How to block ads and trackers on your firewall with pfBlocker
If there’s one thing I cannot stand online, it’s ads. At best they are a nuisance, at worst they are dangerous. A few months back I encountered a serious problem when I asked a user to download the CyberDuck FTP program. I had uBlock on and did not realise that on the ‘raw’ version of the page there was an ad which simply said ‘DOWNLOAD’. The user clicked that instead of the real download link and ended up with some shit on their Mac that took hours to get rid of.
There are some great tools out there like uBlock Origin which work as browser extensions to block out ads, trackers and dodgy domains, and I recommend everyone go out and install it. Rooted Android users should use AdAway.
However, pfSense users can take it one step further by blocking this sludge at the firewall level. This way, any device on your network will be ad-blocked whether it has the extension installed or not.
Anyone with a firewall can block IPs and domains, but I want to talk about an extension, pfBlockerNG, which simplifies the task by automatically downloading lists of ad servers and creating rules to block them.
You may find you have not had much joy with pfBlocker in the past (I am one of those people), but recent updates and new features have made it work reliably for me now, so I’m posting this to share how I got it working.
Installation
This is painless.
- Go to your pfsense web interface
- System->Packages
- Click ‘Available Packages’
- Scroll down to pfBlockerNG and click the little + icon.
- Click ‘Confirm’ and wait for the installer to finish.
Set up
If the install worked then you should see pfBlockerNG in the ‘Firewall’ drop down menu.
I’ll take you through the relevant tabs.
General Settings
pfBlockerNG General Settings
- Tick ‘enable’
- CRON settings controls how often the lists update. I have it set to once a day.
- Careful with this: some lists block you if you fetch them too often.
Interface/Rules Configuration
- Normally you want ‘WAN’ for Inbound and ‘LAN’ for outbound. I like to keep the default ‘block’ and ‘reject’ settings here.
- Floating rules - I enable this for various reasons. If you are not sure, you can leave it.
- Rule order. This determines whether pfBlocker’s rules come before or after your own rules.
- Default works for me, but look at the options; you may find one that is better suited to your needs.
IPv4
Click ‘add new alias’
- Alias name - give it a name
- Description - a longer description works here
- IPv4 Lists - enter the URL for a block list.
- Some good ones can be found at iBlockList; look at the bluetack ones in particular.
- Don’t go crazy here. Pick ads, spammers, trackers etc., but bear in mind that if you pick too many you will block sites you may not want to block.
- Clump similar ones together, create new aliases for other lists in different categories.
- List action - ‘deny both’ is a good default. Sometimes you want to just ‘deny incoming’, this is where having different aliases helps, since you can apply different actions to different lists. You can even explicitly allow lists in this manner (see below).
- Update frequency - try to set it to the same as on the general page.
IPv4 Custom list
This is a good place to put extra stuff in. I have an alias where I just use this box and no lists, to block specific IPs. I have another alias where I allow specific IPs too.
You can also use a firewall rule with a ‘regular’ pfSense alias but I use this because it puts it all in one place.
When you are done, click save. Then, when you are done adding aliases, click save on the ‘index’ page.
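To make the IPv4 list handling above concrete, here is a small feed parser I have added as an illustration (it is not pfBlockerNG’s own code and it does not talk to pfSense). It reads the iBlockList ‘P2P’ plaintext format (`description:first_ip-last_ip`) and plain CIDR lines, turns ranges into the minimal set of CIDR blocks, rejects lines that do not belong in an IPv4 alias, and shows how to spot one list repeating another, which is the kind of overlap you end up trimming when you have ‘gone overboard’ on feeds. The sample feed and its addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of an iBlockList-style "P2P" plaintext feed (one range per
# line as description:first_ip-last_ip). The addresses are documentation ranges
# made up for this example, not entries from any real list.
SAMPLE_IPV4_FEED = """\
# constructed sample feed
Example ad network:192.0.2.0-192.0.2.255
Example tracker:198.51.100.16-198.51.100.31
Example single host:203.0.113.7-203.0.113.7
Plain CIDR:203.0.113.128/25
# a hostname does not belong in an IPv4 alias; it must be rejected, not silently kept
ads.example.net
"""

P2P_LINE = re.compile(r"^(?P<desc>[^:]*):(?P<start>[\d.]+)-(?P<end>[\d.]+)$")


def parse_ipv4_feed(text):
    """Parse a P2P/CIDR feed into IPv4 networks.

    Returns (networks, rejected): networks is a list of IPv4Network objects in
    feed order, rejected holds the raw lines that are neither a range nor a CIDR.
    """
    networks = []
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            match = P2P_LINE.match(line)
            if match:
                start = ipaddress.IPv4Address(match["start"])
                end = ipaddress.IPv4Address(match["end"])
                if end < start:
                    raise ValueError("range end precedes start")
                # A range may need several CIDR blocks; summarize_address_range
                # produces the minimal set.
                networks.extend(ipaddress.summarize_address_range(start, end))
            else:
                # "description:a.b.c.d/n" or a bare CIDR: the last colon-separated
                # field is the network.
                networks.append(ipaddress.IPv4Network(line.rsplit(":", 1)[-1], strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def collapse(networks):
    """Merge overlapping or adjacent networks, as a firewall table effectively does."""
    return list(ipaddress.collapse_addresses(networks))


def overlap(alias_a, alias_b):
    """Networks of alias_a wholly covered by alias_b: candidates to drop when two
    lists in the same category repeat each other."""
    return [n for n in alias_a if any(n.subnet_of(m) for m in alias_b)]


def is_blocked(networks, ip):
    """True if the address falls inside any network of the alias."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in networks)


if __name__ == "__main__":
    nets, bad = parse_ipv4_feed(SAMPLE_IPV4_FEED)
    print("networks:", [str(n) for n in collapse(nets)])
    print("rejected:", bad)
    print("192.0.2.77 blocked:", is_blocked(nets, "192.0.2.77"))
```

Run it against a feed you have downloaded and the `rejected` list tells you straight away whether it is an IP list or a hostname list; `overlap` between two parsed aliases shows which entries you are carrying twice.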
DNSBL
This is a trick I had missed before, but I wish I had seen it sooner. Since enabling this, lots more ads have been blocked. I also have not seen it mentioned on other guides.
- Tick ‘Enable’ - make sure you are using the Unbound DNS Resolver. This is by default on pfSense now I think.
DNSBL IP Firewall Rule Settings
- List action - deny both
- Custom Domain Suppression - add any specific addresses you want to block
DNSBL Feeds
Very similar to above. Make sure your feeds are lists of host names, not IP addresses.
DNSBL EasyList
Easylist is a popular and effective list, for some reason built into pfBlocker. Makes life easy for us.
- DNSBL - EasyList
- Name: I just called it ‘EasyList’
- Feeds: At the time of writing there were two, I enabled both
- DNSBL - EasyList Settings
- Use ctrl to select all categories
- List action: unbound
- Update - as you like, I have once a day
Hit save.
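Two of the points above, that DNSBL feeds must be lists of host names rather than IP addresses, and that the ‘unbound’ list action works by having the resolver answer blocked names itself, are easier to see with a worked example. The Python below is added here as an illustration and is not pfBlockerNG’s code: it parses a feed in the two shapes DNSBL feeds come in (hosts-file lines and bare domains), separates out anything that is really an IP, renders standard `unbound.conf` redirect zones for the names, and simulates what a client query gets back. The sample feed is constructed, and the sinkhole address is an assumption for the example; pfBlockerNG answers blocked names with its own DNSBL virtual IP, so check that setting in your install.

```python
import ipaddress
import re

# Assumed sinkhole address for this example. pfBlockerNG uses its own DNSBL
# virtual IP; check that setting in your install rather than relying on this.
SINKHOLE_IP = "10.10.10.1"

# Constructed sample feed mixing the two line styles DNSBL feeds use (hosts-file
# lines and bare domains) with entries that do not belong in a hostname feed.
SAMPLE_DNSBL_FEED = """\
# constructed sample feed
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net
telemetry.example.org
0.0.0.0 ads.example.com
# an IP address is an IPv4-alias entry, not a DNSBL entry
198.51.100.9
# garbage
not a host
"""

HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_dnsbl_feed(text):
    """Split a feed into (hostnames, ip_lines, rejected).

    hostnames are lower-cased and deduplicated in first-seen order; ip_lines
    collects entries that belong in an IPv4 alias instead; rejected holds
    everything else.
    """
    hostnames, ip_lines, rejected = [], [], []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # hosts-file style: "0.0.0.0 name" or "127.0.0.1 name"
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            candidate = parts[1]
        elif len(parts) == 1:
            candidate = parts[0]
        else:
            rejected.append(line)
            continue
        candidate = candidate.lower().rstrip(".")
        try:
            ipaddress.ip_address(candidate)
            ip_lines.append(candidate)
            continue
        except ValueError:
            pass
        if HOSTNAME.match(candidate):
            if candidate not in seen:
                seen.add(candidate)
                hostnames.append(candidate)
        else:
            rejected.append(line)
    return hostnames, ip_lines, rejected


def is_hostname_feed(text):
    """The check the guide asks for: usable as a DNSBL feed only if it yields
    names and no IP addresses."""
    hostnames, ip_lines, _ = parse_dnsbl_feed(text)
    return bool(hostnames) and not ip_lines


def unbound_local_data(hostnames, sinkhole=SINKHOLE_IP):
    """Render Unbound 'redirect' zones answering the sinkhole for each name and
    every name beneath it (standard unbound.conf syntax; pfBlockerNG's generated
    file is laid out differently but relies on the same mechanism)."""
    lines = []
    for name in hostnames:
        lines.append(f'local-zone: "{name}." redirect')
        lines.append(f'local-data: "{name}. A {sinkhole}"')
    return lines


def simulate_lookup(hostnames, query, sinkhole=SINKHOLE_IP):
    """Answer a query the way a redirect zone would: the zone apex and any
    subdomain get the sinkhole; anything else falls through to normal
    resolution (returned here as None)."""
    zones = set(hostnames)
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return sinkhole
    return None


if __name__ == "__main__":
    hosts, ips, bad = parse_dnsbl_feed(SAMPLE_DNSBL_FEED)
    print("hostname feed:", is_hostname_feed(SAMPLE_DNSBL_FEED), "| stray IPs:", ips, "| rejected:", bad)
    print("\n".join(unbound_local_data(hosts)))
    print("cdn.ads.example.com ->", simulate_lookup(hosts, "cdn.ads.example.com"))
```

The `redirect` zone type is why a single entry like `ads.example.com` also catches `cdn.ads.example.com`, and why one over-broad entry in a feed can take a whole site with it; when something legitimate breaks after enabling DNSBL, a stray parent domain in one of the feeds is a common cause.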
Loading the rules
This will happen on its own at the set time, but you can manually update the lists.
For testing purposes I like to open a site with ads first, then reload the site to make sure the ads are gone.
- Go to the ‘Update’ tab
- Click ‘Force Update’
- Look at the live-view of the logs to make sure there are no errors.
Conclusion
That’s it! This is an easy way to stop users on your network getting ads.
If you get lots of stuff blocked that you do not want blocked, look at the logs to determine which list is causing the problem. When I first set this up I went way overboard and ended up trimming the list down considerably!