Wiki

User Tools

Site Tools

Trace: hybrid_outbound_nat_rule_generation setup_dnsbl_blocking
pfsense:pfblockerng:install_pfblockerng:setup_dnsbl_blocking

This is an old revision of the document!

Table of Contents

PFSense - pfBlockerNG - Install pfBlockerNG - Setup DNSBL Blocking

Enable DNSBL

Navigate to Firewall → pfBlockerNG → DNSBL and check the box for Enable DNSBL.

Optionally, if you have a lot of RAM, you can also enable TLD. This setting enables additional processing to block ALL sub-domains for advanced blocking. For example, a list with sharewiz.net would also result in blog.sharewiz.net also being blocked if TLD is enabled.

Locate the DNSBL Webserver Configuration section:

  • Virtual IP Address: 10.10.10.1. This is the default IP address and should be fine. Only change if needed. Enter an IP address that is not in your internal networks, something like 10.10.10.10.
  • VIP Address Type: IP Alias. The default. Only change if needed.
  • Port: 8081. The default. Only change if needed.
  • SSL Port: 8443. The default. Only change if needed.
  • Webserver Interface: LAN. The default. Only change if needed. Select LAN or another internal interface to listen on.

Locate Permit Firewall Rules within the DNSBL Configuration section:

  • If you ONLY have one LAN interface, leave this setting unchecked.
  • If you have multiple LAN interfaces, check this setting and select each interface to protect.
  • Scroll to the bottom of the page and click the Save button.

Locate the DNSBL Whitelist Section:

  • See DNSBL Whitelist.
  • Enter the following white-list domains and modify as you like:
  • .play.google.com
.drive.google.com
.accounts.google.com
.www.google.com
.github.com
.outlook.live.com
.edge-live.outlook.office.com # CNAME for (outlook.live.com)
.outlook.ha-live.office365.com # CNAME for (outlook.live.com)
.outlook.ha.office365.com # CNAME for (outlook.live.com)
.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
.amazonaws.com
.login.live.com
.login.msa.akadns6.net # CNAME for (login.live.com)
.ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
.mail.google.com
.googlemail.l.google.com # CNAME for (mail.google.com)
.pbs.twimg.com
.wildcard.twimg.com # CNAME for (pbs.twimg.com)
.sites.google.com
.www3.l.google.com # CNAME for (sites.google.com)
.docs.google.com
.mobile.free.fr
.plus.google.com
.samsungcloudsolution.net
.samsungelectronics.com
.icloud.com
.microsoft.com
.windows.com
.skype.com
.googleusercontent.com

Locate DNSBL IPs section:

  • List Action: Deny Both.
  • Enable Logging: Enable.

Scroll to the bottom of the page and click the Save button.

Setup DNSBL EasyLists

Navigate to Firewall → pfBlockerNG → Feeds.

Scroll down to the DNSBL Category section.

Select the Easylist by clicking on the + key towards the left side.

Set EasyList Feeds to:

  • State: ON
  • Action: Unbound
  • Update Frequency: Once per day

Scroll to the bottom of the page and click the Save button.

Setup Custom DNSBL Lists

See pfBlockerNG DNSBL Lists.

Navigate to Firewall → pfBlockerNG → DNSBL → DNSBL Groups.

Click the Add button.

Give it a Name and Description.

Add in as many DNSBL Source Definitions as needed.

Set:

  • State: ON
  • Action: Unbound
  • Update Frequency: Once per day

For Example:

pfsense/pfblockerng/install_pfblockerng/setup_dnsbl_blocking.1611830750.txt.gz · Last modified: 2021/01/28 10:45 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki