pfBlockerNG in pfSense - IP and DNS Blocking

pfBlockerNG is a pfSense package providing comprehensive network traffic filtering based on IP address and domain name reputation lists. The package combines two core functions: blocking IP addresses from threat lists (including GeoIP country-based filtering) and DNSBL (DNS Blackhole List) - intercepting DNS queries to malicious, advertising, and unwanted domains. Unlike IDS/IPS, which analyzes traffic content, pfBlockerNG operates at the IP address and DNS query level, providing a first layer of defense with minimal performance impact.

pfBlockerNG integrates with the pfSense firewall through automatic alias and rule creation that blocks or permits traffic based on regularly updated lists from external sources.

Installing pfBlockerNG

Installation is performed through the package manager:

Navigate to System > Package Manager > Available Packages
Search for pfBlockerNG-devel (the -devel version is recommended as the actively maintained release)
Click Install and confirm the installation
Wait for the installation to complete

After installation, configuration is accessible at Firewall > pfBlockerNG.

Warning:
The pfBlockerNG-devel version is the developer-recommended release for production environments despite its name. The base pfBlockerNG version is no longer actively maintained.

System Requirements

Parameter	Minimum	Recommended
RAM	1 GB	2 GB or more
Disk	5 GB free space	10 GB
DNS Resolver	Unbound (required for DNSBL)	Unbound in Resolver mode

DNSBL requires Unbound DNS Resolver as the primary pfSense DNS service. DNSBL functionality is unavailable when using DNS Forwarder (dnsmasq).

Initial Configuration

After installation, perform the base configuration through the setup wizard.

General Parameters

Configuration is performed on the General tab (Firewall > pfBlockerNG > General).

Parameter	Description	Recommendation
Enable pfBlockerNG	Activate the package	Enable
Keep Settings	Preserve settings during reinstallation	Enable
CRON Settings	List update schedule	Every hour or Every 6 hours
Global Logging	Event logging	Enable
MaxMind License Key	Key for downloading the GeoIP database	Required for GeoIP

Obtaining the MaxMind Key

To use GeoIP blocking, a free MaxMind license key is required:

Register an account at maxmind.com
Create a License Key in the account dashboard
Copy the key into the MaxMind License Key field in pfBlockerNG settings
Run an update through Update to download the GeoIP database

IP Address Blocking

IP address blocking provides traffic filtering based on reputation lists containing addresses of known threat sources - botnet servers, spam campaigns, vulnerability scanners, and other malicious resources.

Configuring IP Blocking

Configuration is performed on the IP tab (Firewall > pfBlockerNG > IP).

IPv4 and IPv6 Groups

Each list is assigned to a group with individual parameters:

Parameter	Description
Alias Name	Alias name (used in firewall rules)
List Action	Action on match
Update Frequency	List update frequency
Source	List URL and format
Header/Label	List description

Match Actions

Action	Description
Deny Both	Block traffic in both directions
Deny Inbound	Block only inbound traffic from listed addresses
Deny Outbound	Block only outbound traffic to listed addresses
Permit Inbound	Allow inbound traffic (whitelist)
Permit Outbound	Allow outbound traffic (whitelist)
Alias Only	Create alias without automatic rule

For most threat lists, the Deny Both action is recommended for complete blocking of interaction with malicious addresses.

Popular IP List Sources

Source	Description	URL
Spamhaus DROP	Addresses hijacked for spam and attacks	https://www.spamhaus.org/drop/drop.txt
Spamhaus EDROP	Extended Spamhaus list	https://www.spamhaus.org/drop/edrop.txt
DShield	Top 20 attacking IPs over the last 24 hours	https://feeds.dshield.org/block.txt
Feodo Tracker	Banking trojan C2 server IP addresses	https://feodotracker.abuse.ch/downloads/ipblocklist.txt
Emerging Threats	Active threat IP addresses	https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
CINS Army	Distributed attacker list	https://cinsscore.com/list/ci-badguys.txt
Abuse.ch SSLBL	Malicious SSL server IP addresses	https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

GeoIP Blocking

GeoIP filtering allows blocking or permitting traffic based on the geographic location of IP addresses. This feature is useful for restricting access from countries where legitimate traffic is not expected.

GeoIP configuration is performed on the IP tab under GeoIP:

Verify the MaxMind key is entered in general settings
Navigate to IP > GeoIP
Select continents or countries for blocking
Set the action (Deny Inbound, Deny Both, etc.)
Save and run an update

GeoIP Filtering Strategies

Strategy	Description	Application
Block by country	Deny traffic from selected countries	Servers with a region-specific audience
Permit by country	Allow traffic only from selected countries, block all others	Local services without international access
Inbound only	Block inbound connections from countries, outbound permitted	Standard protection without restricting outbound access

Warning:
GeoIP databases do not provide absolute location accuracy. Some IP addresses (VPN, CDN, cloud providers) may be associated with incorrect countries. Test GeoIP rules before deploying in production environments.

DNSBL - DNS Query Blocking

DNSBL (DNS Blackhole List) blocks access to unwanted domains by intercepting DNS queries. When a client requests resolution of a blocked domain, pfBlockerNG returns a dummy IP address (typically 10.10.10.1) instead of the actual server address. This prevents connections to malicious, advertising, and tracking resources at the DNS level.

How DNSBL Works

Client                 Unbound DNS              pfBlockerNG
   |                      |                         |
   |-- DNS query -------->|                         |
   |   malware.example.com|                         |
   |                      |-- Check DNSBL --------->|
   |                      |                         |
   |                      |<-- Domain blacklisted --|
   |                      |   return: 10.10.10.1    |
   |                      |                         |
   |<-- Response: --------|                         |
   |    10.10.10.1        |                         |
   |                      |                         |
   |-- Connection to 10.10.10.1 (pfBlockerNG virtual IP)
   |-- Receives block page or RST

Configuring DNSBL

Configuration is performed on the DNSBL tab (Firewall > pfBlockerNG > DNSBL).

Core Parameters

Parameter	Description	Recommendation
Enable DNSBL	Activate DNS filtering	Enable
DNSBL Virtual IP	Virtual IP for blocked domains	10.10.10.1 (default)
DNSBL Listening Port	Block page web server port	8081 (default)
DNSBL SSL Listening Port	HTTPS port for block page	8443
DNSBL Whitelist	Domains excluded from blocking	As needed
TLD Exclusion	Top-level domain exclusions	As needed

DNSBL Groups

Each blocklist is assigned to a group with the following settings:

Parameter	Description
Group Name	List group name
DNSBL Sources	Domain list URLs
List Action	Action: Unbound (recommended)
Update Frequency	Update frequency
Header/Label	Source description

Popular DNSBL Sources

Ad and Tracker Blocking

Source	Description
EasyList	Primary ad blocking list (Adblock Plus)
EasyPrivacy	Tracking script and pixel blocking
AdGuard DNS	Ad filters from AdGuard
Peter Lowe’s Ad List	Compact list of ad and tracking domains
Steven Black’s Hosts	Consolidated malware and ad domain list

Malware Domain Blocking

Source	Description
Abuse.ch URLhaus	Domains distributing malware
Malware Domain List	Malware-associated domains
Phishing Army	Phishing domains
SANS ISC Suspicious	Suspicious domains from SANS Internet Storm Center
Disconnect Malware	Malware domains from Disconnect

Telemetry Blocking

Source	Description
Windows Telemetry	Microsoft Windows telemetry domains
Smart TV Tracking	Smart TV tracking domains

DNSBL Block Page

When accessing a blocked domain, the user sees the pfBlockerNG block page displaying:

The blocked domain
The DNSBL group containing the domain
Block time
A button to whitelist the domain (when authorized)

Block page appearance is configured on the DNSBL > DNSBL Customization tab.

Whitelists

Whitelists allow excluding specific IP addresses or domains from blocking.

IP Address Whitelist

To exclude IP addresses from blocking, create a group with a Permit Inbound or Permit Outbound action on the IP tab. Addresses in permit groups take priority over blocking groups.

DNSBL Whitelist

Domain whitelists are configured in several locations:

Method	Location	Description
DNSBL Whitelist	DNSBL > DNSBL Configuration	Global domain whitelist
Custom Whitelist	DNSBL > DNSBL Groups	Whitelist for a specific group
TLD Whitelist	DNSBL > DNSBL TLD	Top-level domain exclusions
Wildcard Whitelist	DNSBL > DNSBL Whitelist	Supports masks `*.domain.com`

Whitelist Entry Format

# Exact domain match
example.com

# Domain and all subdomains
.example.com

# Comment with description
example.com # Corporate portal

Whitelist Recommendations

During initial pfBlockerNG deployment:

Enable DNSBL with a minimal set of lists
Monitor the block log for several days
Add domains required by business applications to the whitelist
Gradually expand the number of active lists

Typical domains for whitelisting:

Corporate service domains (Microsoft 365, Google Workspace)
CDN providers (Akamai, CloudFront, Cloudflare)
Operating system update services
Payment systems and banking services

Custom Lists

pfBlockerNG supports creating custom IP address and domain lists to tailor filtering to specific requirements.

Custom IP Lists

On the IP tab, click Add and complete:

Alias Name - list name
List Action - action (Deny/Permit)
Source - select Custom and enter IP addresses or subnets, one per line
Save and run Force Update

Custom DNSBL Lists

On the DNSBL tab, click Add and complete:

Group Name - group name
DNSBL Source - select Custom and enter domains, one per line
List Action - Unbound
Save and run Force Update

Logging and Monitoring

pfBlockerNG Logs

Logs are accessible through Firewall > pfBlockerNG > Logs:

Log	Contents
DNSBL	Blocked DNS queries showing client and domain
IP Block	Blocked IP addresses showing source list
GeoIP	Blocked connections by geographic origin
Error	List update errors and package issues

Statistics

The Reports tab provides pfBlockerNG operational statistics:

Blocked request counts by category
Top blocked domains and IP addresses
Top clients by blocked request count
Activity graphs over time

Dashboard Widget

pfBlockerNG adds a widget to the pfSense dashboard with summary blocking statistics for the current period.

Firewall Integration

pfBlockerNG automatically creates aliases in the pfSense firewall for each active IP blocking group. These aliases are visible at Firewall > Aliases and can be used in custom rules.

Automatic Rules

When selecting the Deny Both/Inbound/Outbound action, pfBlockerNG automatically creates firewall rules on the Floating Rules tab. These rules are processed before user-defined rules on interfaces.

Manual Alias Usage

When selecting the Alias Only action, only an alias is created without an automatic rule. This alias can be used in custom rules on any interface for more granular control.

Troubleshooting

DNS Filtering Not Working

Verify DNSBL is enabled on the DNSBL tab
Confirm DNS Resolver (Unbound) is the primary pfSense DNS service (Services > DNS Resolver)
Verify clients use pfSense as their DNS server
Confirm Python is installed (required for DNSBL in pfBlockerNG-devel)
Run a forced update: Firewall > pfBlockerNG > Update > Force
Check the error log: Firewall > pfBlockerNG > Logs > Error

DNSBL False Positives

Identify the blocked domain in the DNSBL log
Add the domain to the whitelist through DNSBL Whitelist or the block page
For widespread false positives, disable the problematic list
Use nslookup or dig to verify domain resolution through pfSense

High Memory Usage

Check active list entry counts: Firewall > pfBlockerNG > Logs > Summary
Reduce the number of active IP lists
Increase the firewall table size: System > Advanced > Firewall & NAT > Firewall Maximum Table Entries
When using GeoIP, verify only necessary databases are loaded
Consider increasing RAM

List Update Errors

Verify DNS availability: Diagnostics > DNS Lookup
Check routing: Diagnostics > Ping to the list source address
Confirm outbound HTTPS traffic (port 443) is not blocked
Verify the source URL has not changed (sources periodically change addresses)
Check the list format - some sources change formats without notice

Package Not Working After pfSense Upgrade

Remove and reinstall pfBlockerNG through System > Package Manager
Re-run the configuration wizard
Execute Force Update to download all lists
Verify package version compatibility with the current pfSense version

Deployment Recommendations

Phased Implementation

Phase 1: Install pfBlockerNG with a minimal set of IP lists (Spamhaus DROP, DShield)
Phase 2: Enable DNSBL with primary malware domain lists
Phase 3: Add ad and tracker lists
Phase 4: Configure GeoIP filtering
Phase 5: Add custom lists based on log analysis

Post-Deployment Monitoring

After each implementation phase:

Monitor block logs for at least 48 hours
Verify business-critical application functionality
Build the whitelist based on user reports
Monitor resource consumption (RAM, CPU, table sizes)

Related Sections

Package Management - installing and updating pfSense packages
DNS in pfSense - configuring DNS Resolver (Unbound) required for DNSBL
Firewall Rules - interaction between firewall rules and pfBlockerNG aliases
Firewall Aliases - using pfBlockerNG aliases in custom rules

Last updated on 7, April 2026

HAProxy in pfSense - Reverse Proxy and Load Balancing pfSense Package Management - Install and Update