No more ads and enhanced security with pfBlockerNG for pfSense
21 June 2021
In addition to your existing firewall rules, pfBlockerNG provides inbound and outbound filtering against:
- commercial ads
- malicious sites
- botnet viruses
It is also very easy to set up and maintain.
Install the package:
- Go to System -> Package Manager -> Available Packages -> Search for pfBlockerNG-devel
- Once installed, go to Firewall -> pfBlockerNG
- You can go with the automatic installation or skip it and set it up manually
- On the pfBlockerNG -> General page -> enable "pfBlockerNG" and enable "Keep settings"
- IP tab:
  - Enable de-duplication, CIDR aggregation and set ASN caching to 24 hours.
  - Under IP Interface/Rules configuration set the "Inbound Firewall Rules" to WAN with blocking action and "Outbound Firewall Rules" to your desired interfaces to be "protected" by pfBlockerNG with rejecting action.
  - Sub-tab IPv4 will allow you to configure IPv4 block lists
  - Sub-tab IPv6 will allow you to configure IPv6 block lists
- DNSBL tab:
  - Enable DNSBL
  - Set mode to unbound
  - Enable Wildcard Blocking (TLD)
  - Enable Resolver Live Sync
  - Under DNSBL configuration you can set the to-be-used interfaces to connect the DNSBL Webserver through "Permit Firewall Rules" (e.g. LAN and guest network).
  - Sub-tab DNSBL Groups will allow you to configure DNS blocking groups and works both for IPv4 and IPv6
- Update tab: do a "Reload" and run it to download and update the configured blocking lists.
- Feeds tab allows you to select and automatically add new blocking lists for both IP and DNS. Be careful as some lists can be quite aggressive (e.g. blocking Google DNS).
- Reports will show you the blocked/rejected traffic and can be handy for troubleshooting.
- Logs will give you almost the same as Reports, but presented in a "bulkier" fashion.
- Sync is only to be used if you have a secondary/backup firewall in place for the same network location OR if you maintain more than one site and you wish to delegate the same settings to all sites from the main site.
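
Before enabling a feed from the Feeds tab, it helps to check offline whether it would block addresses you rely on (the Google DNS case mentioned above) and to see what de-duplication and CIDR aggregation do to a list. The following is an added example, not pfBlockerNG's own code: it uses Python's `ipaddress` module on a constructed sample feed, and the `MUST_STAY_REACHABLE` list and function names are assumptions to adapt.

```python
import ipaddress

# Constructed sample feed (not a real block list).
SAMPLE_FEED = """\
192.0.2.0/25
192.0.2.128/25
192.0.2.10
198.51.100.7
198.51.100.7   # duplicate
8.8.8.0/24
2001:db8::/33
2001:db8:8000::/33
not-an-ip
"""
# Assumption: addresses that must stay reachable; adjust to your network.
MUST_STAY_REACHABLE = ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888"]

def parse_feed(text):
    """Return (networks, rejected_entries) from a plain-text IP feed."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def aggregate(nets):
    """De-duplicate and merge networks; IPv4 and IPv6 are collapsed separately."""
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return merged

def blocked_critical(nets, critical=MUST_STAY_REACHABLE):
    """Map each critical address to the first feed network containing it."""
    hits = {}
    for addr in map(ipaddress.ip_address, critical):
        match = next((n for n in nets if n.version == addr.version and addr in n), None)
        if match is not None:
            hits[str(addr)] = str(match)
    return hits

if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    merged = aggregate(nets)
    print(len(nets), "->", len(merged), "rejected:", bad, "would block:", blocked_critical(merged))
```

Any address reported by `blocked_critical` is a reason to skip the feed or to add a whitelist entry before turning it on.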