
Configuring pfBlockerNG for WAN Malicious Blocking

Log in to pfSense and head over to Firewall -> pfBlockerNG.


Go to the IP Tab.


Check that CIDR Aggregation is enabled. This will optimize the block list in the long run.
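To illustrate what CIDR aggregation does to a block list, here is an added example (not part of the original guide, and not pfBlockerNG's own code) that uses Python's `ipaddress` module on a constructed sample feed. The function names `parse_feed`, `aggregate` and `still_covered` are hypothetical.

```python
import ipaddress

# Constructed sample feed using documentation-only address ranges.
SAMPLE_FEED = """\
# constructed sample, not a real feed
198.51.100.0/25
198.51.100.128/25
198.51.100.7
203.0.113.4
203.0.113.5
203.0.113.5   ; duplicate entry
192.0.2.0/24
192.0.2.64/26
not-an-ip
"""

def parse_feed(text):
    """Return (networks, rejected) parsed from a plain-text IP feed."""
    networks, rejected = [], []
    for raw in text.splitlines():
        # Strip '#' and ';' comments plus surrounding whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # keep malformed lines for review
    return networks, rejected

def aggregate(networks):
    """Merge duplicates, adjacent blocks and covered subnets (IPv4 only)."""
    v4 = [n for n in networks if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))

def still_covered(original, aggregated):
    """Check that aggregation did not drop any address from the list."""
    return all(any(n.subnet_of(a) for a in aggregated)
               for n in original if n.version == 4)

if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    agg = aggregate(nets)
    print(f"{len(nets)} entries -> {len(agg)} after aggregation")
    print("aggregated:", ", ".join(str(n) for n in agg))
    print("rejected lines:", bad)
    print("coverage preserved:", still_covered(nets, agg))
```

Fewer, larger entries cover the same addresses, which keeps the firewall table smaller as feeds grow.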


Make sure Inbound Firewall Rules is set to WAN and that its action defaults to Block. For Outbound Firewall Rules, choose the LAN interfaces; the action here can be set to Reject instead of Block.

Save IP Settings when finished.


Check that Kill States is enabled. This will kill existing connections that are connecting to an IP in the Feed-list upon feed updates and reloads.


Next, head over to the Feeds tab. This is where you can select from a list of possible feeds to add to pfBlockerNG. pfBlockerNG will refer to the DNS and IPs listed in those feeds and block any traffic that matches the DNS or IP in the feed.


Choose your feeds carefully. Some feeds may contain more false positives than others. You can hover over the information icon next to the categories to find out more about them.

For WAN Malicious Blocking, I use the PRI1 group as it contains minimal false positives.


Click on the plus sign on the right to add an individual feed, or click on the plus sign on the left to add the entire group of feeds.


Make sure each Feed is set to On so that pfBlockerNG will pull down data from the feeds. Click Save IPv4 Settings.

Note that the Pulsedive feed-list will require an API key. You can remove the feed if you do not have the API key.


Go back to the IPv4 tab. Under Action, select Deny Inbound, and Save.


Head over to the Update Tab, and click Run. This will pull down data from the Feeds to pfBlockerNG.


On the same Update page, select the Reload option and click Run again. This will allow pfBlockerNG to reload with the new feed data from the previous update.


That's it! You have now added some feeds to pfBlockerNG for blocking malicious traffic. If you head over to the Reports tab, you will start seeing some blocked traffic already. This is normal, as the internet is filled with bots constantly scanning things around.
