pfblockerngdnsblsettings 1.0: pfBlockerNG: DNSBL: Settings (include file /usr/local/pkg/pfblockerng/pfblockerng.inc; save action: pfBlockerNG: Save DNSBL general settings; menu: pfBlockerNG)
Firewall
pfblockerng_dnsbl.xml
Tabs:
    General: /pkg_edit.php?xml=pfblockerng.xml
    Update: /pfblockerng/pfblockerng_update.php
    Alerts: /pfblockerng/pfblockerng_alerts.php
    Reputation: /pkg_edit.php?xml=/pfblockerng/pfblockerng_reputation.xml
    IPv4: /pkg.php?xml=/pfblockerng/pfblockerng_v4lists.xml
    IPv6: /pkg.php?xml=/pfblockerng/pfblockerng_v6lists.xml
    DNSBL: /pkg_edit.php?xml=/pfblockerng/pfblockerng_dnsbl.xml
    Country: /pkg_edit.php?xml=/pfblockerng/pfblockerng_top20.xml
    Logs: /pfblockerng/pfblockerng_log.php
    Sync: /pkg_edit.php?xml=/pfblockerng/pfblockerng_sync.xml
DNSBL sub-tabs (tab level 2):
    DNSBL: /pkg_edit.php?xml=/pfblockerng/pfblockerng_dnsbl.xml
    DNSBL Feeds: /pkg.php?xml=/pfblockerng/pfblockerng_dnsbl_lists.xml
    DNSBL EasyList: /pkg_edit.php?xml=/pfblockerng/pfblockerng_dnsbl_easylist.xml
LINKS (listtopic): Firewall Alias, Firewall Rules, Firewall Logs
Note: DNSBL requires the DNS Resolver (Unbound) to be used as the DNS service.
When a DNS request is made for a domain that is listed in DNSBL, Unbound answers with the DNSBL Virtual IP instead of the domain's real address. The client then connects to that VIP, where an instance of the Lighttpd web server logs the request (this is what feeds the Alerts tab) and returns a 1x1 GIF image to the browser. If browsing is slow, check for firewall LAN rules or limiters that might be blocking access to the DNSBL VIP: every blocked lookup then leaves the browser waiting for a connection to the VIP to time out.

Note: DNSBL will block HTTPS requests to listed domains, but can only partially log them as Alerts, because the browser rejects the VIP's certificate during the TLS handshake before sending the request that Lighttpd would log. To debug issues with 'False Positives', the following tools can be used:
  • 1. Browser developer mode (F12); go to 'Console' to review any error messages.
  • 2. Execute the following command from the pfSense shell (changing the interface 're1' to the pfSense LAN interface and 10.10.10.1 to the configured DNSBL VIP):
  • tcpdump -nnvli re1 port 53 | grep -B1 'A 10.10.10.1'
  • 3. Packet capture software such as Wireshark.
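As an added example, not part of pfBlockerNG or of this settings page, the following shell script post-processes the tcpdump output from step 2 into a list of which client asked for which blocked domain. It assumes tcpdump's verbose (-v) output layout, where the IP header and the DNS payload are printed on two lines, and the default VIP 10.10.10.1; the capture lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not pfBlockerNG code: turn 'tcpdump -nnvli <lan_if> port 53'
# output into a "client domain" report of every lookup that DNSBL rewrote to
# the Virtual IP. Assumptions: tcpdump -v layout (an "IP (...)" header line
# followed by an indented DNS payload line) and the default VIP 10.10.10.1.

DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"

# dnsbl_hits VIP < tcpdump_output
# Prints "client domain" for each DNS answer whose A record is the VIP.
# Query lines carry "A?" rather than "A", so only answers can match.
dnsbl_hits() {
    awk -v vip="$1" '
        {
            for (i = 2; i < NF; i++) {
                if ($i != "A") continue
                v = $(i + 1); sub(/,$/, "", v)              # "vip," in multi-record answers
                if (v != vip) continue
                client = $3; sub(/\.[0-9]+:$/, "", client)  # "addr.port:" -> "addr"
                domain = $(i - 1); sub(/\.$/, "", domain)   # drop the trailing root dot
                print client, domain
            }
        }'
}

# Constructed sample capture: one query, one DNSBL hit, one normal answer and
# one hit that arrives behind a CNAME. Not real traffic.
SAMPLE_CAPTURE='IP (tos 0x0, ttl 64, id 101, offset 0, flags [none], proto UDP (17), length 61)
    192.168.1.50.51234 > 192.168.1.1.53: 36721+ A? ads.example.com. (33)
IP (tos 0x0, ttl 64, id 102, offset 0, flags [none], proto UDP (17), length 76)
    192.168.1.1.53 > 192.168.1.50.51234: 36721 1/0/0 ads.example.com. A 10.10.10.1 (48)
IP (tos 0x0, ttl 64, id 103, offset 0, flags [none], proto UDP (17), length 80)
    192.168.1.1.53 > 192.168.1.50.51235: 36722 1/0/0 www.example.org. A 93.184.216.34 (52)
IP (tos 0x0, ttl 64, id 104, offset 0, flags [none], proto UDP (17), length 90)
    192.168.1.1.53 > 192.168.1.51.40002: 4105 2/0/0 cdn.tracker.example.net. CNAME tracker.example.net., tracker.example.net. A 10.10.10.1 (62)'

# Live use on pfSense: tcpdump -nnvli <lan_if> port 53 | dnsbl_hits "$DNSBL_VIP"
printf '%s\n' "$SAMPLE_CAPTURE" | dnsbl_hits "$DNSBL_VIP"
```

Unlike the grep one-liner, which prints the raw packet lines, this yields one line per rewritten lookup, which is what you need when deciding whether a domain belongs on the suppression list.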
Enable DNSBL (pfb_dnsbl, checkbox): To use DNSBL, the Unbound DNS Resolver must be enabled.
DNSBL Virtual IP (pfb_dnsvip, input, size 13): Enter a single IPv4 VIP address that is RFC1918 compliant.

This address should be in an isolated range, not one that is used anywhere on your network, so that rewritten answers can never point at a real host.
Rejected DNS requests will be answered with this VIP (Virtual IP).
RFC1918 compliant ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Default: 10.10.10.1
DNSBL Listening Port (pfb_dnsport, input, size 3): Enter a single port in the range 1 - 65535.

This port must not be in use by any other process (on pfSense, 'sockstat -4l' lists the ports currently being listened on).
Default: 8081
DNSBL SSL Listening Port (pfb_dnsport_ssl, input, size 3): Enter a single port in the range 1 - 65535.

This port must not be in use by any other process.
Default: 8443
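An added example, not pfBlockerNG code, of checking a candidate VIP against both requirements of the field above: it must be RFC1918, and it must not lie inside any subnet that is actually in use (LAN, VLANs, VPN pools). The list of in-use subnets is an assumption you supply on the command line; the script does not read the pfSense configuration.

```shell
#!/bin/sh
# Added example, not pfBlockerNG code: validate a DNSBL VIP. The in-use subnet
# list is supplied by the caller (assumption); subnets must be written as CIDR.

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (e.g. 192.168.1.0/24)
in_cidr() {
    _ip=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# is_rfc1918 IP -> exit 0 if IP is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# check_dnsbl_vip VIP SUBNET... -> prints a verdict; exit status 0 only if usable
check_dnsbl_vip() {
    _vip=$1; shift
    if ! is_rfc1918 "$_vip"; then
        echo "REJECT: $_vip is not an RFC1918 address"
        return 1
    fi
    for _subnet in "$@"; do
        if in_cidr "$_vip" "$_subnet"; then
            echo "REJECT: $_vip overlaps in-use subnet $_subnet"
            return 1
        fi
    done
    echo "OK: $_vip is RFC1918 and isolated from the listed subnets"
}

# Constructed cases: the package default against a 192.168.1.0/24 LAN, the same
# VIP on a site that already uses all of 10.0.0.0/8, and a CGNAT (100.64/10)
# address, which is private-ish but not RFC1918. '|| :' only keeps the demo
# going under 'set -e'; the non-zero status is the REJECT signal.
check_dnsbl_vip 10.10.10.1 192.168.1.0/24 192.168.2.0/24
check_dnsbl_vip 10.10.10.1 10.0.0.0/8 || :
check_dnsbl_vip 100.64.0.1 192.168.1.0/24 || :
```

The second case is the one that bites in practice: 10.10.10.1 is a fine default on a 192.168.x network, but on a site addressed out of 10.0.0.0/8 it may collide with a real host, and blocked lookups would then be sent to that host instead of the Lighttpd instance.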
DNSBL Listening Interface (dnsbl_interface, interfaces_selection, excludes wan|loopback): Default: LAN. The selected interface should be a local interface only.
DNSBL Firewall Rule (pfb_dnsbl_rule, checkbox)
    dnsbl_allow_int (interfaces_selection, excludes wan): additional local interfaces allowed to access the DNSBL VIP on the LAN interface. This is only required for multiple LAN segments.
DNSBL IP Firewall Rule Settings (listtopic): Configure settings for the firewall rules created when any DNSBL feed contains IP addresses.
List Action (action, select): Default: Disabled

Select the action for the firewall rules created when any DNSBL feed contains IP addresses.

'Disabled' Rule: Disables selection and does nothing to the selected alias.

'Deny' Rules:
'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
  • Deny Both - blocks all traffic in both directions if the source or destination IP is in the block list.
  • Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction.
  • One-way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction while still allowing deliberate outgoing sessions to be created in the other direction.
'Alias' Rule:
'Alias' rules create an alias for the list (and do nothing else). This enables a pfBlockerNG list to be used by name in any firewall rule or pfSense function, as desired.
Enable Logging (aliaslog, select): Default: Enable
Select - Logging to Status: System Logs: FIREWALL (Log)
This can be overridden by the 'Global Logging' option in the General tab.
Advanced Inbound Firewall Rule Settings (listtopic)
Note: In general, Auto-Rules are created as follows:
    Inbound  - 'any' port, 'any' protocol and 'any' destination
    Outbound - 'any' port, 'any' protocol and 'any' destination address in the lists
Configuring the Adv. Inbound Rule settings allows for more customization of the Inbound Auto-Rules.
Select the pfSense 'Port' and/or 'Destination' Alias below:
Enable Custom Port (autoports, checkbox; enables aliasports)
Define Alias (aliasports, aliases/port, size 21): Click Here to add/edit Aliases. Do not manually enter port numbers.
Do not use 'pfB_' in the Port Alias name.
Enable Custom Destination (autodest, checkbox; enables aliasdest, autonot)
Define Alias (aliasdest, aliases/network, size 21): Click Here to add/edit Aliases. Do not manually enter Address(es).
Do not use 'pfB_' in the 'IP Network Type' Alias name.
Invert (autonot, checkbox): Option to invert the sense of the match,
i.e. NOT (!) Destination Address(es).
Custom Protocol (autoproto, select, size 4): Default: any
Select the Protocol used for Inbound Firewall Rule(s).
Do not use 'any' with Adv. Inbound Rules: a port match only exists for TCP/UDP, so the custom settings would be bypassed!
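What the three List Actions (above, under 'DNSBL IP Firewall Rule Settings') and the Adv. Inbound settings amount to in pf rule syntax, as an added illustration rather than rules generated by pfBlockerNG: the package builds its rules through the pfSense rule set, so the exact output differs. The interface names, the table name pfB_DNSBLIP_v4 and the two aliases are hypothetical.

```pf
# Added illustration, not pfBlockerNG output. Names are hypothetical.
wan_if = "em0"
lan_if = "em1"
web_ports = "{ 80 443 }"           # a pfSense Port alias; must not be named pfB_*
table <pfB_DNSBLIP_v4> persist     # IP addresses extracted from DNSBL feeds
table <My_Public_Servers> persist  # an 'IP Network Type' alias (Custom Destination)

# Deny Inbound: drop unsolicited new sessions from listed IPs on WAN.
# Sessions that LAN hosts opened are matched by pf state before any rule,
# so their return traffic is unaffected ("unless it is part of a session
# started by traffic sent in the other direction").
block in quick on $wan_if from <pfB_DNSBLIP_v4> to any

# Deny Outbound: stop local hosts opening sessions to listed IPs. pf sees
# that traffic entering the LAN interface, hence 'in on $lan_if'.
block in quick on $lan_if from any to <pfB_DNSBLIP_v4>

# Deny Both: both of the rules above.

# Adv. Inbound Rule: only TCP to the web ports, and only for destinations
# that are NOT the public-server alias ('Invert'). pf cannot attach a port
# match to a rule without a TCP/UDP protocol, which is why 'any' must not be
# used with these settings.
block in quick on $wan_if proto tcp from <pfB_DNSBLIP_v4> \
    to ! <My_Public_Servers> port $web_ports

# Alias action: no rules at all; only the table exists, for use elsewhere.
# 'Enable Logging' corresponds to the 'log' keyword:
#   block in log quick on $wan_if from <pfB_DNSBLIP_v4> to any
```

The 'quick' keyword is what makes these "high priority" rules: the first matching quick rule wins regardless of the pass rules that follow it.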
Enable Alexa (alexa_enable, checkbox, listtopic): Top 1 million sites list (global 1-month average traffic ranking).

Alexa can be used to whitelist the most popular domain names to avoid false positives. To use this feature, select the number of 'Top Domains' to whitelist. You can also 'include' which TLDs to whitelist.

Recommendation:
    Alexa also contains the 'Top' AD servers, so it is recommended to configure the first DNSBL Alias with AD server
    based feeds (ie. yoyo, Adaway...). Alexa whitelisting can be disabled for this first defined Alias, so those ad servers stay blocked.

    Generally, Alexa should be used for feeds that post full URLs like PhishTank, OpenPhish or MalwarePatrol, where a single malicious page hosted on a popular domain would otherwise block the whole domain.

    To bypass an Alexa domain, add the domain to the first defined Alias 'Custom Block list', with Alexa disabled in this alias.
The complete 'Top 1M list' can be downloaded separately (the database is free to use).
When enabled, this list will be automatically updated once per month along with the MaxMind database.
Top Domains to Whitelist (alexa_count, select): Default: Top 1k (1000)
Select the number of Alexa 'Top Domain global ranking' entries to whitelist.
Alexa TLD Inclusion (alexa_inclusion, select, size 10): Default: COM, NET, ORG, CA, CO, IO

Detailed listing: Root Zone top-level domains.
Custom List Suppression (listtopic)
Enter one Domain Name per line.
You may use "#" after any domain name to add comments, for example (google.com # Suppress Google.com).
This list is stored Base64-encoded in the config.xml file.

Note: These entries are only suppressed when feeds are downloaded or on a 'Force Reload'.
Use the Alerts tab '+' Suppression icon to immediately remove a domain from Unbound DNSBL.
(textarea, 50 x 25, base64 encoding)
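An added example, not pfBlockerNG code, that reproduces on constructed data the two whitelisting mechanisms described above: the Alexa 'Top Domains' whitelist restricted to the selected TLDs, and the Custom List as it is stored Base64-encoded in config.xml with '#' comments. Both sets are then removed from a feed that publishes full URLs, which is the case the Alexa recommendation is about. The Alexa rows, the custom list and the feed lines are constructed, not real Alexa, PhishTank or config.xml content.

```shell
#!/bin/sh
# Added example, not pfBlockerNG code. Sample data below is constructed.

# alexa_whitelist N "tld1 tld2 ..." < alexa.csv   (CSV rows are "rank,domain")
# Prints the domains ranked 1..N whose last label is one of the given TLDs.
alexa_whitelist() {
    awk -F, -v n="$1" -v tlds="$2" '
        BEGIN { split(tlds, t, " "); for (i in t) want[tolower(t[i])] = 1 }
        $1 + 0 > n { exit }                    # the list is sorted by rank
        {
            d = tolower($2)
            k = split(d, lbl, ".")
            if (lbl[k] in want) print d
        }'
}

# suppression_list < base64_text
# Decodes the Custom List as stored in config.xml and drops '#' comments,
# surrounding whitespace and blank lines. On pfSense (FreeBSD) use
# 'b64decode -r' in place of GNU 'base64 -d'.
suppression_list() {
    base64 -d | sed -E 's/#.*$//; s/^[[:space:]]+//; s/[[:space:]]+$//' \
        | grep -v '^$' | tr 'A-Z' 'a-z'
}

# feed_hosts < feed
# Reduces feed entries that may be full URLs to bare, lower-cased host names.
feed_hosts() {
    sed -E 's#^[A-Za-z]+://##; s#[/:?].*$##' | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u
}

# filter_feed "dom1 dom2 ..." < feed
# Prints the feed hosts that are NOT whitelisted. Because DNSBL blocks whole
# domains, this is what stops one phishing page on google.com from blocking
# google.com; it is also why AD-server feeds belong in an alias with Alexa
# disabled, since doubleclick.net is itself a top-ranked domain.
filter_feed() {
    feed_hosts | awk -v wl="$1" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
        !($0 in white)'
}

# --- constructed sample data ---
ALEXA_SAMPLE='1,google.com
2,youtube.com
3,facebook.com
4,baidu.com
5,wikipedia.org
6,doubleclick.net
7,amazon.co.uk
8,github.io
9,yahoo.com'

# The Custom List textarea as it would be written to config.xml.
CUSTOM_B64=$(printf '%s\n' 'internal.corp.example # our own domain' \
    '  Partner.Example  ' '# comment only' | base64)

PHISH_SAMPLE='http://google.com/docs/login.php
https://evil-login.example/bank
http://Doubleclick.net/ad?id=1
https://partner.example/invoice.php
ftp://evil-login.example/x'

# Whitelist = Alexa top 8 in COM/NET/ORG plus the decoded Custom List.
WL="$(printf '%s\n' "$ALEXA_SAMPLE" | alexa_whitelist 8 'com net org')
$(printf '%s' "$CUSTOM_B64" | suppression_list)"

echo "whitelist:"; echo "$WL"
echo "feed after whitelisting:"
printf '%s\n' "$PHISH_SAMPLE" | filter_feed "$WL"
```

Only evil-login.example survives: google.com and doubleclick.net are dropped by the Alexa top-8 whitelist and partner.example by the Custom List. The doubleclick.net result is the caveat from the Recommendation in code form: with Alexa enabled on an ad-server feed, that feed's most important entries are exactly the ones whitelisted.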
Click to SAVE Settings and/or Rule Edits. Changes are applied via CRON or 'Force Update'.