Tom here from Lawrence Systems, and I'd like to talk about my favorite plug-in for pfSense, and that's pfBlockerNG. This is one that gets installed pretty much all the time whenever we're setting up a new pfSense. They released a new 3.0 version. Well, there are a few more minor changes coming, but we'll get to that in a second. But now that it's in the 3.0 series, I wanted to do a video going over how much easier it is to set up: the defaults work much better and the wizard works great. So this is the latest video on this particular topic, the 3.0 series, and it is the latest version as of December 10th, 2020.

One thing I want to get out of the way, though: this developer, BBCAN177, has a Patreon page. There are currently 875 people, including myself, donating to this particular project. If you can afford a few extra dollars to throw at this project, that would be greatly appreciated by the developer. The project, you know, is a lot of time and a lot of effort put in by BBCAN for this plug-in and add-on for pfSense. So if you can donate, I'd just like to bring up that it'd be greatly appreciated by BBCAN177. If you can't donate and just want to use the product, don't worry. It's still free and no problem. Go ahead and use it. It is great. I really do recommend it, which is why I'm doing this video. All right, now that that's out of the way.

First, if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a hire-us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store.
We have a wide variety of shirts that we sell, and new designs come out, well, randomly. So check back frequently. And finally our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Now there is a subreddit dedicated to pfBlockerNG, and that's where the full announcement is, with a whole lot of details for all the report tabs and all the fun things that were fixed in here or updated or refactored. There are a lot of code changes behind the scenes, not a massive change to the front end of it, but we'll get to the wizard in a second and how much better it works. But here's the list of changes, and I'll leave links to this down below. And of course if you have a lot of questions in Q&A, they're probably already answered down here in this Reddit post. So read through this if you have a lot of Q&A and some fine detail I may not cover in here.

Also, only about an hour ago, actually it says updated 19 minutes ago, was this post right here: pfBlockerNG-devel 3.0.0_5 update, and there are a couple more minor changes coming. Now these are not available at this very moment, at least at the time of making the video, but probably by the time you're watching this, because this will probably be completed within a week, this will be added to pfBlockerNG. One of the things that is important to know is the improvement for the threat lookups.
There's another Reddit post about this. I'll get to the threat lookups when we're at that part of the video, but I do know some of them are non-functional because, well, some of those sites don't support the threat lookup anymore. So that has been pruned, and that's part of what this pull update is for as well. And no problem if you run the wizard now before this update; it'll fix itself later. Once you've set this up, the updates don't seem to have any effect on it. I set this up when it very first came out and I've seen several updates now.

Now let's get into actually setting this up and installing it. First thing that's important to know, and this is the version right here: pfBlockerNG-devel 3.0.0_3. I bring this up because if you go to the available packages under the package manager in pfSense and type in pfBlock, there is a 2 series, and this was a common thing I've seen on one of my last videos where people loaded the wrong version. You want to load the 3 series, not the 2 series. I think in my other video there's an older version, and you kind of get the idea: there are usually two versions listed in there, the old train and the new development package. So that's what we want to start with here.

Then from there the next thing you want to do is kick off the wizard. Now if you have already installed this, there's not a wizard that will come up. It'll just have all your settings; the settings will transfer. Even if you're upgrading from the 2.0 to the 3.0 series and went through the normal devel updates, it will automatically pull the settings over, but it does not prune broken feeds (not the threat lookup, the actual feeds), and you may want to consider just re-setting this up if you've gone and goofed things up, you're not sure what you did, you changed a bunch of settings, you can't remember what they were and you're not sure what's broken. You don't want to take the time to troubleshoot it, and I've actually done that myself, where it's quicker just to reconfigure this. And one of the nice things about pfBlockerNG 3 is that the wizard just works so well. Let me walk you through how easy this is to set up.

So we're going to hit next, and by the way, you can also rerun the wizard by clicking the wizard tab after it's already configured. You just go here, click wizard, and you can blow away all the settings and set it back up again. I've encouraged people to do this, like I said, if you goof things up and you're not remembering what you did or what you changed. Just rerun the wizard; it erases all the settings. "It will now completely configure all the default setup for pfBlockerNG. This default configuration is for an entry level setup which is designed to assist beginners with pfBlockerNG." By the way, "entry level" is kind of understating it. The entry level works really, really well. It's probably adequate for the majority of users, especially home users.

Now the next thing we want to do is figure out which are our outside interfaces. WAN is the only interface on my demo machine, but if you have more than one WAN interface because you have failover, you'll choose each one of those that you have public facing. Then we have our internal interfaces, LAN and LAN2. They call them outbound interfaces, but they're the internal interfaces that you want to apply these rules to.

Next: VIP address, port and SSL port. This is for the DNS sinkhole, and what you don't want is a conflict. So my network is built on the 192 subnets; therefore the address conflicts won't be there. If you are using 10.10.14-something already, you're going to have an address conflict. This is your opportunity to change that. The same thing with ports: if you have something on port 81, 8081 and 8443, for example, if you had moved pfSense to that port, you are going to have trouble, and this is why they give you the option to reassign these. I'm not using either one of these ports. I've actually got pfSense on 5555, if you look up at the top over here. So yeah, no conflicts. Next. Finish.

All right, the next thing it's going to do is reload and grab all the rules, download everything and pull all the updates, so we'll let this complete real quick. "pfBlockerNG has been successfully configured and updated." And for some people this is as far as you need to go in the video. It is set up, it is configured. It is at the base config, but don't worry, that actually works really well, and I'm going to keep going on about customizing and what the details mean for more advanced setups. But you can stop watching here if all you want to do is get it activated, get it basically working. That's, you know, as far as you need to go. This is the nice default setup that works.

Now let's start diving into the settings here. One thing we have is the General tab, where we have keep settings and pfBlockerNG engine enabled. This is pretty basic, and by default it wants to update every hour. Speaking of updates, each time it updates, and it's going to update again at nine (it already made the entry for it, so we've got six minutes time remaining): one thing that's important to understand, and I'll reference this, is that the changes you make in pfBlockerNG (and we're going to go make a change real quick) won't be applied as firewall rules until this runs; without doing this reload they won't apply. This is what the force reload option is, and we can say whether we made a change to the IP settings or the DNSBL settings (DNS blacklisting). Whichever change you make, or both, you have to rerun this for those changes to apply.

And let's walk through at least one common change that I do. So I usually leave all this at default, which is perfectly fine, but then I go down here, and we have WAN and LAN and LAN2, and we're going to enable floating rules and we're going to enable kill states. Now floating rules is a function inside of pfSense where you can apply rules floating, as in not specific to any interface. I like the rules being over there because if they're over there, well, they're all in one place instead of having individual rules under each interface. Kill states means if there's a new update that comes through, a new IP address added to the block list, do you want to kill any states that are found, connections between a device behind the firewall (or the firewall itself) and that particular IP address. If you don't have this and the rule is added where another IP address that you were using, where a connection was being used, it will remain in use, but it won't be able to start new states and new connections. But the old connections will exist. Kill states is a way of dropping those connections upon firewall rule reload.

So we're going to save IP settings, and we're going to go to Firewall and go to Rules, and right here is the block rule that was in place, and here's the block rule under LAN2, and here's the floating rules. You notice they're not there. No problem: Firewall, pfBlockerNG, Update. We're just going to reload the rules. I only need to reload the IP rules because that's the only thing we changed. Hit run. It runs through very quickly because it doesn't have to do much; it already has the download, I didn't need it to download anything again. Then we go here, Firewall, Rules, Floating. Hey, there's the floating rule. LAN and LAN2, there are no more rules in here. This is why I like it in floating. This is also a big confusing part when people make changes and can't figure out why those changes weren't working, or started working later. That's because you have to reload it each time to get the changes to apply.

All right, now that we know that, let's dive into the IP blocking. One more thing that you may have noticed in here is that MaxMind now requires a license key. This did not require it before, and there was some controversy with just giving away a free GeoIP database. So if you need to use the GeoIP functions, then you will need to put a license key in here, and, uh, let your comments go down below.
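Before moving on from the setup, here is a small pre-check for the wizard's VIP/port step above. It is an added example written for this article, not code from pfBlockerNG or pfSense. It takes the internal interface subnets and the ports the firewall already listens on and reports whether the proposed DNSBL VIP falls inside any of those subnets or whether the proposed ports collide with something already bound. The sample interfaces, the webGUI on 5555 (as in the video) and the candidate VIP 10.10.10.1 with ports 8081/8443 are assumed values supplied here for illustration; a network built on 10.10.10.0/24 with the webGUI moved to 8443 shows both kinds of conflict the wizard lets you avoid.

```python
"""Pre-wizard sanity check for the pfBlockerNG DNSBL virtual IP and ports.

Added example for this article; it is not pfBlockerNG or pfSense code.
The interface subnets, the in-use ports and the candidate VIP/ports below
are constructed sample values, not read from a live firewall.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: internal interfaces of a demo firewall (assumed values).
SAMPLE_INTERFACES: Dict[str, str] = {
    "LAN": "192.168.10.0/24",
    "LAN2": "192.168.20.0/24",
}


def vip_conflicts(vip: str, interfaces: Dict[str, str]) -> List[str]:
    """Return the names of interfaces whose subnet already contains the VIP.

    The DNSBL sinkhole VIP must not sit inside an existing local subnet,
    otherwise two things on the firewall claim the same address space.
    """
    addr = ipaddress.ip_address(vip)
    return [
        name
        for name, cidr in interfaces.items()
        if addr in ipaddress.ip_network(cidr, strict=False)
    ]


def port_conflicts(proposed: Iterable[int], in_use: Iterable[int]) -> List[int]:
    """Return proposed DNSBL ports that collide with ports already bound locally."""
    used = set(in_use)
    return sorted(p for p in set(proposed) if p in used)


def check_dnsbl_settings(vip: str, ports: Iterable[int],
                         interfaces: Dict[str, str],
                         in_use_ports: Iterable[int]) -> List[str]:
    """Collect human-readable conflict messages; an empty list means go ahead."""
    problems: List[str] = []
    for name in vip_conflicts(vip, interfaces):
        problems.append(
            f"VIP {vip} falls inside {name} ({interfaces[name]}); pick another address")
    for port in port_conflicts(ports, in_use_ports):
        problems.append(f"port {port} is already in use on the firewall; reassign it")
    return problems


if __name__ == "__main__":
    # Assumed candidate values: VIP 10.10.10.1, ports 8081/8443, webGUI on 5555.
    print(check_dnsbl_settings("10.10.10.1", (8081, 8443), SAMPLE_INTERFACES, {5555, 22}))
    # A network built on 10.10.10.0/24 with the webGUI moved to 8443 conflicts twice.
    print(check_dnsbl_settings("10.10.10.1", (8081, 8443),
                               {"LAN": "10.10.10.0/24"}, {8443}))
```

The address check uses containment in the interface network rather than string prefix matching, so a /23 or an odd mask is handled correctly; the port check is only as good as the list of in-use ports you feed it, so include the webGUI port, SSH and anything else bound on the firewall itself.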
I'll leave a video link to the previous video I did on this. People were really upset that this company doesn't automatically give away a free license to a GeoIP database without registering an email address. I'm not here to solve that controversy. I'm just telling you that you do have to register and acknowledge the email address. You can't just give them a fake one and get the license key set up. This is an FYI on there, and that's only if you're going to use the GeoIP. We're going to get into what that looks like.

Now, since that's the only other change on here, let's go to IPv4. By default we are only denying outbound. Now that's actually fine for the majority of users, especially home users who may not be hosting anything on pfSense, as in you don't have any ports open, because by default the WAN always denies everything coming at it, so denying more doesn't help you in any way. Now you can tell it to deny inbound as well, or deny both, and it will then log more of it, just if you're curious who's banging at the WAN address of your particular firewall. And don't take that personally, because, well, you'll find that there's a whole lot of attacks going on. It's not necessarily that they're targeting you as an individual personally. Maybe they are, but it seems unlikely. More likely it is just these automated bots that send out massive amounts of scans, looking and knocking on doors, looking for, well, unlocked ports or vulnerable systems. And it's a very automated scan, and there are even companies that are just aggregating data, so that's Shodan; you'll see them show up in the logs as well. So you don't necessarily need it, but you can turn it on. It's not really a big security change if you're not hosting anything. If you are, if you're a business and you want that turned on, then yes, that does help, because, well, it'll delist all these things in there. And as I stated, for any change you would have to go back and do the reload.

Now let's look at what the default list has on here, and here's what the rules look like. Now you can add your own custom rules. They do have more feeds, and I'll show you how to add to these feeds, but they're pretty straightforward: go here, copy that, paste it. And this is what the rule actually looks like. Not too many IP addresses in this one. Well, actually there are kind of a lot; they're just in CIDR notation. So they're blocks completely delisted, and these are ones that, for whatever reason, Spamhaus decided are on their DROP list, and this one seems to get a lot of popularity in terms of hits. This is a pretty long list too.

Now the system actually goes through and deduplicates these, so if something on this particular list was also on another list, it will go through and try to aggregate this to reserve memory. This is actually some of the code that's been updated to make this a more efficient process, because even though you're pulling from multiple blacklists, there may be differing opinions they have, but there are a lot of the same opinions they have of which IP addresses should be on this particular list. And I think this default list works really well.

Let's go ahead, though, and talk about what if you want to add one. We're going to go here, and we'll click on AlienVault. If you want to add one, click the plus, change the state to on, and then it will add this one to the list. Now interestingly, this one's actually AlienVault, but it's called reputation.snort.gz, so apparently it's probably part of a Snort list. It is gzip compressed, and interestingly it will handle gzip compressed files and then uncompress them; it's a more efficient way to transport, of course. And now this list can be added. Now how does that actually work in terms of adding it? Go over here, make sure this state is on, as you notice it was defaulted off.
We just hit save, and now if we go to the list, same as the others, maybe we want to deny both, and hit save. Hit okay. Now these lists are top down, so it works like other firewall rules inside of pfSense. So you can drag these around if you wanted this one to be matched first or matched second. Um, it's kind of just a personal preference, so whatever you want to do. You can also, on a per-list basis, change the frequency. Maybe this one you only want updated every four hours. And hit save. Now once again, you'd have to go here, go to the Update. This time, because we changed the list, we wouldn't just do a reload, because we're not just changing rules. We have to make sure it pulls, so we'd run this and actually pull that particular list. And when you look back through the logs, you can see AlienVault downloading the update, but these ones existed, because there were no changes. The system's also smart; it sees, hey, there are no changes to these lists, there's really nothing to do. They hash them and go, hey, do they match? Yes, this last list is unchanged, and, well, nothing really happens. But now we did change the AlienVault one, so that one's been downloaded.

Now let's dive a little further over here and look at GeoIP. Now I don't feel like putting a license in this particular one, but we're going to jump over to my system and show you what the GeoIP actually looks like once you pull it. So here's the GeoIP.
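To make the deduplication and the top-down matching from the last two sections concrete, here is an added toy model written for this article; it is not pfBlockerNG's code and does not touch pf. It parses feeds in the formats mentioned (Spamhaus-style "CIDR ; id" lines, bare addresses, and a gzip-compressed body like the reputation.snort.gz feed), collapses duplicate, overlapping and adjacent networks the way an aggregation pass would, and then evaluates an ordered set of lists where the first match wins, with a permit list placed on top standing in for a whitelist alias. All feed contents and list names are constructed samples using documentation address ranges.

```python
"""Toy model of pfBlockerNG's IPv4 feed handling: parse, dedupe/aggregate,
then evaluate lists top-down. Added example for this article, not
pfBlockerNG's own code; every feed body below is a constructed sample.
"""
import gzip
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Ruleset = List[Tuple[str, str, List[IPv4Net]]]   # (list name, action, networks)


def parse_feed(raw: bytes) -> List[IPv4Net]:
    """Parse one feed body into IPv4 networks.

    Transparently handles gzip-compressed bodies, blank lines, '#' and ';'
    comments (so 'CIDR ; SBL123' lines work), and bare addresses, which
    become /32 networks. Lines that are not valid IPv4 are skipped so one
    bad line does not discard the whole feed.
    """
    if raw[:2] == b"\x1f\x8b":                     # gzip magic bytes
        raw = gzip.decompress(raw)
    nets: List[IPv4Net] = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        token = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def aggregate(nets: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Deduplicate and collapse: drop exact duplicates, drop networks already
    covered by a larger one, and merge adjacent blocks into one prefix.
    Fewer entries is the memory saving the video refers to."""
    return list(ipaddress.collapse_addresses(nets))


def first_match(ip: str, ordered_lists: Ruleset) -> Optional[Tuple[str, str]]:
    """Evaluate lists top-down like pfSense rules: the first list that
    contains the address decides, so a permit list above a deny list wins."""
    addr = ipaddress.ip_address(ip)
    for name, action, nets in ordered_lists:
        if any(addr in n for n in nets):
            return name, action
    return None


# Constructed sample feeds (not real feed data); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges.
FEED_A = b"""# drop-style list, 'CIDR ; id' format
198.51.100.0/24 ; SBL0001
203.0.113.8/32 ; SBL0002
"""
FEED_B_GZ = gzip.compress(b"""; reputation-style list, bare addresses
203.0.113.8
203.0.113.9
198.51.100.77
not-an-ip
""")
WHITELIST = b"203.0.113.8\n"   # a false positive we decided to allow


def build_ruleset() -> Ruleset:
    """Permit list first, then the deny lists, mirroring a whitelist alias
    dragged above the deny aliases in the pfBlockerNG IP list view."""
    return [
        ("Whitelist", "permit", parse_feed(WHITELIST)),
        ("FEED_A", "deny", aggregate(parse_feed(FEED_A))),
        ("FEED_B", "deny", aggregate(parse_feed(FEED_B_GZ))),
    ]


if __name__ == "__main__":
    combined = aggregate(parse_feed(FEED_A) + parse_feed(FEED_B_GZ))
    print("combined:", [str(n) for n in combined])
    rules = build_ruleset()
    for ip in ("203.0.113.8", "198.51.100.77", "203.0.113.9", "192.0.2.1"):
        print(ip, "->", first_match(ip, rules))
```

Two things worth noticing when you run it: the five entries across both feeds collapse to two prefixes (the /24 swallows 198.51.100.77, and .8 and .9 merge into 203.0.113.8/31), and 203.0.113.8 is permitted even though both deny feeds list it, purely because the permit list sits above them. Move the permit entry below the deny entries and the same address is denied, which is exactly why list order matters in the real interface.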
And one important thing: one, you have to put a MaxMind license key in; second, you have to do an update; third, you have to go here and edit these. If you don't edit them, they default to disabled, and then just enabling them doesn't exactly turn it on. It's like we're just blanket doing, well, Antarctica, Asia, or those IP addresses. You actually have to edit each one, and by default none of these are selected. You have to do a Ctrl+A or granularly go through each one of these country codes and decide which groupings you want to block or not block. And they can be selected holding Ctrl and picking very specific ones. Then you have to go down and hit save. Once you're in here, you can go to each individual section. There are more IP addresses than I expected in Antarctica, but either way, if you didn't want to block the penguins in Antarctica, you could select which one of these is okay not to block. I don't know how many attacks actually come from there; that could be interesting. Anyways, not to get off topic.

Once you've done all this and done all these saves and configured the country blocking and features, then you can go back over and we'll look at the GeoIP list here. Make sure this is saved, make sure all these are set up the way you want, then do the reload. Of note, you notice how I am set up to deny inbound but not to deny outbound. Home users, please don't deny outbound. This is a common, well, sometimes people want to call us for support, and we look and find that they can't get to a lot of websites because they decided to deny everything, thinking that would make it safer. You're literally blocking entire countries.
You will be surprised sometimes how many websites you visit are maybe not hosted in the country you thought they were, or just where those servers are going to serve up the content from through the content delivery networks. So if you start blocking everything outbound, you're going to have a bad time. The deny inbound is because we host things, and, well, we don't really have customers that need to touch our servers that we have things hosted on, that are inside the US, from outside the US. So we choose to deny inbound and then granularly edit these kind of on an as-needed basis if we have a client in those particular places. Just an FYI of how that works. And it's important, though, because if you start really tuning this past where I said, now you've got this basically set up (home users and default users), this is where people get themselves into trouble. And sometimes, if you goof this up beyond recognition, click the wizard and start over.

Now while we're in my system, I'll take a look at the reports, because the demo system is behind another firewall, which means the reports are empty. When you go to the Reports page and then the Alerts page, here are some of the denies, and I've blurred out some of my public IP address blocks that we have here attached to my pfSense. Of note, though, if you wanted to whitelist something, it's actually pretty easy. You just click the little plus, hit okay, and it has the ability to create whitelist aliases. This is a way you can create the rules and create a separate whitelist to allow something, and when you do this it's going to create a whitelist right under the IP list over here, and then you can put these IP lists above. I mentioned that it's top down, and instead of a deny rule you can say a permit. That way it'll process those IP addresses that you have in any custom whitelist, because for some reason they're false positives that are on there. This is some of the fine tuning that is pretty easy to do inside of here.

Now the other enhancement to the reports is: go here and we'll just look at the block stats real quick. They offer a lot of tuning; you can pull this report information and fine tune what you do want. These are actually not more to add; this is inverted, so you can actually remove some of these things. If I didn't want the event timeline, for example, you select things to hide; that's what this is for. Kind of don't select any of those, and it gives you some stats over time. And I won't scroll down too far, as I've got to blur too many of the IP addresses, but you will get really nice reports that are for understanding, you know, where some of these attacks came from, what was the count, what's the GeoIP location for that IP address. And tons of them come from the US, I'm not going to lie. Some of these things that are just blocked end up being US pretty frequently. So just because you block the other countries, don't think that's any substitute for locking things down and being secure. All right, let me go ahead and close this. So that's the GeoIP, pretty straightforward.

Now we can go over here to DNSBL, the blacklist. I'm fine with the default function of this. I actually sometimes turn it down a bit. So here are the groups that it adds: we have the EasyList, the ads collection, and we have the malicious. The problem is, this is for example the EasyList, and these list formats you can find, and spend some time in the subreddit because there are plenty of discussions about which is the best list, and it's not for me to decide. It's for you to decide, and these are common lists that are, well, not specific at all to pfBlocker; they're common lists of things you may want to block. You'll also get yourself into the headache of "I wanted to block everything, but every time I block everything all these different things stop working that I need to use." Yes, that is a challenge.
Um, it's one of the reasons I actually, in our office, we don't have these on, and I'm a big fan of uBlock Origin in the browser to solve some of those problems, because it's way easier to just unblock certain pages, because the functionality of the page is something you have a use for. So you can start by turning it all on and setting these up, and then you can start working your way back to whether or not these lists are right for you, or if they end up being too aggressive and causing, well, too much drama for you for all the sites they try to block.

And we'll go over here to the Reports, DNSBL block stats. My laptop is behind this demo firewall that we're working on. As you can see, I'm logged in as a 192, and, uh, yep, here is my computer hitting these different, uh, sites, and yeah, it's blocking quite a bit. I already know one of the challenges I've had with it is, uh, it blocks almost too much and then things stop working. Like I had said, it can be a fine tuning headache. Um, people really want to block everything on the internet. That isn't exactly what they want, but you'll find a lot of websites, especially news sites now, if they catch you blocking some of this, well, they're going to tell you that, yeah, you can't block this or we won't show you the page. I'll let you work on that.
Um, I'm just throwing it out there. It's pretty easy if you don't want to turn these on or off: you go here and you can just disable them on an as-needed basis. Maybe leave the malicious one, or find any other feeds that make you happy.

Finally, I will get to the reports, the alerts and the threat lookup. So let's click on that, and as I said at the beginning, we know there are a couple of them broken in here. So in a few days, maybe a week from, uh, December 10th, when I'm recording this video, there will be some more updates to this to solve this issue. But right here we can look at, um, uh, FortiGuard and VirusTotal, and what this did was we took an IP, and I artificially created this by just going through and finding an IP. It's actually scan 95 security ipip.net, and we'll see if this is really a bad list or not. So go here. We clicked on a little lookup that brought us to here, and from here it just sends us to each one of the pages with the lookup. Web filter lookup: not rated in FortiOS. VirusTotal has AlienVault listing it as malicious, and CINS Army, which is actually where I pulled the list from, has it as malicious.

Let's actually do a lookup here, because it came from ipip.net. What is ipip.net? Let's make our own assessment here. "The only IP database based on real-time BGP ASN data analytics." They're a data analytics company, clearly, and being a data analytics company, they know my location right here and have my IP address, uh, and my longitude, latitude, and they assume I'm in the Detroit time zone. What if you're correct on the longitude, latitude?
I'm just going to say they're really far off on longitude, latitude. I am, uh, south of Detroit, down here. They think I'm up here. So we're going to go with, uh, maybe not the most accurate database, but we know that they're just a collection aggregator. So maybe we want to whitelist that, and that's what I wanted to talk about specifically. Do your assessments, use the threat lookup, and then you can say, all right, I guess that IP is something I need; uh, it's a false positive and I want it added to my whitelist.

So we're going to go here, we're going to click okay, and we want to whitelist. We're going to create a new whitelist. We're going to give it a description. Pretty simple. It's added right here, and, uh, yeah, test whitelist. We could say YouTube. Good description. Why did I add this? Hit save. Go here, and we'd probably want to put this at the top. There we go. Save, and order changed. So now we have a permit outbound whitelist, and then we'll start denying the other ones on here. This is how you can edit those. You can add more to it, and if we wanted to, you know, go through, actually if you go back even to the reports, alerts, it tells you where this is, uh, whitelisted, and we can also delete this out of the whitelist. So it's now still matching in there. Matter of fact, as long as we have the matching set up inside there, it'll keep showing up in the report, and we can remove those from a whitelist if we later want to, and it'll go ahead and update that. And this is where that kill states thing can be important, because let's say you want to remove something and there are a bunch of connections to it and you had it in that list. Uh, this is where kill states, when you reload it, would actually kill any sessions that are going to that particular address.

Now that covered how to unblock an IP address from the IP blocking. What about the DNS blocking? Well, let's go here. The same thing, just a little further down in the reports. Uh, yeah, we're going to go ahead and whitelist. Yes. Removed CNAME domain, add service on there. Now it's been removed, so now it's got a little mark through it. And once again, we can go here; it exists right here. You can kind of look back at it and then remove it again if you want. And if you want to see where that was added, you go here to the DNSBL, scroll down, there's the whitelist, scroll down, there are all the ones, and then the ones that we have in here that were just added. It says allow Google services. There are a few others that are default in there, because if you don't, well, there are a lot of false positives. If you block .apple, SourceForge and then a handful of these other ones like Amazon, you're going to have a hard time dealing with a few things, because a lot of the internet runs on those services. So wildcard blocking all of that, and Dropbox, you can take these out. You can edit this. This is the way the default works, but do it at your own risk and at your own peril if you turn off the internet, or large sections of it; well, a large section of it will be inaccessible to you. Just want to throw that out there. If you really want to be secure, turn off the internet completely. That's the best and most honest answer I can give. So hopefully this is helpful for getting started and understanding a little bit of the tuning for pfBlockerNG. It's a great plugin.
It's solid. Like I said in the beginning, if you can, throw a few dollars and be a Patreon supporter to support further development of this. And if you want to have a more in-depth discussion about it, my forums are okay, but actually the Reddit is going to be a really great place to have a conversation and talk about the latest developments of it, and have a long debate about which lists are the best; sometimes that pops up from time to time in there. All right, thanks.

And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.