
Author Topic: DNSBL Config Question  (Read 182 times)


Offline tagit446

  • Jr. Member
  • Posts: 40
  • Karma: +5/-0
DNSBL Config Question
« on: January 02, 2018, 07:56:07 pm »
In "DNSBL Configuration" --> "DNSBL Listening Interface" - I have LAN1, LAN2, W_LAN, ExpressVPN_NY and ExpressVPN_NJ. Does it matter which one I choose?

Same for "DNSBL Configuration" --> "DNSBL Firewall Rule" - I have the same options plus OpenVPN. Currently I have LAN1, LAN2 and W_LAN selected. The VPN runs on LAN2 and W_LAN. Should they all be selected?

For "DNSBL IP Firewall Rule Settings" --> "List Action" - Some tutorials I read say to set it to "Deny Both" and other tutorials say to set it to "Deny Outbound". Which setting is typically best?
pfSense v2.4.3 - RELEASE (amd64) running on AMD Phenom(tm) II X4 965 Processor, Asus M4A89GTD PRO motherboard, Dell / Intel Pro/1000 VT Quad Port PCI-E Gigabit NIC Dell P/N 0H092p

Offline RonpfS

  • Hero Member
  • Posts: 740
  • Karma: +96/-2
Re: DNSBL Config Question
« Reply #1 on: January 02, 2018, 08:06:19 pm »
Quote from: tagit446
In "DNSBL Configuration" --> "DNSBL Listening Interface" - I have LAN1, LAN2, W_LAN, ExpressVPN_NY and ExpressVPN_NJ. Does it matter which one I choose?
You select the Interfaces where devices use pfsense/DNSBL for DNS services resolution. This will create NAT rules to forward Web requests to the VIP.

Quote from: tagit446
Same for "DNSBL Configuration" --> "DNSBL Firewall Rule" - I have the same options plus OpenVPN. Currently I have LAN1, LAN2 and W_LAN selected. The VPN runs on LAN2 and W_LAN. Should they all be selected?
Select the interfaces that have devices using pfsense as the router for IP blocking.

Quote from: tagit446
For "DNSBL IP Firewall Rule Settings" --> "List Action" - Some tutorials I read say to set it to "Deny Both" and other tutorials say to set it to "Deny Outbound". Which setting is typically best?
Deny outbound should be enough if you have no open ports on the WAN side as the default block rule already blocks traffic.

Deny both is when you have open ports on the WAN side.
« Last Edit: January 02, 2018, 08:57:02 pm by RonpfS »
2.3.5-RELEASE-p1 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_2/Dev, suricata 4.0.4_1
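As an added illustration (not code from the thread or from pfBlockerNG), the following Python model shows why RonpfS's answer hinges on open WAN ports: it evaluates first-match rules in the order pfSense would place them, with pfBlockerNG's deny rules ahead of the user's port forwards and the WAN default block last. The rule names, port 3074 and the 203.0.113.0/24 list are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed sample IP list (TEST-NET-3) standing in for a pfBlockerNG feed.
BLOCKLIST = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Flow:
    direction: str  # "in": Internet -> WAN, "out": LAN -> Internet
    src: str
    dst: str
    dport: int


def listed(ip: str) -> bool:
    return ipaddress.ip_address(ip) in BLOCKLIST


def build_rules(list_action: str, open_ports: set[int]) -> list:
    """Ordered (name, match, verdict) rules. pfSense emits 'quick' rules, so the
    first match wins (assumption of this model). pfBlockerNG's block rules sit
    ahead of the user's port-forward passes; the WAN default block comes last."""
    rules = []
    if list_action in ("deny_outbound", "deny_both"):
        rules.append(("pfB_deny_out", lambda f: f.direction == "out" and listed(f.dst), "block"))
    if list_action in ("deny_inbound", "deny_both"):
        rules.append(("pfB_deny_in", lambda f: f.direction == "in" and listed(f.src), "block"))
    for port in sorted(open_ports):  # the user's open WAN ports (port forwards)
        rules.append((f"forward_{port}", lambda f, p=port: f.direction == "in" and f.dport == p, "pass"))
    rules.append(("lan_allow_out", lambda f: f.direction == "out", "pass"))
    rules.append(("wan_default_block", lambda f: f.direction == "in", "block"))
    return rules


def evaluate(rules: list, flow: Flow) -> tuple[str, str]:
    """Return (verdict, name of the first matching rule)."""
    for name, match, verdict in rules:
        if match(flow):
            return verdict, name
    return "block", "implicit"


if __name__ == "__main__":
    # A listed address knocking on a forwarded game port (3074 is a constructed value).
    listed_peer = Flow("in", "203.0.113.7", "192.0.2.1", 3074)
    for action in ("deny_outbound", "deny_both"):
        for ports in (set(), {3074}):
            print(action, sorted(ports), evaluate(build_rules(action, ports), listed_peer))
```

With no open ports the WAN default block already stops the listed peer under either setting; once a port forward exists, only "Deny Both" still blocks it.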

Offline tagit446

  • Jr. Member
  • Posts: 40
  • Karma: +5/-0
Re: DNSBL Config Question
« Reply #2 on: January 02, 2018, 08:27:55 pm »
Quote from: tagit446
In "DNSBL Configuration" --> "DNSBL Listening Interface" - I have LAN1, LAN2, W_LAN, ExpressVPN_NY and ExpressVPN_NJ. Does it matter which one I choose?
Quote from: RonpfS
You select the Interfaces where devices use pfsense/DNSBL for DNS services resolution. This will create NAT rules to forward Web requests to the VIP.
Please elaborate as I use it on all interfaces (I thought?) but this option only allows you to choose one from the drop down.

Quote from: tagit446
Same for "DNSBL Configuration" --> "DNSBL Firewall Rule" - I have the same options plus OpenVPN. Currently I have LAN1, LAN2 and W_LAN selected. The VPN runs on LAN2 and W_LAN. Should they all be selected?
Quote from: RonpfS
Select the interfaces that have devices using pfsense as the router for IP blocking.
Have to admit this one confuses me due to the VPN.

Quote from: tagit446
For "DNSBL IP Firewall Rule Settings" --> "List Action" - Some tutorials I read say to set it to "Deny Both" and other tutorials say to set it to "Deny Outbound". Which setting is typically best?
Quote from: RonpfS
Deny outbound should be enough if you have no open ports on the WAN side as the default block rule already blocks traffic.

Deny both is when you have open ports on the WAN side.
This is good to know since I do have several ports open for my COD game.
pfSense v2.4.3 - RELEASE (amd64) running on AMD Phenom(tm) II X4 965 Processor, Asus M4A89GTD PRO motherboard, Dell / Intel Pro/1000 VT Quad Port PCI-E Gigabit NIC Dell P/N 0H092p

Offline RonpfS

  • Hero Member
  • Posts: 740
  • Karma: +96/-2
Re: DNSBL Config Question
« Reply #3 on: January 02, 2018, 09:03:53 pm »
Quote from: RonpfS
You select the Interfaces where devices use pfsense/DNSBL for DNS services resolution. This will create NAT rules to forward Web requests to the VIP.
Quote from: tagit446
Please elaborate as I use it on all interfaces (I thought?) but this option only allows you to choose one from the drop down.
Yeah, I wasn't on the DNSBL tab at the time. So you select one of the LAN interfaces then ;)

Quote from: tagit446
Have to admit this one confuses me due to the VPN.
I don't have VPNs here.

2.3.5-RELEASE-p1 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_2/Dev, suricata 4.0.4_1