pfSense Firewall Integration

Step-by-step guide to configuring the ThreatHive blocklist using pfBlockerNG

Integration Steps
  1. Log in to pfSense Web Interface: Access your firewall via a web browser, e.g., https://<firewall-ip>.
  2. Install the pfBlockerNG Package:
    1. Go to System > Package Manager > Available Packages.
    2. Search for pfBlockerNG.
    3. Click Install next to pfBlockerNG (use the -devel version for the latest features if preferred).
    4. Wait for the installation to complete, then click Finish.
  3. Run the pfBlockerNG Setup Wizard:
    1. Go to Firewall > pfBlockerNG.
    2. If prompted, click Wizard to run the initial configuration.
    3. Set your Inbound Firewall Rules interface to WAN and Outbound to your LAN interface, then complete the wizard.
  4. Add the ThreatHive Blocklist as an IP Feed:
    1. Go to Firewall > pfBlockerNG > IP > IP Feeds.
    2. Click + Add to create a new feed.
    3. Configure the feed:
      • Name: ThreatHive_Blocklist
      • Description: ThreatHive.net Blocklist - Malicious IPs
      • Feed URL / Header: https://www.threathive.net/hiveblocklist.txt
      • Format: Auto
      • State: ON
      • Action: Deny Both (or Deny Inbound to block incoming connections only)
      • Update Frequency: Every 1 Hour
    4. Click Save.
  5. Force an Update and Apply the Blocklist:
    1. Go to Firewall > pfBlockerNG > Update.
    2. Under Run, select Force and choose IP from the dropdown.
    3. Click Run to download the ThreatHive feed immediately.
    4. Verify the output log shows the feed was fetched and loaded successfully.
  6. Enable Logging and Monitoring:
    • Go to Firewall > pfBlockerNG > Reports > Alerts to view blocked IPs in real time.
    • Ensure Logging is enabled on the IP feed (set Log Blocked to ON) to capture events.
    • Blocked traffic also appears in Status > System Logs > Firewall.
  7. Confirm It's Working:
    • Go to Firewall > pfBlockerNG > IP > IP Feeds.
    • Check the Statistics column next to ThreatHive_Blocklist — it should show the number of IPs currently loaded.
    • Go to Diagnostics > Tables and select the pfB_ThreatHive_Blocklist table to inspect the full IP list.

Additional Notes
  • Once the feed is configured, pfBlockerNG refreshes the ThreatHive blocklist automatically at the Update Frequency set in step 4.
  • If you installed pfBlockerNG-devel, the menu paths may vary slightly — look under Firewall > pfBlockerNG > IP.
  • The Deny Both action blocks both inbound and outbound traffic to/from listed IPs. Use Deny Inbound if you only want to block incoming connections.
  • Order the pfBlockerNG firewall rules above other allow rules on the WAN interface so that the blocklist rules take precedence.
  • This guide focuses on IP-based blocking. pfBlockerNG also supports DNS-level blocking (DNSBL), which can be configured separately.
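
Because Deny Both (step 4) also blocks outbound traffic, it helps to audit a downloaded copy of the feed before relying on it. The following is an added example, not part of the original guide or of pfBlockerNG: it flags entries that overlap private address space or addresses the site depends on. The feed layout (one IP or CIDR per line, `#` comments), the sample data and the `PROTECTED` list are assumptions.

```python
import ipaddress

# Constructed sample; assumed layout: one IP or CIDR per line, '#' comments.
SAMPLE_FEED = """\
# constructed sample, not real ThreatHive data
203.0.113.7
198.51.100.0/24
192.168.1.10
10.0.0.0/8
2001:db8::1
not-an-ip
203.0.113.7   # duplicate
"""

def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Private, loopback and link-local space: denying it can cut off the LAN.
NON_ROUTABLE = _nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")
# Hypothetical addresses this site depends on (e.g. an upstream resolver).
PROTECTED = _nets("198.51.100.53/32")

def _hit(net, ranges):
    return any(net.version == r.version and net.overlaps(r) for r in ranges)

def audit_feed(text, protected=PROTECTED):
    """Split feed lines into loadable, needs-review and unparsable entries."""
    result = {"ok": [], "review": [], "invalid": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            result["invalid"].append((lineno, entry))
            continue
        if net in seen:          # duplicates add nothing to the table
            continue
        seen.add(net)
        if _hit(net, protected):
            result["review"].append((lineno, str(net), "protected"))
        elif _hit(net, NON_ROUTABLE):
            result["review"].append((lineno, str(net), "non-routable"))
        else:
            result["ok"].append(str(net))
    return result
```

Anything returned under `review` is a candidate for switching the feed to Deny Inbound or for an exception before the next forced update.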