Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfBlockerNg, What's the real need? Think you'll be surprised

    Scheduled Pinned Locked Moved General pfSense Questions
    9 Posts 7 Posters 3.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rsaanon
      last edited by

      I betcha significant number of pfSense users run pfBlockerNg in their home environment without realizing whether they really need it or not. Most might just run it because they might not realize the cost-benefit (cost in terms of memory usage & overhead of running the pfBlockerNg package and benefit in terms of blocking traffic that is already blocked by the pfSense itself) aspect of running pfBlockerNg.

      Why is pfBlockerNg really needed (at least for most of the residential use case)?  That is the question of the moment for me.  As is (aka out-of-the-box), the pfSense auto blocks any inbound traffic on the WAN  side.  So then what's really the use case for most of the homebound end-users?  Maybe, for some reason, they want to selectively restrict inbound connections or may be they want to restrict/limit outbound connections from within their network from hosts that might have been comprised (ie: worms/trojans that initiate outbound connection which bypasses the inbound WAN originated connections).

      So, I ask you folks to chime in and share your thoughts..

      1 Reply Last reply Reply Quote 0
      • ?
        Guest
        last edited by

        I run mail, web and file servers and it's a domestic environment

        Obviously I have ports that are open and I use it purely for Geo block purposes. I do not use the DNSBL features - I did for a short while but SWMBO complained about it being too effective. :)

        1 Reply Last reply Reply Quote 0
        • JailerJ
          Jailer
          last edited by

          Same here basically. I host a small private discussion forum and use it for the Geo blocking to keep spammers out. I recently enabled the DNSBL feature to block unwanted ads and I'm quite pleased with it.

          1 Reply Last reply Reply Quote 0
          • P
            pilotboy72
            last edited by

            I recently removed pfBlockerNg from my system.  For me it wasn't causing any performance-related issues to start.  However, I started thinking about why I had it running and the original intent was to geo-block certain countries.  Once I started thinking about it, I figured that most actors who would be able to penetrate my next layer of security would also have the means to attack from anywhere in the world, so my conclusion is that geo-blocking is probably not all that effective since it can easily be bypassed.

            1 Reply Last reply Reply Quote 0
            • ivorI
              ivor
              last edited by

              pfBlockerNG is much more than simple geo-blocking. I use it with many blacklists that stop bad IP's, ranges and domains. In the upcoming version it will be easy to block specific services. See here https://www.patreon.com/pfBlockerNG

              Need help fast? Our support is available 24/7 https://www.netgate.com/support/

              1 Reply Last reply Reply Quote 0
              • P
                pilotboy72
                last edited by

                The new version looks very useful and looks like it will be a replacement for SquidGuard (or work with it).  When will it be available on pfSense 2.4.2?

                1 Reply Last reply Reply Quote 0
                • ivorI
                  ivor
                  last edited by

                  Ask @bbcan177 :) he's the developer. I'm hoping soon, once the bugs are ironed out.

                  Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                  1 Reply Last reply Reply Quote 0
                  • M
                    motific
                    last edited by

                    The OP seems to be conflating the fact that they weren’t using pfBlockerNG appropriately with the value of the pfBlockerNG package itself…

                    Yes, geo-blocking on a SoHo network where you aren’t running servers is of limited value because everything should hit a dead-end.  pfBlocker also does IP and DNS blackholing and that is very valuable in that environment.

                    I can recall a specific incident with a friend of mine, they would be a client but they’re too far away.  A customer of theirs picked up something nasty, which emailed itself to my friends’ business, the AV at their provider missed it, a colleague opens it (because they’re expecting a document) and it was game over.  They nearly lost the business and their home as a result (no backups of certain key data.)

                    Whilst by no means the only mitigation, but a firewall is one component of “defence in depth”.  pfBlockerNG could have stopped issues by blocking outbound access to the C&C and payload servers through blackhole lists.  It’s not just about what comes in unsolicited - sometimes nasty things get pulled in by client devices.  We had a long chat and they now have much better IT suppliers now btw.

                    I also use mine at home to block ads and tracking servers, but the prime use case for pfBlockerNG in a SoHo environment is the same principle.  The firewall covers Outbound as well as inbound traffic.

                    1 Reply Last reply Reply Quote 0
                    • D
                      dhaselhorst
                      last edited by

                      Whether home or business, if I could only choose one package to install it would be pfBlockerNG. First, DNSBL is fantastic (think built-in Pi-hole). Yes, the default WAN rules will already block everything if you don't have any forwards. But as motific and others have alluded to, even then, if you deny both directions (LAN and WAN) via the IP component your internal clients will get blocked when trying to communicate with known bad addresses. The alerts/reports will show this activity as well. This is a pic of the alerts on the new version, but the older version had similar functionality. On this particular firewall, if the LAN interface shows up in the list of "denies" I need to investigate the cause of the alert.

                      pfblockerng-alerts.png
                      pfblockerng-alerts.png_thumb

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.