To integrate a custom threat feed into a pfSense firewall, you can use the pfBlockerNG package. This package allows you to automatically block or monitor IP addresses, domains, or URLs based on custom feeds. Here's a step-by-step guide to implement your feed into pfSense:
Step 1: Install pfBlockerNG on pfSense
Log into the pfSense Web Interface:
Open a browser and go to your pfSense management IP.
Example: https://<pfSense_IP>
Navigate to System > Package Manager.
Click on the Available Packages tab.
Search for pfBlockerNG.
Click Install next to pfBlockerNG.
Once installed, you will see pfBlockerNG appear in the main menu under Firewall.
Step 2: Enable and Configure pfBlockerNG
Navigate to Firewall > pfBlockerNG.
Click on the General tab.
Under General Settings, ensure the following:
Enable pfBlockerNG: Check this option.
Update Interval: Set the update frequency for your feeds (e.g., Once a Day or Every Hour).
Log Settings: Enable logging if you want to track blocked/monitored entries.
Click Save at the bottom.
Step 3: Create a New Alias for the Custom Feed
Go to Firewall > pfBlockerNG.
Click on the IP tab to configure the IP blocking lists.
Click on Add to create a new custom list.
Fill in the following details:
Name: Give a unique name, such as AbuseFirewall_Bad_IPs.
Description: Optional. Add a brief description like Custom feed from AbuseFirewall.
List Action: Choose an action for the list:
Deny Both: Blocks both inbound and outbound traffic from these IPs.
Deny Inbound: Blocks inbound traffic only.
Deny Outbound: Blocks outbound traffic only.
Permit: Allows traffic (for monitoring purposes).
Choose Deny Both to block all traffic from this feed.
IP Format: Set to Auto.
State Order: Leave as Default.
Under the IPv4 Lists Section:
Source: Enter the URL for your feed. For example:
https://www.abusefirewall.com:5000/bad-ips?api_key=4ExampleAPIKEYadsadaXZZZZZZXDsdsd
Header/Row: Set to 0 if you want to include all entries, or define it based on your feed structure.
Under Advanced Inbound/Outbound Firewall Rule Settings:
Auto Rule Order: Leave as Default.
Logging: Enable Log Permit/Block to log entries matching the feed.
Click Save and Apply Changes.
Step 4: Apply the Feed to pfBlockerNG
Navigate back to Firewall > pfBlockerNG.
Go to the Update tab.
Click Run to manually update the feed.
Wait for the update process to complete. You should see messages indicating that the feed was successfully pulled and applied.
Step 5: Verify the Feed Integration
Go to Firewall > pfBlockerNG.
Click on the Reports tab.
Check the Alert Logs to see if any IPs from the feed are being blocked.
Alternatively, go to Firewall Logs to see if any traffic is being blocked based on the new feed.
Step 6: Create a Firewall Rule Using the Feed (Optional)
If you want more granular control, you can create custom firewall rules using the feed:
Go to Firewall > Rules.
Click on the Floating tab.
Click Add to create a new rule.
Set the following:
Action: Select Block or Reject.
Interface: Choose the interface(s) to which this rule applies (e.g., WAN, LAN).
Direction: Choose in or out depending on your requirement.
Source: Set to Single host or alias.
Alias: Select your newly created alias (AbuseFirewall_Bad_IPs).
Click Save and Apply Changes.
Step 7: Test the Feed and Monitor Logs
Go to Status > System Logs.
Check the Firewall logs to see if IPs from the custom feed are being blocked.
Verify that the traffic is being filtered as per the settings.
Additional Considerations:
Regular Feed Updates: Ensure that the Update Frequency for the feed is set correctly in pfBlockerNG.
Whitelist Critical IPs: If there are certain IPs in the feed that should never be blocked, add them to a Whitelist.
Feed Format Compatibility: Ensure that the feed URL is returning a compatible format for pfSense (plain text, CSV, or IP list).
With this setup, your pfSense firewall will automatically pull updates from the custom feed and block/monitor malicious IPs, enhancing your network's security posture.
Comments