PfBlockerNG on PfSense protects your network by filtering internet traffic based on lists of domains or ip addresses. The lists are usually provided by third parties. Setting up pfBlockerNG and getting it to work is relatively simple but there’s a lot of possibilities that may not seem obvious right away.
If you are using Active Directory and your clients are using one of the Active Directory DNS servers for domain name resolution then you must add pfSense’s IP address as the first forwarder, otherwise the pfSense DNS resolver is not resolving your clients’ requests and no filtering is taking place.
PfBlockerNG is a PfSense package. On your PfSense router go to System > Package Manager > Available Packages and install pfBlockerNG.
Go to Firewall > pfBlockerNG > General. We’ll first configure it, then enable it so leave ‘Enable pfBlockerNG’ not checked for now. The Cron settings determine when Cron is run; you determine the update frequency for list updates per list group.
Firewall > pfBlockerNG > DNSBL > DNSBL: in the DNSBL Virtual IP field enter an ip address from a private range not in use on your network. In most cases the default is ok. Check the rest of the settings; if this is a fresh PfSense installation the defaults will be fine. If not you will most likely know what you changed, e.g. your network interfaces’ names.
Under List Action choose Deny Both. Click the i button for more information.
Firewall > pfBlockerNG > DNSBL > DNSBL EasyList provides an interface to EasyList (https://easylist.to/) which is a simple ad blocker. If you want to use it, choose a DNS GROUP name, set a Description and pick a feed list (I believe the Privacy list covers ads commonly found in agressively advertising adult sites). Click the Add button and also select the other list if you like. Select the categories you’d like to filter, under List Action choose Unbound, set your update frequency and make sure you do not select Enable Alexa Whitelist because Alexa lists a bunch of ad servers, negating the filtering effect.
Note the ad circus on many sites.
Go to Firewall > pfBlockerNG > General, check Enable pfBlockerNG and click Save.
Click the Update tab, select Run, DNSBL and click Run.
After the update most ads will stop showing however sites look actively stripped of content (which of course they are).
There are a lot of blocklist providers (lists of lists to follow). For now we’ll try hpHosts’ adlist: https://hosts-file.net/ad_servers.txt (read their terms of service at https://hosts-file.net).
Go to Firewall > pfBlockerNG > DNSBL > DNSBL Feeds. Click Add. DNS GROUP name: hpHosts (more on that later). Description: hpHosts. DNSBL Source: https://hosts-file.net/ad_servers.txt. Header/Label: hpHosts_ad_server. The name, description and label are for your reference only. List action: Unbound. Update Frequency: Once a day (READ THE PROVIDERS’ TERMS OF SERVICE). Do not enable the Alexa Whitelist because that lists a bunch of ad servers.
Click Save, head over to the Update tab and click Run. Do this as little as possible to avoid hammering the providers’ servers.
Note that sites now look a lot better. That’s because pfBlockerNG is redirecting requests to ad servers to a local web server serving up a one-pixel blank image.
The advantage of blocking ads is that you can verify the blocking system is working. Also check the Alerts tab. HpHosts offers a LOT of lists, including a lot of malware subjects. It’s easy to include them all to pfBlockerNG: from Firewall > pfBlockerNG > DNSBL > DNSBL Feeds click the Edit icon next to the DNS Group we created earlier.
Click the Add button and enter any other lists you want to use. Find them on https://hosts-file.net/?s=Download and do read their terms of service. Click Save and do the Update thing or just wait for cron to update automatically.
IP lists work about the same as DNSBL’s, the difference being that they contain ip addresses instead of domains. In theory if you enter a list containing both ip addresses and domains (your standard hosts file) the IP list will retrieve its ip addresses while the DNSBL will retrieve the domains.
Here is a list of blacklist providers I found in the PfSense forums. There are probably a lot more. While I understand it may be a bit of work I still strongly recommend you research a list’s purpose, conditions and how actively it is being managed before you start using it.
http://adaway.org/hosts.txt open source ad blocker for Android
http://www.malwaredomainlist.com/hostslist/hosts.txt malware domain list
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext not sure who makes this
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist tracks Zeus C&C servers
https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw pfBlockerNG’s maker’s list
https://hosts-file.net/?s=Download pick and choose your flavours.
http://malc0de.com/bl/IP_Blacklist.txt malware distributing ips
https://mirror1.malwaredomains.com/files/justdomains malware distributing domains
Regardless of your view on internet advertising it is probably a good idea to block known malware sources. I suggest you group sources based on update intervals but that’s really up to you.
Under Firewall > pfBlockerNG > DNSBL > DNSBL you can set the List Action to Alias Deny. This will pour the lists in a PfSense firewall alias, allowing a bit more granular control over who can go where and when. For example, you could create a rule that just blocks Windows machines from certain categories of sites from 9.00 till 17.00. Or route “non-essential” traffic through a different gateway.
The Alexa whitelist contains the top one million internet sites. You can use it to avoid false positives but do not use it if you want to block ads because Alexa also lists ad sites. There are a few tips and options in the Alexa section under the DNSBL tab; be sure to read them.
Yes, I see the irony of describing a system that allows you to block internet advertising, on a site that runs ads. I am writing these things for my own documentation purposes and there’s no reason someone else shouldn’t benefit from it. If you found it useful you could let me know by clicking an ad or two on my site ;)