For more information on pfBlockerNG: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
- pfSense version: 2.4.5-RELEASE-p1
- pfBlockerNG version: 2.1.4_22
1. Requirement note:
We use DNSBL in pfBlockerNG to filter content at the DNS level, so pfSense (its LAN address) should be the default DNS server configured on your clients. If you don't want to use pfSense as the clients' default DNS server, you should configure a forwarder on your own DNS server that points directly to pfSense. In my case, I will use pfSense as the DNS server for my clients :) .
I assume everything is already working normally; you can read my previous post to set that up.
2. Configure pfBlockerNG on pfSense:
Step 1: Install pfBlockerNG:
Go to System > Package Manager > Available Packages > search for pfBlockerNG > click Install
Step 2: Configure the DNS Resolver:
Go to Services > DNS Resolver (the DNS Resolver is enabled by default after installing pfSense)
I keep everything at its defaults; for simplicity, I just add Host Overrides and Domain Overrides to tell pfSense to look up our local DNS for internal names.
Don't forget to allow your LAN network in the Access Lists tab of the DNS Resolver.
Step 3: Configure pfBlockerNG:
Go to Firewall > pfBlockerNG
I want to configure the DNSBL feeds first, so we navigate to DNSBL > DNSBL Feeds
In the DNSBL Feeds window, click the ADD button to define the DNSBL group we want to block
- For the DNSBL Settings, I use the hosts file list (the unified hosts file, available in 15 variants) from https://github.com/StevenBlack/hosts
Go back to the General tab to enable pfBlockerNG:
- MaxMind License Key: you can register for a MaxMind license key here: https://www.maxmind.com/en/geoip2-services-and-databases
- I often use GeoIP in this case: we have some public servers behind pfSense but want to reject access to those servers from certain locations around the world.
Next, we need to force an update and reload of the DNSBL database: go to the Update tab, then run Update and Reload.
Finally, we should restart both services, DNSBL and unbound (the DNS Resolver), before we go on to testing on our client.
3. Testing on the client:
On the client side, make sure the client's DNS server points to pfSense (LAN address). If a second, external DNS server is also configured, the client can bypass DNSBL entirely, so pfSense should be the only resolver listed.
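A small client-side check, added here as an example and not part of the original post: it verifies that pfSense is the only nameserver the client uses and classifies test lookups as sinkholed by DNSBL or resolved normally. It assumes a pfSense LAN address of 192.168.1.1 (constructed) and pfBlockerNG's default DNSBL virtual IP of 10.10.10.1 (check your DNSBL settings if you changed it); blocked names resolve to that VIP.

```python
"""Client-side DNSBL verification (added example, not from the original post)."""
import socket
from typing import Callable, Dict, List

PFSENSE_LAN = "192.168.1.1"   # assumed pfSense LAN address; adjust to yours
DNSBL_VIP = "10.10.10.1"      # pfBlockerNG default DNSBL virtual IP (see DNSBL settings)


def nameservers(resolv_conf: str) -> List[str]:
    """Extract the 'nameserver' entries from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_points_to_pfsense(resolv_conf: str, pfsense_ip: str = PFSENSE_LAN) -> bool:
    """True only if pfSense is the sole nameserver; any extra server lets clients bypass DNSBL."""
    return nameservers(resolv_conf) == [pfsense_ip]


def classify(domain: str, resolve: Callable[[str], str], vip: str = DNSBL_VIP) -> str:
    """'blocked' if the answer is the DNSBL sinkhole VIP, 'nxdomain' on lookup failure, else 'resolved'."""
    try:
        answer = resolve(domain)
    except OSError:            # socket.gaierror is a subclass of OSError
        return "nxdomain"
    return "blocked" if answer == vip else "resolved"


def check_domains(domains: List[str],
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve each domain through the client's configured DNS and classify the result."""
    return {d: classify(d, resolve) for d in domains}


if __name__ == "__main__":
    # Constructed sample resolv.conf for illustration; read /etc/resolv.conf on a real client.
    sample = "search lan\nnameserver 192.168.1.1\n"
    print("DNS via pfSense only:", dns_points_to_pfsense(sample))
    # Use one domain you know is on your DNSBL feed and one that is not.
    print(check_domains(["example.com"]))
```

Run it on the client after restarting DNSBL and unbound; a listed domain should show as "blocked" and an unlisted one as "resolved".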