3 - pfSense IP and DNS filter with pfBlockerNG / Application filter with Snort and OpenAppID

Source

Today I will show you how to filter websites with pfBlockerNG on pfSense.
I use the sources below as reference:

Requirement

System Requirement

  • pfSense firewall
  • pfBlockerNG package
  • Snort package

Install PFBLOCKERNG

Install pfBlockerNG-devel

  • System > Package Manager > pfBlockerNG-devel

While the “devel” suffix stands for development version (i.e., beta software), it is fully functional and is being actively developed. It will be in perpetual beta as the package developer feels it’s safer to consider it as beta software as he continually adds new functionality to the package.

Configure PFBLOCKERNG

Basic Setup

  • Firewall > pfBlockerNG
  • Click "Here" to configure pfBlockerNG manually
  • General tab:
    • Tick Enable pfBlockerNG. Leave everything else at the default
  • IP tab:
    • Tick Enable De-Duplication, CIDR Aggregation and Suppression. Leave everything else at the default
    • MaxMind GeoIP configuration (optional): the GeoIP feature of pfBlockerNG lets you filter traffic to and from entire countries or continents. For this, pfBlockerNG uses the MaxMind GeoIP database, which requires a license key. The MaxMind License Key field description contains a link to the MaxMind registration page. The license key is free, so if you intend to use this feature, register with MaxMind and obtain a key
    • In the IP Interface/Rules Configuration section:
      • Inbound Firewall Rules: WAN
      • Outbound Firewall Rules: LAN
      • Floating Rules: Enable
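To make the three IP tab options concrete, here is a small model of what De-Duplication, CIDR Aggregation and Suppression do to a downloaded feed before it becomes a firewall alias table. This is an added example written for this article, not pfBlockerNG's own code; the feed entries and the suppression entry are constructed, and the model only deals with one address family at a time (pfBlockerNG keeps IPv4 and IPv6 lists separate).

```python
import ipaddress

# Constructed sample feed: duplicates, overlapping ranges, adjacent ranges and
# a host written twice in two different notations.
SAMPLE_FEED = [
    "198.51.100.0/24",
    "198.51.100.17",        # already covered by the /24 above
    "203.0.113.0/25",
    "203.0.113.128/25",     # adjacent to the previous /25 -> merges into one /24
    "203.0.113.0/25",       # exact duplicate
    "192.0.2.10",
    "192.0.2.10/32",        # same host written as a /32
]
SUPPRESS = ["192.0.2.10"]   # constructed suppression entry (a host we must keep reachable)


def normalize_feed(entries, suppress=()):
    """Model of De-Duplication, CIDR Aggregation and Suppression.

    De-Duplication: identical entries collapse to one (the set does this).
    CIDR Aggregation: contained or adjacent networks merge into the largest prefix.
    Suppression: every host in `suppress` is carved out of the result, even when a
    broader range in the feed covers it, so the firewall never blocks it.
    Returns a sorted list of CIDR strings (all entries must be the same IP version).
    """
    nets = {ipaddress.ip_network(e, strict=False) for e in entries}
    aggregated = list(ipaddress.collapse_addresses(nets))
    for host in suppress:
        host_net = ipaddress.ip_network(host, strict=False)
        carved = []
        for net in aggregated:
            if host_net == net:
                continue                      # suppressed entry: drop it entirely
            if host_net.subnet_of(net):
                carved.extend(net.address_exclude(host_net))  # punch a hole in the range
            else:
                carved.append(net)
        aggregated = list(ipaddress.collapse_addresses(carved))
    return sorted(str(n) for n in aggregated)


def is_blocked(ip, nets):
    """True when `ip` falls inside any network of the normalized list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


if __name__ == "__main__":
    table = normalize_feed(SAMPLE_FEED, SUPPRESS)
    print("alias table:", table)                       # two /24s, suppressed host gone
    print("192.0.2.10 blocked?", is_blocked("192.0.2.10", table))
    # Suppressing a host inside a /24 splits the range into 8 smaller prefixes:
    print(normalize_feed(SAMPLE_FEED, ["198.51.100.17"]))
```

Seven raw entries collapse to two /24 networks, and suppressing a host that sits in the middle of a /24 replaces that one range with eight narrower prefixes around the hole; that is why suppression entries should be kept to the few hosts that really need them.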

IP Block (Optional)

  • Feeds tab, pfBlockerNG/IP/IPv4:
    • Click the blue + next to PRI1
    • Delete the Pulsedive source definition and set all the remaining feeds to ON
    • In the Settings section, set Action to Deny Both. This blocks traffic to and from the IP addresses contained in the lists/feeds. You can choose to deny only inbound or only outbound connections if you prefer
  • Update tab
    • Select the 'Force' option: Update, then click Run
  • IP/GeoIP tab
    • Here you can Allow or Deny connections to and from the selected countries

DNS Block Basic

  • DNSBL tab
    • DNSBL section
      • Enable DNSBL
      • DNSBL Mode: Unbound python mode
    • DNSBL Configuration
      • Enable Permit Firewall Rules
    • DNSBL Groups section
      • Add a new group name
      • Consider the custom lists at: https://github.com/StevenBlack/hosts
      • Add the list URL as Source, give it a Header name and turn it on
      • Set Action to "Unbound"
      • DNSBL Custom_List: add any additional domains you want to block (note: this only works for simple domains, not for large domains with many subdomains)
      • Save the settings
  • Update tab
    • Select the Force option: Update
    • Select the Reload option: DNSBL
    • Run
  • Testing

DNS Block Advance

This section covers blocking large domains with many subdomains, such as YouTube or Facebook.

  • DNSBL tab
    • DNSBL section
      • Enable DNSBL
      • DNSBL Mode: Unbound python mode
      • Wildcard Blocking (TLD): Enable
    • TLD Blacklist/Whitelist
      • TLD Blacklist: add the domains that you want to block
  • Update tab
    • Select the Force option: Update
    • Select the Reload option: DNSBL
    • Run
  • Testing
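The difference between the Custom_List in the basic section and the TLD blacklist in this section is the matching rule: a Custom_List entry matches one exact hostname, while a TLD wildcard entry matches the domain and every name underneath it. The following is an added example written for this article, not pfBlockerNG's code; it is a simplified model of those two rules (it ignores the extra entries pfBlockerNG may generate) and the hostnames in the test are constructed.

```python
def _norm(name):
    """Lower-case a hostname and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def blocked_by_custom_list(query, custom_list):
    """Custom_List semantics: the queried name must equal an entry exactly."""
    return _norm(query) in {_norm(d) for d in custom_list}


def blocked_by_tld_wildcard(query, tld_blacklist):
    """TLD wildcard semantics: the entry itself and every subdomain of it match.

    The comparison is done on whole labels, so an entry "facebook.com" matches
    "m.facebook.com" but not "notfacebook.com".
    """
    labels = _norm(query).split(".")
    for entry in tld_blacklist:
        entry_labels = _norm(entry).split(".")
        n = len(entry_labels)
        if len(labels) >= n and labels[-n:] == entry_labels:
            return True
    return False


def classify(query, custom_list, tld_blacklist):
    """Report which mechanism (if any) would sinkhole the query."""
    if blocked_by_tld_wildcard(query, tld_blacklist):
        return "blocked (TLD wildcard)"
    if blocked_by_custom_list(query, custom_list):
        return "blocked (Custom_List)"
    return "allowed"


if __name__ == "__main__":
    custom = ["facebook.com"]          # basic section: Custom_List entry
    wildcard = ["facebook.com"]        # advanced section: TLD Blacklist entry
    for q in ["facebook.com", "m.facebook.com", "notfacebook.com", "cdn.example.net"]:
        print(f"{q:20} custom only: {blocked_by_custom_list(q, custom)!s:5} "
              f"wildcard: {blocked_by_tld_wildcard(q, wildcard)}")
```

The model shows why the basic Custom_List is not enough for a site like Facebook: only the bare name is caught, while the mobile and API hostnames keep resolving. It also shows the limit of the wildcard: content served from a separate CDN domain (the constructed cdn.example.net here) is not covered and needs its own entry.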

Testing
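A quick way to test DNSBL from a LAN client is to resolve a few names and see which ones come back as the DNSBL virtual IP instead of a real address. The script below is an added example written for this article, not part of pfBlockerNG. It assumes you kept pfBlockerNG's default DNSBL virtual IP of 10.10.10.1 (adjust DNSBL_VIP otherwise) and that the client uses pfSense as its resolver; the demo resolver and its hostnames are constructed so the logic can be exercised offline.

```python
import socket

# pfBlockerNG's default DNSBL virtual IP (assumption: change it if you altered the default).
DNSBL_VIP = "10.10.10.1"

# Constructed lookup table standing in for the real resolver during offline runs.
DEMO_TABLE = {
    "blocked.example": DNSBL_VIP,     # a name on a DNSBL feed: answered with the VIP
    "allowed.example": "203.0.113.5",  # a name not on any feed: real (documentation) address
}


def demo_resolve(name):
    """Offline stand-in for the system resolver; None means NXDOMAIN/unresolvable."""
    return DEMO_TABLE.get(name)


def system_resolve(name):
    """Real lookup through the client's configured resolver (pfSense/Unbound)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_domains(domains, resolve=system_resolve, sinkhole=DNSBL_VIP):
    """Classify each name as sinkholed (DNSBL hit), resolves (allowed) or unresolvable."""
    results = {}
    for name in domains:
        ip = resolve(name)
        if ip is None:
            results[name] = "unresolvable"
        elif ip == sinkhole:
            results[name] = "sinkholed"
        else:
            results[name] = f"resolves ({ip})"
    return results


if __name__ == "__main__":
    # Offline demonstration with the constructed resolver:
    for name, state in check_domains(["blocked.example", "allowed.example", "missing.example"],
                                     resolve=demo_resolve).items():
        print(f"{name:18} {state}")
    # On a real LAN client, drop resolve=demo_resolve and pass names from your own
    # Custom_List or TLD Blacklist to confirm they come back as the DNSBL VIP.
```

If a name you expect to be blocked still resolves to its real address, the usual causes are a client that is bypassing pfSense as its resolver (see the note below), a cached answer on the client, or the list not having been reloaded after the last change.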

Note

Block users from changing DNS settings

By default, normal users should be prohibited from changing LAN connection properties. If for some reason they are not, you can enable a GPO to restrict them:
https://technet2u.com/prohibit-access-to-lan-connection-properties-in-windows-7/

Install Snort

Install Snort

  • System > Package Manager > snort


Configure Snort

Basic Setup

Services > Snort

  • Global Settings tab:
    • Snort VRT: Enabled
    • Snort Oinkmaster Code: register a free account at https://www.snort.org/ to get the Oinkcode
    • Snort GPLv2: Enabled
    • Emerging Threats (ET) Open: Enabled
    • OpenAppID: Enabled
    • RULES OpenAppID: Enabled
  • Updates tab: it downloads all required rules automatically. The initial download takes a little longer; wait until it completes.
  • Snort Interfaces tab:
    • Add a new interface
      • Enable Interface
      • Always select the WAN interface
      • Provide a Description
      • Send Alerts to System Logs
      • Block Offenders: Enabled
      • Kill States: Enabled
      • Search Optimize: Enable search optimization
      • Click Save to finish
    • Click Start to enable Snort on WAN

Configure Rules to block Application

Click the Edit button on the WAN rule

  • WAN Categories tab:
    • Resolve Flowbits: Enabled
    • Use IPS Policy: Enabled
    • IPS Policy Selection: Security
    • Select the rule sets: for demonstration purposes I chose the following 3 rule sets
      • openappid-messaging.rules: to block messaging apps
      • openappid-social_networking.rules: to block social apps like Facebook and Tinder
      • openappid-streaming_media.rules: to block video streaming apps like YouTube and Vimeo
      • You can click on a rule set itself to view/allow/restrict the apps you want (the default restricts every app on the list)
      • Click Save
  • WAN Preprocs tab:
    • Enable Performance Stats: if you want in-depth logging details for the rules
    • Auto Rule Disable: Enabled
    • Application ID Detection: Enabled - use OpenAppID to detect various applications
    • Click Save

Testing

Services > Snort > Alerts
Whenever a user uses a PC or the YouTube app, it will show an alert.

From what I experimented, Snort doesn't completely block services like pfBlockerNG does; instead it limits the connection so much that the user cannot load the site or play videos.
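The Alerts tab is fine for watching a single client, but when you want to see which OpenAppID rule sets fire and from which LAN hosts, it helps to summarize the alert log (Snort's alert_fast format, the same lines pfSense shows in the Alerts tab). The parser below is an added example written for this article, not part of the Snort package; the three alert lines are constructed, with placeholder SIDs and messages rather than real OpenAppID rule identifiers.

```python
import re
from collections import Counter

# Constructed alert_fast lines; SIDs 9999901/9999902 and the messages are placeholders.
SAMPLE_ALERTS = """\
06/12-14:32:01.123456  [**] [1:9999901:1] CONSTRUCTED OpenAppID streaming_media match [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.25:51234 -> 203.0.113.10:443
06/12-14:32:05.000001  [**] [1:9999901:1] CONSTRUCTED OpenAppID streaming_media match [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.25:51240 -> 203.0.113.11:443
06/12-14:33:10.555555  [**] [1:9999902:1] CONSTRUCTED OpenAppID social_networking match [**] [Priority: 1] {TCP} 192.168.1.40:60010 -> 203.0.113.50:443
this line is not an alert and is skipped
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]. Classification is optional; IPv4 only here.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def summarize(lines):
    """Count alerts per rule message and per LAN source; report unparsed lines."""
    by_rule, by_source, skipped = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_rule[alert["msg"]] += 1
        by_source[alert["src"]] += 1
    return {"by_rule": by_rule, "by_source": by_source, "skipped": skipped}


if __name__ == "__main__":
    # Feed it the constructed sample; on pfSense you would read the interface's alert log instead.
    summary = summarize(SAMPLE_ALERTS.splitlines())
    for msg, n in summary["by_rule"].most_common():
        print(f"{n:4}  {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"{n:4}  from {src}")
    print("unparsed lines:", summary["skipped"])
```

Counting per source is the useful part when tuning: a host that keeps tripping the streaming rule set after you have restricted it tells you the block is throttling rather than stopping the connection, which matches the behaviour described above.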