So let's talk about website filtering with pfSense and pfBlockerNG. Now I've done a previous video on pfBlockerNG, but it focused on the blocking side, as in: if you open ports, you only want certain websites or certain people to be able to get to those ports, and you block out lots of other things banging away at the ports. An example of this would be you open up, let's say, SSH, and you don't want everyone to join SSH in, so you can use the pfBlockerNG list to stop some of the list of people; that's blocking from the outside in. There's another use for pfBlockerNG, and I don't think I really touched on it in that video, but I'll link to that previous video, and this video is more focused on filtering content and filtering via DNS on the outgoing side. So for the people behind the firewall, making sure that they don't go to websites they shouldn't go to, blacklisting websites and setting up the controls for that. Now I've done a video before on this with DNSthingy, which is kind of cool because it's a nice turnkey solution with a paid subscription that will allow you to block on a computer-by-computer basis. There are other companies out there that do things like this; DNSthingy happens to have integration with pfSense, and I covered it; it's a pretty neat service. Now the lists I'm going to share with you are a lot of open lists I have up here in the tabs, and we'll be covering those; the links will all be in the description below. And that is one thing about the paid versus the non-paid ones: a lot of times what you're actually paying for isn't just something where you can say "why can't you do the same thing over here for free?" You're paying for these updated lists. The blocking is only as good as those lists are maintained, and when those lists are being maintained on a paid service versus a free service, you may have some discrepancies.
Now that being said, you can customize, and you can decide to maintain your own lists if you want, and all of this is pretty open, and we're just going to talk about how this is all done. So let's get started. Now the first thing I wanted to quickly address: everyone says, "Tom, why not SquidGuard? Why are you doing it with DNS?" The reason for DNS filtering is this part right here, and you can Google this; it's actually a top result for setting up SquidGuard with man-in-the-middle, and this is the part everyone gets stuck on, and it's a pain, and it doesn't work with my phone, it doesn't work with IoT devices. It's the man-in-the-middle interception. When you're trying to actually filter at the URL level, most sites, well, I can't say most, but a lot of sites have moved to SSL, which is encrypted. So if it's encrypted, Squid can't play man in the middle and filter the websites based on some contextual information you put in there. That being said, you have to install and create a trusted certificate for each computer to trust the pfSense so they can do that, and yes, you can do that, and no, I'm not going to make a tutorial on it, because I don't do that, because it breaks too many things. And if you're curious, I will leave a link to this, the draft for the new TLS 1.3 and the problem it creates: because of the way they're doing the security, it breaks even with man in the middle, because the goal in some of the function changes from TLS 1.2 to 1.3 is better security between your computer and whichever computer or server it's trying to talk to; because of that, man in the middle becomes an even bigger problem.
So I'm not a big fan of having to man-in-the-middle, and it's all certificates. They do it a lot in corporate networks, and a lot of the corporate antivirus or filtering boxes that do all this do those functions, but it can cause a lot of trouble and it can be a lot more to maintain. DNS filtering is much easier to maintain at this time here in 2018; it filters the DNS. Now we're going to talk about how to set this up and how to get it going, and it's not that hard to do, and like I said, it's my preferred method for doing it. Let's start with pfSense. We've got our lab box here all set up and configured, and I'm going to jump over first to the firewall rules, because I made two rules that are important to this. So if you're someone running this for a small business or a school, we want pfSense to be the default DNS server, or an internal server you're using; if you're on a Windows domain, it has to be the default DNS server. You don't want external DNS servers to be used; that's the important part. So we're going to go here to Rules, the LAN rules; apply this to whichever LANs this is important for. Now, rules go in order from top down.
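The top-down, first-match behaviour just mentioned is the whole trick behind the two DNS rules this video builds (allow UDP/53 to LAN net, then block UDP/53 to anywhere) and the single-host bypass added near the end. The following is an added example, not pfSense code or anything from the video, that models those rules as data and evaluates sample packets against them; the LAN subnet 192.168.40.0/24 and the admin host 192.168.40.101 are constructed (the video only shows the trailing ".40.101"), and the stock "Default allow LAN to any" rule is included beneath them as pfSense ships it.

```python
"""Added example (not pfSense code): first-match evaluation of the LAN DNS
rules described in the video. pfSense evaluates interface rules top-down,
the first matching rule decides, and traffic matching no rule is blocked.
Subnets and hosts below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed LAN subnet; the video only shows the host ending in ".40.101".
LAN_NET = ip_network("192.168.40.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "udp", "tcp" or "any"; the video's rules are UDP only
    src: IPv4Network            # source network
    dst: Optional[IPv4Network]  # destination network, None means "any"
    dport: Optional[int]        # destination port, None means "any"
    desc: str


def matches(rule: Rule, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    if rule.proto not in ("any", proto) or src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the rule list top-down; the first match wins. No match = implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, proto, s, d, dport):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# The two rules from the video, with pfSense's stock default LAN rule beneath them.
ALLOW_DNS_TO_LAN = Rule("pass", "udp", LAN_NET, LAN_NET, 53, "Allow DNS to LAN net (pfSense resolver)")
BLOCK_OTHER_DNS = Rule("block", "udp", LAN_NET, None, 53, "Block DNS to any other server")
DEFAULT_LAN_ANY = Rule("pass", "any", LAN_NET, None, None, "Default allow LAN to any rule")
BASE_RULES = [ALLOW_DNS_TO_LAN, BLOCK_OTHER_DNS, DEFAULT_LAN_ANY]

# The single-host bypass from the end of the video: a pass rule inserted ABOVE the block.
BYPASS_HOST = Rule("pass", "udp", ip_network("192.168.40.101/32"), None, 53,
                   "Allow external DNS for one admin host (constructed address)")
WITH_BYPASS = [ALLOW_DNS_TO_LAN, BYPASS_HOST, BLOCK_OTHER_DNS, DEFAULT_LAN_ANY]

# The same bypass placed BELOW the block rule never gets a chance to match.
MISORDERED = [ALLOW_DNS_TO_LAN, BLOCK_OTHER_DNS, BYPASS_HOST, DEFAULT_LAN_ANY]


if __name__ == "__main__":
    samples = (("192.168.40.50", "192.168.40.1"), ("192.168.40.50", "8.8.8.8"),
               ("192.168.40.101", "8.8.8.8"))
    for name, rules in (("base", BASE_RULES), ("bypass", WITH_BYPASS), ("misordered", MISORDERED)):
        for src, dst in samples:
            print(f"{name:10} {src} -> {dst} udp/53: {evaluate(rules, 'udp', src, dst, 53)}")
```

Two things the evaluator makes visible: the bypass only works because it sits above the block rule (the `MISORDERED` list shows the same rule doing nothing underneath it), and, exactly as built in the video, the rules match UDP only, so a TCP/53 lookup falls through to the default allow rule; clone both rules for TCP if you want that path closed as well.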
So we're going to look at this LAN net rule that says, and I'll go ahead and edit it: pass traffic from LAN, IPv4 traffic, protocol UDP, source wherever it is in your LAN, destination LAN net, which covers servers within your LANs (we're not blocking them), port 53, DNS, and this is allow, and we're saying any. This is basically "allow port 53 requests via UDP to LAN net as a destination," which includes the pfSense box because it's in the LAN. Then the next rule is: if it doesn't match LAN net, block it. So that's this rule: action block, interface LAN, IPv4, UDP, so the same rule essentially, source LAN (if it comes from the LAN), destination anywhere. Now if it matches the first rule, that's it, it stops, it passed; but if you try to use a DNS server outside of the LAN it's going to fail. So if they try to use another public DNS server it's going to fail. Now the one sort of exception to this, just so you know, is Android, and I don't know if it's just Google Chrome, but Google Chrome does proxy its own DNS, so it doesn't really work as well, I believe, for some of the ad blocking inside of Chrome on Android, because it's proxying DNS over their own Google protocols (well, they're using open protocols, but Google's doing that). Someone asked that before; I just wanted to throw that out there, that could be an issue for you. But inside of the different apps, if the phone is on the LAN and you have this enabled, it will block things inside of them, malware sites and stuff like that, so things that the apps themselves may be going out to can be blocked. Just a little side note there. But because you're not installing any certificates, all of the other devices, if they try to use any external DNS, tablets or other laptops or computers, they're not going to be able to with that rule. So let's get started here on installing the package. pfBlockerNG is real simple to install; it installs just like any other package. All right, so the
package is installed. It does take a while, so depending on the speed of your machine this can take a little while to install, because it is a pretty good size package and has a few dependencies it loads with it. Once it's installed, we're going to go here to Firewall > pfBlockerNG. We're going to go ahead and enable it and hit Save; I'm going to leave everything at default. Now from here you can go watch my other tutorials I mentioned before on all the other features you can see up here; we're focusing specifically on using it for the DNSBL blocking, so this is the focus right here. Now we're going to go ahead and turn this on: Enable DNSBL. We're not going to worry about this feature here. This is something important: the DNSBL virtual IP. So the way the domain name service blocking works is it's going to redirect a domain that has an ad server, or whatever you're trying to block, to whatever IP address you put in here; it's going to run its own special web server. But if you happen to be here in the US, this is the default IP address of Comcast routers, so that may or may not work for you. To do that, you want this to be an IP outside of your normal range; adjust this accordingly. Some Comcast routers, I think, well, they're 10.1.10.1, but make sure this isn't in a range that you've chosen; that's the most important part. So double check that, try to ping it before you turn it on, because it's going to create a web server there and it just forces everything there. Now, so we're going to enable, leave this at default because that works perfectly fine, leave this here, leave all these things at default, no problems here, and this, well, we'll just leave that at default. Now we only have one LAN on this; if you have multiple, like I do on my main system, you check this and it can create rules. Let me drag a window over here. It'll allow you to create rules for all the different LANs that you have, so if that's an issue for you, you can check that and it'll create the rules; it just creates more floating rules.
So all this is done and we're gonna hit Save. All right, now we've set this up, we've saved it, we've turned it on, and it's going to be using the default DNS server inside of pfSense here. Now comes the fun part: we have to feed this information to tell it what to block. By default all the boxes block nothing; they do build in the EasyList if you wanted to turn these on, so this is an option in here. We're going to focus on loading the Pi-hole ones, because I have that list, it's easy to do, and we're talking about doing something custom here. So we just slide this over here, and I'll leave a link to this; these are the ones on the Pi-hole, and there's Steven Black's list. Now this is the more extensive list, and let me just shuffle things around over here; this is the more extensive list where you have a lot of them, for example to block gambling, porn, social, fake news. But remember, when you're doing this you're choosing these lists maintained by, well, Steve, so I'll leave a link to this as well. So this will get you, like if you want to block all the social sites and things like that; I'll show you what that looks like. It's actually just a raw file to block all the sites. But we're just going to start with just the Pi-hole ones to keep it simple and easy to do. So here's the list of them here, and we can just go and paste them in. So here are some malware domains. We're gonna go over here to our pfSense box, we're gonna add, and I'm gonna call this group, first you give it a group name: Pi-hole list, no spaces allowed. You can put in a description: the list of sites from Pi-hole. And if you're not familiar with the Pi-hole project, it's the concept to run this on a small server in your house, perhaps even a Raspberry Pi. I've set this up and tested it; it works well. I'm doing this demo on pfSense, but you can separately run an outside server running the Pi-hole software. That's a tutorial I might do in the future because it's kind of a fun little project. I've set it up, I've tested it at home, it works, it gives
a cool dashboard for all this. I will do that in a future video, but today we're covering this. So we paste the source in here; it needs a label, so this label is the malware blocks. So there's our malware one, and we're gonna add a few of them. So we'll go to where we got the malware block. I'm not sure what these ones are; the CAMELEON hosts looks like more advertising domains, we'll throw them in there. I would put the same label on it; you don't have to, I just, for labeling purposes, want to call it the same thing. Go to the next one, the ZeuS Tracker, and if you're not familiar with ZeuS Tracker, it's another list of different fake, bad URLs for things, and they've got a whole way it works; you can look some of these up, and they tell you how they come up with some of these lists. These are pretty much all open source lists that they have in here. This is a cool one, this is the tracking ones, so we'll do this, add. All right, now let's go get the next one. Here's the big one, the ad list, and there's another one from hosts-file.net, so we'll throw that one in there too. Now, list action: Unbound. What that means is enable domain name blocking for this alias, so you want to make sure you've done this. Update frequency: don't beat up these servers. If you really think you need more, go ahead, but I'm saying maybe once a day, every 12 hours should be pretty good. If you feel it isn't, and it's easy to be more aggressive, go ahead and do that, but you are pulling data from all these servers; your system's going out and grabbing all these at whatever the definition you have here is. So we'll go ahead and save. But you're probably thinking, "Tom, I don't want to wait 12 hours to get this list updated." Oh, no problem, go over here to Update and we're going to force run this, and it's downloading all the lists and away we go. Now it tells you the time remaining, next scheduled event, so time remaining; then this is it creates a cron job automatically, so it tells you the frequency and the next
time update based on the rules that you set here for update frequencies in the feed. So here's our Pi-hole list; if we want to edit it again, here are the sites we had in here. We can add, remove them, turn them on or off, or delete them, back out of this list. So all that's pretty straightforward. Now let's talk about the effectiveness of this. So let's pull up a list in here; so here are all the ads that are being blocked. Let's find one, just a simple one, and we should see if it works. Okay, I have my system set to this, and what it's doing here is it just changes to a pixel. This is not actually the site there. So what happens is, this site, because we're using the DNS and refiltering it, it redirected this site to an internal single pixel. If you can see the one by one, you can see that it's, I believe we can inspect it here, there we go, it is now essentially blocked. It's just a single pixel that's being pulled in here for adspeed.net, and this is what pfBlockerNG is doing: it created that server, it created it at 10.10.10.1, and now we just get a one-by-one pixel. That means when we go to different websites we'll end up with that one pixel being put in place of whatever ad they were gonna serve up. So let's go over here; I have my Windows machine, and you can kind of see some of this in action, and we'll zoom in here. When we clear this, there we go; sometimes I forget I'm not in Linux, jumping back and forth to Windows; we'll zoom in to make it easier to see. We're doing an nslookup, whoops, all right, by default it wants to go to our pfSense lab domain. So we look up, and we'll just use that same one, you know, adspeed.net, and you can see it resolves to 10.10.10.1, simple as that. Now the other thing you can't do here: so we specify server 8.8.8.8, we recognize that it's the Google public DNS server, but if we try to do that same thing, it's not allowed to talk to it because of the rule we put in. So now this system has that site blocked. Now let's
go a step further and talk about blocking something like social networks. So if we go over here, and maybe you want to block gambling, porn and social, seems reasonable enough; well, this is where we come to Steve's custom lists, and I'm feeling positive the big names are in here, and pornhub.com, yeah, pornhub is definitely in this list. So let's add this list to our server. We can add it to the Pi-hole list, or we can create it on its own, so we'll just call this the porn blocks, and I guess we'll block, right, porn blocking, blocking some porn. There's our source, Steve's porn list, so you know what it is; it's actually porn and gambling, so I guess it should be the porn gambling list. All right, list action: Unbound, same as before; update frequency, 12 hours is probably fine; save. All right, so now we have the porn list in here; it's blocked, but it hasn't updated yet, 12 hours hasn't occurred. So we're gonna go over here to Update; it's got nine minutes; I don't feel like waiting nine minutes, I'm gonna force now, or just force the update. It'll realize some of the other ones already exist after it runs through them, and they may not change. So it's going through and assembling that database, reloading Unbound. All right, so everything's up to date. Now let's go over here, just go to a standard nslookup; we already know other domain servers are blocked. Make sure it's nslookup; it is, we can do that, and pornhub.com is just a single pixel. So if we try to actually open the domain itself, back to the one-by-one pixel, that's that dot right there. So the site is blocked, and as simple as that; it's really a straightforward system to use. It can block lots of things on your network. The thing you're kind of missing with this is granular controls; not as easy, it's blocking it at the DNS level for everything on a network. One way around it: maybe you want to block social and gambling and porn from everyone but yourself on the network. One of the ways around it was you could create a pass rule in the firewall so you
can use an external DNS server, but everybody else and everything else has to use this DNS server. So that is kind of one way to do it, and let me jump over here to the rules, LAN. You just add a rule above this to say allow DNS from this IP to anywhere, so before it hits this rule you'd add one rule above it. And let's just go ahead and make one: so we duplicate this, look up the IP address of this machine real quick, so this is 40.101, 40.101, destination any. So if it comes from here it can go out to DNS; apply changes. But if it's not coming from here, go ahead and block it. That's a way you could say "I want to be able to use an external DNS server because I don't want to be falling under these filter rules." Like I said, compared to DNSthingy, where you get more granular control on the list of the computers and things that are being done, this is less granular, but pretty cool and definitely gets the job done. We've used this for some of our clients, just general filtering for the whole site, because most of the time companies want company-wide filtering. You should be blocking a lot of the malware sites in general; that's a great thing to do, because there's no one who really wants a filter rule saying "well, let me have some malware on my computer." But hopefully this tutorial was helpful for getting you started with pfBlockerNG and specifically the DNS blacklisting, the Pi-hole lists and blocked domains. It works really well; it really is a smooth-sailing system once you get it set up, and it provides that filtering without breaking SSL, the man-in-the-middle problem that I was harping on at the beginning, and things like that as well. Like I said, hopefully this was helpful; if it was, like, subscribe, and if this is a helpful thing for you or you have questions, leave them below, leave a comment, or join our forums and we can go ahead and do that. Oh, in case you're wondering, it was pulling up here, if you're wondering where it does this: it does "server:include: /var/unbound/pfb_dnsbl.*conf". This is in the DNS
Resolver, so go into Services > DNS Resolver, the default resolver. And just so you kind of know the back end of how this works, it pulls and adds all the config files just with an include file, to append to any settings you already have in the DNS Resolver. I thought I'd mention that. All right, that's it; have fun setting this up and blocking things and all that fun stuff. Thanks.
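To make the back end just described concrete, here is an added example (not pfBlockerNG's code, and not from the video) of what a DNSBL feed turns into once it reaches Unbound, plus the virtual-IP sanity check the video asks you to do by hand. The two feeds are constructed samples, one in the hosts format the Pi-hole lists use and one as a plain domain-per-line list like the category lists; the Unbound `local-zone`/`local-data` directives are standard Unbound syntax, and it is an assumption that pfBlockerNG's own generated file looks like this rather than a statement about its exact format. The VIP 10.10.10.1 is the value shown in the video; the LAN subnets are made up.

```python
"""Added example (not pfBlockerNG's code): turn DNSBL feeds into Unbound
redirect entries that answer blocked names with the DNSBL virtual IP, and
check that the VIP does not collide with a real local subnet.
All feed contents and subnets below are constructed for illustration."""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List

HOSTS_FEED = """# constructed sample in hosts format (the shape of the Pi-hole feeds)
127.0.0.1 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # trailing comment
0.0.0.0 ADS.EXAMPLE
::1 localhost ip6-localhost
"""

DOMAIN_FEED = """# constructed sample, one domain per line (the shape of a category list)
gambling.example
social.example
this is not a domain
"""

# Names present in every hosts file that must never become blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# Conservative hostname syntax: labels of letters/digits/hyphens, at least one dot.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$")


def parse_feed(text: str) -> List[str]:
    """Extract block candidates from hosts format or a plain domain list.
    Comments are stripped, names lower-cased, loopback names and junk dropped."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        try:                        # hosts format: "<ip> <name> [<name> ...]"
            ip_address(parts[0])
            names = parts[1:]
        except ValueError:          # otherwise every token is a domain candidate
            names = parts
        found.extend(n for n in names if n not in LOCAL_NAMES and DOMAIN_RE.match(n))
    return found


def build_unbound_conf(domains: Iterable[str], vip: str, whitelist: Iterable[str] = ()) -> str:
    """Answer every blocked name (and, via the redirect zone, its subdomains) with the VIP."""
    skip = set(whitelist)
    lines = []
    for d in sorted(set(domains) - skip):       # dedupe and keep a stable order
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {vip}"')
    return "\n".join(lines) + "\n"


def vip_is_safe(vip: str, lan_subnets: Iterable[str]) -> bool:
    """The VIP hosts the one-pixel web server, so it must not sit inside any real subnet."""
    v = ip_address(vip)
    return not any(v in ip_network(n) for n in lan_subnets)


if __name__ == "__main__":
    domains = parse_feed(HOSTS_FEED) + parse_feed(DOMAIN_FEED)
    print(build_unbound_conf(domains, "10.10.10.1", whitelist={"social.example"}))
    print("VIP ok:", vip_is_safe("10.10.10.1", ["192.168.40.0/24", "10.1.10.0/24"]))
```

The whitelist parameter is the place to carve out a domain a feed catches by mistake, which is the same "you're trusting whoever maintains the list" caveat the video raises; the `vip_is_safe` check is the scripted form of "make sure this isn't in a range you've chosen" and is worth running against every subnet the firewall routes, not just the one LAN.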