pfBlockerNG

pfBlockerNG, the next generation of pfBlocker, is a relatively new package that blocks traffic to and from selected countries and IP ranges. It was designed to combine the features of Countryblock and IPblocklist. pfBlockerNG is a good package to have if you are running an email server, as it allows you to quickly block the top countries from which spam originates. In addition, you do not even need to come up with your own block lists, as there are several free block lists available on the web. Bear in mind that a block list is only as trustworthy as its source: a list fetched over plain HTTP can be tampered with in transit, and a list that happens to contain a large CDN or a DNS provider will take legitimate traffic down with it, so prefer HTTPS sources and review what a new list contains before you let it generate firewall rules.

Once you have installed pfBlockerNG, you need to run geoipupdate in order to download the MaxMind GeoIP2 databases, which map IP addresses to a country and an approximate location. (MaxMind now requires a free account and license key to download the GeoLite2 databases; newer versions of the package accept the key in their settings.) To do so, type the following at the console or at Diagnostics | Command Prompt:

/usr/local/bin/geoipupdate.sh

To begin pfBlockerNG configuration, navigate to Firewall | pfBlockerNG. There are several tabs, but the default tab is the General tab. The first setting is the Enable pfBlockerNG checkbox, which, if checked, enables pfBlockerNG. The Keep Settings checkbox, if checked, will maintain pfBlockerNG's settings across a reinstall or upgrade (if this option is not checked, these settings will be erased when the package is removed). The CRON Settings drop-down boxes allow you to select the interval at which the MaxMind database and the block lists are updated.

The Global Logging checkbox, if checked, enables logging for the firewall rules that pfBlockerNG generates. You can check Disable MaxMind Updates to disable the download of the monthly country database update. You can also set the maximum number of daily download failures that will be tolerated in the Download Failure Threshold drop-down box. Finally, you can set the number of lines kept in the log files in the Logfile Size drop-down box.

The Inbound Firewall Rules list box allows you to select the interfaces to which the inbound rules apply. You probably want to select WAN here. The adjacent drop-down box allows you to select what action to take when inbound rules match. You probably want to keep this set to Block: a silently dropped packet tells an outside scanner nothing, whereas Reject would send a TCP reset or ICMP unreachable and confirm that a firewall is present. The Outbound Firewall Rules list box allows you to select one or more interfaces on which outbound traffic will be blocked. If you want to do this (in order to prevent the users on your network from connecting to IP addresses which are on the block lists), you should select LAN here and possibly also select additional internal interfaces. The corresponding drop-down box allows you to select what action to take when outbound rules match. The default value of Reject is probably what you want here; because the client receives an immediate reset or unreachable message rather than waiting for a timeout, users on your network can tell that the connection was refused when they try to reach forbidden sites.

The OpenVPN Interface checkbox, if checked, will add auto-rules for OpenVPN. The Floating Rules checkbox causes the auto-rules to be generated in the Floating Rules tab rather than on each interface's tab. This is helpful if you want to ensure the auto-rules are in a single place. The Rule Order drop-down box allows you to select where the auto-rules are placed relative to your own rules; by default, pfBlockerNG rules are placed first and therefore take precedence over all other rules, so check that they do not shadow a permit rule you rely on.

The Update tab allows you to configure some of the update settings for pfBlockerNG. The Update Settings section includes a Status subsection which informs you of the next time cron will update the pfBlockerNG database. There is also a section called Force Options if you wish to force an update. There are three options for forcing updates: Update, which downloads and applies the lists immediately; Cron, which runs the same update the scheduled cron job would run; and Reload, which reprocesses the lists already downloaded without fetching them again. If you choose Reload, you can choose to reload All, just the IP lists (IP), or just the domain block lists (DNSBL). As the update runs, any log activity is reported in the Log section.

The Country tab allows you to quickly block any of the top countries from which spam originates. There are two top 20 spammer country lists: one for IPv4 and another for IPv6. You can select countries by holding Ctrl and clicking on individual countries, or by holding Shift and clicking to select a contiguous range of countries. The List Action drop-down box allows you to select what happens to traffic from the selected countries. The options are: Disabled, Deny, Permit, Match and Alias. The Deny, Permit and Match options have three variants each: you can deny/permit/match inbound connections, outbound connections, or both. You can choose Alias if you only want pfBlockerNG to maintain an alias of the selected countries' address ranges, which you can then reference from firewall rules of your own.

There are two additional sections on this page: Advanced Inbound Firewall Rule Settings and Advanced Outbound Firewall Rule Settings. These sections allow you to configure options similar to the options available for other firewall rules. For example, the Custom Protocol drop-down box will cause this rule to only match if the traffic matches the protocol set here. The Custom DST Port and Custom Destination fields require that you use aliases, not actual ports and IP addresses.

If you want to select specific countries, click on the appropriate continent tab in pfBlockerNG (Africa, Asia, Europe, North America, Oceania or South America) and select the countries in the list boxes at the top of the page. You can also whitelist a country by selecting one of the Permit options in the List Action drop-down box. The options on these pages are identical to the options on the main Country tab. The Proxy and Satellite tab allows you to match traffic to and from anonymous proxies and satellite providers, whose addresses cannot be attributed to a country.

You can also block by domain name rather than by IP address with DNSBL (DNS block lists). You specify the URL of a public domain block list, pfBlockerNG downloads it and periodically updates it, and the listed domains are loaded into the Unbound DNS Resolver, which then answers queries for those domains with the DNSBL virtual IP instead of their real address. To enable this feature, click on the DNSBL tab. The main tab in this section will enable you to configure DNSBL list retrieval. Clicking on the Enable DNSBL checkbox enables DNS block lists. You can also enter a virtual IP in the DNSBL Virtual IP field. You can also enter a listening port and SSL listening port on this page; these are the ports on which the virtual IP serves the blocked-page response. You can also select the interface you want DNSBL to listen on (the default is LAN; whichever interface is chosen, it should be a local interface). You can also check the DNSBL Firewall Rule checkbox to create a floating firewall rule, which will allow traffic from the interfaces selected in the accompanying list box to reach the DNSBL virtual IP. Because DNSBL works at the DNS layer, it only affects clients that use pfSense as their resolver; a client configured with an external DNS server, or a browser using DNS over HTTPS, bypasses it unless you also restrict outbound DNS to the firewall.

The Alexa Whitelist section allows you to use Alexa's top 1 million sites list to keep popular sites out of the block lists. To do so, check the Enable Alexa checkbox. You can also select a subset of this list to whitelist by selecting an option in the Number of Alexa Top Domains to Whitelist drop-down box; the options range from 1,000 to all 1 million. In the Alexa TLD Inclusion list box, you can select the top-level domains (TLDs) for which whitelisting applies (the defaults are .com, .net, .org, .ca, .co, and .io); a top site whose TLD is not selected is not whitelisted. In the Custom Domain Suppression section, you can enter domains of your own to whitelist. (Alexa has since retired this list; newer versions of the package keep the same whitelist feature but source the top-1M list elsewhere.)

The DNSBL Feeds tab is where you actually add and configure domain block lists. You can do so by clicking on this tab and then clicking on the Add button. You need to enter a DNS Group Name for each entry and you can also enter a Description. In the DNSBL subsection, you can select a Format (Auto or rsync) and a State (ON, OFF, HOLD, or FLEX). You must also specify a Source, which can be either a URL or a local file. In the Header/Label field, you must enter a unique identifier for the list. You can add more than one block list to the same group by clicking on the Add button and adding another entry.

There is a List Action drop-down box where you can select what action to take on the listed domains. The Update Frequency drop-down box allows you to select how often the list files will be downloaded. In the Weekly (Day of the Week) drop-down box, you can select the day of the week on which to update, which is only required if you choose Weekly in Update Frequency. The Enable Alexa Whitelist checkbox, if checked, causes pfBlockerNG to drop from this group any domain that appears on the Alexa whitelist, so that a popular site listed by an overly aggressive feed is not blocked. You can also add a custom domain name block list in the Custom Block List section.
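The processing the DNSBL and Alexa Whitelist sections describe, as an added example that is not pfBlockerNG's own code: a downloaded feed is parsed in "Auto" fashion (hosts-file lines, plain domains and Adblock-style rules), the top-sites whitelist is reduced to the selected TLDs, whitelisted and custom-suppressed domains are dropped, and the survivors are emitted as Unbound local-data entries pointing at the DNSBL virtual IP. The feed, the top-sites list, the TLD set and the virtual IP 10.10.10.1 are all constructed for the example, and the exact file layout pfBlockerNG writes for Unbound is not reproduced; the block shows the general DNS sinkhole technique.

```python
"""Added example, not pfBlockerNG code: feed parsing, top-sites whitelisting and
Unbound sinkhole generation as a DNSBL does them."""
import ipaddress
import re

# Constructed sample feed mixing the formats an "Auto" parser has to accept.
SAMPLE_FEED = """\
# sample ad/tracker feed (constructed for this example)
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # hosts-file style with trailing comment
analytics.example.com
cdn.example.com
ADS.EXAMPLE.NET
||banner.example.io^
"""

# Constructed stand-ins for the Alexa top sites, the TLD inclusion list and
# the Custom Domain Suppression entries.
TOP_SITES = ["example.com", "example.co.uk"]
TLD_INCLUSION = {"com", "net", "org", "ca", "co", "io"}
CUSTOM_SUPPRESSION = {"cdn.example.com"}

# Conservative hostname syntax: labels of letters, digits and hyphens, at least two labels.
DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_feed(text):
    """Extract lowercase, de-duplicated domains (first-seen order) from a feed in
    hosts-file, plain-domain or Adblock '||domain^' format. Anything that is not
    a syntactically valid hostname is ignored rather than loaded into the resolver."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # strip comments
        if not line:
            continue
        if line.startswith("||") and line.endswith("^"):  # Adblock rule
            line = line[2:-1]
        parts = line.split()
        if len(parts) == 2 and _is_ip(parts[0]):          # hosts-file line
            line = parts[1]
        elif len(parts) != 1:
            continue
        if DOMAIN_RE.match(line):
            seen.setdefault(line, None)
    return list(seen)


def whitelist(top_sites, tld_inclusion):
    """Top sites count as whitelisted only when their TLD is in the inclusion set."""
    return {d for d in top_sites if d.rsplit(".", 1)[-1] in tld_inclusion}


def is_suppressed(domain, allow):
    """Assumed rule: a feed entry is suppressed when it, or any parent domain
    below the TLD, is on the whitelist (so analytics.example.com is covered
    by example.com)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in allow for i in range(len(labels) - 1))


def build_sinkhole(domains, vip, allow):
    """Return Unbound config lines that redirect each blocked domain (and its
    subdomains) to the DNSBL virtual IP."""
    lines = []
    for d in domains:
        if is_suppressed(d, allow):
            continue
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} 60 IN A {vip}"')
    return lines


def run(feed=SAMPLE_FEED, vip="10.10.10.1"):
    allow = whitelist(TOP_SITES, TLD_INCLUSION) | CUSTOM_SUPPRESSION
    return build_sinkhole(parse_feed(feed), vip, allow)


if __name__ == "__main__":
    print("\n".join(run()))
```

With the constructed inputs, example.co.uk is not whitelisted because .uk is not in the inclusion set, analytics.example.com and cdn.example.com are dropped because example.com is whitelisted (cdn.example.com is also custom-suppressed), and the three remaining domains produce six Unbound lines.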

The DNSBL EasyList tab allows you to add one or more EasyList feeds to your pfBlockerNG setup. The EasyList feeds provide lists of ad servers and trackers that you can block at the firewall level. You can choose two different EasyList feeds:

  • EasyList w/o Elements: EasyList without element hiding. The practice of element hiding hides sections of a page that previously contained advertising.
  • EasyPrivacy: An optional filter list that removes all forms of tracking.

You can also select different categories to block, such as EASYLIST Adservers, EASYLIST Adult Adservers, and EASYLIST Trackers. You can choose an update frequency for the list, and you can also filter this list through the Alexa whitelist so that sites on Alexa's list of top sites are not blocked.

The IPv4 and IPv6 tabs allow you to add lists of IP addresses or ranges of IP addresses to filter. You can do this by clicking on either the IPv4 or IPv6 tab and clicking on the Add button. Each entry must be given a name, which is specified in the Alias Name field. The list source can be either a URL or a local file.

The Reputation tab allows you to enable pfBlockerNG to search for repeat offenders in each IP range. If there are enough offenders in a subnet, then the entire subnet will be blocked rather than just the individual IP addresses. For the purposes of this algorithm, subnets are always /24 ranges. The Enable Max checkbox, if checked, enables the search for repeat offenders. The [Max] Setting drop-down box allows you to select the maximum number of repeat offenders which will be allowed in a single IP range before the whole range is blocked. The default is 5, but you can allow up to 50 repeat offenders in a subnet. Be aware that blocking a /24 also blocks every innocent host sharing it, which matters for subnets belonging to hosting providers or CDNs.

pMax and dMax allow you to perform further analysis on repeat offenders. Both look for repeat offenders across subnets, but pMax ignores the country exclusions, whereas dMax applies them. In the Country Code Settings section, you can list the countries whose repeat offenders should be ignored by the dMax pass.
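The repeat-offender logic described above, as an added example that is not pfBlockerNG's own code: blocked addresses are grouped into /24 subnets, any subnet with more offenders than the Max setting is blocked wholesale, and the same pass is run once ignoring country exclusions (the pMax behaviour) and once honouring them (the dMax behaviour). The address sample, the country lookup table and the excluded country code "XC" are constructed for the example; a real deployment would consult the MaxMind database instead of the table.

```python
"""Added example, not pfBlockerNG code: /24 repeat-offender aggregation with
pMax-style (no exclusions) and dMax-style (country exclusions) passes."""
import ipaddress
from collections import defaultdict

# Constructed sample of IPv4 addresses that appeared on block lists.
BLOCKED_IPS = [
    "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4",
    "203.0.113.5", "203.0.113.6",                      # 6 offenders in 203.0.113.0/24
    "198.51.100.10", "198.51.100.11",                  # 2 offenders, below threshold
    "192.0.2.7", "192.0.2.8", "192.0.2.9", "192.0.2.10",
    "192.0.2.11", "192.0.2.12", "192.0.2.13",          # 7 offenders in 192.0.2.0/24
]

# Constructed stand-in for a GeoIP lookup keyed by /24 (real code would query MaxMind).
COUNTRY_OF = {
    "203.0.113.0/24": "XA",
    "198.51.100.0/24": "XB",
    "192.0.2.0/24": "XC",
}


def country_lookup(subnet):
    """Return the ISO-style country code for a subnet, '??' when unknown."""
    return COUNTRY_OF.get(str(subnet), "??")


def group_by_subnet(ips, prefix=24):
    """Map each /prefix network to the list of blocked addresses inside it.
    Non-IPv4 entries are skipped because the /24 rule is an IPv4 rule."""
    groups = defaultdict(list)
    for text in ips:
        addr = ipaddress.ip_address(text)
        if addr.version != 4:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[net].append(addr)
    return groups


def repeat_offender_subnets(ips, max_per_subnet=5, apply_exclusions=True,
                            excluded_countries=()):
    """Return the /24 networks holding more than max_per_subnet offenders.
    With apply_exclusions=True (dMax), subnets in excluded countries are
    skipped; with apply_exclusions=False (pMax) the exclusions are ignored."""
    blocked = []
    for net, members in sorted(group_by_subnet(ips).items()):
        if len(members) <= max_per_subnet:       # at or under the allowed count
            continue
        if apply_exclusions and country_lookup(net) in excluded_countries:
            continue
        blocked.append(net)
    return blocked


def run(max_per_subnet=5, excluded=("XC",)):
    """Run both passes and return (pmax_subnets, dmax_subnets) as strings."""
    pmax = repeat_offender_subnets(BLOCKED_IPS, max_per_subnet, False, excluded)
    dmax = repeat_offender_subnets(BLOCKED_IPS, max_per_subnet, True, excluded)
    return [str(n) for n in pmax], [str(n) for n in dmax]


if __name__ == "__main__":
    pmax, dmax = run()
    print("pMax (exclusions ignored):", pmax)
    print("dMax (exclusions applied):", dmax)
```

With the default Max of 5, 198.51.100.0/24 never qualifies, the pMax pass blocks both 192.0.2.0/24 and 203.0.113.0/24, and the dMax pass leaves 192.0.2.0/24 alone because its country code is on the exclusion list.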

The Alerts tab enables you to view alerts, as well as control how many alerts are displayed. Under Alert Settings, you can control the number of Deny, DNSBL, Permit, and Match entries that are shown (the defaults are 25, 5, 5, and 5). Under Alert Filter, you can filter the results based on such criteria as date, source and destination IP address, source and destination port, and protocol.

The Logs and Sync tabs are similar to the Logs and Sync tabs in Squid and SquidGuard. The Logs tab allows you to view the logs, and the Sync tab allows you to perform an XMLRPC sync with a CARP backup node or to a specified host.

Installation of the pfBlockerNG package results in the pfBlockerNG widget appearing on the pfSense dashboard. This widget provides you with a summary of pfBlockerNG activity. The table provides information about each alias: the number of addresses or networks the alias contains (Count), the number of packets blocked by the alias (Packets), and the last update time of the alias (Updated). A Count of zero against an alias you expect to be populated usually means the download failed, so the Updated column and the Logs tab are the first places to look.
