pfBlockerNG
pfBlockerNG provides outbound threat-list/reputation blocking (and can do inbound GeoIP blocking, though the primary use here is outbound).
The FireHOL level1 / RFC1918 gotcha
The FireHOL level1 blocklist intentionally includes 10.0.0.0/8 as part of its
bogon coverage — it's a legitimate bogon range on the public internet, and the list is
built for WAN-facing use. On a WAN-bridge-mode router where WAN and internal traffic
share the same rule evaluation, this becomes dangerous:
- Set the list's action to
Deny_Inbound. - Never
Deny_Both.Deny_Bothalso creates a LAN-outbound reject rule, which blocks all RFC1918 traffic — including pfSense's own DNS Resolver talking to itself and to internal hosts. This one setting broke internal DNS in a way that looked like a completely unrelated resolver bug. - This is a durable config change, not a one-time cleanup — pfBlockerNG's cron re-download will silently reset any manual suppression-list workaround, so the fix has to be the action setting itself, not an exception list.
Ongoing maintenance
Blocklists auto-update on a cron schedule; the only thing that needs periodic
attention is confirming the Deny_Inbound action survives after any pfBlockerNG
package update (updates have been known to reset per-list settings to defaults).