I hoped there was a configuration setting in pfblocker to disable reverse lookups and repeat lookups, but it has been a while since I posted to the forums and there have been no replies, so I assume there is not.
I created a workaround because I enjoy tinkering, but, unless you have my same use case, there is no reason to take this route. Please just stick with PFBlocker.
That said, I uninstalled pfblocker and did the following...
[1] get the priority 1 threat lists
[2] normalize the output and put it on a webserver
[3] use a pfsense firewall alias and fetch it as a URL table [gui]
[4] update this to hourly on pfsense cron [cli]
[5] change the file time hourly [cli]
[6] create firewall rules to block using this alias [gui]
NOTE: I used a debian linux machine for steps 1-2 (because I already had it generating other URL lists and it was just easier to do it there). Steps 3-6 are done on the pfsense.
I had fun doing it and I learned a few things about how pfsense works in the process. If you want the details of how I did it in case you need to do something similar, then read on. Otherwise, this forum post is probably done.
Cheers
[STEP 1] script 1 (feedlist-fetch.sh)
#!/bin/bash
# start in the right place
cd /home/donutjustice/PFSENSE-scripts/quietblocker/
# get the lists
curl -s https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt > ips-feodo.txt
curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt > ips-sslbl.txt
curl -s https://cinsarmy.com/list/ci-badguys.txt > ips-cinsarmy.txt
curl -s https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt > ips-ET-emerging.txt
curl -s https://rules.emergingthreats.net/blockrules/compromised-ips.txt > ips-ET-compromised.txt
curl -s https://isc.sans.edu/block.txt > ips-isc-block.txt
curl -s https://www.spamhaus.org/drop/drop.txt > ips-spamhaus-drop.txt
curl -s https://www.spamhaus.org/drop/edrop.txt > ips-spamhaus-edrop.txt
curl -L -s https://talosintelligence.com/documents/ip-blacklist > ips-talos.txt
[STEP 2] script 2 (quietblocker.sh)
#!/bin/bash
#
# threat feed data cleanup
# copy to web server
#
# grab data from all the lists
cd /home/donutjustice/PFSENSE-scripts/quietblocker/ || exit 1
# run the fetch script directly (backticks would try to execute its output as a command)
/home/donutjustice/PFSENSE-scripts/quietblocker/feedlist-fetch.sh
sleep 35
# cleanup the output
cat ips-cinsarmy.txt > BUILD.txt
cat ips-ET-compromised.txt >> BUILD.txt
cat ips-talos.txt >> BUILD.txt
grep -v \# ips-ET-emerging.txt >> BUILD.txt
grep -v \# ips-feodo.txt >> BUILD.txt
grep -v \# ips-sslbl.txt >> BUILD.txt
grep -v '^;' ips-spamhaus-drop.txt | cut -d\; -f1 >> BUILD.txt
grep -v '^;' ips-spamhaus-edrop.txt | cut -d\; -f1 >> BUILD.txt
grep -v \# ips-isc-block.txt | awk -F '\t' '{ print $1 "/24" }' >> BUILD.txt
# move it to the local webserver
cat BUILD.txt | sort -u > /var/www/html/quietblocker/quietblocker.html
This script is run hourly on the debian box. It runs 5 minutes before pfsense grabs the URL to ensure the threatlist is fresh.
The local crontab looks like this:
25 * * * * /home/donutjustice/PFSENSE-scripts/quietblocker/quietblocker.sh
[STEP 3] In the gui set pfsense firewall alias to fetch the URL. I named mine "quietblocker" (relevant in step 5 where this becomes quietblocker.txt. If you name yours something different, just make sure it matches in step 5.) and the URL looks like this
http://10.1.1.100/quietblocker/quietblocker.html /1
[STEP 4] ssh to pfsense and edit /etc/crontab
EDIT the "urltables" line from a 12 to a *. It should look like this
30 * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
[STEP 5] keep editing /etc/crontab (just like step 4)
ADD a new crontab line (I suggest below the urltables). It should look like this.
35 * * * * root /usr/bin/touch -t 1001011230 /var/db/aliastables/quietblocker.txt
This step is necessary because the urltables script checks the timestamp on the file and won't update anything less than 1 day old. This just changes the date, so it is always old enough. I preferred this method to monkeying with the urltables script.
[STEP 6] Now create firewall rules to meet your needs using this firewall alias.
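
An added example, not part of the original post: a validation step that could sit between the cleanup in step 2 and the copy to the web server, so that a failed download (an HTML error page, an empty file) or a malformed entry never reaches the firewall alias. The function names, the /8 prefix floor and the 1000-entry minimum are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original post): validate the merged feed data
# before it is published for the pfSense URL table alias.

# Read lines on stdin, keep only well-formed IPv4 addresses or CIDR blocks.
# Assumption: prefixes shorter than /8 are rejected so a broken or tampered
# feed cannot publish something like 0.0.0.0/0 and block all traffic.
filter_valid_cidrs() {
    awk '
    {
        sub(/\r$/, "")                    # strip Windows line endings
        gsub(/^[ \t]+|[ \t]+$/, "")       # trim surrounding whitespace
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) next
        n = split($0, parts, "/")
        if (n == 2 && (parts[2] < 8 || parts[2] > 32)) next
        split(parts[1], oct, ".")
        for (i = 1; i <= 4; i++) if (oct[i] > 255) next
        print
    }' | sort -u
}

# Publish the validated list from $1 to $2 only if it holds at least $3
# entries (default 1000, an assumed floor). A temp file plus mv means the
# firewall never fetches a half-written list. On failure $2 is left untouched,
# so the previous good list keeps being served.
publish_if_sane() {
    src=$1; dest=$2; min=${3:-1000}
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    filter_valid_cidrs < "$src" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        echo "refusing to publish: only $count valid entries" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"    # mktemp creates mode 0600; the web server must read it
    mv "$tmp" "$dest"
}

# In quietblocker.sh the final "sort -u" line would become:
#   publish_if_sane BUILD.txt /var/www/html/quietblocker/quietblocker.html
```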