
What can you use as a pfBlockerNG equivalent on OPNsense?


pfBlockerNG is a pfSense® software package created by BBCan177 and used for IP/DNS-based filtering. It is based on Marcello Coutinho's and Tom Schaefer's earlier work. The project's purpose was to extend pfSense's fundamental firewall functionality by allowing users to use IP and DNS control lists to regulate and manage inbound and outbound access through the firewall.

Since most pfSense® software administrators place their network security in the hands of pfBlockerNG, it is the highest barrier they need to clear when deciding whether to migrate from the pfSense software to the OPNsense firewall. When they prepare a migration plan, the first and most important question is how they can protect their networks against cyber threats without the pfBlockerNG package on OPNsense. Finding the correct answer can be a challenge, because although most users agree that OPNsense has a friendlier and more helpful community than the pfSense software, they also suspect that OPNsense does not have online resources as rich as those of the pfSense® software.

Therefore, pfSense® software users who think about leaving the pfSense® software world and being a member of the OPNsense community need to dive deeply into the forums to make a correct decision. In fact, when they give OPNsense a chance, they will see that it provides them with more powerful and secure solutions than their expectations.

By installing various official or vendor plugins, especially Zenarmor (os-sensei), on the OPNsense firewall, users can not only use the features of the pfBlockerNG but also protect their network in a more secure way. This is due to the fact that, while pfBlockerNG is a DNS-based filtering solution, OPNsense, powered by Zenarmor, provides next-generation firewall capabilities such as deep packet inspection, application control, web content filtering, cloud threat intelligence, network analytics, integration with other systems, centralized management, and user-based filtering.

In this article, we will guide you through how you can migrate from pfSense® software to OPNsense safely without losing any benefits of pfBlockerNG. At the end of this article, you will see that OPNsense provides different security features as an alternative to the pfBlockerNG package.



Can I find the functionality offered by pfBlockerNG on OPNsense?

Yes. And it gets even better on OPNsense. You have multiple options for this, each of which gives you an even greater level of network security protection.

By configuring the following OPNsense official or vendor plugins, Zenarmor in particular, you can not only utilize the functionalities of pfBlockerNG but also enhance the security of your network:

  1. Zenarmor (for all pfBlockerNG functionalities + much more)
  2. Firewall Aliases and Suricata IPS (for GeoIP blocking)
  3. Unbound DNS (for DNS blocking)
  4. Spamhaus (for spam filtering)
  5. Rspamd (for spam filtering)

Zenarmor is the best alternative to pfBlockerNG. By installing and configuring Zenarmor on supported platforms like OPNsense and pfSense CE, users can create a more secure environment. Even the free version of Zenarmor next-generation firewall offers superior security, and those migrating from pfSense to OPNsense will be more than satisfied.

This difference arises from the fact that OPNsense, powered by Zenarmor, offers enterprise-level next-generation firewall features like application control, web filtering, deep packet inspection, AI-based CTI, user-based filtering, advanced reporting, network analytics, and integration with many security solutions such as authentication platforms, SIEM, and API, among others, whereas pfBlockerNG merely performs DNS-based filtering. Moreover, Zenarmor will soon provide full TLS inspection and device identification features for paid editions.

Zenarmor is designed to meet all your expectations and security requirements, and therefore, there is no need to install any additional plugins. The installation and configuration of Zenarmor are straightforward and easy. If you wish to add an extra layer of security, you may consider installing other plugins.

| pfBlockerNG feature | Availability on OPNsense | Explanation |
| --- | --- | --- |
| IP Filtering | Yes | Zenarmor plugin provides NGFW capabilities |
| GeoIP blocking | Yes | Firewall Aliases and IPS have MaxMind GeoIP support |
| DNS blocking | Yes | Zenarmor provides DNS-based filtering, and the Unbound DNS service provides predefined and custom DNSBL |
| Inbound/Outbound traffic filtering | Yes | OPNsense packet filtering and the Zenarmor plugin have inbound/outbound filtering capability |
| DoH/DoT blocking | Yes | Zenarmor plugin provides a DoH/DoT blocking option |
| Spam Filtering | Yes | Zenarmor has IP reputation for spam filtering. OPNsense has Spamhaus support and the rspamd plugin |
| Whitelist | Yes | Both the Unbound DNS service and the Zenarmor plugin provide a whitelist feature |
| SafeSearch | Yes | Zenarmor plugin provides a SafeSearch option |
| YouTube Restrictions | Yes | Zenarmor provides rich application control options for the YouTube service and a SafeSearch option for YouTube Restrictions |

Table 1. pfBlockerNG feature availability on OPNsense

In this section, we'll do a deep dive and discuss all pfBlockerNG features one by one; and show you how to implement them on OPNsense.

IP Blocking

Even if the firewall is not configured with open internet-facing ports, local users may inadvertently initiate connections to malicious servers, posing a significant security risk to your network. You should restrict access to known sources of ransomware, malware, botnets, and Command & Control (C&C) servers to reduce the likelihood of this happening.

pfBlockerNG provides regularly updated blocklists via the bundled PRI1 feed. You can use pfBlockerNG to create firewall rules based on IPv4 and IPv6 address spaces. As a result, you can manage both incoming and outgoing traffic on a single or multiple interfaces.

Zenarmor, one of the best OPNsense plugins, offers you a more advanced security solution than the pfBlockerNG IP filtering and DNS-based filtering features. It has next-generation firewall capabilities that a DNS-based filtering solution can never provide. Zenarmor has a powerful and lightweight packet inspection engine that can scan both incoming and outgoing traffic on a single or multiple network interfaces. It passes or blocks network packets according to predefined or custom user security policies. This decision can be based not only on the source/destination IP address but also on many other criteria, such as protocol, port, session time, application category, application, user/group name, etc. In other words, Zenarmor evolves your L4/packet filtering firewall into an L7/application layer firewall, which is vital to protecting your valuable assets and privacy against cyber attacks in today's world. It can provide a wide variety of enterprise-grade network security functions, such as application filtering and web content filtering.

Zenarmor lets administrators create customizable web filtering profiles and policies based on a cloud-based web categorization of 300+ million websites under 60+ categories.

Zenarmor Cloud is a massive database that serves millions of queries per day and contains reputation and security information for over 300 million websites, with new ones being added on a daily basis. Zenarmor can respond to malware threats and virus outbreaks in real-time thanks to Zenarmor Cloud. Zenarmor also has the following Essential and Advanced Security options.

| Essential Security | Advanced Security |
| --- | --- |
| Block Malware Activity | Block Recent Malware/Phishing/Virus Outbreaks |
| Block Phishing Servers | Block Proxy |
| Block Spam sites | Block Dead Sites |
| Block Hacking Sites | Block Dynamic DNS Sites |
| Block Parked Domains | Block DNS Tunneling |
| Block Potentially Dangerous Sites | Block Newly Registered Sites |
| Block Firstly Seen Sites | Block Newly Recovered Sites |
| Block DNS over HTTPS (DoH) | Block Botnet C&C |
| Block Compromised Websites | Block Botnet DGA Domains |
| Block Keyloggers and monitoring | |
| Block Spyware and Adware | |

Table 2. Essential Security & Advanced Security options on Zenarmor

It is clear that Zenarmor has a bigger threat intelligence database than pfBlockerNG has. This means that Zenarmor provides more effective protection against cyberattacks than pfBlockerNG does. A significant advantage of Zenarmor over pfBlockerNG is that it has a lower rate of false positives due to its powerful, up-to-date, and efficient AI-based database.

GeoIP Blocking

The pfBlockerNG's GeoIP feature can be useful for restricting access to specific regions. This will not be applicable in all situations because not all regions are malicious. Allowing traffic from other regions, on the other hand, is pointless if all of your expected traffic comes from a specific geographic region because it exposes you to additional risk for no real benefit. In most cases, blocking inbound access based on GeoIP data is all that is required. This allows your local users to access any website in the world while blocking inbound traffic from regions where you don't expect it.

The OPNsense firewall also has a GeoIP blocking feature. You can define the GeoIP restrictions using aliases. After adding a GeoIP type alias, you can define a firewall rule to block the incoming traffic from certain countries or continents on the OPNsense firewall.

To accomplish GeoIP blocking, both OPNsense and pfBlockerNG use the MaxMind GeoIP database, which requires a license key. This license key is completely free of charge. A link to the MaxMind registration page is included in the MaxMind License Key field description. MaxMind, an industry leader in IP geolocation accuracy, provides and maintains the lists.

As another option, OPNsense allows you to set up an IPS for blocking IP addresses based on their geographic location. You may add user-defined IPS rules and enable IPS mode on the WAN interface for GeoIP blocking.

warning

Remember that GeoIP blocking is not a perfect defense that will let you sleep peacefully at night, because attackers use more advanced techniques to evade security products, such as using fake IP addresses, changing IP addresses quickly and continuously, and using many different IP addresses all over the world. Websites host content and media on servers all around the world, so don't restrict yourself too much. Blocking some of these IP addresses inadvertently may result in broken websites or unavailable downloads.

How to enable GeoIP blocking on OPNsense Firewall

To enable GeoIP blocking on the OPNsense firewall, you may follow the steps below:

  1. Fill out the registration form on the MaxMind sign-up page to obtain your license key. When asked if you use "geoipupdate", select no during license key generation.

  2. On the OPNsense Firewall Web UI, navigate to Firewall > Aliases > GeoIP Settings.

    Figure 1. GeoIP settings on OPNsense firewall

  3. Enter the following address into the URL field, replacing the My_License_key part with your own MaxMind license key: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip

  4. Click Apply.

  5. Click the Aliases tab to create an alias for GeoIP blocking.

  6. Click + icon at the right bottom of the page.

  7. Enter a name for the alias.

  8. Select GeoIP for the Type.

  9. Select the Region and the Countries as you wish, such as China and North Korea in Asia Region.

  10. You may enable the Statistics option.

  11. Enter a descriptive name for the alias, such as China_North_Korea.

    Figure 2. Adding GeoIP Type alias on OPNsense firewall

  12. Click Save.

  13. Navigate to Firewall > Rules > WAN.

  14. Click + icon to create a firewall rule.

  15. Select Block to deny GeoIP connections.

  16. Set Direction to in for blocking incoming traffic from GeoIP locations.

  17. Select the newly created GeoIP alias, such as China_North_Korea, for the Source.

    Figure 3. Creating firewall rule for blocking incoming traffic from GeoIP locations-1

  18. Set the Destination to WAN Address.

  19. You may enable logging.

  20. You may set a name for the category such as GeoIP rules.

  21. Set a description for the rule such as China and North Korea IPs not allowed.

    Figure 4. Creating firewall rule for blocking incoming traffic from GeoIP locations-2

  22. Click Save.

  23. Click + icon to create a firewall rule for outgoing traffic.

  24. Select Block to deny GeoIP connections.

  25. Set Direction to in.

  26. Select WAN Address for the Source.

    Figure 5. Creating firewall rule for blocking outgoing traffic from GeoIP locations-1

  27. Set the Destination to the newly created GeoIP alias, such as China_North_Korea.

  28. You may enable logging.

  29. You may set a name for the category such as GeoIP rules.

  30. Set a description for the rule such as China and North Korea outbound not allowed.

    Figure 6. Creating firewall rule for blocking outgoing traffic from GeoIP locations-2

  31. Click Save.

  32. You may need to reorder your rules to work properly.

  33. Click Apply to activate the rules.

    Figure 7. GeoIP firewall rules

DNS Blocking

pfBlockerNG can restrict DNS Resolver access in order to prevent access to malicious websites such as advertisements, threats, and malware. Domain blocking is a powerful tool for filtering tracking domains, malicious domains, and advertisements. As you browse the internet, your DNS requests are checked against a blocklist. If there is a match, the request is denied. It's a great way to block ads without having to use a proxy server.

Domain names collected from various blacklist sources or entered manually are used to generate optimized DNS Resolver blocklists. You can subscribe to popular user-maintained blocklists or use pre-built 'EasyLists.'

info

The EasyList filter lists are sets of rules that were originally designed for Adblock to automatically remove unwanted content from the internet, such as annoying advertisements, bothersome banners, and inconvenient tracking. Many ad blockers use it as the foundation for over a dozen combinations and supplementary filter lists.

In a similar way, OPNsense provides a DNS blocking feature with the help of its Unbound DNS service. Unbound DNS is a validating, caching, recursive DNS resolver that is enabled by default on OPNsense. It has an integrated DNS blacklisting feature. This service intercepts DNS queries on your network and performs many tasks, like forwarding them through a VPN, blacklisting/whitelisting, etc. It protects your network against malware, ads, tracking, phishing, and other threats at the DNS layer. You can use predefined external DNSBL resources or use custom blacklists by giving the http[s] location to download blacklists from. You may find many lists on filterlists.com. Unbound DNS also has a whitelist option. When a blacklist item matches a pattern in the whitelist domains, it is removed from the results. DNSBL configuration options in Unbound DNS are given below:

| Option | Description |
| --- | --- |
| Type of DNSBL | Predefined external sources |
| Blacklists URL | Additional http[s] location to download blacklists from. Only plain text files containing a list of fqdn's (e.g. my.evil.domain.com) are supported. |
| Whitelist Domains | When a blacklist item matches a pattern in the whitelist domains, it is removed from the results, e.g. .*.tr would exclude all .tr domains |
| Private Domains | List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses. |
| Insecure Domains | List of domains to mark as insecure. The DNSSEC chain of trust is ignored towards the domain name. |

Table 3. DNSBL configuration options on Unbound DNS

Predefined DNSBL sources on Unbound DNS are listed below.

| DNSBL Name | URL |
| --- | --- |
| AdAway | https://adaway.org |
| AdGuard List | https://justdomains.github.io/blocklists/#the-lists |
| Blocklist.site | https://github.com/blocklistproject/Lists |
| EasyList | https://justdomains.github.io/blocklists/#the-lists |
| Easyprivacy | https://justdomains.github.io/blocklists/#the-lists |
| NoCoin List | https://justdomains.github.io/blocklists/#the-lists |
| PornTop1M List | https://github.com/chadmayfield/my-pihole-blocklists |
| Simple Ad List | https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt |
| Simple Tracker List | https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt |
| StevenBlack/hosts | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts |
| WindowsSpyBlocker | https://github.com/crazy-max/WindowsSpyBlocker |
| YoYo List | https://pgl.yoyo.org/adservers/ |

Table 4. Predefined DNSBL sources on Unbound DNS

How to enable DNS-based filtering on OPNsense

To enable DNS blocking on your OPNsense firewall, you may follow the next steps given below:

  1. Navigate to Services > Unbound DNS > Blocklist.

  2. Enable the use of DNS blocklists by clicking on the check box.

  3. Select the lists as you wish from the Type of DNSBL option.

    Figure 8. Selecting predefined DNS blocking lists on OPNsense firewall

  4. You may need to add a whitelist for some domains; for example, *.tr will exclude all .tr domains.

  5. Click Apply to activate the DNSBL on your OPNsense firewall.

    Figure 9. Applying DNSBL on OPNsense
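The list handling described above, as an added example that is not OPNsense or Unbound code: it merges blocklist sources and then drops every entry that fully matches a whitelist pattern, which is how Table 3 describes the whitelist. It goes slightly beyond the page in accepting hosts-file format (the layout StevenBlack/hosts uses) as well as plain fqdn-per-line files; the list contents are constructed samples.

```python
"""Added example: build the effective DNS blocklist from several sources and
apply Unbound-style whitelist patterns (regexes such as '.*.tr')."""
import re

# Constructed sample of a plain fqdn list, the format the "Blacklists URL"
# option accepts (comments and blank lines are ignored here).
PLAIN_LIST = """\
# constructed sample blocklist
ads.example.com
tracker.example.net

banner.example.tr
"""

# Constructed sample in hosts-file format ("<address> <name>"), the layout
# StevenBlack/hosts uses; handling it is an assumption beyond the page.
HOSTS_LIST = """\
# constructed sample hosts-format list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 telemetry.example.org  # inline comment
0.0.0.0 ads.example.com
0.0.0.0 stats.example.tr
"""

# Names that hosts files carry for the local machine; these are never blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}

# A minimal fqdn check: labels of letters, digits and hyphens, at least one dot.
_FQDN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")


def parse_blocklist(text: str) -> set:
    """Return the domains named in a plain or hosts-format list, lower-cased."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        # hosts format: "<address> <name> [<name>...]"; plain format: "<name>"
        names = fields[1:] if len(fields) > 1 else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not _FQDN_RE.match(name):
                continue
            domains.add(name)
    return domains


def apply_whitelist(domains, patterns) -> set:
    """Drop every domain that fully matches one of the whitelist regexes.
    With the page's example '.*.tr' every .tr domain is removed."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return {d for d in domains if not any(rx.fullmatch(d) for rx in compiled)}


def effective_blocklist(sources, whitelist) -> set:
    """Merge all sources, then remove whitelisted entries."""
    merged = set()
    for text in sources:
        merged |= parse_blocklist(text)
    return apply_whitelist(merged, whitelist)


if __name__ == "__main__":
    for d in sorted(effective_blocklist([PLAIN_LIST, HOSTS_LIST], [".*.tr"])):
        print(d)
```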

Inbound Traffic Filtering

By default, both the pfSense software and the OPNsense firewall block all inbound traffic. As a result, unless your firewall has open ports, there is no need to apply a rule to inbound traffic for additional protection. However, you may have a number of ports open on occasion, exposing a VPN endpoint and several self-hosted services. If this is the case, it is best to use a security solution for inbound traffic filtering.

pfBlockerNG has a custom IP list and GeoIP restriction features to limit inbound access.

In the same way, the OPNsense firewall provides a custom IP list and GeoIP restrictions using aliases. You can define a firewall rule to block incoming traffic from certain countries or continents.

On OPNsense, the Zenarmor plugin allows you to apply security rules, web content filtering, and application control to inbound traffic that may be initiated by externally harmful IPs.

Outbound Traffic Filtering

Outbound blocking is available in pfBlockerNG to prevent users from visiting malicious websites by accident. When used in conjunction with logging, this is an effective method for identifying potentially compromised devices.

To block compromised clients from accessing malicious websites on OPNsense, Zenarmor provides a powerful and lightweight security solution. You can easily define security rules, web filtering, and application control policies in your network for outgoing traffic.

Blocking DNS over HTTPS/TLS

You can use pfBlockerNG to block DNS over HTTPS/TLS packets on your network. It contains an extensive list of known public DNS servers that support DNS over HTTPS. Because DNS over HTTPS poses a significant privacy and security risk, you should enable the DoH/DoT (DNS over HTTPS/DNS over TLS) feature on your pfBlockerNG. Otherwise, some of your network's users may circumvent pfBlockerNG's ad blocking and pfSense's DNS server.

On your OPNsense firewall, you can block the DoH/DoT (DNS over HTTPS/DNS over TLS) by enabling the DNS over HTTPS application control on the Zenarmor plugin to easily lower the privacy and security risks. Zenarmor provides a rich application database that is updated frequently.

Figure 10. Blocking DNS over HTTPS on Zenarmor firewall

Spam Filtering

If your network has a mail server, both the pfBlockerNG in pfSense software and the OPNsense firewall have excellent mail security solutions for spam filtering. Zenarmor next-generation firewall plugin has essential security protection for even free users.

Zenarmor® offers AI-driven threat intelligence that protects your network against over 300 million websites and domains. This exceptional feature is included in all Zenarmor subscriptions, ranging from the Free Edition to the Business Edition, and provides sophisticated protection. By combining Zenarmor CTI DB and BrightCloud Threat Intelligence, Zenarmor's strong security architecture offers a cutting-edge way to protect against new threats.

Zenarmor CTI DB evaluates Zenarmor Cloud requests and queries in real-time to determine whether to permit or deny access. In milliseconds, it evaluates more than 300 million websites across 120+ categories.

BrightCloud Threat Intelligence detects threats across over 4.39 billion active IPv4 and IPv6 addresses, owing to its extensive reach. It analyzes insights from over one billion domains in order to generate policy-based decisions automatically. It protects against malicious and whitelisted file behaviors through real-time lookups of more than 48 billion records. It augments this repository on a daily basis through the examination of around 25,000 threats and URLs. Moreover, it actively inhibits zero-day and polymorphic malware.

In addition to Zenarmor, by including a spam blacklist, such as 'Spamhaus', on your OPNsense firewall, you can prevent spam from reaching your server.

The Spamhaus DROP (Don't Route Or Peer) lists are advisory "drop all traffic" lists made up of IP blocks that are owned or have been hijacked by professional spam or cyber-crime operations (used for spreading trojan downloaders, malware, and botnet controllers). The DROP lists are a subset of the SBL that firewalls and routing equipment can use to filter harmful traffic from certain netblocks.

The Spamhaus DROP lists, when implemented at a network route, will help protect clients from spamming, harvesting, scanning, DNS-hijacking, and DDoS attacks originating on rogue network blocks.

To enable the Spamhaus protection on OPNsense, you may define aliases for Spamhaus DROP and EDROP lists and then define firewall rules for blocking both incoming and outgoing connections for the drop and edrop lists on the related interfaces.

OPNsense provides the rspamd plugin for spam protection. Rspamd is an advanced spam filtering system that evaluates messages using a variety of rules, such as statistical analysis, regular expressions, and specialized services like URL ban lists. It examines each message and assigns it a spam score.

Rspamd proposes an action for the MTA to do with the message based on the spam score and the user's settings, such as passing, rejecting, or adding a header. It can handle hundreds of messages per second and has a lot of useful features.

How to Configure Spamhaus on OPNsense Firewall

To configure Spamhaus on your OPNsense firewall, you may follow the next steps given below.

  1. Navigate to Firewall > Aliases.

  2. Click + icon at the right bottom of the page.

  3. Enter a name for the alias, such as spamhaus_drop.

  4. Enter a descriptive name in the description field, such as Spamhaus DROP.

  5. Select URL Table (IPs) as a Type.

  6. Set Content to [https://www.spamhaus.org/drop/drop.txt](https://www.spamhaus.org/drop/drop.txt).

  7. Set the Refresh frequency to 1 day.

    Figure 11. Creating alias for Spamhaus Drop on OPNsense

  8. Click Save.

  9. Click + icon at the right bottom of the page.

  10. Enter a name for the alias, such as spamhaus_edrop.

  11. Enter a descriptive name in the description field, such as Spamhaus EDROP.

  12. Select URL Table (IPs) as a Type.

  13. Set Content to [https://www.spamhaus.org/drop/edrop.txt](https://www.spamhaus.org/drop/edrop.txt).

  14. Set the update frequency to 1 day.

    Figure 12. Creating alias for Spamhaus EDrop on OPNsense

  15. Click Save.

  16. Click Apply to activate the aliases settings.

Figure 13. Aliases for Spamhaus on OPNsense

  17. Navigate to Firewall > Rules > WAN.

  18. Click + icon to create a firewall rule.

  19. Select Block to deny incoming connections.

  20. Set Direction to in for blocking incoming traffic from the Spamhaus DROP list.

  21. Select the newly created Spamhaus DROP alias, such as spamhaus_drop, for the Source.

    Figure 14. Creating firewall rule for blocking Spamhaus Drop list-1

  22. You may enable logging.

  23. You may set a name for the category such as Spamhaus rules.

  24. Set a description for the rule such as Block Spamhaus DROP.

  25. You may leave other settings as default.

    Figure 15. Creating firewall rule for blocking Spamhaus Drop list-2

  26. Click Save.

  27. Repeat the steps 18-26 for the spamhaus_edrop alias.

    Figure 16. Creating firewall rule for blocking Spamhaus EDROP list

    Figure 17. Firewall rules list for blocking Spamhaus (E)DROP lists on incoming traffic

  28. Click Apply Changes to activate the firewall rules.

  29. Navigate to Firewall > Rules > LAN.

  30. Click + icon to create a firewall rule.

  31. Select Block to deny outgoing connections.

  32. Set Direction to in for blocking outgoing traffic to the Spamhaus DROP list.

  33. Select the newly created Spamhaus DROP alias, such as spamhaus_drop, for the Destination.

    Figure 18. Creating firewall rule for blocking Spamhaus Drop list on LAN interface-1

  34. You may enable logging.

  35. You may set a name for the category such as Spamhaus rules.

  36. Set a description for the rule such as Block Spamhaus DROP.

  37. You may leave other settings as default.

    Figure 19. Creating firewall rule for blocking Spamhaus Drop list on LAN interface-2

  38. Click Save.

  39. Repeat the steps 30-38 for the spamhaus_edrop alias.

    Figure 20. Creating firewall rule for blocking Spamhaus EDROP list on LAN interface

    Figure 21. Firewall rules list for blocking Spamhaus (E)DROP lists on incoming traffic

  40. Click Apply Changes to activate the firewall rules.
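What the two URL Table (IPs) aliases hold after OPNsense fetches drop.txt and edrop.txt, and the membership check the Block rules above perform, as an added example that is not OPNsense or Spamhaus code. The GeoIP alias from the earlier section is the same kind of netblock table, only filled from the MaxMind CSV. The list text below is a constructed sample in the DROP file layout (";" starts a comment, entries are "<cidr> ; <SBL reference>"); its netblocks and SBL numbers are placeholders, not live Spamhaus data.

```python
"""Added example: parse a Spamhaus-DROP-style list into netblocks and check
whether firewall log source addresses fall inside any of them."""
import ipaddress
from typing import Iterable, Optional

# Constructed sample in DROP layout; documentation ranges and placeholder SBL ids.
SAMPLE_DROP_TXT = """\
; Spamhaus DROP List (CONSTRUCTED SAMPLE - not the live list)
; Last-Modified: placeholder
198.51.100.0/24 ; SBL000001
203.0.113.0/25 ; SBL000002
2001:db8:bad::/48 ; SBL000003
this is not a network ; SBL000004
"""

# Constructed sample of source addresses as they would appear in a firewall log.
SAMPLE_SOURCES = ["198.51.100.77", "203.0.113.200", "2001:db8:bad:1::9", "192.0.2.10"]


def parse_drop_list(text: str):
    """Return (networks, skipped): the parsed IPv4/IPv6 netblocks and the number
    of lines that were not valid CIDRs. A malformed line is counted and skipped
    rather than allowed to empty the whole table."""
    networks, skipped = [], 0
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()   # drop the "; SBLnnn" comment
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped += 1
    return networks, skipped


def matching_network(addr: str, networks) -> Optional[str]:
    """Return the listed netblock (as text) that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def would_block(addr: str, networks) -> bool:
    """True if a Block rule whose Source (or Destination) is this alias matches addr."""
    return matching_network(addr, networks) is not None


def audit(addrs: Iterable[str], networks) -> dict:
    """Map each address to the netblock that lists it (None when not listed)."""
    result = {}
    for addr in addrs:
        result[addr] = matching_network(addr, networks)
    return result


if __name__ == "__main__":
    nets, bad = parse_drop_list(SAMPLE_DROP_TXT)
    print(f"{len(nets)} netblocks loaded, {bad} malformed line(s) skipped")
    for addr, hit in audit(SAMPLE_SOURCES, nets).items():
        print(f"{addr:20} {'BLOCK ' + hit if hit else 'pass'}")
```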

Whitelists

All security applications in the cybersecurity industry cause false positives, and so does pfBlockerNG. Also, when you need to block a web category or an application category in your company network, one or more of the websites/applications under the banned category may still need to be accessible to some or all users, temporarily or permanently. To handle such cases, you may use the whitelisting capability of your security system. The trick here is to add exceptional websites/applications to the whitelist easily and quickly. The easier and quicker the whitelisting, the better the security system.

pfBlockerNG provides the pfSense software users with a simple whitelisting mechanism. If you don't want a domain to be blocked, you can add it to the whitelist in pfBlockerNG easily.

If you are planning to use Zenarmor on OPNsense as a replacement for pfBlockerNG on pfSense Software, you can use the great whitelisting capability of Zenarmor without any hesitation. You can define your custom whitelist and add a domain to the whitelist easily and quickly with just one click.

The Unbound DNS service of OPNsense has a whitelist option too. When a blacklist item matches a pattern in the whitelist domains, it is removed from the results.

SafeSearch

SafeSearch can be set up to work with the most popular search engines. You can also use Firefox to restrict YouTube and block DNS over HTTPS.

pfBlockerNG includes a 'SafeSearch' feature that forces search sites to use "Safe Search" algorithms. SafeSearch is currently supported by Google, Yandex, DuckDuckGo, Bing, and Pixabay.

If you are planning to use Zenarmor on OPNsense as a replacement for pfBlockerNG on pfSense Software, you can use the Safe Search capability of Zenarmor. Zenarmor allows you to activate Safe Search enforcement per-policy for all network users. This feature is ideal for school networks where Safe Search is enabled by default for students but not for instructors and other staff. This feature enables IT departments to control Safe Search globally and efficiently across the network.

Youtube Restrictions

pfBlockerNG allows you to use YouTube Restrictions which are defined by Google on your network. YouTube Restricted Mode filters out potentially mature videos while leaving a large number of videos still available. You may use the following settings for Youtube restrictions on your pfBlockerNG:

  • Strict: This setting is the most restrictive. Strict Mode does not block all videos but works as a filter to screen out many videos based on an automated system while leaving some videos still available for viewing.

  • Moderate: This setting is similar to Strict Mode but makes a much larger collection of videos available.

Although there is no OPNsense plugin that supports the YouTube Restrictions feature, the Zenarmor next-generation firewall plugin has a strong and flexible application control feature that allows you to restrict your clients from accessing YouTube videos and using YouTube applications. You can accomplish the following tasks on your network by customizing application control on your Zenarmor:

  • Blocking/allowing all Youtube videos
  • Blocking/allowing Youtube Kids
  • Blocking/allowing Youtube TV
  • Blocking/allowing Youtube Comment
  • Blocking/allowing Youtube Upload
  • Blocking/allowing Youtube Video Share
  • Blocking/allowing Youtube Video Upload

Moreover, Zenarmor Safe Search feature offers Youtube Restrictions for protecting the kids against harmful content on Youtube.

Figure 22. Restricting Youtube on Zenarmor

Comparison of pfBlockerNG and Zenarmor

pfBlockerNG is a free and open-source package developed by BBcan177 for pfSense. It provides advertisement blocking, malicious content blocking, IP filtering, and geo-blocking capabilities.

Zenarmor is a software-only instant firewall that can be installed virtually anywhere. Zenarmor provides cutting-edge, next-generation firewall features for open-source firewalls that are not currently available in products such as OPNsense and pfSense® software. pfSense® has been supported in Zenarmor Release 1.8 since March 2021. The FreeBSD operating system serves as the foundation for pfSense. In this regard, the Zenarmor FreeBSD 12 package for the pfSense® software 2.5.x release series can be installed. If you want to use an open-source firewall and require features such as Application Control, Network Analytics, and TLS Inspection, Zenarmor has these and more.

In the preceding chapters, pfBlockerNG and Zenarmor were compared in certain ways. In this section, we'll compare them in ways that aren't covered in the previous sections.

Stability and Reliability

pfBlockerNG, which is a pfSense® software package, has been widely used in the pfSense® software community since 2014. It is released after being thoroughly tested by its developer BBcan177. Also, there are many deployed pfBlockerNG systems in home networks, small business networks, and even some enterprise-level networks. We can confidently say that pfBlockerNG is stable and reliable security software you can use in your production environment without any doubt.

Zenarmor is very widespread web content filtering/application control software in the OPNsense community and a top useful OPNsense plugin. Like pfBlockerNG, it is released after being thoroughly tested by the Sunny Valley Networks team. There have been thousands of Zenarmor deployments in homes, small businesses, and some enterprise-level networks all over the world since 2017. It is obvious that Zenarmor also provides a stable and dependable system that can be used in production networks with confidence.

Portability

pfBlockerNG is software developed as a pfSense® software package. If you want to use and benefit from pfBlockerNG, you must have a pfSense® software firewall installed on your network infrastructure.

Sunny Valley Networks Cybersecurity Inc., the company behind Zenarmor, aims to run its software in any networking environment, be it a container, cloud, virtual, or bare-metal deployment (firewalls, switches, UTMs) that processes Layer 3-4 traffic. As of March 2021, OPNsense®/pfSense® firewalls, CentOS, AlmaLinux, Debian, Ubuntu, and FreeBSD are among the supported platforms. In terms of portability, Zenarmor is ahead of pfBlockerNG.

Licensing and Cost

pfBlockerNG is open-source software and free. You can install and use the pfBlockerNG on your pfSense® software to secure your clients free of charge forever.

On the other hand, Zenarmor has the following three components with different licenses:

  • The PHP code and Python scripts that provide the OPNsense Web User Interface functionality are open source.
  • The Packet Engine, coded in C++, is closed source.
  • The Cloud Management Portal software is also closed source.

Although the Zenarmor core engine is a closed project, Zenarmor has a Free Edition with limited capabilities, and you may install Zenarmor without paying any money. The Free Edition is satisfactory, especially for home networks. However, it is recommended to use one of the Zenarmor Premium Editions in SOHO and enterprise networks.

How They Work

pfBlockerNG has two main features: IP blocking and DNS blocking. You can use pfBlockerNG to create firewall rules based on IPv4 and IPv6 address spaces. As a result, you can manage both incoming and outgoing traffic on a single interface or on multiple interfaces. You can also block IP addresses based on their geolocation. pfBlockerNG can also restrict DNS Resolver responses in order to prevent access to unwanted or malicious websites such as advertisements, phishing, and malware sites. As clients browse the internet, their DNS requests are checked against a blocklist. If there is a match, the request is denied.

pfBlockerNG uses Feeds, which are publicly available blocklists, for IP and DNS filtering. pfBlockerNG is configured to synchronize with these feeds on a regular basis. At the time of writing, the available number of Feeds per Category Type is given below:

Category    Number of Feeds
IPv4        92
IPv6        14
DNSBL       140

Table 5. Number of Feeds on pfBlockerNG

IPv4 Category feeds are divided into 16 groups:

  • PRI1-5
  • Scanner (Internet Storm Center)
  • Mail (Known sources of spam; useful for protecting mail servers)
  • Forum Spam
  • Tor nodes (Known Tor exit points; not inherently dangerous, but you may want to isolate users anonymizing their traffic.)
  • Internic (Contains root name servers needed to initialize the cache of Internet domain name servers)
  • Proxy IP
  • Torrent IP
  • Public DNS
  • DOH (DNS over HTTP)
  • VPN
  • BlocklistDE

PRI1-5 groups cover known ransomware, malware, botnets, Command & Control (C&C) servers, bots, web scripts, phishing and compromised servers, malicious IPs found attacking SSH, SMTP, IMAP, TELNET, and FTP endpoints, and other known originators of malicious behavior. In general, the lower the number, the more pfBlockerNG tries to avoid false positives.

The other IPv4 category feed groups are aimed at blocking specific types of malicious or undesirable traffic.

At the time of writing, there are 140 DNSBL Category Feeds available. DNSBL feeds are grouped into 18 categories on pfBlockerNG, each aimed at blocking specific types of malicious or undesirable traffic:

  • EasyList
  • ADs
  • Email
  • Malicious
  • Phishing
  • BBCAN177
  • STUN
  • DoH
  • Torrent
  • BBC
  • Malicious2
  • Cryptojackers
  • Compilation
  • Firebog_Suspicious
  • Firebog_Advertising
  • Firebog_Trackers
  • Firebog_Malicious
  • Firebog_Other

Zenarmor is a lightweight and powerful application layer/L7 packet inspection core. It can perform a wide range of enterprise-level network security functions. Administrators may construct bespoke online filtering profiles and rules with Zenarmor, which is based on a cloud-based web categorization of 300+ million websites divided into 60+ categories.

Zenarmor Cloud is a huge database that serves millions of searches per day and holds reputation and security information on 300+ million websites, with new ones added regularly. Thanks to Zenarmor Cloud, Zenarmor can respond to malware threats and viral outbreaks in real time.

Business Edition users gain access to enhanced protection that includes an additional 1+ billion categorized domains and 4+ billion recorded IPv4/6 addresses. By analyzing approximately 25,000 threats and URLs daily, over 48 billion domains are evaluated and added to a Zenarmor AI-based threat intelligence database.

It is clear that Zenarmor has a bigger database than pfBlockerNG. This means that Zenarmor provides more effective protection against cyberattacks than pfBlockerNG does. A significant advantage of Zenarmor over pfBlockerNG is that it has a lower rate of false positives due to its powerful, up-to-date, and efficient database.

Moreover, Zenarmor has a well-designed, well-organized, and easily navigable web and application categorization system. Each category has a descriptive name that helps you understand what it contains. They are also divided into subcategories for a clear distinction. Just by searching in categories, you can easily select and manage the web and application categories, as well as subcategories, to block on the web GUI.

While pfBlockerNG depends on pfSense® software firewall rules and the DNS resolver to accomplish IPv4/v6 filtering and DNS blackholing, Zenarmor runs its predefined and user-customized rules independently from your firewall, whether it is OPNsense®, pfSense®, or a Linux firewall. You may find more information about how Zenarmor works in the official documentation.

Moreover, Zenarmor can be deployed in three different deployment modes:

  1. Passive Mode: In this mode, only Reporting is available; nothing is blocked.
  2. Routed Mode: In this mode, Zenarmor runs in L3 Mode, and both Reporting and Blocking capabilities are available.
  3. Bridge Mode: In this mode, Zenarmor runs in L2 Mode, and both Reporting and Blocking are available. Bridge mode can only be deployed on OPNsense GUI for experimental purposes.

In some cases, you may not want to bother your users too much with false positives caused by security solutions. Then, it is very useful to run the security software in reporting mode without blocking anything to see what is happening in your network. While Zenarmor can provide this flexibility, pfBlockerNG doesn't have a variety of deployment modes. You can create rules that only log the filtered IPv4/v6 and GeoIP feeds without blocking them on pfBlockerNG. But it is not possible to log DNSBL feed access without blocking. The only way to determine whether the DNSBL category feeds cause false positives or not is to block the DNSBL lists on your network. This means you should exercise extreme caution and thoroughly examine the DNSBL list contents in order to avoid bothering your users and to shorten the troubleshooting time.
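The DNSBL matching and false-positive problem described above, as an added example that is not pfBlockerNG's or Zenarmor's code: it replays constructed resolver query-log lines against a constructed hosts-style DNSBL feed, matching subdomains the way a DNSBL zone does, so would-be blocks can be reviewed per client before a list is actually enforced. The feed entries, client addresses, and log format are assumptions for the sample only.

```python
# Offline dry run of DNSBL matching (added example): pfBlockerNG cannot log
# DNSBL hits without blocking, so replay resolver query logs against a feed
# first. Feed and log lines below are constructed samples, not real feeds.
from collections import Counter
SAMPLE_FEED = """# constructed feed, hosts-file style as many DNSBL feeds use
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # trailing comment
cdn.example.com
"""
# Constructed resolver query log lines: "<client IP> <queried name>".
SAMPLE_QUERIES = """192.168.1.10 www.example.com
192.168.1.10 ads.example.net
192.168.1.11 img.cdn.example.com
192.168.1.12 safe.example.org
192.168.1.11 tracker.example.org
"""

def parse_feed(text):
    """Return the set of listed domains from hosts-style or plain feed text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        # hosts format: "<sinkhole IP> <domain>"; plain format: "<domain>"
        name = line.split()[-1].rstrip(".")
        # keep hostnames only; a numeric last label means the field is an IP
        if name.replace(".", "").replace("-", "").isalnum() and name.split(".")[-1].isalpha():
            blocked.add(name)
    return blocked

def match_domain(qname, blocked):
    """Return the listed domain covering qname (itself or a parent), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def dry_run(query_log, blocked):
    """Count would-be blocks per (client, entry) without blocking anything."""
    hits = Counter()
    for line in query_log.splitlines():
        if line.strip():
            client, qname = line.split()
            entry = match_domain(qname, blocked)
            if entry:
                hits[(client, entry)] += 1
    return hits
```

Entries that show up for many clients and look legitimate are the candidates to whitelist before the list goes live.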

Management

You can manage the pfBlockerNG package by adding IP filters, including GeoIP and DNSBL feeds, creating customized lists, whitelisting, and viewing or customizing reports through your pfSense® software web GUI. Zenarmor deployed on the OPNsense system can be managed and configured through both the OPNsense GUI and the Zenconsole cloud management portal. If you install the Zenarmor engine on pfSense® software or other Zenarmor-supported Linux firewalls such as CentOS, Ubuntu, or Debian, you can manage it through the Zenconsole cloud management portal from anywhere in the world. The Zenconsole cloud management portal provides you with centralized firewall management, which means that if you have more than one firewall with Zenarmor installed, you can manage all of them from a single web page. Also, you can define and apply a centralized policy, which is a common Zenarmor policy for all your firewalls.

It is clear that centralized management of Zenarmor is a very useful and attractive feature for security administrators, especially MSSPs who have many firewalls to manage.

Logging and Reporting

Both pfBlockerNG and Zenarmor have rich logging and reporting capabilities. You may apply a filter to the reports or sort them based on a column/field. But Zenarmor provides more advanced reporting and analytics capabilities. It has 6 types of report views and live session explorers for these views. It also provides 40 types of charts. You may drill down into the charts and view the session details in the reports. Another advantage of Zenarmor is exporting the reports to PDF/PNG files and emailing them. Also, these reports have a very intuitive user interface that provides administrators with an enjoyable workspace. It offers three types of reporting databases as options:

  • local Elasticsearch
  • remote Elasticsearch
  • MongoDB
  • SQLite

Since Zenarmor has stronger and richer logging and reporting capabilities than the pfBlockerNG package, it may be easier to perform network traffic analysis and threat hunting on Zenarmor than pfBlockerNG.

User/Device-based Filtering

pfBlockerNG protects the network(s) behind one or multiple interfaces of your pfSense® software firewall. These interfaces may be physical network interface cards or virtual networks such as VLANs. When you enable pfBlockerNG on a network, all clients on this network are protected with the same policies. It is not possible to define an exception for a client device or apply different rules to different device groups on the pfBlockerNG-enabled network. When one or some of the users need exceptional internet access, they must be placed on a separate network. Since client requirements change quite often, reconfiguring the network infrastructure again and again is a challenging problem and not practical.

Zenarmor provides user-based and device-based filtering features which are very useful especially for managing SOHO and enterprise networks. You can define and apply different policies for your clients. Zenarmor supports MS Active Directory and OPNsense Captive Portal for username resolution. When defining policies, you may differentiate the users with the following criteria:

  • VLANs
  • IP and Networks
  • MAC Address
  • User (MS Active Directory user or OPNsense Captive Portal user; OPNsense only)
  • Group (MS Active Directory group; OPNsense only)
  • Devices (As of 2024)

Figure 23. Defining user/device-based policy on Zenarmor firewall

Time Scheduling

Time scheduling is a very useful feature, especially for managing internet bandwidth. For example, you may need to block YouTube videos during business hours in your company network. pfBlockerNG doesn't have a time-scheduling feature. Although you can use your pfSense firewall's time scheduling capability for IP filtering rules, you cannot define a schedule for DNS blocking rules in pfBlockerNG.

Zenarmor provides a time scheduling mechanism that is very easy to configure for your policies. You can easily add a time schedule to your policy if you want the policy to be active only at certain times of the day or on certain days of the week.

Figure 24. Time schedules for policies on Zenarmor

Documentation

While Zenarmor has official documentation, pfBlockerNG does not. Zenarmor has already published a well-organized, up-to-date, and neat documentation site and a YouTube channel about Zenarmor. Although it has clear, well-written, and satisfactory product documentation, there may be a few missing points or gaps. However, the Zenarmor team attaches great importance to documentation. Every day that you visit the site, you may find a new document not only about Zenarmor but also about top trending topics in cybersecurity, Linux, information technology, etc.

pfBlockerNG has many online resources, such as blog posts, videos, and tutorials on any topic, possibly because it is an open-source project and the open-source community has a culture that encourages people to help projects by donating, writing code, or documenting them. If you don't know what you can do by using pfBlockerNG or how to configure your pfBlockerNG, you'll almost certainly find an answer to your question on the Internet.

Furthermore, pfBlockerNG has info buttons that are represented by a blue circle with an i on the web GUI. You may click on them to get the information about the corresponding field on pfBlockerNG GUI. They include a brief but comprehensive set of help notes. Zenarmor OPNsense GUI and Zenconsole Cloud Management Portal GUI, on the other hand, lack the rich and informative help buttons found in pfBlockerNG. They are few and brief, which may not satisfy newcomers, so they may need to read the official documentation.

Support

Since both security products are very popular in the open-source world, they have great community support. BBcan177, the pfBlockerNG developer, is very active and helpful on the Reddit forum and Twitter. Zenarmor has a friendly and helpful support team. The forum, reporting a bug via the Web UI, and e-mail are three methods through which you can get help from the Zenarmor engineers. They are very active on the OPNsense and Reddit forums too. Zenarmor also has paid support plans that you can buy depending on your requirements. If you do not have experienced staff on your IT team or don't have enough knowledge to secure your Home/SOHO network, Zenarmor may be the ideal solution for you with its great support.

Table 6. pfBlockerNG vs Zenarmor

Hands-on Video on pfBlockerNG Alternatives for OPNsense

The following video shows you how to migrate from pfSense software to OPNsense safely without losing any benefits of pfBlockerNG. You will see that OPNsense provides different security features as an alternative to the pfBlockerNG package.