This is an old revision of the document!

PFSense - pfBlockerNG - Install pfBlockerNG - Setup DNSBL Blocking

Enable DNSBL

Navigate to Firewall → pfBlockerNG → DNSBL.

In DNSBL:

Enable DNSBL: Checked.
Wildcard Blocking (TLD): Checked.

WARNING: Wildcard Blocking (TLD) uses a lot of RAM.

Do not enable this on systems with less than 8GB RAM!

This setting enables additional processing to block ALL sub-domains for advanced blocking.

For example, a list with sharewiz.net would also result in blog.sharewiz.net also being blocked if TLD is enabled.

In DNSBL Webserver Configuration:

Virtual IP Address: 10.10.10.1. This is the default IP address and should be fine. Only change if needed. Enter an IP address that is not in your internal networks, something like 10.10.10.10.
VIP Address Type: IP Alias. The default. Only change if needed.
Port: 8081. The default. Only change if needed.
SSL Port: 8443. The default. Only change if needed.
Webserver Interface: LAN. The default. Only change if needed. Select LAN or another internal interface to listen on.

In DNSBL Configuration:

Permit Firewall Rules: Checked.

NOTE:

If you ONLY have one LAN interface, leave this setting unchecked.
If you have multiple LAN interfaces, check this setting and select each interface to protect.

Scroll to the bottom of the page and click the Save button.

In DNSBL Whitelist:

See DNSBL Whitelist.
Enter the following white-list domains and modify as you like:

.play.google.com
.drive.google.com
.accounts.google.com
.www.google.com
.github.com
.outlook.live.com
.edge-live.outlook.office.com # CNAME for (outlook.live.com)
.outlook.ha-live.office365.com # CNAME for (outlook.live.com)
.outlook.ha.office365.com # CNAME for (outlook.live.com)
.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
.amazonaws.com
.login.live.com
.login.msa.akadns6.net # CNAME for (login.live.com)
.ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
.mail.google.com
.googlemail.l.google.com # CNAME for (mail.google.com)
.pbs.twimg.com
.wildcard.twimg.com # CNAME for (pbs.twimg.com)
.sites.google.com
.www3.l.google.com # CNAME for (sites.google.com)
.docs.google.com
.mobile.free.fr
.plus.google.com
.samsungcloudsolution.net
.samsungelectronics.com
.icloud.com
.microsoft.com
.windows.com
.skype.com
.googleusercontent.com

In DNSBL IPs:

List Action: Deny Both.
Enable Logging: Enable.

Scroll to the bottom of the page and click the Save button.

Setup DNSBL EasyLists

Navigate to Firewall → pfBlockerNG → Feeds.

Scroll down to the DNSBL Category section.

Select the Easylist by clicking on the + key towards the left side.

NOTE: If you look toward the right, you will see another checkbox. This means the individual feed is enabled.

This subtle distinction is extremely important to understanding how aliases and feeds work. In addition, if a category ever has a problematic feed, you can always disable that feed instead of the entire category, i.e. we do not need to enable every feed for a particular category.

For example, if you want to add the EasyList Adware Filter or one of the language specific feeds, you would click the + sign to the far right and that would add the individual feed to the already existing EasyList group.