Setting Up pfBlockerNG

Objectives

Set up pfBlockerNG on pfSense and configure firewall rules based on IP address and domain name.

Prerequisites

  1. A Netgate appliance or any other system with pfSense installed

Steps

Step 1: Install pfBlockerNG

Go to the pfSense web interface (the default address is https://192.168.1.1; the default credentials are username admin and password pfsense). If the admin password is still the default, change it under System -> User Manager before going any further.

Then, navigate to System -> Package Manager -> Available Packages.

Find pfBlockerNG and click on Install to install the package.

Afterwards, verify that pfBlockerNG is installed by navigating to System -> Package Manager -> Installed Packages.

Step 2: Configure pfBlockerNG General Setting

Navigate to Firewall -> pfBlockerNG -> General.

On the General Settings tab, ensure that the Enable pfBlockerNG and Keep Settings boxes are checked.

Then, on the Interface/Rules Configuration tab, set Inbound Firewall Rules to WAN with the action Block, and Outbound Firewall Rules to LAN with the action Reject. Click Save. Block silently drops the packet, which is what you want for unsolicited traffic arriving on WAN; Reject sends a TCP reset or ICMP unreachable back to the LAN client, so connections to blocked addresses fail immediately instead of hanging until they time out.

Step 3: Allow/Deny Connection Based On IP Address

To allow or deny connections based on IP address, create an IPv4 list; pfBlockerNG turns it into an alias and a firewall rule on the interfaces chosen in Step 2.

Navigate to the IPv4 tab and click Add.

Enter the Alias Name and the List Description according to your needs.

Then, under IPv4 Lists, enter the URL of the feed the IP blocklist is built from.

Don't forget to enter the Header/Label. Leave everything else as it is.

Next, click Save.

An example of an IP blocklist feed:
https://rules.emergingthreats.net/blockrules/compromised-ips.txt

This feed, maintained by Emerging Threats, is a list of known compromised/malicious IP addresses that are recommended for blocking. Before adding any third-party feed, look at what it actually contains: an overly broad entry such as 0.0.0.0/0, or a range that overlaps your own LAN, would be installed as a block rule just like the rest.

Step 4: Configure DNS Block List (DNSBL)

In order to configure DNS Block List, you need to navigate to the DNSBL Configuration tab and tick on Enable DNSBL.

Next, in the DNSBL IP Firewall Rule Settings section, set List Action to Deny Both and Enable Logging to Enable. Afterwards, click Save.

Step 5: Allow/Deny Access to Certain Webpages

To allow or deny access to websites by domain name, create a DNSBL feed group: navigate to the DNSBL Feeds tab and click Add.

Then, enter the DNS Group Name and Description according to your preference.

Under DNSBL, enter the URL of the feed the domain blocklist is built from.

Don't forget to enter the Header/Label.

Leave everything else as it is.

Next, make sure that List Action is set to Unbound, which loads the list into the DNS Resolver. Afterwards, click Save.

DNSBL only affects clients that use pfSense's DNS Resolver (Unbound) for their lookups. A client configured with a public resolver, or a browser using DNS over HTTPS, bypasses the block list entirely, so block or redirect outbound DNS from the LAN if you rely on this.

An example of a domain name blocklist is available at:
https://github.com/StevenBlack/hosts

The URL above is a GitHub repository of curated hosts files. The base list covers adware and malware domains, and the repository also offers extended variants that add categories such as gambling and pornography, which are commonly blocked with DNSBL. Point the feed at the raw hosts file itself (for example https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts), not at the repository page.
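
Both Step 3 and Step 5 point pfBlockerNG at a third-party feed, and whatever that feed contains becomes a block rule or a DNSBL entry. The shell script below is an added example, not part of pfBlockerNG or of this article's original procedure: it sanity-checks a downloaded IP feed (flagging malformed lines, prefixes broader than /8, and loopback, RFC 1918 or 0.0.0.0 entries that would block your own network) and extracts the domains from a hosts-format list such as StevenBlack/hosts, skipping the localhost lines those files start with. The file paths in the usage comments are assumptions; run it against a feed you have already downloaded with fetch or curl.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code): vet a feed file before adding it.
# Inputs are local files, so it runs offline. Assumed workflow:
#   fetch -o ips.txt https://rules.emergingthreats.net/blockrules/compromised-ips.txt
#   check_ip_feed ips.txt
set -eu

# check_ip_feed FILE: print one line per problem plus a count of usable
# entries; exit status 1 if anything was flagged.
check_ip_feed() {
    awk '
    function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; found = 1 }
    /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines
    {
        sub(/[[:space:]]+#.*$/, "")                  # strip trailing comment
        gsub(/[[:space:]]/, "")
        n = split($0, p, "/")
        if (n > 2 || split(p[1], o, ".") != 4) { bad("not IPv4"); next }
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) { bad("not IPv4"); next }
        plen = (n == 2) ? p[2] : 32
        if (plen !~ /^[0-9]+$/ || plen > 32) { bad("bad prefix length"); next }
        if (plen < 8) { bad("prefix broader than /8"); next }
        # Entries that would block the firewall itself or the LAN behind it.
        if (o[1] == 0 || o[1] == 127 || o[1] == 10 ||
            (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
            (o[1] == 192 && o[2] == 168)) { bad("loopback/private/unspecified"); next }
        total++
    }
    END { printf "%d usable entries\n", total + 0; exit found + 0 }
    ' "$1"
}

# extract_hosts_domains FILE: print the unique, lower-cased domains from a
# hosts-format list ("0.0.0.0 ads.example" / "127.0.0.1 ads.example"),
# ignoring comments, IPv6 lines and the localhost/broadcast boilerplate.
extract_hosts_domains() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }    # not a sinkhole entry
    {
        d = tolower($2)
        if (d ~ /^(localhost|localhost\.localdomain|local|broadcasthost|0\.0\.0\.0|ip6-.*)$/) next
        if (d !~ /^([a-z0-9_-]+\.)+[a-z0-9-]+$/) next  # not a usable hostname
        if (!seen[d]++) print d
    }
    ' "$1"
}
```

A non-zero exit from check_ip_feed means at least one line was flagged; review those lines before adding the feed rather than assuming the firewall will ignore them. extract_hosts_domains is useful for eyeballing what a DNSBL feed will actually sinkhole, and for spotting a list that blocks a domain your own services depend on.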

Step 6: Update pfBlockerNG Configuration

Before your configuration takes effect, pfBlockerNG has to download the feeds and build the aliases and the DNSBL database. Navigate to the Update tab, choose Update under Select 'Force', and click Run. Watch the log output for download errors: a feed that fails to download contributes nothing to the block lists. To confirm DNSBL is working, query the resolver from a LAN client (for example nslookup <blocked domain> 192.168.1.1); a blocked domain should resolve to the DNSBL virtual IP (10.10.10.1 by default) rather than to its real address.

Step 7: Change Default Image for Blocked Website

By default, pfBlockerNG serves a 1×1 pixel GIF when a browser requests a blocked URL, so blocked elements on a page simply disappear.

You can replace this image with one of your own by editing the index.php that serves it from the command line.

Ensure that you have SSH access to the firewall. You can enable SSH by navigating to System -> Advanced -> Admin Access -> Secure Shell and ticking Enable Secure Shell. Prefer key-based authentication over the password, and consider disabling SSH again once you are done.

You can SSH into the firewall with PuTTY or a terminal (ssh admin@192.168.1.1; the password is pfsense unless you have changed it, which you should have).

After logging in you will be presented with the console menu. Access the shell by typing "8".

Then, run cd /usr/local/www/pfblockerng/www and edit the file index.php with vi index.php. Alternatively, install the nano text editor with pkg install nano and edit the file with nano index.php.

Comment out the line echo base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='); by adding a double slash (//) in front of it.

Then, add your own base64-encoded file on another line by entering echo base64_decode('yourbase64encodehere==');
You can produce the base64 string locally with base64 (or openssl base64 -A) on your workstation. An online encoder such as https://base64.guru/converter/encode also works, but it means uploading the file to a third party, so use it only for an image you would publish anyway. If the new image is not a GIF, also update any Content-Type header the script sends so browsers render it correctly.

Next, save index.php. In vi, type :wq; in nano, press Ctrl+O to write the file and then Ctrl+X to exit (recent nano versions also accept Ctrl+S to save).

Finally, verify by visiting one of the domains you blocked in Step 5 from a LAN client. You should see your image instead of the blank pixel. Note that reinstalling or upgrading the pfBlockerNG package restores the package's own index.php, so keep a copy of your edited file and reapply the change after updates.
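
The script below is an added example, not pfBlockerNG's own code and not part of the original procedure above: it performs the Step 7 edit without a web-based encoder, base64-encoding the replacement image locally and writing a patched copy of index.php with the stock echo line commented out and a new one inserted after it. The input and output paths are assumptions; the intended workflow is to run it on a workstation against a copy of the firewall's index.php, then copy the result back to /usr/local/www/pfblockerng/www/index.php, keeping the original as a backup.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code): replace the 1x1 GIF that index.php
# emits for blocked requests with a custom image, encoded locally.
# Assumed usage: patch_index index.php.orig logo.gif index.php.new
set -eu

# The stock placeholder the article tells you to comment out (a 1x1 GIF).
ORIG_B64='R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='

# b64_file FILE: single-line base64 of FILE, using whichever tool exists.
b64_file() {
    if command -v base64 >/dev/null 2>&1; then
        base64 < "$1" | tr -d '\n'
    else
        openssl base64 -A -in "$1"
    fi
}

# patch_index SRC IMG DST: write SRC to DST with the stock echo line
# commented out and an echo of IMG's base64 inserted directly after it,
# preserving indentation. Returns 1 and writes nothing if the stock line is
# absent (e.g. a pfBlockerNG version whose index.php differs), so you never
# end up with an unchanged file that you believe is patched.
patch_index() {
    src=$1; img=$2; dst=$3
    grep -qF "echo base64_decode('$ORIG_B64');" "$src" || return 1
    repl_b64=$(b64_file "$img")
    # q is a literal single quote; base64 never contains quotes, so the
    # generated PHP string cannot break out of its own quoting.
    awk -v q="'" -v orig="$ORIG_B64" -v repl="$repl_b64" '
    index($0, "echo base64_decode(" q orig q ");") {
        match($0, /^[[:space:]]*/); ind = substr($0, 1, RLENGTH)
        print ind "//" substr($0, RLENGTH + 1)
        print ind "echo base64_decode(" q repl q ");"
        next
    }
    { print }
    ' "$src" > "$dst"
}
```

Because the image is embedded in the PHP source as base64, every blocked request answers with the whole image; keep it small. Diff the patched file against the original before copying it back, and keep the original so a package update that overwrites index.php can be repaired in seconds.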

Updated on August 17, 2020
