Setup Guide / Tutorial for pfBlockerNG 2.2.5 on pfSense with DNSBL & GeoIP

@LTS_Tom thanks for another great video!

If you’re using the Talos feed for pfBlockerNG does it make Suricata redundant, or are they doing different things?

This is only the IP blocking, IDS/IPS uses signatures.

So am I understanding it correctly that pfBlocker blocks all traffic from a specific IP, and that IPS is more fine grained and looks for specific types of packets? So things like “ET DROP Dshield Block Listed Source” and “ET CINS Active Threat Intelligence Poor Reputation IP group” would be where any overlap would happen?

Correct, IP reputation plays a part in the IDS/IPS systems so there would be an overlap there.

I’ve run pfBlocker on and off for testing. My box has slightly more capable hardware - Intel i5 with 32 GB RAM, however I’m running pfSense within an xcp-ng VM and I’ve allocated 2 cores with 8 GB of RAM to the VM. What I find unfortunately is that with pfBlocker it will run ok for 4-5 days with RAM usage as reported in the pfSense dashboard moving consistently between 25-50% and then I’ll get a lockup in the VM. If I’m somehow able to access pfSense through the GUI (which many times isn’t the case), I see memory usage at 100%. When the system gets like this I have to forcefully kill the VM. Without pfBlocker, at baseline pfSense is using 2-10% of memory.

With pfBlocker as you mentioned with any list, you have to train the list since many times it “overblocks” things. No reddit, no pinterest, no facebook and other social media sites. You have to run it for a while and whitelist a lot of things. A lot of ads are blocked – which I guess is the purpose - but a lot of websites look funny with pages with large white spaces indicating where an ad used to be located.

Hi guys, why is pfBlockerNG blocking the IP 1.1.1.1? This is my Cloudflare DNS I’m using on pfSense. I removed the IP 1.1.1.1 from the IP ALIASES Rules, but when I hit CRON RELOAD, the 1.1.1.1 is back on the list.

Is there a way to see what list is putting the 1.1.1.1 and then turn it off on pfBlocker?
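One way to approach the question above, as an added example that is not part of the original thread or pfBlockerNG's own code: search copies of the IP feeds for any entry that covers the address, including CIDR ranges that contain it. It assumes each feed is plain text with one IP or CIDR per line; the feed names and contents below are constructed samples, and `find_sources` is a hypothetical helper name.

```python
import ipaddress

def parse_feed(text):
    """Yield (line_no, network) for every parsable IP/CIDR entry in a feed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments; feeds commonly use '#' or ';'
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        token = entry.split()[0]
        try:
            # strict=False accepts entries with host bits set, e.g. 1.1.1.1/24
            yield line_no, ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # hostname or malformed line, not an IP entry

def find_sources(target, feeds):
    """Return (feed_name, line_no, matching_entry) for each entry covering target."""
    addr = ipaddress.ip_address(target)
    hits = []
    for name, text in feeds.items():
        for line_no, net in parse_feed(text):
            if net.version == addr.version and addr in net:
                hits.append((name, line_no, str(net)))
    return hits

# Constructed sample feeds (not real list contents)
SAMPLE_FEEDS = {
    "feed_a": "# constructed sample\n192.0.2.0/24\n1.1.1.1\n",
    "feed_b": "1.1.1.0/24 ; constructed range entry\n203.0.113.5\n",
    "feed_c": "198.51.100.7\nnot-an-ip\n",
}

if __name__ == "__main__":
    for name, line_no, entry in find_sources("1.1.1.1", SAMPLE_FEEDS):
        print(f"{name}: line {line_no} -> {entry}")
```

A plain text search for the address would miss `feed_b`, where the address is blocked by a covering range rather than listed on its own.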

I just looked at your YouTube video and I must say that I appreciate the time you took to explain things. I am wondering if I can use pfBlockerNG in my scenario as I seek to explain what I am trying to achieve. I have two pfSense boxes at my work in High Availability with CARP WAN/LAN IPs. I am using Squid proxy and SquidGuard for blocking and allowing sites. The challenge is that when my secondary firewall takes over, Squid/SquidGuard doesn’t work. My users are left without internet unless they manually disable the proxy server. I read somewhere in the config that SquidGuard doesn’t work on the secondary in HA, and when I tried to enable it, it crashed both boxes in production. So I was wondering if I could get rid of the Squid proxy/SquidGuard and use pfBlockerNG to allow and deny access to sites. I have two SG-1000 devices in my lab environment configured as HA so I can test first before moving forward with or without a solution. Your feedback would be of greatest help.

pfBlockerNG uses DNS blocking; SquidGuard does more granular website filtering based on the traffic passing through the proxy. So it would not be as granular and would rely on DNS.