pfBlocker Configuration for Home Use
-
Hello everyone, I am running pfSense on a Protectli unit for home. I have a 1 Gbps fiber connection and have a few ports open for Plex and qBittorrent, and would like the extra protection pfBlockerNG-devel gives me. I had found a video from Lawrence Systems and set it up that way, but am not sure if it's the best for my use case. I would appreciate advice on what would be best for me and recommendations on which block lists to use. I would also like help in identifying what list or rule is blocking certain elements: when I have enabled pfBlocker in the past, sometimes embedded videos on certain sites die, or sites that make you disable your ad blocker won't work, so I would like to be able to find where they are being blocked and edit or add rules for specific sites and content.
-
@bose301s Yes, Lawrence's instructions are reasonable and a good start...just continue reading on the forum to learn what others have done, as ultimately it will be your choice as administrator for your network what you choose...just don't select all feeds.
-
@nollipfsense Lol, that was a rookie mistake I made the first time I set it up.
-
Well, as you can probably guess, there is no easy answer here. We all have varying needs: some only want to block ads, others try to keep their kids safe, and this is one tool in the toolshed. Others are looking to GEOBLOCK... Me, not so much geoblock as ad blocking and 'not-nice' sites, along with blocking public DNS, together with NAT rules to redirect IoT back to pfSense for DNS. It took months of trial and error to come up with a workable mix; the lists are not maintained by BBcan (with the exception of his) but by 3rd parties. List owners can change as the lists are bought by new owners sometimes. Sometimes a list works well, then not so. Sometimes they are abandoned and don't get updated, or disappear. So this is not a 'set and forget'. I pop into pfSense about once a month just to check that the lists are updating, or if there are newer lists that may do better that I could test out. It's the nature of internet security; it really IS shooting ducks in a barrel...
If you've had issues in the past with it, perhaps the way to go is to wade in a little at a time. Start with IP blocking only. Select the lists that appear to do what you are looking for, for example Emerging Threats, Talos, and I use CINS Army. You can round it out with a coinblocker and maybe a few others in other categories. Work with those for long enough to confirm they aren't blocking things that are causing issues. You could also go to their websites and read about their lists to determine what you think is important.
Once that is stable, you can do something similar with the DNSBL lists. Nothing is turnkey here. Things take time.
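The original question asked how to find out which list is blocking a given page element, and the advice above is to add lists gradually and watch what each one breaks. The pfBlockerNG-devel web GUI already has a Reports tab that shows DNSBL hits with the matching feed, but when you want to tally hits across a whole log, a small script helps. The following Python script is an added example, not code from the thread or from the pfBlockerNG project: it reads CSV-style DNSBL log records and reports, per blocked domain, which feed matched and how often, so you know which feed to add a whitelist entry against. The field layout (type, timestamp, domain, client IP, feed, group), the sample lines and the default log path `/var/log/pfblockerng/dnsbl.log` are all assumptions made for the example; check the column order of your own log before pointing the script at it.

```python
"""Tally pfBlockerNG-style DNSBL log hits by domain and feed.

Added example for the thread above; not pfBlockerNG's own code.
ASSUMPTION: each log record is a CSV line carrying at least the fields in
FIELDS, in that order. The sample below is constructed, not a real capture.
"""
import csv
import sys
from collections import Counter, defaultdict
from io import StringIO

# Assumed default location of the DNSBL log on a pfBlockerNG-devel box.
DEFAULT_LOG_PATH = "/var/log/pfblockerng/dnsbl.log"

# Constructed sample records (feed and group names are placeholders).
SAMPLE_LOG = """\
DNSBL-Full,Mar  3 19:02:11,ads.example-tracker.net,192.168.1.20,ads_feed_A,Ads
DNSBL-Full,Mar  3 19:02:15,cdn.video-host.example,192.168.1.20,tracker_feed_B,Trackers
DNSBL-Full,Mar  3 19:03:40,ads.example-tracker.net,192.168.1.31,ads_feed_A,Ads
DNSBL-Full,Mar  3 19:05:02,cdn.video-host.example,192.168.1.20,tracker_feed_B,Trackers
DNSBL-Full,Mar  3 19:06:55,metrics.example-site.org,192.168.1.20,ads_feed_C,Ads
"""

# Assumed column layout; adjust to match the real log before use.
FIELDS = ["type", "timestamp", "domain", "client_ip", "feed", "group"]


def parse_dnsbl_log(text):
    """Return one dict per well-formed record; short or malformed lines are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # do not crash on a truncated or unexpected line
        records.append(dict(zip(FIELDS, row)))
    return records


def blocks_by_domain(records):
    """Map blocked domain -> Counter of {feed: hit count}."""
    table = defaultdict(Counter)
    for rec in records:
        table[rec["domain"]][rec["feed"]] += 1
    return table


def find_blocking_feeds(records, domain_suffix):
    """Feeds that blocked the given domain or any of its subdomains.

    Use the base domain of the site that broke (e.g. 'video-host.example')
    to see every feed involved, then whitelist against those feeds.
    """
    suffix = domain_suffix.lower().strip(".")
    feeds = set()
    for rec in records:
        name = rec["domain"].lower()
        if name == suffix or name.endswith("." + suffix):
            feeds.add(rec["feed"])
    return sorted(feeds)


def main(argv):
    # With a path argument read that log; otherwise demonstrate on the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    records = parse_dnsbl_log(text)
    for domain, feeds in sorted(blocks_by_domain(records).items()):
        hits = ", ".join(f"{feed} ({n})" for feed, n in feeds.most_common())
        print(f"{domain}: {hits}")
    if len(argv) > 2:
        print("feeds for", argv[2], "->", find_blocking_feeds(records, argv[2]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or as `python3 dnsbl_tally.py /var/log/pfblockerng/dnsbl.log video-host.example` to list which feeds blocked anything under that site. Whitelisting the exact domain in the reported feed is narrower, and safer, than disabling the feed; the script tells you where to look but changes nothing on the firewall.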