---
tags: cybersecurity, IT management
---

# pfSense IP and DNS filter with pfBlockerNG / Application Filter with Snort and OpenAppID

## Source

Today I will show you how to filter websites with pfBlockerNG on pfSense. I used the sources below as reference:

* https://www.youtube.com/watch?v=7_yI1FEw_j0
* https://www.privacyaffairs.com/ip-filtering-pfsense/
* https://digitalavenue.dev/How_To_Setup_Intrusion_Detection_Using_Snort_on_PfSense/

## Requirement

### System Requirement

* pfSense firewall
* pfBlockerNG package
* Snort package

## Install pfBlockerNG

### Install pfBlockerNG-devel

* System > Package Manager > pfBlockerNG-devel

While the "devel" suffix stands for development version (i.e., beta software), it is fully functional and is being actively developed. It will stay in perpetual beta because the package developer feels it is safer to consider it beta software as he continually adds new functionality to the package.

## Configure pfBlockerNG

### Basic Setup

* Firewall > pfBlockerNG
* Click "Here" to configure pfBlockerNG manually
* General tab:
  * Tick Enable pfBlockerNG. Everything else stays at default.
  ![](https://i.imgur.com/huN6I2N.png)
* IP tab:
  * Tick Enable De-Duplication, CIDR Aggregation and Suppression. Everything else stays at default.
  ![](https://i.imgur.com/l3EgD7Q.png)
  * MaxMind GeoIP configuration (optional): the GeoIP feature of pfBlockerNG lets you filter traffic to and from entire countries or continents. To do this, pfBlockerNG uses the MaxMind GeoIP database, which requires a license key. There is a link in the MaxMind License Key field description that takes you to the MaxMind registration page. The MaxMind license key is free.
  If you intend to use this feature, register with MaxMind and obtain the license key for free.
  ![](https://i.imgur.com/4T7tLKe.png)
  * IP Interface/Rules Configuration section:
    * Inbound Firewall Rules: WAN
    * Outbound Firewall Rules: LAN
    * Floating Rules: Enable
  ![](https://i.imgur.com/IcsBnRY.png)

### IP Block (Optional)

* Feeds tab, pfBlockerNG/IP/IPv4:
  * Click the blue +, next to PRI1
  ![](https://i.imgur.com/3QyCzOT.png)
  * Delete the Pulsedive source definition and set all remaining entries to ON
  ![](https://i.imgur.com/6E6NNNC.png)
  ![](https://i.imgur.com/BNa8Shn.png)
  * In the Settings section, set Action to Deny Both. This blocks traffic to and from the IP addresses contained in the lists/feeds. You can choose to deny only inbound or only outbound connections if you prefer.
  ![](https://i.imgur.com/34gGnMw.png)
* Update tab:
  * Select the 'Force' option: Update, then click Run
* IP/GeoIP tab:
  * You can allow or deny connections to and from the countries you choose
  ![](https://i.imgur.com/dDErY4h.png)

### DNS Block Basic

* DNSBL tab:
  * DNSBL section:
    * Enable DNSBL
    * DNSBL Mode: Unbound python mode
    ![](https://i.imgur.com/OfkZe7F.png)
  * DNSBL Configuration:
    * Enable Permit Firewall Rules
    ![](https://i.imgur.com/wAQton6.png)
  * DNSBL Groups section:
    * Add a new group name
    ![](https://i.imgur.com/1wHEsqU.png)
    * Consider the custom list at https://github.com/StevenBlack/hosts
    * Add the list URL in Source, give it a Header name and turn it on
    * Set Action to "**Unbound**"
    ![](https://i.imgur.com/8Pxo2zt.png)
  * DNSBL Custom_List: add any additional domains that you want to block (note: this only works on simple domains, not on large domains with many subdomains)
  ![](https://i.imgur.com/qnmK0vN.png)
  * Save settings
* Update tab:
  * Select the 'Force' option: Update
  * Select the 'Reload' option: DNSBL
  * Run
  ![](https://i.imgur.com/A7XxVjp.png)
* Testing
![](https://i.imgur.com/TJFriJg.png)
![](https://i.imgur.com/ry23olT.png)

### DNS Block Advanced

This section is for blocking large domains with many subdomain websites, like YouTube,
Facebook, etc.

* DNSBL tab:
  * DNSBL section:
    * Enable DNSBL
    * DNSBL Mode: Unbound python mode
    * Wildcard Blocking (TLD): **Enable**
    ![](https://i.imgur.com/PAghnen.png)
  * TLD Blacklist/Whitelist:
    * TLD Blacklist: add the domains that you want to block
    ![](https://i.imgur.com/WiTuTkf.png)
* Update tab:
  * Select the 'Force' option: Update
  * Select the 'Reload' option: DNSBL
  * Run
  ![](https://i.imgur.com/A7XxVjp.png)
* Testing
![](https://i.imgur.com/TJFriJg.png)
![](https://i.imgur.com/ry23olT.png)

### Testing

![](https://i.imgur.com/M53jDhr.png)

### Note

#### Block users from changing DNS settings

By default, normal users should be prohibited from changing LAN connection properties. However, if for some reason they are not, you can enable a GPO to restrict them: https://technet2u.com/prohibit-access-to-lan-connection-properties-in-windows-7/

## Install Snort

### Install Snort

* System > Package Manager > snort
![](https://i.imgur.com/2HccuQ6.jpg)
![](https://i.imgur.com/ZNCozAi.jpg)

## Configure Snort

### Basic Setup

Services > Snort

* Global Settings tab:
  * Snort VRT: Enabled
  * Snort Oinkmaster Code: you can use https://www.snort.org/ to register an account for free and get the oinkcode
  * Snort GPLv2: Enabled
  * Emerging Threats (ET) Open: Enabled
  * OpenAppID: Enabled
  * RULES OpenAppID: Enabled
  ![](https://i.imgur.com/glJgGSk.jpg)
* Updates tab: it will download all required rules automatically. Initially this takes a little longer; wait until it completes.
![](https://i.imgur.com/y6e0dSt.jpg)
![](https://i.imgur.com/x601WNZ.jpg)
* Snort Interfaces tab:
  * Add a new interface
  ![](https://i.imgur.com/jSTUOIt.jpg)
  * Enable Interface
  * Always select the WAN interface
  * Provide a Description
  * Send Alerts to System Logs
  * Block Offenders: Enabled
  * Kill States: Enabled
  * Search Optimize: Enable search optimization
  ![](https://i.imgur.com/tncWEkW.png)
  * Click Save to finish
  * Click Start to enable Snort on WAN
  ![](https://i.imgur.com/DQNLs93.jpg)

### Configure Rules to Block Applications

Click on the Edit button on the WAN rule.

* WAN Categories tab:
  * Resolve Flowbits: Enabled
  * Use IPS Policy: Enabled
  * IPS Policy Selection: Security
  ![](https://i.imgur.com/V2YFSMu.jpg)
  * Select the rule sets. For demonstration purposes I chose the following 3 rule sets:
    * openappid-messaging.rules: to block messaging apps
    * openappid-social_networking.rules: to block social apps like Facebook, Tinder
    * openappid-streaming_media.rules: to block video streaming apps like YouTube, Vimeo
  ![](https://i.imgur.com/dbr0f42.png)
  * You can click on the rule set itself to view/allow/restrict the apps you want (the default restricts all apps on the list)
  ![](https://i.imgur.com/6hbzrLM.png)
  * Click Save
* WAN Preprocs tab:
  * Enable Performance Stats: if you want in-depth logging of what passes through the rules
  * Auto Rule Disable: Enabled
  ![](https://i.imgur.com/10uQdV9.jpg)
  * Application ID Detection: Enabled - use OpenAppID to detect various applications
![](https://i.imgur.com/4h1CVY0.jpg)
  * Click Save

### Testing

Services > Snort > Alerts

Whenever a user opens YouTube on a PC or in the YouTube app, an alert is shown.
![](https://i.imgur.com/yQUYMFI.png)

From what I experimented, Snort doesn't completely block services the way pfBlockerNG does, but instead it limits the connection so much that the user cannot load the site or play a video.
![](https://i.imgur.com/720iwxT.png)
![](https://i.imgur.com/jCM1YQQ.png)
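The difference between the DNS Block Basic and DNS Block Advanced sections above comes down to how a query name is matched: a hosts-style feed such as the StevenBlack list, and the DNSBL Custom_List, match the queried hostname exactly, so an entry for `www.youtube.com` does nothing for `m.youtube.com`, while Wildcard Blocking (TLD) with a TLD Blacklist entry sinks the domain and everything under it. The script below is an added example written for this page; it is not code from pfSense or pfBlockerNG. The feed text, custom list and TLD blacklist in it are constructed samples, and the matching functions are a simplified model of the two behaviours, not pfBlockerNG's own implementation.

```python
"""Added example (not from pfSense/pfBlockerNG): exact (hosts-feed / Custom_List)
versus wildcard (TLD Blacklist) DNSBL matching. All inputs below are constructed."""
from __future__ import annotations

# Constructed sample in hosts-file format (the layout the StevenBlack list uses).
SAMPLE_HOSTS_FEED = """\
# Title: constructed sample feed, not the real StevenBlack list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comments are ignored
0.0.0.0 www.youtube.com
"""

# Constructed Custom_List entries (exact match) and TLD Blacklist entries (wildcard).
CUSTOM_LIST = ["badsite.example"]
TLD_BLACKLIST = ["youtube.com", "facebook.com"]

# Names every hosts file carries that a DNSBL must never sink.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback"}


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.YouTube.com.' == 'www.youtube.com'."""
    return name.strip().lower().rstrip(".")


def parse_hosts_feed(text: str) -> set[str]:
    """Turn hosts-file lines into the set of exactly blocked hostnames.

    Only lines mapping a name to 0.0.0.0 or 127.0.0.1 are block entries;
    blank lines, comments and loopback names are dropped.
    """
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for host in parts[1:]:
            host = normalize(host)
            if host and host not in _SKIP:
                blocked.add(host)
    return blocked


def exact_match(qname: str, blocked: set[str]) -> bool:
    """Feed / Custom_List semantics: the queried name must be listed verbatim."""
    return normalize(qname) in blocked


def wildcard_match(qname: str, tld_blacklist: list[str]) -> bool:
    """TLD semantics: the name is the entry itself or sits anywhere below it.

    The leading dot in the suffix test matters: 'notyoutube.com' must not
    match 'youtube.com', and 'facebook.computer' must not match 'facebook.com'.
    """
    q = normalize(qname)
    return any(q == normalize(e) or q.endswith("." + normalize(e))
               for e in tld_blacklist)


def classify(qname: str, blocked_exact: set[str], tld_blacklist: list[str]) -> str:
    """Report which mechanism, if any, would sink the query."""
    if wildcard_match(qname, tld_blacklist):
        return "blocked:tld-wildcard"
    if exact_match(qname, blocked_exact):
        return "blocked:exact"
    return "allowed"


if __name__ == "__main__":
    exact = parse_hosts_feed(SAMPLE_HOSTS_FEED) | {normalize(n) for n in CUSTOM_LIST}
    for q in ["www.youtube.com", "m.youtube.com", "notyoutube.com",
              "badsite.example", "sub.badsite.example", "ads.example.net"]:
        print(f"{q:22} basic={classify(q, exact, []):22} "
              f"advanced={classify(q, exact, TLD_BLACKLIST)}")
```

Running it side by side shows the caveat from the Custom_List note: `sub.badsite.example` stays allowed under exact matching, and `m.youtube.com` is only sunk once `youtube.com` is in the TLD Blacklist. When you test from a client after a DNSBL reload, query a subdomain as well as the bare name, not just the name you added.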
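The Alerts tab shown in the Snort Testing section is the GUI view of Snort's one-line-per-alert `alert_fast` log. To see which LAN hosts keep triggering the OpenAppID rule sets, and which addresses Block Offenders would therefore add to the pf block table, it helps to parse that format directly. The parser below is an added example written for this page, not code from pfSense or Snort. The alert lines are constructed; the SIDs 9000001 to 9000004 and the "OpenAppID <category> <app>" message wording are placeholders, not real rule text. It handles IPv4 addresses only, and the port-less form used for ICMP alerts.

```python
"""Added example (not from pfSense/Snort): parse Snort alert_fast lines and
summarise offenders and rules. Sample alerts, SIDs and messages are constructed."""
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Constructed sample alerts; real messages come from each rule's msg: field.
SAMPLE_ALERTS = """\
03/14-10:21:33.101010  [**] [1:9000001:1] OpenAppID streaming_media youtube [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:51234 -> 203.0.113.5:443
03/14-10:21:34.202020  [**] [1:9000001:1] OpenAppID streaming_media youtube [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:51236 -> 203.0.113.5:443
03/14-10:22:01.303030  [**] [1:9000002:1] OpenAppID social_networking facebook [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.31:49211 -> 198.51.100.9:443
03/14-10:22:05.404040  [**] [1:9000003:1] OpenAppID messaging app [**] [Priority: 3] {UDP} 192.168.1.31:49300 -> 198.51.100.77:3478
not an alert line, must be skipped
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]. Classification and ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one alert_fast line; return None for anything that is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if d[k] is not None:
            d[k] = int(d[k])
    return d


def parse_alerts(text: str) -> list[dict]:
    """Parse a whole log, silently skipping malformed lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def top_offenders(alerts: list[dict]) -> list[tuple[str, int]]:
    """Source addresses ordered by alert count (ties broken by address).

    With Block Offenders enabled these are the addresses Snort would insert
    into the pf block table, which is why a chatty rule set blocks a whole host.
    """
    counts = Counter(a["src"] for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def alerts_by_rule(alerts: list[dict]) -> dict[tuple[int, str], int]:
    """Count alerts per (sid, msg) so noisy rules can be reviewed or disabled."""
    return dict(Counter((a["sid"], a["msg"]) for a in alerts))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("offenders:", top_offenders(parsed))
    for (sid, msg), n in alerts_by_rule(parsed).items():
        print(f"sid {sid}: {n} x {msg}")
```

Point it at the interface's alert file under the Snort log directory and the output tells you which hosts are being throttled by the OpenAppID rule sets and which rule is responsible, which is also the fastest way to confirm that a rule set you meant to restrict is actually firing.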