pfBlockerNG Guide - Sunnyvalley - Io

The document provides information about pfBlockerNG, an open-source package for pfSense software that provides advertisement blocking, malicious content blocking, and geo-blocking capabilities. It discusses what pfBlockerNG is, its history and development, features like IP blocking, DNS blocking, inbound/outbound filtering, and how to install and configure it on a pfSense firewall.

Uploaded by Giulia Schiesaro

22/05/22, 17:49 pfBlockerNG Guide - sunnyvalley.io


pfBlockerNG Guide
pfBlockerNG is an excellent Free and Open Source package developed for pfSense® software
that provides advertisement blocking and malicious content blocking, as well as geo-blocking
capabilities.

By installing pfBlockerNG, you can not only block ads but also web tracking, malware and
ransomware. When you use pfBlockerNG, you gain extra security and privacy. It will do this for
your entire network by utilizing a feature known as DNSBL (short for Domain Name System-
based Blackhole List). pfBlockerNG also allows you to block internet traffic from specific IP
addresses. These IP addresses may belong to specific countries and regions, which can be very
useful in protecting your network from all of those hackers attempting to gain access to it.

TIP

If you want to also add Next Generation Firewall capabilities to your open source firewall,
check out ZENARMOR (previously Sensei). Zenarmor is a plug-in that upgrades your open
source firewall to a NGFW in a matter of seconds.

Some of the available features are: Application/User based blocking, Web/Content Filtering,
Enterprise-grade Network Analytics, Policy-based filtering, Ad Blocking, Real-time Cloud
Threat Intelligence, Active Directory Integration, Cloud-managed central policies and many
more.

Zenarmor Free Edition is forever free for open source firewalls.

Check out the Product Page for more information, or Try it here for free.

What is pfBlockerNG?
pfBlockerNG is a pfSense® software package created by BBCan177 and used for IP/DNS-based
filtering. It is based on the previous work of Marcello Coutinho and Tom Schaefer. The project's
goal was to extend pfSense's core firewall functionality by allowing users to control and manage
inbound and outbound access through the firewall using IP and DNS control lists.
https://www.sunnyvalley.io/docs/network-security-tutorials/pfblockerng 1/48

pfBlockerNG gives pfSense® software the ability to make allow/deny decisions based on items
like the geolocation of an IP address, the domain name of a resource, or the Alexa ratings of
specific websites.

Most of the pfSense® software users think that pfBlockerNG is a fantastic package and a
pfSense® installation would be incomplete without it.

History of pfBlockerNG
Since 2014, pfBlockerNG has been protecting assets behind pfSense® software in consumer and
corporate networks. The desire for a unified solution to manage IP and domain feeds with
rich customization and management features drove its development. BBcan177, an independent
developer, created, designed, and developed pfBlockerNG, and still supports and maintains it.

Before pfBlockerNG was born, pf-blocker, developed by Marcello Coutinho, was widespread
among the pfSense® community. pf-blocker was the successor of Country Block, developed by
Tom Schaefer. On Oct 27, 2011, Country Block ended and pf-blocker took over. The package was
designed to keep a mail server from being flooded with spam. However, pf-blocker was unable
to process the required feeds, and when large IP feeds were added, it crashed. BBcan177 had
offered to assist the developer in adding some additional functionality, but got nothing in
return. As a result, pf-blocker's life was short, and the last commit to the pf-blocker GitHub
repository was on Jun 20, 2014. Fortunately, pfBlockerNG was released on Nov 30, 2014, and
pf-blocker ended.

BBcan177 takes a lot of responsibility for developing pfBlockerNG and making sure that it is
thoroughly tested before release and that any issues are resolved as soon as possible.

It's worth noting that BBCan177 has a Patreon campaign where you can easily donate a few
dollars to ensure he keeps up with and improves the package. We strongly encourage you to
donate if you are using pfBlockerNG in a production environment.

At the time of writing this article, the latest version of pfBlockerNG-devel package is v3.0.0_16
released on April 8th of 2021.

Features of the pfBlockerNG

pfBlockerNG includes a wide variety of features such as country blocking, IP/DNS blacklisting,
and IP reputation blocking to protect your network from unwanted traffic. We will cover the
pfBlockerNG features briefly below.

IP Blocking
pfBlockerNG allows you to create firewall rules based on IPv4 and IPv6 address spaces, so that
you can control both incoming and outgoing traffic on single or multiple interfaces. You can also
restrict IP addresses according to geolocation, that is, the identification or estimation of an IP
address's real-world geographic location. MaxMind, an industry leader in the accuracy of IP
geolocation, provides and maintains the lists used by pfBlockerNG. Websites host content and
media on servers all over the world, so be cautious about blocking too much. Inadvertently
blocking some of these IP addresses may result in broken websites or unavailable downloads.

DNS Blocking
pfBlockerNG can also control DNS Resolver access to prevent access to malicious websites
such as advertisements, threats, and malware. Domain blocking is a very effective method to
filter tracking domains, malicious domains, and advertisements. Your DNS requests are checked
against a blocklist as you browse the internet. If a match is found, the request is denied. It's an
excellent way to block ads without using a proxy server.

Domain names gathered from various blacklist sources or entered manually are used to
generate optimized DNS Resolver blocklists. You can subscribe to popular user-maintained
blocklists as well as use prebuilt EasyLists.

INFO

The EasyList filter lists are sets of rules originally designed for Adblock that automatically
remove unwanted content from the internet, such as irritating advertisements, bothersome
banners, and inconvenient tracking. It is the most commonly used list by many ad blockers
and serves as the foundation for over a dozen combination and supplementary filter lists.

Inbound traffic filtering


pfSense® software blocks all inbound traffic by default. Therefore, there is no need to apply a
rule to inbound traffic for additional protection unless there are open ports on your firewall.
However, you may occasionally have a number of ports open, exposing a VPN endpoint and
several self-hosted services. If this is the case, then it is advisable to use the custom IP list and
GeoIP restriction features of pfBlockerNG to limit access.


Outbound traffic filtering


Outbound blocking is available in pfBlockerNG to prevent users from accidentally visiting
malicious websites. When combined with logging, this is a useful method for identifying
potentially compromised devices.

Policy-based routing
pfBlockerNG allows you to create policy-based routing firewall rules that direct traffic away from
specific gateways or gateway groups.

Malicious DNS Blocking and advert limiting


DNS blocking to networks served by the DNS Resolver is also supported in pfBlockerNG to
prevent access to tracking and/or malicious sites. Be cautious of the possibility of introducing
false positives.

Spam Filtering
If you have a mail server on your network, pfBlockerNG is an excellent package to use. You can
prevent spam from reaching your server by including a spam blacklist, such as Spamhaus.

Whitelists
If you want a domain not to be blocked, pfBlockerNG allows you to add it to the whitelist.

SafeSearch
SafeSearch can be configured for the most popular search engines. You can also block Firefox's
DNS over HTTPS and set YouTube restrictions.

How to Install and Configure pfBlockerNG


You can easily set up and configure the pfBlockerNG package on your pfSense® software
firewall by following these steps:

1. pfBlockerNG package installation
2. pfBlockerNG initial configuration


pfBlockerNG package installation


To install the pfBlockerNG package, you may follow the instructions given below.

1. Access your pfSense® software WebGUI.

Figure 1. pfSense® Software CE GUI sign-in page

INFO

The default username and password for pfSense® software are admin and pfsense. It is
strongly recommended that you change your password to a strong one.

2. Navigate to System -> Package Manager -> Available Packages.


Figure 2. Accessing Package Manager on pfSense® Software CE GUI


Figure 3. Accessing Available Packages on pfSense® Software CE GUI

3. Type pfblockerng into the search field and then click Search.
4. Click Install on the version with -devel at the end of the package name.

Figure 4. Search and install pfBlockerNG-devel package

5. Click Confirm to let the package install. This will take some time because it needs to
download several files and databases.

Figure 5. Confirmation for installing pfBlockerNG-devel package

6. Once the installation is complete, you should see success after a few minutes.


Figure 6. pfBlockerNG-devel package installation completed successfully

pfBlockerNG initial configuration


1. Click on the Firewall drop-down menu on your pfSense® software GUI.
2. Click on pfBlockerNG to start the configuration wizard.

Figure 7. Accessing pfBlocker menu on pfSense® software GUI


3. Click Next to continue.

Figure 8. pfBlockerNG setup wizard

4. Click Next to proceed to the configuration. This will remove all settings if you have
previously configured pfBlockerNG and install the following components:

IP: Firewall rules will be defined for the WAN interface to block the worst-known attackers.
DNSBL: The DNS Resolver will be used so that advertising and other known malicious domains
are blocked.

Figure 9. pfBlockerNG component installation notice

5. Select [WAN](/docs/network-basics/what-is-wan) for Inbound Firewall Interface and
[LAN](/docs/network-basics/what-is-lan) for Outbound Firewall Interface to complete
the IP Component Configuration. If you have more than one internal interface, you may
select all the ones you wish to set up pfBlockerNG for.

Figure 10. pfBlockerNG IP Component Configuration

6. Click on Next to proceed to the configuration.
7. Enter an IP address that is not used in your networks for the VIP address and leave the
port and SSL port at their defaults. The pfBlockerNG DNSBL web server will run on this
address. If your LAN is 10.1.1.0/24, the VIP address should not be in this range. In our
example, we leave the address at 10.10.10.1. You may also enable the IPv6 DNSBL and DNSBL
Whitelist options.


Figure 11. pfBlockerNG DNSBL Component Configuration

8. Click on Finish to finish the wizard. The setup is now complete.

Figure 12. pfBlockerNG initial configuration finalize

9. The pfBlockerNG update page then appears, and all activated blocklists are automatically
downloaded and activated. Also, you may select the Cron option for regular updates.

Figure 13. pfBlockerNG update settings

Congratulations! You now have a basic pfSense® web filter running with pfblockerNG!


Figure 14. pfBlockerNG installation is complete

General Settings of pfBlockerNG


To view or change the general settings of pfBlockerNG, navigate to Firewall ->
pfBlockerNG -> General.

Make sure that pfBlockerNG is enabled on your pfSense® software firewall. You may leave the
settings on this page at their default values.


Figure 15. General Settings of pfBlockerNG

IP Filtering
Even if the firewall is not configured with open internet-facing ports, local users may
inadvertently initiate connections to malicious servers, which is a high security risk for
your network. To reduce the likelihood of this happening, you should restrict access to known
sources of ransomware, malware, botnets, and Command & Control (C&C) servers. Through the
bundled PRI1 feed, pfBlockerNG provides regularly updated blocklists.

In this section, we'll explain how to enable the IP feeds (PRI1-PRI5 groups) on pfBlockerNG and
set up a firewall rule to prevent outbound traffic from reaching any address in those groups.

IP Configuration


Navigate to Firewall -> pfBlockerNG -> IP and ensure the following settings on the
IP Configuration pane.

1. Enable De-Duplication. This option reduces the list size by detecting and removing
duplicate entries.
2. Enable CIDR aggregation. This option optimizes CIDRs by merging adjacent and overlapping
ranges. Because CIDR aggregation is processor intensive, you may need to disable it if your
firewall does not have enough power.
3. Enable Suppression. When enabled, RFC1918 and loopback addresses are filtered out of the
lists, which makes sure that your local subnets are never blocked. pfBlockerNG also removes
any deny-list entries that match those in the Suppression list, which can be populated
manually or automatically from the pfBlockerNG Alerts tab.
4. You may leave the other settings at their defaults, but ensure that the Placeholder IP
address is not used in your network. You may also enable ASN reporting. When it is enabled,
the Alerts and Statistics tabs report the ASN for Block/Reject/Permit/Match IP entries. The
ASN details are collected from BGPview.io and cached for 1 week (24, 12, 4 or 1 hour caching
can be configured instead).

Figure 16. IP Configuration pane of pfBlockerNG


5. Click the Save IP Settings button at the end of the page.
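As an added example (not pfBlockerNG's own code, which does this list processing in its PHP and shell scripts), the Python below reproduces what the three options above do to a feed: De-Duplication, CIDR aggregation and Suppression. The feed lines and the suppression entries are constructed; Suppression is modelled as dropping RFC1918 and loopback entries and carving the listed /32 or /24 ranges out of the deny list, which is the behaviour the page describes.

```python
import ipaddress

# Constructed sample feed (not a real blocklist). It deliberately contains
# duplicates, overlapping CIDRs, an RFC1918 range, a loopback address and
# one malformed line so that every option has something to act on.
SAMPLE_FEED = [
    "203.0.113.5",
    "203.0.113.5",          # duplicate -> removed by De-Duplication
    "203.0.113.0/25",
    "203.0.113.128/25",     # adjacent halves -> merged by CIDR aggregation
    "198.51.100.0/24",
    "198.51.100.77",        # already inside the /24 -> folded by aggregation
    "192.168.1.0/24",       # RFC1918 -> dropped by Suppression
    "127.0.0.1",            # loopback -> dropped by Suppression
    "192.0.2.10",
    "192.0.2.0/24",
    "not an ip",            # malformed line -> skipped by the parser
]

# Constructed suppression list, one /32 or /24 per line as the page requires.
SAMPLE_SUPPRESSION = ["192.0.2.0/24", "203.0.113.5/32"]

# Ranges the Suppression option always removes (RFC1918 plus loopback).
ALWAYS_SUPPRESSED = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8")]

def parse_feed(lines):
    """Turn raw feed lines into IPv4 networks, skipping unparsable lines."""
    nets = []
    for line in lines:
        try:
            net = ipaddress.ip_network(line.strip(), strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets

def deduplicate(nets):
    """De-Duplication: keep the first copy of each identical entry."""
    seen, out = set(), []
    for net in nets:
        if net not in seen:
            seen.add(net)
            out.append(net)
    return out

def aggregate(nets):
    """CIDR aggregation: merge adjacent and overlapping networks into the
    smallest set of CIDRs covering exactly the same addresses."""
    return list(ipaddress.collapse_addresses(nets))

def suppress(nets, suppression_lines=()):
    """Suppression: drop RFC1918/loopback entries, drop entries wholly inside
    a suppressed range, and carve a suppressed /32 or /24 out of any larger
    entry that contains it (the rest of that entry stays blocked)."""
    supp = []
    for line in suppression_lines:
        net = ipaddress.ip_network(line.strip(), strict=False)
        if net.prefixlen not in (24, 32):
            raise ValueError(f"suppression entries must be /24 or /32: {net}")
        supp.append(net)
    kept = []
    for net in nets:
        if any(net.subnet_of(r) for r in ALWAYS_SUPPRESSED):
            continue
        pieces = [net]
        for s in supp:
            next_pieces = []
            for piece in pieces:
                if piece.subnet_of(s):
                    continue                                   # wholly suppressed
                if s.subnet_of(piece):
                    next_pieces.extend(piece.address_exclude(s))  # carve it out
                else:
                    next_pieces.append(piece)
            pieces = next_pieces
        kept.extend(pieces)
    return sorted(kept)

def build_blocklist(feed_lines, suppression_lines=()):
    """Run a feed through the same steps as the IP Configuration pane."""
    nets = parse_feed(feed_lines)
    nets = deduplicate(nets)
    nets = aggregate(nets)
    nets = suppress(nets, suppression_lines)
    return [str(n) for n in nets]

def is_blocked(ip, blocklist):
    """True if ip falls inside any CIDR of the finished blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in blocklist)
```

Running `build_blocklist(SAMPLE_FEED, SAMPLE_SUPPRESSION)` shows the suppressed /32 carved out of the aggregated /24 while the remaining addresses of that /24 stay blocked.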

MaxMind GeoIP configuration


With pfBlockerNG's GeoIP feature, you can filter traffic to and from entire countries or continents.
pfBlockerNG accomplishes this by utilizing the MaxMind GeoIP database, which requires a
license key. This license key is completely free. The MaxMind License Key field description
includes a link to the MaxMind registration page.

To obtain your license key, fill out the registration form on the MaxMind sign-up page.

Figure 17. MaxMind GeoLite2 Sign Up page


Figure 18. MaxMind Managing license keys

After generating a license key, enter it in the MaxMind License Key field on the pfBlockerNG.

You may select MaxMind localized language as you wish. The following languages are available:

English
French
Brazilian Portuguese
Spanish
German
Japanese
Simplified Chinese

Also, you may disable the MaxMind monthly CSV GeoIP database cron update.

Figure 19. MaxMind GeoIP configuration


IPv4 Suppression List


pfBlockerNG allows you to add the IP addresses (only for /32 or /24) that should never be
blocked to the suppression list. You can add one IP address per line. You must run Force
Reload-IP after manually adding an IP address to this list, for changes to take effect.

Figure 20. IPv4 Suppression list

IP Interface/Rules Configuration
According to the settings in the IP Interface/Rules Configuration pane, pfBlockerNG defines
firewall rules automatically. In this pane, you specify which inbound and outbound
interface(s) pfBlockerNG's IPv4, IPv6, and GeoIP filtering apply to. To set the inbound and
outbound interfaces, follow these instructions.

1. Select WAN for Inbound Firewall Rules to apply auto rules to the inbound interface.
2. Select LAN for Outbound Firewall Rules to apply auto rules to the outbound interface.
3. Enabling the Floating Rules option may be useful if you have more than one outbound
interface. Floating rules are special firewall rules that take precedence over regular firewall
rules, which ensures that pfBlockerNG begins filtering traffic as soon as it enters the firewall.
Another advantage is that pfBlockerNG will generate the floating rules for you.
4. Enable Kill states. Since IP blocklists are updated several times per day, you should
allow pfBlockerNG to immediately kill any existing connection to a newly blocked IP.
5. You may leave the other options at their defaults.
6. Click on the Save IP Settings button at the bottom of the page.


Figure 21. IP Interface/Rules Configuration on pfBlockerNG

Enabling IPv4 Filtering


On pfBlockerNG, the PRI1 feed is enabled by default. Feeds are publicly available blocklists that
pfBlockerNG is configured to synchronize with on a regular basis. To view the list of enabled IPv4
feeds, navigate to Firewall -> pfBlockerNG -> IP -> IPv4.

Figure 22. Enabled IPv4 feed on pfBlockerNG

The PRI1 feed has fairly broad coverage but is designed to avoid false positives, so there is a
greater chance that it will miss genuine threats. To harden the security of your network, you
should enable additional IPv4 feeds on your pfBlockerNG. To view the list of available feeds on
pfBlockerNG, navigate to Firewall -> pfBlockerNG -> Feeds.


Figure 23. IPv4 Category feeds(PRI1-5)

At the time of writing, the available number of feeds per category type is given below:

Category   Number of Feeds
IPv4       92
IPv6       14
DNSBL      140

Table 1. Number of Feeds per Category Type

IPv4 category feeds are divided into five groups (PRI1-5). These PRI groups cover known
ransomware, malware, botnets, Command & Control (C&C) servers, bots, web scripts, phishing and
compromised servers, malicious IPs found attacking SSH, SMTP, IMAP, TELNET and FTP endpoints,
and other known originators of malicious behavior. In general, the lower the number, the more
pfBlockerNG tries to avoid false positives. Therefore, you should be prepared for some websites
to become unexpectedly unreachable if you enable the more restrictive lists (PRI3 and above). In
such cases, some troubleshooting and possibly whitelisting of false positives will be required.
There are also a variety of feed groups aimed at blocking specific types of malicious or
undesirable traffic, such as:

Scanner (Internet Storm Center)
Mail (known sources of spam; useful for protecting mail servers)
Forum Spam
Tor nodes (known Tor exit points; not inherently dangerous, but you may want to isolate
users anonymizing their traffic)
Internic (contains root name servers needed to initialize the cache of Internet domain name
servers)
Proxy IP
Torrent IP
Public DNS
DoH (DNS over HTTPS)
VPN
BlocklistDE


Figure 24. Other IPv4 Category feed groups

You may enable IPv4 category PRI3 group feeds on your pfBlockerNG by following the next
steps.

1. Scroll down to the PRI3 group header and click the + icon next to the group name. This will
redirect you to the settings page to add the rule.


Figure 25. Adding IPv4 category PRI3 group feeds

2. You may set the name and description, or leave them as default.
3. Select the ON option in the State drop-down menu for all feeds in the IPv4 Source
Definitions pane. You may also select the HOLD option if you wish to download the list once
but exclude it from automatic updates. We will not enable the BBC_C2 feed as it requires an
API key.
4. You may also click the Enable All button at the bottom of the IPv4 Source Definitions
pane to enable all feeds.


Figure 26. IPv4 source definitions for PRI3 group

5. Scroll down to the Settings pane and select one of the Action options you wish to take
when an IP address is matched.
6. Select Deny Both in the Action drop-down menu to apply the rule to both inbound and
outbound connections.


Figure 27. IPv4 category settings to add PRI3 feeds on pfBlockerNG

7. Leave the other settings at their defaults.
8. Click on the Save IPv4 Settings button.
9. Congratulations! You have successfully enabled IPv4 category PRI3 feeds on your
pfBlockerNG to protect your network.
10. You may also apply the PRI feeds rule to both inbound and outbound connections by selecting
Deny Both in the Action drop-down menu and clicking the Save button on the IPv4 Summary pane.

Figure 28. IPv4 category settings


You can follow similar steps for enabling other PRI groups, IPv6 and DNS blocklists: add the
alias group, select the lists you want to enable, and choose the action to be taken when an
item is matched. However, be aware that each enabled list has a memory and processing cost,
and you may overload your hardware.

Verifying IPv4 Filtering


By following the steps below you may verify IPv4 filtering on your pfBlockerNG. Before
starting to test IPv4 filtering, you should ensure that the pfBlockerNG lists are up to date. If
they are not, you may force an update by clicking on the Run button under Update Settings on
the Update tab of pfBlockerNG.

1. Navigate to Firewall -> Rules -> Floating.
2. Ensure that the firewall rules for blocking IPv4 category PRI3 groups are added.

Figure 29. Firewall floating rules on pfSense® software for blocking IPv4 category PRI3 groups

3. Hover your mouse over the Source pfB_PRI3_v4 to view the blocked IP lists.


Figure 30. Viewing IPv4 PRI3 alias details

4. Note one of the IP addresses from the list to try to access when testing IPv4 filtering. We
will select 1.0.221.21 for testing.
5. Open your browser and enter the IP address you selected from the list in the address bar,
or ping the IP address from the CLI prompt. You should see that the IP address is not
reachable.

Figure 31. PRI3 ip address is not reachable


6. To confirm that the IP address is blocked by pfBlockerNG, check the related firewall logs by
clicking on the Related log entries icon at the top right corner of the page.
7. Search for the IP address that you tried to access, such as 1.0.221.21. You should see the
related log entries showing that the PRI3 IP address is blocked by pfBlockerNG, as given in the
figure below.

Figure 32. Firewall log showing PRI3 ip address is blocked by pfBlockerNG

GeoIP Blocking
GeoIP feature of the pfBlockerNG can be useful for restricting access to specific regions. This
will not be useful in all circumstances because not all regions are malicious. However, if all of
your expected traffic comes from a specific geographic region, allowing traffic from other
regions is pointless because it exposes you to additional risk for no real benefit. In most cases,
you'll only need to block inbound access based on GeoIP data. This allows your local users to
access any websites all over the world while blocking inbound access from regions where you
don't expect traffic.

To enable GeoIP blocking on your pfBlockerNG:

1. Navigate to Firewall -> pfBlockerNG -> IP -> GeoIP.
2. Select Deny Inbound in the Action drop-down menu for Top Spammers (a list of countries that
have been identified as a frequent source of online attacks) and Proxy and Satellite (well-known
anonymous proxy and satellite providers).
3. You may also select one of the continents where you never expect legitimate traffic to
originate.


Figure 33. GeoIP blocking on pfBlockerNG

4. Click the Save button.

Instead of blocking a whole region, you may block specific countries. To block a country in a
region:

1. Click on the pencil icon next to the region.
2. Select the countries that you wish to block.
3. Enable List Action and Logging.
4. Click on Save.


Figure 34. Blocking countries using GeoIP on pfBlockerNG

DNS Blocking
You may block advertisements and some malicious sites in categories such as malware, porn,
gambling, etc. with pfBlockerNG's DNS blackholing capability. When you enable the DNSBL feature
on your pfBlockerNG, DNS requests that match a list of known ad networks and trackers are
blocked at the DNS level on your network.

To be able to use the DNS blocking feature of pfBlockerNG, you should make sure that your
client devices are configured to use the pfSense® software firewall as their DNS server. If you
are using a standard pfSense® software configuration, this will be set automatically. However, if
you have configured an alternative DNS server, such as a Pi-hole, you should check the DNS
configuration on pfSense® software and configure client devices to use it.

1. Navigate to Services -> DNS Resolver -> General Settings and check that the DNS
resolver is enabled.

Figure 35. Enabling DNS resolver on pfSense® software

2. Navigate to System -> General Setup and check that external DNS resolvers are configured,
as these will be required to forward DNS requests that aren't blocked. You may add the Google
DNS server, 8.8.8.8, as an external DNS server and click the Save button.


Figure 36. Adding DNS server on pfSense® software

3. Navigate to Services -> DHCP Server, select all the interfaces for which you want to
enable blocking, and ensure that nothing is listed under DNS servers. If you have configured
static DNS servers, set them to your pfSense® software firewall's IP address.

1. Navigate to Firewall -> pfBlockerNG -> IP.
2. Enable DNSBL.
3. Select Unbound python mode for the DNSBL mode setting.

TIP

Unbound python mode requires substantially less memory than the unbound mode. It allows
for some advanced options too.

4. Ensure that the following options are enabled:

Wildcard Blocking TLD
DNS Reply Logging: This will show you all the DNS queries which are answered by Unbound.
DNSBL Blocking
HSTS mode
CNAME Validation: This option must be enabled to make sure that an ad domain cannot bypass
DNSBL by using a different DNS name.
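As an added example (not pfBlockerNG's own code; in Unbound python mode the package does this inside a Python module loaded by Unbound), the simulation below shows what Wildcard Blocking TLD and CNAME Validation change about a lookup, and how a blocked name is sinkholed to the DNSBL VIP (10.10.10.1 from the wizard above) instead of being resolved. The domain list and the upstream records are constructed, and resolve() follows CNAMEs itself to stand in for Unbound.

```python
# Constructed DNSBL domain list standing in for a feed (not a real feed).
SAMPLE_DNSBL = {"ads.example", "tracker.example.net"}

# Constructed upstream zone data: name -> (record type, value). The CNAME
# entries model an ad or tracker host hiding behind a first-party-looking name.
SAMPLE_UPSTREAM = {
    "www.example.com": ("A", "203.0.113.10"),
    "cdn.example.com": ("CNAME", "edge.ads.example"),
    "edge.ads.example": ("A", "203.0.113.20"),
    "banner.ads.example": ("A", "203.0.113.21"),
    "metrics.example.com": ("CNAME", "tracker.example.net"),
    "tracker.example.net": ("A", "203.0.113.30"),
}

DNSBL_VIP = "10.10.10.1"  # the DNSBL web server VIP chosen in the wizard


def in_dnsbl(name, dnsbl, wildcard_tld=True):
    """Exact match against the list; with wildcard TLD blocking, a listed
    domain also covers every name beneath it."""
    name = name.lower().rstrip(".")
    if name in dnsbl:
        return True
    if not wildcard_tld:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in dnsbl for i in range(1, len(labels)))


def resolve(name, dnsbl, upstream, *, wildcard_tld=True,
            cname_validation=True, vip=DNSBL_VIP, max_hops=8):
    """Simulate one DNSBL-filtered lookup. Returns a dict with the answer,
    a verdict (blocked/allowed/nxdomain/servfail) and the CNAME chain seen.
    A blocked name is sinkholed to the VIP rather than resolved upstream."""
    chain = [name.lower().rstrip(".")]
    if in_dnsbl(chain[0], dnsbl, wildcard_tld):
        return {"answer": vip, "verdict": "blocked", "chain": chain}
    current = chain[0]
    for _ in range(max_hops):
        record = upstream.get(current)
        if record is None:
            return {"answer": None, "verdict": "nxdomain", "chain": chain}
        rtype, value = record
        if rtype == "A":
            return {"answer": value, "verdict": "allowed", "chain": chain}
        # CNAME hop: with CNAME validation each target is checked as well,
        # so a listed domain cannot be reached through an unlisted alias.
        current = value.lower().rstrip(".")
        chain.append(current)
        if cname_validation and in_dnsbl(current, dnsbl, wildcard_tld):
            return {"answer": vip, "verdict": "blocked", "chain": chain}
    return {"answer": None, "verdict": "servfail", "chain": chain}  # loop guard
```

Comparing resolve("cdn.example.com", ...) with and without cname_validation shows the bypass the option closes: the unlisted alias reaches the listed ad host unless each CNAME target is checked.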


Figure 37. DNSBL settings on pfBlockerNG

5. Scroll down to the DNSBL Webserver Configuration pane. Make sure that the Virtual IP
address is correct and is not already used in the network. You may leave the other settings at
their defaults.


Figure 38. DNSBL webserver configuration on pfBlockerNG

6. Scroll down to the DNSBL Configuration pane.
7. Enable Permit Firewall Rules and select the LAN interface. This will create rules under
Floating in your firewall and enable pfBlockerNG for the selected networks (LAN).
8. Select DNSBL Webserver/VIP for Global Logging/Blocking Mode, so that domains are
sinkholed to the DNSBL VIP and logged via the DNSBL WebServer. You may leave the other
settings at their defaults.

Figure 39. DNSBL configuration on pfBlockerNG

9. Click the Save DNSBL Settings button at the bottom of the page.

Enable some DNSBL feeds

On pfBlockerNG, the ADS_Basic feed is enabled by default. To view the list of enabled DNSBL
feeds, navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups.

Figure 40. Enabled DNSBL Group feed on pfBlockerNG

The ADS_Basic feed, also known as StevenBlack_ADs, has fairly broad coverage but is designed
to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden
the security of your network, you should enable additional DNSBL feeds on your pfBlockerNG. To
view the list of available feeds on pfBlockerNG, navigate to Firewall -> pfBlockerNG ->
Feeds.


Figure 41. DNSBL Category feeds

At the time of writing, there are 140 DNSBL Category Feeds available. There are also a variety of
feed groups on pfBlockerNG aimed at blocking specific types of malicious or undesirable traffic
such as:

EasyList
ADs
Email
Malicious
Phishing
BBCAN177
STUN
DoH
Torrent
BBC
Malicious2
Cryptojackers
Compilation
Firebog_Suspicious
Firebog_Advertising
Firebog_Trackers
Firebog_Malicious
Firebog_Other

You may enable different DNSBL feeds as you wish on your pfBlockerNG by following the next
steps. Here, we will enable the EasyList group feeds on our pfBlockerNG as an example. We also
recommend adding the Steven Black feed, which is one of the best-maintained blacklist databases on
the internet.

INFO

EasyList is the primary filter list that removes the majority of advertisements from
international webpages, as well as unwanted frames, images, and objects. It is the most
commonly used list by many ad blockers and serves as the foundation for over a dozen
combination and supplementary filter lists.

CAUTION

The more feeds you enable, the more likely it is that you will disrupt internet access for
users on your network, and the more domain names you will then need to whitelist.

1. Scroll down to the EasyList group header and click the + icon next to the group name. This
will redirect you to the settings page to add the rule.

Figure 42. Adding DNSBL category EasyList group feeds

2. You may set the name and description, or leave them as default.

Figure 43. Setting name and description for newly added DNSBL feed

3. You may click the Enable All button at the bottom of the DNSBL Source Definitions pane to
enable all feeds. Here, we will enable only some of the feeds: EasyList, EasyList_Adware,
EasyList_Spanish, EasyList_Turkish and EasyPrivacy. Select the ON option in the State
drop-down menu for the related feeds in the DNSBL Source Definitions pane. You may also
select the HOLD option if you wish to download the list once but exclude it from automatic
updates.

Figure 44. DNSBL source definitions for EasyList group

4. Scroll down to the Settings pane and select one of the Action options you wish to take
when a domain name is matched.
5. Select Unbound in the Action drop-down menu.

Figure 45. DNSBL category settings to add EasyList feeds on pfBlockerNG

6. Leave the other settings at their defaults.
7. You may add your own list of domain names to block by clicking the + icon.

Figure 46. Custom DNSBL list on pfBlockerNG

8. Enter the domain name to be blocked. We will add the dnsbltest.com domain to verify
DNSBL blocking on our pfBlockerNG.
9. Click the Save DNSBL Settings button.
10. Congratulations! You have successfully enabled the DNSBL category EasyList feeds on your
pfBlockerNG to protect your network.

Figure 47. DNSBL Groups summary on pfBlockerNG

You can follow similar steps to enable more DNSBL groups: add the alias group, select the
lists you want to enable and choose the action to be taken when an item is matched. However,
be aware that each enabled list has a memory and processing cost, and you may overload your
hardware.

Forcing a reload of the DNSBL on pfBlockerNG

You may need to force a reload of the DNSBL list to activate newly enabled DNSBL settings.
Follow these steps:

1. Navigate to Firewall -> pfBlockerNG -> Update.
2. Select Reload for the Force option.
3. Select DNSBL for the Reload option.
4. Click Run.

Figure 48. Forcing a reload of the DNSBL list on pfBlockerNG

Verifying the DNSBL Blocking on pfBlockerNG

You can verify your DNSBL blocking settings on pfBlockerNG by following these steps.

1. Open your favorite browser and enter the domain name that you added to the Custom
DNSBL list. It is dnsbltest.com in our example.
2. You should see the default blocking landing page of pfBlockerNG, shown below.

Figure 49. DNSBL blocking landing page of pfBlockerNG

3. You should also see the related blocks in the pfBlockerNG alerts. Navigate to Firewall ->
pfBlockerNG -> Reports -> Alerts.
4. Search for dnsbltest.com in the DNSBL Python pane.

Figure 50. DNSBL alerts in pfBlockerNG

5. Another way to verify DNSBL is to view the DNSBL Block Stats page under the
Reports tab of pfBlockerNG. You will see the related blocks under Top Blocked Domain or Top
Blocked Evaluated Domain if the blocked domain is among the top blocked domains on your
firewall.

Figure 51. Top Blocked Domain and Top Blocked Evaluated Domain

INFO

You may add your own custom pfBlockerNG block web pages to
/usr/local/www/pfblockerng/www/ on your pfSense® software. Then activate the page in the
Blocked Webpage option of the DNSBL Configuration pane.

6. Lastly, you may check the result of a DNS query for the dnsbltest.com domain from a client
on your network. The DNS resolver of your pfSense® software should return the Virtual IP
address (10.10.10.1 by default) of the DNSBL web server.

Figure 52. nslookup for dnsbltest.com returns VIP of DNSBL server on pfBlockerNG
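The lookup in step 6, generalized to a batch check, as an added example that is not part of the original guide: it resolves each domain through the client's configured resolver (pfSense's Unbound on a LAN client) and reports whether the answer is the DNSBL VIP. The default VIP of 10.10.10.1 is taken from the guide; the verdict names and the `partial` case (a mixed answer) are assumptions made for this script.

```python
"""Check which domains a LAN client's resolver sinkholes to the pfBlockerNG DNSBL VIP."""
import socket

DNSBL_VIP = "10.10.10.1"  # default DNSBL Webserver VIP from the guide; adjust if you changed it


def classify(addresses, vip=DNSBL_VIP):
    """Map the A records returned for one domain to a verdict (names are our own).

    sinkholed - every address is the DNSBL VIP: blocked and logged by pfBlockerNG
    partial   - the VIP appears next to real addresses: worth investigating
    nxdomain  - no answer at all: blocked elsewhere, or the domain does not exist
    resolved  - normal resolution: the domain is not on any enabled DNSBL feed
    """
    if not addresses:
        return "nxdomain"
    hits = [addr for addr in addresses if addr == vip]
    if len(hits) == len(addresses):
        return "sinkholed"
    if hits:
        return "partial"
    return "resolved"


def resolve_ipv4(domain):
    """Resolve with the system resolver; on a LAN client this is pfSense's Unbound."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN or resolver failure: treated as "no answer"
    return sorted({info[4][0] for info in infos})


def verify(domains, vip=DNSBL_VIP, resolver=resolve_ipv4):
    """Return {domain: verdict}; the resolver is injectable so results can be checked offline."""
    return {domain: classify(resolver(domain), vip) for domain in domains}


if __name__ == "__main__":
    # Constructed sample: the custom entry from the guide plus a site that should resolve normally.
    for domain, verdict in verify(["dnsbltest.com", "example.com"]).items():
        print(f"{domain:20} {verdict}")
```

Run it from a LAN client after the DNSBL reload; dnsbltest.com should report sinkholed while sites you did not block report resolved.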

Ad-Blocking Verification

To verify the ad-blocking feature of the pfBlockerNG, you may connect to the yahoo.com website
on your favorite browser. You should see empty spaces in the place of advertisements on the
page as given below.

Figure 53. yahoo.com page with ad-blocking (ads in the red rectangles are blocked)

Figure 54. yahoo.com page without ad-blocking

DNS over HTTPS/TLS Blocking

pfBlockerNG allows you to block DNS over HTTPS/TLS packets on your network. It includes a
comprehensive list of known public DNS servers that support DNS over HTTPS. Because unmanaged
DNS over HTTPS is a serious privacy and security risk, you should enable the DoH/DoT (DNS over
HTTPS/DNS over TLS) blocking feature on your pfBlockerNG. Otherwise, some users on your network
may bypass pfBlockerNG's ad-blocking and pfSense's DNS server.

To enable DoH/DoT Blocking you may follow the steps listed below.

1. Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
2. Select Enable for DoH/DoT Blocking in the DNS over HTTPS/TLS Blocking pane.
3. Select all the DNS servers you want to block from the DoH/DoT Blocking List.
4. Click the Save button at the bottom of the page.

Figure 55. Enabling DoH/DoT on pfBlockerNG

Enabling SafeSearch and YouTube Restrictions

pfBlockerNG has a SafeSearch feature which forces search sites to use their "Safe Search"
algorithms. At the time of writing, SafeSearch is supported by Google, Yandex, DuckDuckGo,
Bing and Pixabay.

pfBlockerNG also allows you to use YouTube Restrictions on your network. YouTube Restricted
Mode filters out potentially mature videos while leaving a large number of videos still available.
You may use the following settings for YouTube restrictions on your pfBlockerNG:

Strict: This setting is the most restrictive. Strict Mode does not block all videos, but works
as a filter to screen out many videos based on an automated system, while leaving some
videos still available for viewing.
Moderate: This setting is similar to Strict Mode but makes a much larger collection of
videos available.

To enable SafeSearch and YouTube Restrictions you may follow the steps listed below.

1. Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
2. Select Enable for SafeSearch Redirection in the SafeSearch settings pane.
3. Select Moderate or Strict to enable YouTube Restrictions.
4. Click the Save button at the bottom of the page.

Figure 56. SafeSearch settings on pfBlockerNG

Whitelisting

While you shouldn't have too many problems as long as you don't get too creative with your
blocklists, legitimate services may be blocked in some cases. This may be a genuine false
positive, but it can also be an indication that a legitimate site has been compromised and is now
serving malicious traffic, so always be careful before whitelisting. Because the blocklists are
frequently updated, these issues are often temporary.

When you need to whitelist something on pfBlockerNG, follow these steps:

1. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.
2. Look through the list of recent blocks and add the offending item to the whitelist by clicking
the + icon next to it. For example, we will add the dnsbltest.com domain that we used for
DNSBL testing to the whitelist. This pops up a confirmation message.

Figure 57. Domain Whitelisting on pfBlockerNG

3. Click OK.
4. It will ask you whether to whitelist this domain only or to add a wildcard for the domain.
Select as you wish.

Figure 58. Domain Whitelisting on pfBlockerNG-2

5. You will then have the option to add a description. To enter a description, click Yes and
then type the description.

Figure 59. Enter a description for whitelist

6. pfBlockerNG will no longer block the whitelisted domain.

Figure 60. Whitelisting completed successfully
