of the internet runs on those services, so wildcard blocking all of that, and Dropbox. You can take these out, you can edit this; this is the way the default works, but do it at your own risk, and it's your own peril if you turn off the internet or large sections of it: the, well, large sections of the internet will be inaccessible to you. Just want to throw that out there. If you really want to be secure, turn off the internet completely; that's the best and most honest answer I can give.

So hopefully this is helpful for getting started and understanding a little bit of the tuning for pfBlocker. It's a great plug-in, it's solid. Like I said in the beginning, if you can throw a few dollars and be a Patreon supporter to support further development of this, and if you want to have a more in-depth discussion about it, my forums are okay, but actually the Reddit is going to be a really great place to have a conversation and talk about the latest developments of it, and have a long debate about which lists are the best; sometimes that pops up from time to time in there. All right, thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the Subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
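The feed handling the video walks through (a gzip-compressed feed such as reputation.snort.gz being decompressed, entries deduplicated and aggregated across lists to conserve memory, and the rule set evaluated top-down with a permit whitelist alias placed above the deny aliases) can be modelled in a few dozen lines. The following is an added Python example written for this page; it is not code from the video or from the pfBlockerNG project, and every feed line and IP address in it is constructed sample data from documentation ranges, not a real feed.

```python
"""Added example, not from the video or the pfBlockerNG project: a minimal model
of how a feed-driven IP blocker turns several feeds into one rule set. It shows
the three behaviours described in the video: gzip-compressed feeds are
transparently decompressed, overlapping entries across feeds are deduplicated and
aggregated, and rules are evaluated top-down with a permit whitelist above the
deny list. All feed contents and addresses below are constructed sample data."""
import gzip
import ipaddress

# Constructed feed in the Spamhaus DROP-style "CIDR ; comment" layout.
FEED_A = b"""; constructed DROP-style feed, not a real Spamhaus list
203.0.113.0/24 ; SBL-sample-1
198.51.100.0/25 ; SBL-sample-2
"""

# Constructed feed delivered gzip-compressed, the way reputation.snort.gz is.
FEED_B_GZ = gzip.compress(b"""# constructed reputation feed, one address per line
198.51.100.7
198.51.100.200
203.0.113.45
192.0.2.10
""")


def parse_feed(raw: bytes) -> list:
    """Decompress if the payload is gzip, strip ';' and '#' comments, and return
    every parseable IPv4 network. A bare address becomes a /32; a malformed line
    is skipped so one bad entry cannot break the whole feed."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    nets = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        entry = line.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def aggregate(feeds) -> list:
    """Merge feeds into one deduplicated, aggregated block list: hosts already
    covered by a listed block are absorbed and adjacent blocks are joined."""
    all_nets = [net for feed in feeds for net in parse_feed(feed)]
    return list(ipaddress.collapse_addresses(all_nets))


def as_strings(nets) -> list:
    """Render networks as CIDR strings, the form a firewall alias would hold."""
    return [str(net) for net in nets]


def build_rules(whitelist_cidrs, blocklist):
    """Top-down rule table, first match wins (like pfSense rules). The permit
    whitelist alias is placed above the deny alias so a false positive gets
    through even though it is still present in the downloaded feeds."""
    whitelist = [ipaddress.ip_network(c, strict=False) for c in whitelist_cidrs]
    return [("permit", whitelist), ("deny", blocklist)]


def evaluate(rules, ip: str) -> str:
    """Return the action of the first rule whose alias contains ip, or 'pass'
    when no pfBlocker rule matched and the normal interface rules apply."""
    addr = ipaddress.ip_address(ip)
    for action, nets in rules:
        if any(addr in net for net in nets):
            return action
    return "pass"


if __name__ == "__main__":
    blocklist = aggregate([FEED_A, FEED_B_GZ])
    print("aggregated block list:", as_strings(blocklist))
    # 203.0.113.45 sits inside a listed /24; whitelisting it above the deny
    # alias is the "permit outbound whitelist" step from the video.
    rules = build_rules(["203.0.113.45/32"], blocklist)
    for ip in ("203.0.113.45", "203.0.113.46", "198.51.100.200", "192.0.2.99"):
        print(ip, "->", evaluate(rules, ip))
```

Running it shows the six raw entries collapse to four networks (the two hosts already inside a listed block are absorbed), and that the whitelisted host is permitted while its neighbours in the same /24 are still denied. The order of the tuples returned by build_rules is the only thing that makes the whitelist effective, which is exactly why the video drags the whitelist to the top of the list before saving.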
Info
Channel: Lawrence Systems
Views: 69,064
Rating: 4.985837 out of 5
Keywords: lawrencesystems
Id: xizAeAqYde4
Length: 27min 53sec (1673 seconds)
Published: Thu Dec 10 2020