Wiki

User Tools

Site Tools

Trace: selectively_enforcing_pfblockerng_for_specific_clients_or_networks
pfsense:pfblockerng:selectively_enforcing_pfblockerng_for_specific_clients_or_networks

This is an old revision of the document!

Table of Contents

PFSense - pfBlockerNG - Selectively enforcing pfBlockerNG for specific clients or networks

ALERT: Stopping the services associated with pfblockerNG (pfb_dnsbl & pfb_filter) while Unbound / DNS Resolver is running will cause crazy things to happen, including breaking the DNS Resolver service on your device temporarily.

Don’t do this!

Instead, first remove any custom options you’ve implemented with this guide to do with pfBlockerNG from your DNS Resolver Custom Options field.

Then in Firewall → pfBlockerNG deselect Enable pfBlockerNG from the General Settings page and click save.

Basic Example

Navigate to Services→DNS Resolver.

Add the following to the Custom Options. 

server:
    access-control-view: 192.168.10.0/24 bypass
    access-control-view: 192.168.20.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf

NOTE: In this example, we have network 192.168.10.x set to an Unbound view that does not include our pfBlockerNG DNSBL configuration.

This means all the Unbound commands generated by pfBlockerNG are not referenced when a client in 192.168.10.x queries pfSense, so DNS queries go through unchanged.

For the 192.168.20.x network, the entries are included and redirected to our sinkhole.

It is important to note that you can use these entries in any CIDR notation that fall within your network topology.

To filter content for a specific IP, you could specify 192.168.10.5/32 for example.

Enforce Google, YouTube, Bing and DuckDuckGo SafeSearch

server:
    access-control-view: 192.168.10.0/24 bypass
    access-control-view: 192.168.20.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf
    local-data: "www.google.com 60 IN A 216.239.38.120"
    local-data: "www.youtube.com 60 IN A 216.239.38.119"
    local-data: "www.bing.com 60 IN A 204.79.197.220"
    local-data: "duckduckgo.com 60 IN A 107.20.240.232"

NOTE: The entries added in the dnsbl view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included.

We have to add them here as adding them as a Host Override on the DNS Resolver configuration page would enforce them for all clients.

Forward all DNS

server:
    access-control-view: 192.168.10.0/24 bypass
    access-control-view: 192.168.20.0/24 dnsbl
    access-control-view: 192.168.30.0/24 forward    
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf
view:
    name: "forward"
    view-first: yes
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8

NOTE: The forward view forwards requests to a couple of DNS servers on the Internet.

pfsense/pfblockerng/selectively_enforcing_pfblockerng_for_specific_clients_or_networks.1606654493.txt.gz · Last modified: 2020/11/29 12:54 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki