Skip to content

pfBlockerNG

pfBlockerNG provides outbound threat-list/reputation blocking (and can do inbound GeoIP blocking, though the primary use here is outbound).

The FireHOL level1 / RFC1918 gotcha

The FireHOL level1 blocklist intentionally includes 10.0.0.0/8 as part of its bogon coverage — it's a legitimate bogon range on the public internet, and the list is built for WAN-facing use. On a WAN-bridge-mode router where WAN and internal traffic share the same rule evaluation, this becomes dangerous:

  • Set the list's action to Deny_Inbound.
  • Never Deny_Both. Deny_Both also creates a LAN-outbound reject rule, which blocks all RFC1918 traffic — including pfSense's own DNS Resolver talking to itself and to internal hosts. This one setting broke internal DNS in a way that looked like a completely unrelated resolver bug.
  • This is a durable config change, not a one-time cleanup — pfBlockerNG's cron re-download will silently reset any manual suppression-list workaround, so the fix has to be the action setting itself, not an exception list.

Ongoing maintenance

Blocklists auto-update on a cron schedule; the only thing that needs periodic attention is confirming the Deny_Inbound action survives after any pfBlockerNG package update (updates have been known to reset per-list settings to defaults).