Tom here from Lawrence Systems, and a question comes up quite a bit: what should I be blocking in pfBlockerNG, and specifically, how should I defend my firewall against threat actors? There's not an easy answer for this. There's not a "just click this button" answer, but I want to go through some of the common things you should probably be blocking, and we're going to keep this narrowed in scope to protecting a pfSense firewall that has inbound ports open. The default settings for pfSense, unless you modify them (if you just "next" and "yes" your way through a default setup), block all incoming things. But as you may want to run services on your firewall, or run services behind your firewall, it's probably important that you block certain things. There's no silver bullet; this is all a cat and mouse game. There are lots of lists out there, but these lists are often developed because someone found a threat, that is, the IP address was attacking somewhere. So there's no guarantee that you won't be the first person to be attacked before some threat researcher updates a list, but this is a pretty good way to reduce the amount of noise that comes to your firewall when you have ports open. Now, I'm going to show some general lists that I have here, but there could be a future beyond October 2022 where there are different lists, so I want to talk about this as a methodology as well. This list is what's available today.
There may be something available in the future, but I want to make this video a little bit future-proof by showing you some of the thought process for how the process is done, how you can look at these things, and some of the things you might want to avoid. Now, pfBlockerNG I've got plenty of videos on; I'll leave a link down below about getting it set up and configured. This has nothing to do with tracking or ad blocking. We're talking specifically about threats coming in, or knowing how your system is beaconing out, or a system on your network that may be beaconing out: how to log those firewall rules, how to look that up, and why that's so important. Now, this is a relatively default setup. We're going to show you what changes I made to it. So if you just went through the wizard and you wondered what settings to change after the wizard runs and gets it going, these are the settings I did change. Download failure threshold is normally set to no limit. I set it so it will eventually fail, and "Clear the widget failed downloads" to reset. This is something where, if it fails too many times, I don't want it to keep trying forever; I will investigate and look at those failed downloads. Hopefully you don't have any, but sometimes lists go away, and you don't want it just having an error constantly and taking longer to reload. It's something you should address and fix. We'll show you how you see which lists are working and which ones are not. Going over here to IP de-duplication: that's enabled. CIDR aggregation: this is going to aggregate things.
So there are fewer blocks that are all separate; it puts them into larger blocks if possible. By doing aggregation you're having fewer rules, grouped in terms of using an entire CIDR block that you may want to block. It is a processor-intensive process when it does this, so if you have a really slow system that's running pfSense you may have a problem with this, but it should be fine on most modern systems. Suppression, that's default. Force global IP logging, placeholder IP address: all those are defaults. I do not have the MaxMind key in here. I do recommend you put this in if you want to use any of the geo blocking and understand some of those IP addresses. Now, we have block on the WAN and reject on the LAN. That's fine, because we want to log these rules for the rejection. In the past I've used the floating rules to consolidate them under one spot; I'm fine putting them under each individual interface. You'll see why when we talk about some of the ways you can log it, but either way it works, as you can log it two different ways, and I'm fine leaving that off right now. This is left at the default format, and right here the kill states I do have enabled: when enabled, after a cron job event or any force command, any blocked IPs found in a firewall state will be cleared. Now, this is one of those things that, the way firewall states work, if a state is connected and there's an established connection and you make a rule, the rules will not break the established states by default unless you check the kill states button. That way, if something gets added to the IP list, it'll suddenly get logged; if not, that state will remain until it expires, but a new one can't be created. It's just important to think about that. Now let's go over here to the feeds and show you how the feeds work. This is a little bit tedious when you're setting up the feeds. The default feeds that it has in here are the PRI1 feeds. These are the ones that are very reputable.
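To make the IP de-duplication and CIDR aggregation options described above concrete, here is an added example (my own code, not part of the video and not pfBlockerNG's implementation) that takes two constructed, deliberately overlapping feeds, drops exact duplicates, and collapses adjacent and nested networks into the smallest set of table entries. The feed contents, and the use of Python's `ipaddress.collapse_addresses`, are assumptions for illustration; pfBlockerNG's own aggregation logic may differ in detail.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feeds (not real threat data). They deliberately overlap:
# FEED_B has a host inside FEED_A's /24, FEED_A has hosts inside FEED_B's /30,
# FEED_A repeats one host, and FEED_B has two /25s that together form one /24.
FEED_A = """
# example feed A (constructed)
203.0.113.0/24
198.51.100.5
198.51.100.6
198.51.100.6
"""

FEED_B = """
# example feed B (constructed)
203.0.113.45
198.51.100.4/30
192.0.2.0/25
192.0.2.128/25
not-an-address
"""


def parse_feed(text: str) -> List[IPNetwork]:
    """Turn one downloaded feed into network objects.

    Bare addresses become /32 (or /128) networks; comments, blank lines and
    malformed entries are skipped so one bad line does not fail the feed.
    """
    nets: List[IPNetwork] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def aggregate(feeds: Iterable[str]) -> Dict[str, object]:
    """De-duplicate and CIDR-aggregate entries from several feeds.

    Exact duplicates collapse via the set; collapse_addresses() then merges
    adjacent and nested networks (192.0.2.0/25 + 192.0.2.128/25 -> /24, and
    hosts already covered by a wider block are dropped). IPv4 and IPv6 are
    collapsed separately because the helper refuses mixed versions.
    """
    all_nets = [n for feed in feeds for n in parse_feed(feed)]
    unique = set(all_nets)
    v4 = [n for n in unique if n.version == 4]
    v6 = [n for n in unique if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return {
        "raw": len(all_nets),
        "unique": len(unique),
        "aggregated": len(collapsed),
        "networks": [str(n) for n in collapsed],
    }


def is_blocked(networks: Iterable[str], ip: str) -> bool:
    """Check whether an address falls inside any aggregated block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    result = aggregate([FEED_A, FEED_B])
    print(f"{result['raw']} raw entries -> {result['unique']} unique -> {result['aggregated']} table entries")
    for net in result["networks"]:
        print("  ", net)
    print("198.51.100.5 blocked:", is_blocked(result["networks"], "198.51.100.5"))
```

Run it and the eight raw entries become three table entries. The `is_blocked` check is the same test you would do by hand when a host is unexpectedly blocked: find which wider block swallowed it, because after aggregation the entry you see in the table is often not the entry that was in the feed.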
It says it right here in the collections. This is the only one that's enabled by default, and it's enabled by default because you don't want too many false positives. It does warn you: do not enable all the feeds at once. This is a common mistake people seem to make, going "well, if they're on a threat list I want to protect against them," and they immediately regret that because they find out it kind of breaks the internet; you have lots of things that just don't work. There are tons of false positives. You have to think about the source. They've done a nice job of listing the feed website and the URL it pulls from. The checkboxes allow you to change any of these if there are multiple feed options, and you can go to each of these sites, and this is the important part I want you to think about: how you go through these sites. So these are the lists that are available right now, October 2022, but hey, it may change a little bit. Most of these are very reputable sites; that's why they're listed in this PRI1, and they're good ones to do. Talos is the security company behind Snort right now. Yes, they are part of Cisco, but they do provide a free feed. Spamhaus is famous for, well, preventing spam and lots of other blocking. Pulsedive is a paid subscription, so there's a "click here to register" if you want to add more subscriptions. Internet Storm Center. Emerging Threats: this one I actually found quite good; it has a lot of bad actors' IPs listed on there. CINS Army, that one's enabled by default. All these are perfectly fine. Now, to add another one, you can choose any one of these. Let's say you want to protect against proxies, or you want to use one of the Binary Defense ones.
We're just going to go ahead and you can click the plus, and then it brings you to the feed so you can actually edit the feeds. Now, for each one you add, it brings you back here, and it's kind of a back-and-forth process when you go to the feeds. I'm not going to save that particular feed. Let's go down here, though, and show you which ones I do add in there, and that's going to be all the Tor feeds. The Tor feeds are where you're going to find a lot of problems, because as much as I like Tor for its privacy and anonymity (that's a hard word to say), the problem is that's often where people go when they want to poke at things. You spin up a VPN, then you connect to Tor over the VPN, and then you start poking at things you found on the internet. If someone has found your open port interesting, well, they may want to poke away at it. Also, Tor is a common way to get data out and exfiltrate things off of the network. So we're going to show you how these rules protect you, not just for inbound ports, but how they can be used to protect your internal devices as well. These are the ones I have, and because this is the Tor Project bulk list and the Internet Storm Center Tor list, they're pretty solid, reputable places. I mean, the Tor Project pretty much has all of them on there. Then I also have the Emerging Threats Tor and the Dan.me Tor.
Now this is where the aggregation comes in, because undoubtedly there's overlap with these lists, but the overlap is then aggregated together so it minimizes the number of rules. It says, hey, these are duplicated across these lists. Now, that still can cause a problem if you check all the lists, because it has to de-duplicate more IPs that are on the lists that cross over, but Tor is a pretty important one to protect against. Now, if you go through here, there are categories for other things on here, like StopForumSpam. Maybe you're running forums, and these are some known forum spammers that you want to go through; maybe you want to check some of those. You just hit the plus and add each of those. Once you're done adding them, before we actually run the update, which is what enacts all the changes (adding these doesn't automatically add the change; it's the update process that does it), we're going to go back over to IP, IPv4, and we want to set these settings right here. I have this set to deny both, and the default is not to deny both. This is what I think you should do, though: you want to deny both inbound and outbound rules, and deny both inbound and outbound rules here for the Tor ones I have. So here's my PRI collection, here's my Tor collection, frequency every hour. Let's go ahead and edit ones to show you what they look like as you're setting these up. Also, when you add each feed the default state is going to be off. You want to make sure that the state is set to on for each of these, so you change the state from the default to on; that way it's pulling each of these. If you want, this is where it can hold these once it downloads, so maybe you don't want them updating; that's what those other options are for, but for the most part you generally do. So here are all those different block lists. And by the way, if you're wondering what's in one of these block lists, or if you're having trouble testing them, you can actually just copy these, paste them into a browser, and see
what they are. Pretty straightforward and simple in terms of, if you want to understand how they work, pfBlockerNG automatically parses them. Now, after all these are set, we'll go ahead and look at the Tor ones real quick as well. Same thing, they're all right here. There's a failed download in here, so we'll have to look and see why that one failed, and maybe we'll have to remove that one from the list. But these are why I have those lists, and looking and investigating why something failed. So we'll go ahead and leave this one at default, but we'll look at that later. We're going to run an update again, because after you add all the rules, this is when the action takes place. Now it's going to tell me the next event is going to run at this time, so that's within three minutes, but we're just going to go ahead and run it now and see what happens. Those exist, update ended. All these seem perfectly fine, so these all worked. So let's go back and look at the one that failed and figure out if we can re-enable that one. We're going to go here, IP, IPv4, let's go ahead and edit that one. Oh, and now it worked. So it did download this time, so the error's gone. It was probably just a failed time; it downloaded. As long as it doesn't fail too many times before it stops looking at it, there's not much you have to do. You can always go back here to the update and hit view again to view the last one on here, and you can see each of the things that's on there, and through the table usage count you can see the number of table stats that are on here. This is because it de-duplicates all this and tells you each of the files that are in here. So pretty much you're all set as far as the rules go; they're really easy to do. But I want you to remember: any time you make any changes, whether it's to the DNSBL, the IP, even if you want to enable or disable any of these features, each time you have to run this. Now, if you're not wanting to update it, you can just do the reload, and the reload just says reprocess
whatever changes happen in pfBlockerNG. This is where people think they have solved the problem, and they check a box in here, but then it didn't actually update the rules in the firewall. This is the process that updates those rules. Now let's talk about the rules themselves. We go right here, and we have the rules at the top here which are blocking. So here are all those IPs; here are those IPs for Tor, so there's a pretty big list of anything inbound that hits my WAN. These rules are on top because it's a top-down process. I have ports open on the WAN, but it'll first process through: hey, do any of these IPs match? If all those IPs are skipped because none of them match, it can then go on to the next rules. This is really important, because, hey, I have this port open and I don't want anything from Tor just poking away at port 1,050 (that's actually something I was testing for Zabbix). So for each of these ports that I have open, this would stop any of those. Now, this is in my lab, so it's actually not very useful. This only matters when your WAN has a public IP address, but the concepts still apply. Now let's look at the rules inside of here. Here are my LAN rules, or my LAN 2 rules. It creates a rule set under each one, and one of the important things is its traffic is logged, because we want to know if any machines are trying to reach out to these IP addresses. Let's do a test real quick and see what the rules look like. If we go here, we'll just look at this right here: here's the relay search, so here are all the different relays that are available, and we're going to try and ping one of these relays with a machine that is behind my firewall and show you what happens. So there's the IP. Go over here; you can see this IP is 192.168.40.150. So we're going to go ahead and ping a Tor relay, and we'll just let it keep pinging. Go over here, switch back to the firewall, and let's look at the rules. If we go to Status, System Logs, Firewall: hey, there are those rules. There's that IP address that
we're pinging. We see ICMP rules; we see this rule is being tracked. Now, if you're sending this to an external log server, you can then build triggers, because this is the rule ID. I've talked about using Graylog, which I use, and you can do things to alert you that something's trying to get to Tor. How this works is you'll take a rule ID like this and go to firewall rules, and we'll show you where that rule ID is. When you look at any of these, you'll see the tracking ID right at the bottom. This is actually a field, and if you watch my Graylog video (and you can do this on other log servers as well), you parse the tracking ID and then you can build alerts to say, hey, if anything from my LAN hits this tracking ID, I should probably investigate it. Now, it doesn't mean it's not a false positive, that the Tor relay isn't something else besides a Tor relay; maybe someone's running a website on there that you're trying to get to. But these are the triggers, and they help guide you through an investigation of what's connecting to what. This same rule applies when you're looking at anything that might be on this list here. So if we see, like, this one here, 1.12.57.74. All right, let's go ahead and change that. We'll ping 1.12.57.74. So there's that IP address; it's failing. Go ahead and refresh this, and we'll say, yep, we can see it's trying to send some packets here on this tracking ID. So we do the same thing: we're going to do System Logs, Firewall, and there it is, hitting that right there. You can see the protocol's ICMP. Once again, I don't know why it's hitting that; I don't know much about this IP address or why it's on the block list. But this is how you trigger those and then start an investigation and try to figure out whether or not that should be on a block list. Now, this is also the reason you don't want to enable too many block lists, because, well, you can kind of break things and spend a lot of time chasing your tail. And that's really it for doing the
block list. It's a pretty simple process: having these in sync and holding them. The downside is false positives are going to happen, and I'm going to have to say that it's going to depend on each one of these feeds, how often they get updated or removed. I bring this up because a lot of attacks happen when someone takes over a web server, or spins up a box at some hosting company, and then they release the IP when they're done, because they're like, well, we're on the block list, let's dump this server. Then someone else gets that IP address, and no one realized that it needed to be removed from one of the said lists and feeds. So it ends up going, hey, but we're just trying to host a website to sell cookies, and we can't sell our cookies because it's on this IP address that someone else used before us, before they got shut down for doing whatever nefarious thing got them on the list in the first place. This is why this is still kind of a cat and mouse game, and all the feeds are always, as I said, reactive, because they get on these lists because they're discovered doing something. It's not like the threat actors, or someone, knows ahead of time what these lists are going to be doing. The final thing is whether or not you want to add GeoIP blocking. I've found this to be tedious if you do any type of international business, and if you're doing anything like outbound, it breaks a lot of things, because of the interdependency; things cross borders a lot. Now, there may be certain blocks that you could say, hey, I just never do business with this group of IPs, because it's pretty dedicated and focused on one particular region, so you may not have problems with it. But when you do the GeoIP, really think about whether or not it's going to affect things, and once again, log and watch all those rules so you can figure out what's hanging up and what's not working. It is really tedious with websites: if you really dig into them, you look at your Chrome browser, or whatever browser you're using, and
see all the connections a single web page may have, and how many different IP addresses are in there, you kind of get the idea of why certain page elements may fail to load. There's no silver bullet for all this, but definitely blocking those inbound things works pretty well. With those PRI lists and the Tor lists I've found very few false positives and very few problems with those particular lists. As you expand out to all the other ones in the list, well, that's where the headaches might come in, and it becomes a little bit more of a manual process. You can always go through and prune those as you find the ones that are, well, just bad or not being updated anymore. So hopefully this helps as to what to update. Also head over to reddit, r/pfBlockerNG. They have their own forums; I'll leave a link down below where you can go through. They just use reddit as their forum if you want to ask questions about it. I've suggested a lot of people go there; that's where a lot of the discussion is happening on it. And of course, if you want to reach me and talk about this, there's always my forums, forums.lawrencesystems.com. I'll see you over there, and take care. Hopefully this helps, thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the "Hire Us" button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can
have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
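The alerting idea from the firewall log section (read the pfBlockerNG rule's tracking ID, then alert whenever a LAN host hits that ID) can be prototyped before you wire it into Graylog or another log server. The following is an added example written for this page, not code from the video, from pfBlockerNG or from pfSense. The sample syslog lines are constructed to follow the pfSense filterlog CSV layout (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, the IP header fields, source, destination, then protocol-specific fields); the tracker IDs, interface names and the blocked destinations are made up, the IPv6 header layout is assumed, and 192.168.40.150 and 1.12.57.74 are the addresses used in the walkthrough.

```python
import csv
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines in pfSense's filterlog CSV layout. The first
# three are a LAN host hitting pfBlockerNG reject rules (two ICMP echo requests
# to a "Tor relay", one TCP SYN to the 1.12.57.74 address from the walkthrough);
# the last two are unrelated WAN and pass traffic that must not alert.
SAMPLE_LOG = """\
Oct 14 09:12:01 pfSense filterlog[40213]: 151,,,1770012001,igb1,match,reject,in,4,0x0,,64,23111,0,none,1,icmp,84,192.168.40.150,198.51.100.77,request,5120,1
Oct 14 09:12:02 pfSense filterlog[40213]: 151,,,1770012001,igb1,match,reject,in,4,0x0,,64,23112,0,none,1,icmp,84,192.168.40.150,198.51.100.77,request,5120,2
Oct 14 09:12:05 pfSense filterlog[40213]: 152,,,1770012002,igb1,match,reject,in,4,0x0,,63,3190,0,DF,6,tcp,60,192.168.40.22,1.12.57.74,51552,443,0,S,1588000000,,64240,,mss;sackOK;TS;nop;wscale
Oct 14 09:12:09 pfSense filterlog[40213]: 7,,,1000000901,igb0,match,block,in,4,0x0,,52,55901,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,44021,22,0,S,221000000,,29200,,mss;sackOK;TS;nop;wscale
Oct 14 09:12:11 pfSense filterlog[40213]: 90,,,1600000001,igb1,match,pass,out,4,0x0,,64,1001,0,DF,17,udp,76,192.168.40.150,192.0.2.53,50123,53,56
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.+)$")
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason", "action", "dir", "ipver"]
IPV4_HDR = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto", "length", "src", "dst"]
IPV6_HDR = ["class", "flowlabel", "hlim", "proto", "protoid", "length", "src", "dst"]  # assumed layout


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Parse one filterlog syslog line into a dict; None if it is not one."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader([m.group("csv")]))
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    header = {"4": IPV4_HDR, "6": IPV6_HDR}.get(rec.get("ipver", ""))
    if header is None or len(rest) < len(header):
        return None
    rec.update(zip(header, rest))
    extra = rest[len(header):]  # protocol-specific tail: ports for tcp/udp, type for icmp
    if rec["proto"] in ("tcp", "udp") and len(extra) >= 2:
        rec["srcport"], rec["dstport"] = extra[0], extra[1]
    elif rec["proto"] == "icmp" and extra:
        rec["icmp_type"] = extra[0]
    return rec


def find_egress_hits(lines: Iterable[str], watched_trackers: Iterable[str],
                     internal_nets: Iterable[str]) -> List[Dict[str, str]]:
    """Return records where an internal host hit one of the watched tracker IDs.

    The tracker ID (the "tracking ID" shown at the bottom of the rule) is the
    stable key to alert on: it survives rule reordering and renaming.
    """
    trackers = set(watched_trackers)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["tracker"] not in trackers:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in n for n in nets):
            hits.append({k: rec.get(k, "") for k in ("tracker", "action", "proto", "src", "dst", "dstport")})
    return hits


def summarize(hits: Iterable[Dict[str, str]]) -> Counter:
    """Count hits per (source, destination) pair: the starting point for triage."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    WATCHED = {"1770012001", "1770012002"}  # tracker IDs read from the rule detail (constructed)
    found = find_egress_hits(SAMPLE_LOG.splitlines(), WATCHED, ["192.168.40.0/24"])
    for (src, dst), n in summarize(found).items():
        print(f"ALERT {src} -> {dst}: {n} blocked packet(s); investigate before assuming malice")
```

Feeding the constructed lines through this produces two alerts, one per internal host, and ignores the WAN block and the permitted DNS lookup. As the video points out, a hit is the start of an investigation, not a verdict: the destination may be a relay that also hosts a legitimate site, or a reused IP that was never removed from a feed, so the summary groups by source and destination to make that follow-up quick.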