Since 2015, pfBlockerNG has been protecting assets behind consumer and corporate networks of the pfSense open source firewall. So pfBlockerNG, I've talked about it a couple of times before, and I want to talk about the latest version. I talked about it about a year ago, that they were developing the 2.2 series, and they've really come a long way. It seems very stable. I've been using it. We have it on our production machines here. And so I figured I'd talk about it and go over how to configure and set it up.

A couple of things I want to get out of the way. Please donate to them if you can spare a few dollars. It always helps the developers of these open source projects, and you can see currently I am a $10 a month developer on this, and maybe I should up it a little more. But I want to raise awareness of the project and raise awareness that, you know, open source, the code is free, but the time that these people spend on it is valuable. Therefore, show your appreciation by helping them out.

Further reading: there is a forum where you want to dive deep and discuss with the pfBlockerNG developer and other people using it and, you know, find details of questions or "is it possible to configure" questions. That is discussed right here under Reddit, /r/pfBlockerNG. So there's a pretty active discussion group. You can see there's a lot of posts in here and it's very helpful. You know, if you have questions or want to interact with the development team, right here is where you can post some of those and dive deeper into it.

Now, I've run in the past the pfBlockerNG 2.1 series. I've tried the 2.2; at the time I tried it, over a year ago, it was pretty good, but I don't think it was really there. As of right now, it seems to be quite stable. I haven't had any problems with it and it works great. Now, if you already have pfBlockerNG 2.1 installed and you want to move to pfBlockerNG 2.2, it should keep all the settings.
But as I always say, backup, backup, backup, just in case it goofs up or you need to rerun something on there, and make sure you understand the settings. The concept I'm doing from here with our lab server is I'm going to be loading it fresh, and that way it's not pulling in any legacy settings, and that way if you're a new user to pfSense, this will be the getting started with the 2.2.5 version of pfBlockerNG. So first things first, we click Install and then we click Confirm and it downloads it. So this part's really straightforward and simple. How fast it installs will vary greatly with the speed of your computer, but now it's installed.

Now, pfBlockerNG, which you're going to go over here and it's going to bring us to the wizard to get it set up, a couple of quick items. A lot of people ask this: what if I'm running a Windows domain? Will pfBlockerNG work? Well, pfBlockerNG has two pieces to it. One does IP blocking based on firewall rules, one does DNS sinkholing. So if you're running a Windows Active Directory network, the DNS server generally is set to be that Windows Active Directory server, to have the least amount of problems with Active Directory. But you can, upstream from that, tell the Windows server to talk to pfBlockerNG on pfSense and use pfSense for DNS resolution. So the computers will then go to the AD server, and the AD server can use this. That will work for the DNS blocking. The firewall blocking rules that block IP addresses based on firewall rules, because it is just IP blocking, no problem, that works whether it's on a Windows domain or not. So it depends on which piece of pfBlockerNG you're speaking of. But if you're doing it as "I want to get to this IP address," but then it is sinkholed or blocked inside of pfBlockerNG with a firewall rule, it's going to work whether you have Windows or not.
But when you're running a Windows Active Directory server and using DNS, it will first try to resolve those addresses inside of Windows, and then Windows will reach out with the Windows server, or reach out to there. So DNS sinkholing, or as people like to say, you know, blocking of some of the tracking sites, that is only if the DNS within your realm of network is set to this, and it works with the DNS inside of pfSense.

So we're going to hit Next on the wizard. Hopefully it answers the questions on there. The pfBlockerNG wizard will configure a default setup for pfBlockerNG. All the settings will be wiped if you don't need any previous installs. IP firewall rules will be added to selected outbound interfaces to block the worst offenders. DNSBL, utilizing the DNS Resolver: adverts and the worst known malicious domains will be blocked. So this is basically what it's doing. You select the inbound, as in what's the external. Maybe you have more than one WAN address because you have dual providers. You would select all of the inbound external ones, and then all of your internal interfaces; hold the Control key and press there. So we have LAN and LAN2. Not creatively named in my lab, I know.

VIP address, the virtual IP address: this is just, make sure you don't have this network in use on your current system. So if you have this IP, the 10.10.10.1, that is something you're already using, okay, I use that IP, then change it. So you just change it here. I'm not using this one, so it's fine. But just a word to the wise: when I've seen people who have struggled with problems, they coincidentally, through a series of, well, unfortunate alignments of events here, have had that as their root IP of their pfSense, and because they changed it to 10.10.10, it's even fun. That is the VIP address for this. But you can choose whatever you want here. I'm gonna leave it at default because I don't have that network. And then port 8081, 8443, make sure they're not in use on there.
Local port upon which the DNSBL web server listens; the default is 8443. This can be left unless a different port needs to be used. When you change it here, it changes it in all the other places. So I like that the wizard can do that for you; makes it simple. And that's it, Finish. It's set up, magic. Takes a second here and it's set up. But the first thing it has to do is get those lists of where those bad reputation IPs are. So it's gonna download EasyPrivacy, AdAway and a lot of other lists. So I'll let it finish this real quick. "Update process ended" and completed. So here we go, total table entries, blah, blah, blah. You can read and scroll back through all the details. But basically it's all configured and successfully updated. So it's just saying that if there's any errors, or doesn't seem to be any, "update process ended," I don't see any major problems. So the wizard is now finalized and it says a message has been saved to the wizard log. So if we need to see that, let's go all the way to the beginning here and run through what it has here.

Now, right here is pfBlockerNG Enabled, Keep Settings. And this is the common settings for a lot of the plugins; that way, if you ever have to remove it, it has the options to, well, that you want these settings in here, it will remove them or wipe them. So that's pretty straightforward there. Cron settings: by default every hour this updates. Download failure threshold: no limit. If you need to adjust any of these, in case you want a little more, or some type of like, hey, you only tried this many times, or how big you want the logs, we'll leave it all at default for now. But you can get the idea. If you need or want more logs and have the space for it, you can adjust all that here. Same thing with all the cron settings; you can change it from every hour to two hours, three hours, whatever works for you.

Here is where the IP reputation part starts. So here's the IP settings and placeholder IP address, ASN, etc., etc.
Whether or not we want to reject or have it block: by default we want it to block on the WAN and reject here. Reject versus block, if you're not familiar with what the two rules do. So when it blocks, it gives no notice. It just drops and goes away. You don't even know, you don't get any notice at all. Reject, well, it tells you no, you're not allowed to go here. You want to reject on the internal ones; that way there's actually some type of answer back. But from the external side, if someone's trying to get in, blocking works better because you don't even want to waste your time sending back a notice at all to the person that they're blocked; just let it go away. And this is for the IP rules.

Now, the other thing I'm going to change here from default is I like it to be floating rules, and let me show you why. So we're going to Firewall, Rules. And you'll see, here's a rule under LAN and LAN2. And there's two different schools of thought here. If you do them under Floating, you can see the rules all in one place. If you do them, and for however many networks you create, it will have a rule under each one of these. You can then see where the things are coming from. So it all depends on how you want to consolidate things. If you want to consolidate it under a floating rule, that's what this checkbox does. And I kind of like it that way, so everything's in a floating rule. But if you want it granular based on each network, you can put them under each network, which is where they end up by default. But remember, when we start customizing or adding a bunch of things in here, those rules start repeating throughout all the networks. So just something to consider and think about when you're doing it, as opposed to, I just want them blocked, and we go here and hit Save IP Settings. Now that'll move to a floating rule. By the way, it won't automatically move to a floating rule. It won't do that until we go over here to Update.
We'll just reload things real quick. We'll hit Run. Now we didn't do a download. We just reloaded it. And it's going to grab everything again and reprocess: Reload, Force, All, "update process ended," all right. And now the floating rule is here. And there's not a rule under each one of these. So that's how that works, in case you didn't know. For every time you make a change, it would have done it automatically on the hour. But we can just go to the Reload option and reload either just the IP or the DNSBL side and run it again. Back over to the IPs. So now we've moved it over to a floating rule. Keep it pretty simple. Lets you customize how the rules work.

And I didn't save this, but I'll turn it on now. Kill States: when enabled, after a cron event or Force command, any blocked IPs found in the firewall states will be cleared. Why do I do that? Well, what happens is, let's say you have a connection to some scary command and control server from inside your network to said server. Well, that server was not known to be a command and control server, and then an IP gets added to the list in one of those hourly updates. When you change a firewall rule, and this is the way pfSense works, it will change the rule, but it won't block states of that rule running already. So I block a port or I block an IP address, but there's already an established TCP connection; until that connection gets re-established, which it wouldn't, because if there's a rule to stop it or that IP is in a block list, then it wouldn't, but the established state won't go away. By saying Kill States, if an IP address pops up in there, if there's any computers with established connections, it will break those connections, because it'll reset any connections that match that rule. So just something to think about when you're doing that.

GeoIP: this is where you have to decide how you want to handle, for example, the top spammers in the GeoIP.
So we're gonna go ahead and we can say Deny Inbound, Deny Outbound, Deny Both. Now, there's a few more options here. I'm not gonna get into the details for specific use cases, but if you go Deny Both, and we're gonna go ahead and edit this rule a little bit more detailed here, if you go to denying both, that means no system can make an outbound connection to those. Now that may work fine for the top spammers, which, by the way, you can hold the Control key and click which ones, or hit Control-A and just grab them all, and then we'll modify, because we didn't hit Save at the top here, Deny Outbound, or actually we'll go ahead and Deny Both on spammers. I think we're okay with this one. Then we'll hit Save, and now we go back over here, and we look at the GeoIP, it's enabled, and it says Deny Both here.

And then let's go ahead and deny inbound from places we don't need. So we'll go and deny inbound for this one, but not outbound. And the reason why is, and it only really matters for inbound if you're hosting things, you have ports open on your firewall. So in our production environment, specifically for my office, for example, we do have ports open for things we host. I don't need anyone connecting from this particular country, or let's say Antarctica, we'll say List Action, I don't need inbound; Asia, and we'll do the same thing, we'll deny inbound again; Europe, Deny Inbound. Now, if I were to deny outbound as well, for example, in Europe, that's when I would start having a real problem, and what do I mean by that? Well, I wouldn't be able to go to European websites, so I would actually be blocking my ability to talk to those; you don't realize maybe just how many sites may be hosted over in Europe. And obviously if you're in Europe, you do, but I've seen people where they've set these up and start breaking things right away by denying their ability to get there.
Some servers, some companies you may buy services from, are hosted over in Germany, they're hosted over in some place in Europe. And if you deny the firewall's ability to go outbound to those. Now inbound, this only matters if you have ports open, because by default, the WAN interface on pfSense, and a lot of home users, if you're opening no ports, this is your default rule, is deny everything. So it doesn't matter if you have this or not, you're wasting time doing it, because if you have no ports open, well, it doesn't matter. Now I do like denying all these for our inbound because, like I said, we do have hosting open. So you just have to think about the use cases when you're doing that. Same with, you know, deny all these weird proxy and satellite ones, we'll go ahead and deny those too. Which is a long list, so page, page, page. So I'm just hitting Control-A to get those and Deny Inbound. And now we have all the different ones. So let's do South America, why not? And like I said, you can see that this is granular so you can filter and find these.

Now once you've done all this, once again, you could wait an hour, or we can go back over here and we'll just go ahead and reload just the IP side of it, and it's gonna update all those rules. That's done there, and I'll just go back over here and look at the firewall rules. And now you can see here's all the different blocks. It creates an alias list for each one of them. Now, this is also why I mentioned running floating rules. As you can see, now I have this list of rules here in Floating, but these are still nice and clean. These would then end up repeating in each one of the networks if you didn't do it as a floating rule. So just some thoughts on that, like I said, for kind of my reasoning for why we do it. So source, and it's got these blocked, and then these ones as destinations are blocked. So here we go, that's kind of the basics for the GeoIP blocking, which is important. Now let's talk about the DNSBL side of this.
So this is where you DNS sinkhole. This is name resolution, versus the other stuff is IP level blocking. And the default feeds it has are the EasyList feeds, utilizing domains blocked, the collection of advertisement domain feeds, and the collection of malicious domain feeds. This is where you can also add more custom ones if you have some particular list you want, things like that. So these are some predefined ones that are pretty basic, but it shows where they're pulling from. You can follow this format if you know another one, and there's other companies or other groups that, they're not really businesses, but they have these lists, and this is where you can update or change these lists and be able to put in, like, a specific list of things that you know you don't want resolved there.

These lists, if you wanna ever see what's inside of them, they're pretty easy, they're just basic text files. So you can actually see it's blocking whatever this is, whatever these domains are; these are lists that these people maintain, and this is a malware domain list. So anything that tries to get there, it's some crappy website that these people have sinkholed, but you have to be careful, because maybe these lists have false positives; that is a risk you're gonna get with any list. So take them for what they're worth, and I've seen people debate and argue about who has the best list; that's beyond the scope of this, but kind of to give you an idea of what these look like. Like here's a ransomware tracking list, and these are sites for, I'm assuming a bunch of, yeah. And they look pretty crappy to me, because if you're connecting to that site, you probably have a problem in your network on there for sure. So probably this list looks pretty valid to me, but hey, they also have some category options if you wanna try using the categories, and they're pulled from these blacklists to enable and let you do a little bit more filtering.
I've not done much testing with this, but these try to group things into categories based on that. Now, this is where they've done a great job, and where these feeds are, because you're seeing all those really. Where is all this coming from? Where's this data? Well, they actually started filling them out in here, and they made it a lot easier to add a list. So this is just the wizard and the default ones that they have on here, and they do have some warnings of don't just click everything: do not enable all the feeds, well, you're gonna break stuff. It'll be maybe more than your pfSense can handle. But we have some nice ones, like Talos; Snort, heard of Snort, I've talked a lot about Snort, and the IP threat list from them. The Talos Security Group, they've got a great blog, by the way. You can then, they're in here by default as one of the lists.

Now, all you have to do to add something to the lists, let's go in here and let's say, well, here's the developer, he has his own list, and I think Tor is in the list. Let's find that. Blocklist.de, Tor, MyAPs, Spamhaus, AdAway, Abuse Tracker, oh, Malwarebytes. So this is actually Malwarebytes hosted in here, and this is actually kinda cool too. So when you click on these links here, they take you to some of the websites where these are, so you can read more about what these rule sets are that you're adding in here. So if you wanted to add that in there, Malware Domains, Ransomware Tracker, where was it again? We just go ahead and hit the plus. All right, Save. And now we have that one in there, and then we just say Unbound, once a day, Save, hit OK. Now it's gonna pull that list in there as well. So it's kinda cool the way they did these feeds, so you can figure out what feeds you want, what ones you wanna add in there, and I believe Tor is in here somewhere if you wanted to block some of the Tor sites as well. But you kinda get the idea for a lot of feed options in here, and I thought this was cool too.
They even have the AlienVault list. So if we're gonna click plus on the AlienVault list, and it's an IP reputation list, not a DNS one, so we're gonna hit Save and we'll go ahead and Deny Inbound from them, Save, hit OK. Yeah, Deny Inbound, every hour. And once again, they give a lot of fine tuning options if you wanna do a couple of specific things like only custom destination ports and block, and things like that. But once you've done this, we're gonna go back over here to the Update. Go to Reload and we'll just reload both real quick. Okay, "update process ended," and we get back over here to our firewall rules. And we see all the rules are up to date, and here's all the things we blocked, et cetera, et cetera.

Now, quick behind the scenes, if you're not familiar with the aliases, I think I've done a video specifically on how the aliases work in pfSense, but you go here to the aliases and you can see how pfBlockerNG pulls these. So you see it's pulling from HTTPS, and it's pulling from localhost, 555, pfblocker; it runs its own internal web server. So when it updates and pulls these aliases, it actually pulls from a file it creates and then pushes to a web server, so it can pull and update the alias every time it runs one of those updates. Just a little behind the scenes of what's going on when it creates these. It doesn't have to; I kinda like the fact that it's not doing anything magic, it's exposed through the UI, so to speak, how it's doing it. But when they say do not edit this alias: do not edit the alias, or you'll cause unexpected behavior in pfBlockerNG.

Now, pfBlockerNG itself is fun to have up and running, but I also spun up a box over here, a Windows machine. And I haven't done anything but boot it up, and I wanted to show you what the reports look like. Cause obviously there's not gonna be a lot in these reports, and there's not many alerts when there's nothing behind it.
And this is our lab server, so the only thing behind it is one Windows box with this particular IP address, 192.168.4120. And I like that just by starting it up, the first thing it did was reach out and go to settings.win.data.microsoft, which is the Microsoft tracking, by the way. This is another feature I really like, the way they have this built into pfBlockerNG. So here's the fact that it was blocked, and right here we can do threat lookups. So we're gonna go ahead and open it in a new tab and we can look up that threat. So what is, and you notice the reputation lookup search string is settings.win.data.microsoft, and it gives you what that information is. It's actually a trusted website. Well, you trust Microsoft; at least it's trusted as in it's not doing anything malicious. It's just telemetry data coming from Microsoft, or going to Microsoft I should say, and it got sinkholed. They give you a few different places you can look things up. And this is kind of cool, because you can see how it's pushing this setting to here, and then each one of these, it's then taking you to their website and seeing if it's in their list. Like this one's not in the list here, but you kind of get the idea.

But if we want to whitelist it, let's say we want to send telemetry data to Microsoft, that's pretty easy too. You click the little plus button and it says "Whitelist settings.win.data.microsoft? This will immediately remove the blocked domain and associated CNAMEs from DNSBL" and whitelisting actions. So we're gonna hit OK. And then right here, I don't, it's funny because it's in yellow here: "Do you wish to wildcard whitelist?" And that means anything.settings at Microsoft, as opposed to just settings. And we're just gonna whitelist this, but in case you want to do a series of potential prefixes that are in front of it, that would wildcard it. So we're just gonna whitelist this in general, and it says, do you want to add a description? Yep, MS telemetry.
I think that's how you spell telemetry. And now we've whitelisted this, and when it does the reload, it will be in here now. So you may need to flush your browser cache. Yeah, and this is one thing too: once it's been sinkholed, sometimes it may get stuck in the browser for doing it. And if we wanted to undo it real quickly, we could go right here and trash that. So there are options to go back and fix it if you need to. Now, if you wanted to go back and see that whitelist later, not just in the alerts, you go over here to DNSBL. I'll scroll down here. DNSBL Whitelist. And you can see somewhere within here, hey, look, there it is for MS telemetry. So there is where you can edit the whitelist from the raw, so to speak. And no regex allowed. This lets you put things in here for the whitelisting so you can do custom here.

All right, now let's see what happens when we open up a browser. Because, like I said, the report looks kind of boring. So let's open up the browser real quick and see what happens when we go to some news site, for example. All right, we go to news.google.com. Surely that will take us somewhere. Of course, launches into New Jersey building second floor. Oh, that's a sad story. Why do I have to pick that one? But I bet there was some ad tracking that just occurred. That's what really was important about that. So let's go ahead and update this. Oh man, look at all the things that just tried to pop up right there. So here's just by opening up news at Google and then that other link we clicked, we can see right away there's a lot going on here. And then we can dive over here to the stats and see, oh man, look at all the things, the CDNs and Bing and all the stuff that got tracked on there. So you can see pretty quickly these alerts will fill up.
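Two things from the video are worth seeing in code: the DNSBL feeds are just text files (hosts-style or one domain per line), and a whitelist entry can be exact or a wildcard covering every subdomain. The following is an added example, not code from the video or from the pfBlockerNG project. The feed contents, the whitelist syntax (a leading `.` marks a wildcard) and the CSV-free hosts format are constructed for the example; the sinkhole address 10.10.10.1 is the wizard default shown in the video, and the output lines use standard Unbound `local-zone`/`local-data` directives rather than reproducing the exact file pfBlockerNG writes.

```python
from __future__ import annotations
import re

# Validation patterns (example assumptions, not pfBlockerNG's own checks)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample feed in hosts format: "<sinkhole ip> <domain>"
HOSTS_FEED = """\
# hosts-style feed (constructed sample)
0.0.0.0 ads.example-tracker.test
0.0.0.0 settings-win.data.example.test   # vendor telemetry
127.0.0.1 localhost
"""

# Constructed sample feed with one domain per line
DOMAIN_FEED = """\
; plain domain list (constructed sample)
cdn.badstuff.test
ads.example-tracker.test
api.trusted-vendor.test
not a valid entry
"""

# Constructed whitelist: an exact name, and a wildcard (leading '.')
# that covers the name itself plus every subdomain, mirroring the two
# choices offered when whitelisting from the alerts tab.
WHITELIST = """\
settings-win.data.example.test  # MS telemetry
.trusted-vendor.test            # wildcard: vendor and all subdomains
"""


def _strip_comment(line: str) -> str:
    """Drop '#' / ';' comments and surrounding whitespace."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def parse_feed(text: str) -> set[str]:
    """Return the valid domains from a hosts-format or plain-list feed."""
    domains = set()
    for raw in text.splitlines():
        parts = _strip_comment(raw).lower().split()
        if len(parts) == 2 and IPV4_RE.match(parts[0]):
            candidate = parts[1]          # hosts format: "<ip> <domain>"
        elif len(parts) == 1:
            candidate = parts[0]          # plain list: "<domain>"
        else:
            continue                      # blank, comment-only or malformed
        if candidate in LOCAL_NAMES or not DOMAIN_RE.match(candidate):
            continue                      # never sinkhole localhost or junk
        domains.add(candidate)
    return domains


def parse_whitelist(text: str) -> tuple[set[str], set[str]]:
    """Split whitelist text into exact names and wildcard suffixes."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        entry = _strip_comment(raw).lower()
        if not entry:
            continue
        (wildcard if entry.startswith(".") else exact).add(entry.lstrip("."))
    return exact, wildcard


def is_whitelisted(domain: str, exact: set[str], wildcard: set[str]) -> bool:
    """Exact entries match one name; wildcard entries match name + subdomains."""
    if domain in exact:
        return True
    return any(domain == w or domain.endswith("." + w) for w in wildcard)


def build_blocklist(feeds: list[str], whitelist_text: str) -> list[str]:
    """Merge and de-duplicate the feeds, then drop whitelisted names."""
    merged = set().union(*(parse_feed(f) for f in feeds))
    exact, wildcard = parse_whitelist(whitelist_text)
    return sorted(d for d in merged if not is_whitelisted(d, exact, wildcard))


def unbound_sinkhole_config(domains: list[str], vip: str = "10.10.10.1") -> list[str]:
    """Emit Unbound lines answering each blocked name with the sinkhole VIP."""
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {vip}"')
    return lines


if __name__ == "__main__":
    blocked = build_blocklist([HOSTS_FEED, DOMAIN_FEED], WHITELIST)
    print("\n".join(unbound_sinkhole_config(blocked)))
```

Running it prints the sinkhole entries for the two domains that survive the whitelist; the telemetry host is removed by the exact entry and `api.trusted-vendor.test` by the wildcard, while the `localhost` line and the malformed line in the feeds are ignored, which is the kind of sanity check worth having before a list of unknown quality goes into a resolver.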
Now, the last thing I'm gonna cover is, cause the question comes up of, do I need to build a really fast, beefy machine to run this, or will my network choke if I don't have a super fast EPYC or AMD Threadripper on my pfSense here, or some Xeon with 64 gigs of RAM? Is this thing a system hog? No. That's the last thing I wanna cover here, is my own pfSense. So we're gonna go ahead and drag it over here. So here's my system, an SG-1100. And you can see that I'm running the latest release here, and I'm using all of 24% of my memory to run this. And it's got pfBlockerNG installed. So let's actually show you what happens when you run it at home. Obviously this, you can see, I do have some things open on my home system. And yeah, we've got some blocking going on here. Plenty of things being stopped, and things that have been malicious and stuff like that. So let's go over here and actually look at the stats. And I may have to blur some things out here, but let's look at the reports. And we'll go over here to the stats page here. Well, DNSBL stats. And between my kids and my wife using Instagram, we see that, well, graphs on Instagram. Some of that tracking's been blocked. Some of the other stuff's been blocked. So wherever all this is, I know what data.flurry.com is, settings win data. Oh, look, Windows machines calling out, because the gaming systems are running Windows. But you get the idea. So it works perfectly fine even on an SG-1100. They seem to have done a lot of coding to make this a very efficient project. And I haven't really had any issues at all running my SG-1100 at home. This is one of the reasons I've talked about recommending the SG-1100. This is a lot of times what people wanna do, and for a pretty inexpensive box it doesn't seem to have any problems handling it. I don't have any problems playing any games.
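The alerts and stats pages shown above boil down to counting sinkholed lookups per domain and per client, and the one pattern worth pulling out of that pile first is a client that keeps resolving the same blocked name on a timer, which is what an established connection to a newly listed server (the Kill States discussion earlier) would look like from the DNS side. This is an added example, not code from the video or from pfBlockerNG. The log lines are constructed in a simple comma-separated shape (timestamp, client IP, domain, feed) assumed for the example; it is not the real pfBlockerNG log format.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alert lines: timestamp,client_ip,domain,feed
# (assumed layout for this example, not the real DNSBL log format)
SAMPLE_ALERTS = """\
2024-01-01T10:00:01,192.168.4.120,settings-win.data.example.test,Telemetry
2024-01-01T10:00:05,192.168.4.120,ads.example-tracker.test,EasyPrivacy
2024-01-01T10:00:06,192.168.4.120,cdn.badstuff.test,Malware_Domains
2024-01-01T10:01:06,192.168.4.120,cdn.badstuff.test,Malware_Domains
2024-01-01T10:02:06,192.168.4.120,cdn.badstuff.test,Malware_Domains
2024-01-01T10:03:00,192.168.4.121,ads.example-tracker.test,EasyPrivacy
this line is malformed and should be skipped
"""


def parse_alerts(text: str) -> list[dict]:
    """Parse alert lines, skipping anything that is not four fields
    with an ISO-8601 timestamp."""
    records = []
    for raw in text.splitlines():
        parts = raw.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append({"ts": ts, "client": parts[1], "domain": parts[2], "feed": parts[3]})
    return records


def top_domains(records: list[dict], n: int = 5) -> list[tuple[str, int]]:
    """Most frequently sinkholed names, as on the stats page."""
    return Counter(r["domain"] for r in records).most_common(n)


def hits_per_client(records: list[dict]) -> dict[str, int]:
    """Blocked lookups per internal client address."""
    return dict(Counter(r["client"] for r in records))


def beacon_candidates(records: list[dict], min_hits: int = 3,
                      max_jitter: float = 5.0) -> list[tuple[str, str, int, float]]:
    """Flag (client, domain) pairs hit at least min_hits times at a
    near-constant interval. Returns (client, domain, hits, mean_gap_seconds).
    A browser tab stuck on a sinkholed page produces irregular retries; a
    timer-driven process produces evenly spaced ones, so that is what gets
    reviewed first rather than whitelisted."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["domain"])].append(r["ts"])
    found = []
    for (client, domain), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            found.append((client, domain, len(stamps), sum(gaps) / len(gaps)))
    return found


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    print("top domains:", top_domains(recs, 3))
    print("hits per client:", hits_per_client(recs))
    for client, domain, hits, gap in beacon_candidates(recs):
        print(f"review: {client} -> {domain} ({hits} hits, every {gap:.0f}s)")
```

On the sample data the telemetry and ad-tracker hits are the one-off noise the video shows filling the alerts page, while the client that resolves `cdn.badstuff.test` once a minute is the entry that should be investigated on the host before anyone reaches for the whitelist button.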
But occasionally, and you're gonna run into some of the games, you may run into things you have to whitelist and not break things, because they may require some of the servers that were on the blacklist. So some fine tuning, and using that little, going through the alerts and whitelisting things as needed, may be necessary. But all of this gives you a good idea of the whole pfBlockerNG system. And as I said at the beginning, if you can contribute and donate to the project, that'd be great. It's a wonderful tool, definitely a good add-on to pfSense, one of my favorites for being able to, you know, block things coming inbound and block certain things going outbound that you may not want, or sinkholing things via DNS. So if you wanna dive deeper, have some developer questions and things like that, head over to their Reddit. You can also participate in the pfBlockerNG forums over at Netgate as well. Those are both very, for the more deep and technical things. I mean, I cover a lot in my forums, but if you wanna talk to the developer directly, maybe you can; BBcan177 is very active in those forums and does reply to a lot of it. So if you have suggestions or product update ideas, that would be the place to go and post that.

All right, and thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you wanna carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free.
Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.