The pfSense Store

Author Topic: pfBlockerNg, What's the real need? Think you'll be surprised  (Read 474 times)

0 Members and 1 Guest are viewing this topic.

Offline rsaanon

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
pfBlockerNg, What's the real need? Think you'll be surprised
« on: December 09, 2017, 09:43:08 pm »
I betcha significant number of pfSense users run pfBlockerNg in their home environment without realizing whether they really need it or not. Most might just run it because they might not realize the cost-benefit (cost in terms of memory usage & overhead of running the pfBlockerNg package and benefit in terms of blocking traffic that is already blocked by the pfSense itself) aspect of running pfBlockerNg.

Why is pfBlockerNg really needed (at least for most of the residential use case)?  That is the question of the moment for me.  As is (aka out-of-the-box), the pfSense auto blocks any inbound traffic on the WAN  side.  So then what's really the use case for most of the homebound end-users?  Maybe, for some reason, they want to selectively restrict inbound connections or may be they want to restrict/limit outbound connections from within their network from hosts that might have been comprised (ie: worms/trojans that initiate outbound connection which bypasses the inbound WAN originated connections). 

So, I ask you folks to chime in and share your thoughts..


marjohh

  • Guest
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #1 on: December 10, 2017, 02:47:10 am »
I run mail, web and file servers and it's a domestic environment

Obviously I have ports that are open and I use it purely for Geo block purposes. I do not use the DNSBL features - I did for a short while but SWMBO complained about it being too effective. :)

Offline Jailer

  • Sr. Member
  • ****
  • Posts: 405
  • Karma: +54/-2
    • View Profile
    • Bored Guy Blog
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #2 on: December 10, 2017, 05:40:33 am »
Same here basically. I host a small private discussion forum and use it for the Geo blocking to keep spammers out. I recently enabled the DNSBL feature to block unwanted ads and I'm quite pleased with it.

Offline pilotboy72

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #3 on: December 14, 2017, 09:38:59 am »
I recently removed pfBlockerNg from my system.  For me it wasn't causing any performance-related issues to start.  However, I started thinking about why I had it running and the original intent was to geo-block certain countries.  Once I started thinking about it, I figured that most actors who would be able to penetrate my next layer of security would also have the means to attack from anywhere in the world, so my conclusion is that geo-blocking is probably not all that effective since it can easily be bypassed.

Offline ivor

  • Administrator
  • Hero Member
  • *****
  • Posts: 662
  • Karma: +141/-129
    • View Profile
    • Netgate
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #4 on: December 14, 2017, 09:49:56 am »
pfBlockerNG is much more than simple geo-blocking. I use it with many blacklists that stop bad IP's, ranges and domains. In the upcoming version it will be easy to block specific services. See here https://www.patreon.com/pfBlockerNG
Need help fast? Commercial support: https://www.netgate.com/support/

Offline pilotboy72

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #5 on: December 14, 2017, 09:57:55 am »
The new version looks very useful and looks like it will be a replacement for SquidGuard (or work with it).  When will it be available on pfSense 2.4.2?

Offline ivor

  • Administrator
  • Hero Member
  • *****
  • Posts: 662
  • Karma: +141/-129
    • View Profile
    • Netgate
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #6 on: December 14, 2017, 10:06:16 am »
Ask @bbcan177 :) he's the developer. I'm hoping soon, once the bugs are ironed out.
Need help fast? Commercial support: https://www.netgate.com/support/

Offline motific

  • Jr. Member
  • **
  • Posts: 38
  • Karma: +4/-0
    • View Profile
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #7 on: December 14, 2017, 11:53:46 am »
The OP seems to be conflating the fact that they weren’t using pfBlockerNG appropriately with the value of the pfBlockerNG package itself...

Yes, geo-blocking on a SoHo network where you aren’t running servers is of limited value because everything should hit a dead-end.  pfBlocker also does IP and DNS blackholing and that is very valuable in that environment.

I can recall a specific incident with a friend of mine, they would be a client but they’re too far away.  A customer of theirs picked up something nasty, which emailed itself to my friends’ business, the AV at their provider missed it, a colleague opens it (because they’re expecting a document) and it was game over.  They nearly lost the business and their home as a result (no backups of certain key data.)

Whilst by no means the only mitigation, but a firewall is one component of “defence in depth”.  pfBlockerNG *could* have stopped issues by blocking outbound access to the C&C and payload servers through blackhole lists.  It’s not just about what comes in unsolicited - sometimes nasty things get pulled in by client devices.  We had a long chat and they now have much better IT suppliers now btw.

I also use mine at home to block ads and tracking servers, but the prime use case for pfBlockerNG in a SoHo environment is the same principle.  The firewall covers Outbound as well as inbound traffic.




Offline dhaselhorst

  • Newbie
  • *
  • Posts: 13
  • Karma: +2/-0
    • View Profile
Re: pfBlockerNg, What's the real need? Think you'll be surprised
« Reply #8 on: December 16, 2017, 08:16:26 am »
Whether home or business, if I could only choose one package to install it would be pfBlockerNG. First, DNSBL is fantastic (think built-in Pi-hole). Yes, the default WAN rules will already block everything if you don't have any forwards. But as motific and others have alluded to, even then, if you deny both directions (LAN and WAN) via the IP component your *internal* clients will get blocked when trying to communicate with known bad addresses. The alerts/reports will show this activity as well. This is a pic of the alerts on the new version, but the older version had similar functionality. On this particular firewall, if the LAN interface shows up in the list of "denies" I need to investigate the cause of the alert.
« Last Edit: December 16, 2017, 08:25:28 am by dhaselhorst »