Filtering by NCCC lists in pfSense
On March 2, 2022, the National Computer Incident Coordination Center (NCCC) released a bulletin with a list of recommendations for countering information security threats. In addition to the bulletin, lists of IP addresses and DNS names to block were published. This article describes how to add these lists to pfSense and set up filtering. Although a fair amount of time has passed since the lists were published, they have not lost their relevance, and this article will also be useful when new ones are released. This article does not discuss replacing pfSense with a domestic product (import substitution) or similar topics. It describes how to set things up for those whose installation already works and who are not going to change pfSense to another firewall right now. It is assumed that readers have sufficient experience with pfSense.
IP address filtering
Let us read the 15th paragraph of the bulletin: “To protect against DDoS attacks on network information protection tools, restrict network traffic from the IP addresses listed in the proxies.txt file. The IP addresses specified in it belong to proxy servers used in DDoS attacks.”
The usual option is to create an alias with a list of addresses. Go to the Firewall / Aliases / URLs page and click the Add button. Choose the type URL Table (IPs), name the alias whatever you like, paste https://safe-surf.ru/upload/ALRT/proxies.txt into the address field, and select 1 in the field after the slash (the list is then refreshed once a day).
Next, we create a blocking rule on our WAN interface:
Action: Block
Interface: WAN
Address Family: IPv4
Protocol: Any
Source: Single host or alias – enter the name of our alias
Destination: better to leave it as Any, especially if the firewall protects hosts with public addresses
Log: can be enabled for a while to see the DoS source IP addresses in the logs
IP address filtering with pfBlockerNG
Details of this package's functionality were described in three articles – pfBlockerNG for home networking, Setting up pfBlockerNG on pfSense (Part 1), Setting up pfBlockerNG on pfSense (Part 2). We will not repeat the detailed description of the settings; go directly to the Firewall / pfBlockerNG / IP / IPv4 page and add a new group with the Add button:
Since we specified Deny Inbound as the Action, pfBlockerNG automatically places a deny rule on our WAN interface. More precisely, on all interfaces selected under Inbound Firewall Rules on the Firewall / pfBlockerNG / IP page:
Setting up a DNSBL list in pfBlockerNG
Now look at the 15th paragraph of the bulletin: “To protect against DDoS attacks on firewalls, limit network traffic that contains values from the referer_http_header.txt file in the Referer field of the HTTP header.”
Go to the Firewall / pfBlockerNG / DNSBL / DNSBL Groups page and add a new group by clicking Add:
Note that github.com is present in the list of sites, so if you do not want to block it, add it to the whitelist in the DNSBL Whitelist field on the Firewall / pfBlockerNG / DNSBL page.
Finally, do not forget to run Update on the Firewall / pfBlockerNG / Update page for the changes to take effect.
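Both the URL Table alias above and the DNSBL group pull a third-party list straight into the firewall, so it is worth checking what such a list actually contains before it starts blocking traffic: a single bad line (a 0.0.0.0/0, an RFC 1918 range, an unparseable entry) can block far more than the proxies it was meant to. The script below is an added example, not part of the original article or of pfSense/pfBlockerNG. It parses a list in the one-entry-per-line format a URL Table (IPs) alias consumes, rejects entries that would be harmful or invalid, lets you test whether a given address would be caught, and does the same for a domain list with a whitelist check of the kind the DNSBL Whitelist field is used for above. The sample lists are constructed for the example, not the real proxies.txt or referer_http_header.txt, and the NEVER_BLOCK ranges are this example's own choice.

```python
import ipaddress
import re

# Ranges that should never arrive via an external blocklist: blocking them
# would cut off your own LAN or loopback, not a remote attacker.
# (This list is the example's own choice, not something pfSense enforces.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample in the one-entry-per-line format a URL Table (IPs)
# alias consumes. This is NOT the real proxies.txt from the bulletin.
SAMPLE_IP_LIST = """\
# constructed sample list
203.0.113.7
198.51.100.0/24        # a whole /24
10.0.0.0/8
0.0.0.0/0
not-an-ip
203.0.113.7
"""

# Constructed sample in the one-domain-per-line format a DNSBL feed consumes.
SAMPLE_DOMAIN_LIST = """\
# constructed sample list
example.com
github.com
raw.githubusercontent.com
bad domain
"""

_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def parse_ip_list(text):
    """Return (accepted networks, rejected (line, entry, reason)) for a URL Table feed."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen == 0:                    # 0.0.0.0/0 would block everything
            rejected.append((lineno, entry, "matches every address"))
            continue
        if any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((lineno, entry, "overlaps a private/loopback range"))
            continue
        if net in seen:                           # duplicates are harmless, just dropped
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, rejected


def is_blocked(networks, address):
    """True if `address` would match the alias built from `networks`."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in networks)


def parse_domain_list(text, whitelist=("github.com",)):
    """Return (domains to block, whitelisted entries, rejected entries) for a DNSBL feed.

    An entry is whitelisted if it equals a whitelist name or is a subdomain of one,
    the same idea as adding github.com to the DNSBL Whitelist field.
    """
    block, whitelisted, rejected = [], [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if not _HOSTNAME.match(entry):
            rejected.append(entry)
        elif any(entry == w or entry.endswith("." + w) for w in whitelist):
            whitelisted.append(entry)
        else:
            block.append(entry)
    return block, whitelisted, rejected


if __name__ == "__main__":
    nets, bad = parse_ip_list(SAMPLE_IP_LIST)
    print("accepted:", [str(n) for n in nets])
    for lineno, entry, reason in bad:
        print(f"line {lineno}: rejected {entry!r}: {reason}")
    print("198.51.100.42 blocked:", is_blocked(nets, "198.51.100.42"))
    print(parse_domain_list(SAMPLE_DOMAIN_LIST))
```

Run it against the downloaded file (replace the SAMPLE_* strings with the file contents) before pointing the alias or DNSBL group at the URL; anything in the rejected output is what the firewall would otherwise have swallowed silently, and the whitelisted output tells you which entries need to go into the DNSBL Whitelist field.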
Additionally
It would also be worth switching to the DNS servers of the National Domain Name System (NCDN), 195.208.4.1 and 195.208.5.1 (set on the System / General Setup page).
If there is a suspicion (and who does not have one now) that an update might bring some kind of surprise, turn off the update check on the System / Update / Update Settings page (the Dashboard check checkbox) and stop visiting the Update and Package Manager menus.