pfSense is a registered trademark of Electric Sheep Fencing LLC

pfSense is used as a short form for pfSense® software

pfBlocker is one of pfSense's add-on packages and it provides the ability to block the IP addresses that have been allocated to various countries. pfBlocker makes it easy to select a collection of countries from which traffic is to be filtered.

Since pfBlocker is a supported/installable package, it's rather easy to install and configure.


1. Install the pfBlocker package

in pfSense, visit the System → Packages → Available Packages tab

you should see something like:

press the + button to the right of the pfBlocker entry

press the OK button in response to the "Do you really want to install PfBlocker package?" alert

after a short time, you should see something like:

2. Enable pfBlocker

in pfSense, visit the Firewall → pfBlocker → General tab

click-to-check Enable pfBlocker

optionally, click-to-check Enable Logging – this could result in much logging activity

select the applicable Inbound Interface(s) – normally this will be WAN

select the applicable Inbound deny action:

Block will drop the incoming requests without any response – i.e., to the blocked IPs, that inbound interface/address will appear to be nonexistent and cause the connection attempt to time out

Reject will drop the incoming requests after providing a rejection response – i.e., the blocked IP's connection attempt will know that your interface/address does exist

note that this will not apply when the "Action" you choose (see below) is "Alias only"

select the applicable Outbound Interface(s) – normally this will be WAN

press the Save button

you should now have something like:

3. Configure pfBlocker Lists

The pfBlocker "Lists" capability enables custom IP-blocking lists to be defined based upon downloadable lists (in a conforming format) and/or your own IP/CIDR entries.

in pfSense, visit the Firewall → pfBlocker → Lists tab and press the + button

Although it looks quite usable in various scenarios, I have not used the pfBlocker "Lists" capability because:

I already had my own lists that I was using via pfSense's Firewall → Aliases → URL Table capabilities

some of the lists I use don't conform to the format required by pfBlocker lists

Regardless, you may decide to use the pfBlocker "Lists" capability if it meets your requirements. For the equivalent capabilities with additional features, albeit with increased setup complexity, see the Setting Up Blocking Lists section.
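A list that does not conform to the expected format has to be converted before pfBlocker (or a URL Table alias) can use it. The script below is an added example, not part of the original article or of pfBlocker: it takes a constructed, loosely formatted list (mixed comment styles, a dotted address range, a host with a trailing port, overlapping entries) and emits one IP/CIDR per line with overlaps collapsed; the assumption is that one address or CIDR block per line is the target format.

```python
import ipaddress

# Constructed sample of a "non-conforming" list (not a real blocklist):
# mixed comment styles, a dotted range, a host:port entry, an overlap
# with an existing /24, junk, and an IPv6 network.
SAMPLE_LIST = """\
# constructed example, not a real blocklist
192.0.2.0/24 ; first network
192.0.2.77            # already covered by the /24 above
198.51.100.10-198.51.100.20
203.0.113.5:443
not-an-address
2001:db8::/32
"""

def parse_entry(line):
    """Return the network(s) for one raw line; raise ValueError if unusable."""
    body = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not body:
        return []
    if "-" in body:  # dotted range first-last -> minimal set of CIDR blocks
        first, last = (ipaddress.ip_address(p.strip()) for p in body.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # drop a :port suffix on an IPv4 host (IPv6 literals contain several ':')
    if body.count(":") == 1:
        body = body.split(":", 1)[0]
    return [ipaddress.ip_network(body, strict=False)]

def normalize_blocklist(text):
    """Convert a loosely formatted list into one CIDR per line, sorted and
    collapsed so duplicate or overlapping entries become a single network."""
    nets = []
    for line in text.splitlines():
        try:
            nets.extend(parse_entry(line))
        except ValueError:
            continue  # skip lines that are not addresses at all
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]

if __name__ == "__main__":
    print("\n".join(normalize_blocklist(SAMPLE_LIST)))
```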

4. Configure pfBlocker Top Spammers

The pfBlocker "Top Spammers" tab provides a shorthand for selecting the countries with the reputation for having the most prolific and/or dangerous criminals, hackers and/or spammers and to apply some actions to the traffic that originates from IP addresses assigned to the selected countries.

in pfSense, visit the Firewall → pfBlocker → Top Spammers tab

select the applicable Top Spammers countries

select the applicable Action you want to have applied:

Disabled will turn off this capability

any of the Deny ... or Permit ... options will disallow or allow, respectively, all traffic that originates from IP addresses assigned to the selected countries; this is sufficient if you have a simple network/firewall setup but will be too simplistic for more involved setups, in which case you can use the "Alias only" selection

use "Deny Inbound" to prevent incoming connections to your network from the selected countries, but still allow systems on your network to connect to systems with IPs that were assigned to those countries

use "Deny Both" to prevent both incoming connections to your network from the selected countries and outgoing connections from your network to systems with IPs that were assigned to those countries; this offers some additional security in that, if a system on your network was compromised (e.g., via a "trojan"), it would not be able to communicate back to a system which had an IP address assigned to one of the selected countries; this is likely more useful when the blocking list is a known list of criminal-controlled systems, for example, than for an entire country's IPs

Alias only will create an entry in Firewall → Aliases → URLs and a table entry (view via the Diagnostics → Tables → Table pop-up menu); that alias can be used in defining firewall rules, so it provides more flexibility but requires additional configuration (see the Setting Up Blocking Firewall Rules section)

press the Save button

you should now have something like:

and, if you selected "Alias only" as the "Action" and visit the Firewall → Aliases → URLs tab, you now have the following entry:

I have not used the pfBlocker "Top Spammers" capability because I've selected a broader range of countries based upon the collection of countries in each of the 6 "world area" tabs.

5. Configure pfBlocker "world areas"

The pfBlocker "world area" tabs each provide the ability to select a collection of countries located within a "world area" and to apply some actions to the traffic that originates from IP addresses assigned to the selected countries. For each "world area":

in pfSense, visit the applicable "world area" tab – e.g., Firewall → pfBlocker → South America tab

select the applicable Countries

select the applicable Action you want to have applied:

Disabled will turn off this capability

any of the Deny ... or Permit ... options will disallow or allow, respectively, all traffic that originates from IP addresses assigned to the selected countries; this is sufficient if you have a simple network/firewall setup but will be too simplistic for more involved setups, in which case you can use the "Alias only" selection

use "Deny Inbound" to prevent incoming connections to your network from the selected countries, but still allow systems on your network to connect to systems with IPs that were assigned to those countries

use "Deny Both" to prevent both incoming connections to your network from the selected countries and outgoing connections from your network to systems with IPs that were assigned to those countries; this offers some additional security in that, if a system on your network was compromised (e.g., via a "trojan"), it would not be able to communicate back to a system which had an IP address assigned to one of the selected countries; this is likely more useful when the blocking list is a known list of criminal-controlled systems, for example, than for an entire country's IPs

Alias only will create an entry in Firewall → Aliases → URLs and a table entry (view via the Diagnostics → Tables → Table pop-up menu); that alias can be used in defining firewall rules, so it provides more flexibility but requires additional configuration (see the Setting Up Blocking Firewall Rules section)

press the Save button

you should now have something like:

and, if you selected "Alias only" as the "Action" and visit the Firewall → Aliases → URLs tab, you now have the following entry:

6. Create pfBlocker firewall rules

If the Alias only option was selected for the Action in the "Top Spammers" tab or any of the "world area" tabs, you'll need to create firewall rules which define how traffic that originates from IP addresses assigned to the selected countries will be treated. The firewall rules will use the applicable Firewall → Aliases → URLs entry (or entries) created by pfBlocker.

Now, set up your blocking firewall rules.

... or return to the Bad-Guy Blocking article's overview page.