This guide is assuming a scenario where you’d like to use the pfBlockerNG-devel package by BBcan177 to filter content for specific clients on your network while allowing others to access the web normally. We should also note that content filtering can be applied in much simpler ways than via pfBlockerNG. We created this guide as a result of a solution we had to develop for a client that wanted the content filtering of CleanBrowsing DNS combined with the granularity and control of pfBlockerNG.
This guide still applies if you would like to implement pfBlockerNG for all of the networks behind your pfSense device, you only need ignore the section regarding enforcement for specific clients.
pfBlockerNG works by blocking content in two ways – DNS Blocking (DNSBL) and IP v4 & v6 blocking (IPBL).
For IPv4/IPv6, pfBlocker converts IP lists into Aliases and Firewall rules to match the pfBlocker setting for each list.
For DNS, pfBlocker converts domain lists into DNS-spoofing commands read by the Unbound (aka DNS Resolver). As such, using DNS Resolver as the primary DNS for your network(s) is required for pfBlockerNG to do any DNSBL content filtering. For more information, see our guide on setting up DNS Resolver (Unbound).
Getting Started
- Install pfBlockerNG-devel from the pfSense package manager (System->Package Manager->Available Packages->pfBlockerNG-devel->[+Install])
- Once the installation process has completed, navigate to Firewall->pfBlockerNG. This will guide you through a very short and to the point wizard. The only things to look out for here are the Port and SSL Port sections of step 3 – you want to make sure they are not being used by any other processes on your pfSense device. This will break pfBlocker and whatever processes are using that port. If you happen to be running Ubiquiti’s UniFi controller on your pfSense device, it’s already using port 8443.
- The wizard should drop you off in the update subsection of pfBlockerNG. Take a moment to review your settings in the following subsections of pfBlockerNG:
General:
✓ Enable pfBlockerNG
✓ Keep Settings
->Scroll to the bottom, click [Save]
DNSBL:
✓ Enable DNSBL
✓ Enable TLD (Warning: While this setting is very helpful for fully blocking your listed domains, it can run your pfSense device out of memory very quickly. Do not enable this setting on systems with 1GB or less of memory and read everything in the infoblock below this setting to make sure you understand the implications)
->Scroll to the bottom, click [Save]
A useful reminder: You’ll want to remember to click the blue Save button at the bottom of every menu in pfBlockerNG when you’ve made changes. It’s also important to remember that these changes will not go into effect until you’ve run an ‘Update’ operation under the Update subsection. You’re provided with a note indicating this on each page but it can be easy to miss.
Setup your Block Lists
Next, you’ll want to review your block lists for IPv4/IPv6 and DNS and possibly setup some new ones. By default, pfBlockerNG includes some pretty useful lists.
Lists Enabled by Default
The default IPv4 lists are from some of the best threat intelligence and cybersecurity groups in the world (CINS Army, Spamhaus, Abuse.ch) and keep malware that has reached an endpoint on your network from ‘calling home’ to pull down more assets or do more damage. Leaving these alone is a no-brainer
DNSBL EasyList
The default DNSBL lists found under ‘DNSBL Easylist’ are managed by AdBlock Plus and do well to block most ads across the internet from your entire network. These could create some issues if you use apps or services which depend on the ad servers and trackers blocked by the Easylist. This is fairly easily resolved by whitelisting individual domains and subdomains when and if this issue arises. This list would not be recommended for use with anyone doing work with marketing or advertising companies.
DNSBL Category
pfBlockerNG includes two category-relevant lists: Shallalist maintained by Shalla Secure Services and ‘UT1‘, a domain blacklist maintained by Toulouse1 Capitole University. Both include millions of domains and will extensively block for the categories you select.
To enable a DNS blocking by category:
- Change the dropdown for Blacklist Category from Disable to Enable.
- Select one or both of the lists in Blacklists by clicking on them.
- After you’ve selected a list, scroll down and click the + sign to expand the categories for that list. Check the lists you want to include in your DNSBL and click Save at the bottom. A general warning about the adult/porn categories on these lists: They are enormous lists and will chew up the memory on your pfSense device. Porn is one of the most obvious content types to block, but unless you have a pfSense device with >4GB of memory, we wouldn’t recommend enabling these categories on either list. A similar solution can be achieved by using a combination of forced Google SafeSearch and shorter custom block lists for porn — more on how to implement this later.
- Navigate back to the Update section and click Run to add your DNSBL categories to your list.
DNSBL Feeds (Community/Custom Lists)
This section of the DNSBL functionality allows you to add lists from the web or your own custom lists, which could include anything from lists maintained to protect against malware or phishing, specific ad networks or specific online services. A lot of good lists are already included in this section and these can be left enabled (Action: Unbound).
You can find more lists to add on our Lists for pfBlockerNG Ads, Malware, Youtube & More post or at other great resources like the pfBlockerNG subreddit.
To add a list to DNSBL Feeds:
- Under the DNSBL Feeds section, click [+Add]
- Give the feed a name (no spaces).
- Add your lists (source definitions). pfBlockerNG interprets a variety of text file formats, so don’t be concerned if your list source happens to have no extension. If you are manually adding domains (e.g. msn.net or some specific domain you want to block), scroll down to DNSBL Custom_List
- For each source, leave Format on Auto and change State to On.
- Scroll down to Settings and change Action to Unbound.
- Change Update Frequency to whatever makes sense for this list. For most community-maintained lists, Daily or Weekly is a good choice. For feeds that are only manual entries in the Custom_list section, this can be left at Never.
- Click Save DNSBL Settings and navigate back to your Update tab and click Run.
IPv4 & IPv6 Lists
As mentioned earlier, pfBlockerNG includes some useful IPv4 block lists that we can leave in-place without threatening our system resources or causing other problems.
There’s a great number of IPv4 & IPv6 resources available online for use with pfBlockerNG or other firewall applications. Many of these have to do with network security and administration.
Since the focus of this post is content filtering, I’ll mention a few lists we used to block access to Tor entry, middle and exit nodes. I added the following to a feed for IPv4 and/or IPv6 (as indicated in parenthesis) below. I followed the same steps as adding DNSBL Feeds above, set the action to Deny Both saved the feed and updated pfBlockerNG:
- BinaryDefense TOR (IPv4) list: https://www.binarydefense.com/tor.txt
- EmergingThreats TOR (IPv4 & IPv6) list: https://rules.emergingthreats.net/open/suricata/rules/tor.rules
- I-BlockList TOR (IPv4) list: http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz
- Unlockforus TOR (IPv4) list: https://unlockforus.com/pfblockerng/tor_nodes_ipv4.txt (These are lists separated out from the commonly used dan.me.uk lists for this purpose, see this post for more information).
- Unblockforus TOR (IPv6) list: https://unlockforus.com/pfblockerng/tor_nodes_ipv6.txt
As a sidebar, I’d like to note that Tor blocking can also be achieved through DNSBL using lists created by the Tor Project and Dan.me.
Differences between IPBL and DNSBL
The primary difference between DNSBL and IPBL in pfBlockerNG is in their functionality, while DNSBL uses Unbound (DNS Resolver) to block network clients from accessing specified domains, IPBL creates firewall rules to block network clients from accessing IPs and to keep those IPs from accessing your network. You’ll notice this in the way the Action is applied. Where DSNBL only has Unbound or Disabled, IPBL has a variety of actions, Denying inbound, outbound, both or simply matching and logging the traffic. IPBL has as many modes of enforcement of a firewall rule because it uses firewall rules to block traffic, where DNSBL simply uses the DNS resolver to send the client a different answer.
Testing Your Configuration
There’s a variety of ways you can test your configuration for pfBlockerNG:
- Try to visit a website included in your DNSBL lists, you should arrive at your virtual IP (DNS Sinkhole) referenced in DNSBL settings (default 10.10.10.1). If SSL is not configured on your pfSense device and the browser is trying to load an SSL page, you’ll likely receive an SSL warning in your browser which works just as well (user is still blocked).
- Try an nslookup or dig of a domain in your DNSBL lists, it should return the virtual IP of your DNS Sinkhole (default 10.10.10.1)
- For IP blocking: simply try and ping an IP on one of your block lists. It should not be reachable.
Selectively enforcing pfBlockerNG for specific clients or networks
Unfortunately, filtering content for specific clients or networks in pfSense while keeping pfBlockerNG is not a simple task. If we wanted a simpler solution, we could’ve just added a Custom DNS server for our VLAN we wanted content filtered on. Unfortunately, doing this circumvents Unbound (DNS Resolver) and we lose the functionality of pfBlockerNG. To complicate matters more, Unbound does not allow you to specify different servers for the same lookup zone based on who’s querying the server.
Selective enforcement for DNSBL
A post on the NetGate forums lead us to the solution implemented in this post. Using lines added to your Custom Options field under Services->DNS Resolver in this fashion enables you to include pfBlockerNG’s configuration for specified clients/networks, but not others.
Please backup your pfSense configuration before proceeding, as changes to your Unbound configuration might crash your pfSense device if not implemented correctly.
server:
access-control-view: 192.168.10.0/24 bypass
access-control-view: 192.168.20.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf
In this example, we have network 192.168.10.x set to an Unbound view that does not include our pfBlockerNG DNSBL configuration. This means all the Unbound commands generated by pfBlockerNG are not referenced when a client in 192.168.10.x queries pfSense, so DNS queries go through unchanged. For the 192.168.20.x network, the entries are included and redirected to our sinkhole.
It’s important to note that you can use these entries in any CIDR notation that fall within your network topology. To filter content for a specific IP, you could specify 192.168.10.5/32 for example.
To take the filtering a step further, we can enforce Google, YouTube, Bing and DuckDuckGo SafeSearch:
server:
access-control-view: 192.168.10.0/24 bypass
access-control-view: 192.168.20.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf
local-data: "www.google.com 60 IN A 216.239.38.120"
local-data: "www.youtube.com 60 IN A 216.239.38.119"
local-data: "www.bing.com 60 IN A 204.79.197.220"
local-data: "duckduckgo.com 60 IN A 107.20.240.232"
These entries added in our “dnsbl” view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included. We have to add them here as adding them as a Host Override on the DNS Resolver configuration page would enforce them for all clients.
Selective enforcement for IPv4/IPv6
Selective enforcement for IPv4/IPv6 is more simply configured, provided you have VLANs on your network.
In your pfBlocker IP subsection, you simply need to select the networks you’d like content filtered on and deselect any networks you would like content to be unmodified on. Any networks selected will have rules created for any IPBL lists that have Action set to Deny Outbound or Deny Both.
If you don’t have VLANs or separate interfaces setup for clients you’d like to filter, this becomes a bit more complicated. Modifying the rules created by pfBlocker won’t work as they will be re-written when pfBlocker updates. You might try creating a rule to allow the clients you want through your IPBL lists and set it to supersede your pfBlocker created rules, but I have not tested this and I’m not sure it would work. pfBlocker-NG may just default to prioritizing its rules above your manually created rules.
Fortunately, this isn’t as much of an issue as most content filtering is done through DNSBL where IPBL is more focused on network security and service filtering. IPBL lists are far less likely to interfere with normal internet access.
Some closing thoughts:
Don’ts:
- As a network or IT administrator, you should be aware that stopping the services associated with pfblockerNG (pfb_dnsbl & pfb_filter) while Unbound / DNS Resolver is running will cause crazy things to happen, including breaking the DNS Resolver service on your device temporarily.
Don’t do this!
Instead, first remove any custom options you’ve implemented with this guide to do with pfBlockerNG from your DNS Resolver Custom Options field. Then in Firewall->pfBlockerNG deselect Enable pfBlockerNG from the General Settings page and click save.