Netgate Discussion Forum

    Which packages should I install?

    • LPD7

      I am not new to pfSense, not an expert either, but I have been running the basic out-of-the-box config (with the exception of what's needed for proper operation) for some time, and I am now moving along and looking at which packages I might want to install to achieve some of my desired goals.

      I know that installing a package increases the required processing power, can slow performance, can increase security risks, and should be limited to what is required or not achieved by PFS itself, so thankfully I don't need to be reminded of that.

      Since packages are based on need or intended use, let me go over my top needs at the moment and go from there.

      1. Ad blocking (the more the better)
      2. Restricting access to known malicious sites and/or content (exploits, honeypots, phishing, spam, etc.), ideally before my internet address is revealed if possible
      3. Restricting access to URLs users on my local network may try to access. This must include the ability to also filter/prevent sites which use URL encryption (HTTPS, DNS over HTTPS). Example: prevent users from accessing https://facebook.com

      Look forward to your feedback and recommendations. Thank you in advance for your help.

      Intelligence is not a substitute for common sense.
      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
      Putting legacy equipment into service and out of landfills.

      • SteveITS @LPD7

        @lpd7 pfBlockerNG-devel should handle all of that. We don't use it for DNS-based blocking much, but it can do that, and it has several feeds for block lists of many kinds, including DoH servers, which is going to be necessary when using DNS-based blocking.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • LPD7 @SteveITS

          @steveits Thank you for that info. I have heard of pfBlocker but have no experience with it. Is it a pfSense product? Everything I see on PFB when googled is preceded by pfSense.

          I looked for the document wiki and found this (https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html#). It doesn't seem complete. Do you know of a good source I can reference for everything PFB?

          Lastly, someone had mentioned that Squid would work? I haven't looked into it much, but from what I can recall it is only a proxy server and not much else. Your thoughts?

          Thank you.

          • SteveITS @LPD7

            @lpd7 It's maintained by BBcan117 who has a Patreon: http://pfblockerng.com/. Few packages are maintained by Netgate directly. It is specific to pfSense.

            It has its own subforum: https://forum.netgate.com/category/62/pfblockerng. You can check the pinned posts there. I don't know if there are more extensive official docs anywhere, but I'd expect to find a lot of "how to" web pages when searching.

            The Netgate doc page does look really old; it's way beyond that.

            We set it up for ourselves and clients for the MaxMind/geoIP feature to block/allow by country, and the block lists.

            The -devel version sounds like a development version, and I think that was its intent, but we couldn't get the "needs a key" MaxMind to work on the old version, and the maintainer has posted his recommendation to use -devel, so that's what we've used for a few years.

            Squid is a proxy, haven't used it.

          • michmoor @LPD7

              Using Squid, I would recommend that you have a very specific use case for this, as it's largely very difficult to manage. If running in Transparent mode, you will face a lot of connectivity issues to websites. Running in full MITM should be used to achieve the best results. IMO, Squid should be used after exhausting other methods, but again, it depends on the use case. You can find more information within the Netgate documentation, and I will also recommend watching the Netgate YouTube videos, in which a plethora of really great information is given out.

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              • LPD7 @LPD7

                @SteveITS Much appreciated. I am going to look for a good set of documentation and, if possible, videos to get acquainted with the package. I see that there are pfSense books at Barnes and Noble, and some have sections with PFB, so maybe that would be good to have as a handy guide. I am sure I will have questions and will try to find the forum you mentioned and see if that will be a good place for info as well. Thanks again.

                • LPD7 @michmoor

                  @michmoor Yes, going to see if PFB will be the right solution; seems like Squid would be a lot of overhead and not serve all current needs. Thanks for your input.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.