Install and Configure pfBlockerNG for DNS Blacklisting on a pfSense Firewall


A previous article covered installing a powerful FreeBSD-based firewall solution known as pfSense. As mentioned there, pfSense is a capable and flexible firewall that can make use of an old computer that would otherwise be sitting around doing very little.

This article covers a useful add-on package for pfSense called pfBlockerNG.

pfBlockerNG is a package that can be installed in pfSense to give the firewall administrator the ability to extend the firewall's capabilities beyond the traditional L2/L3/L4 firewall.

As the capabilities of attackers and cyber criminals continue to advance, so must the defenses put in place to thwart their efforts. As with anything in the computing world, there is no single solution that fixes every problem out there.

pfBlockerNG gives pfSense the ability to make allow/deny decisions based on items such as the geolocation of an IP address, the domain name of a resource, or the Alexa rating of particular websites.

The ability to restrict on items such as domain names is very useful because it lets administrators thwart attempts by internal machines to connect to known bad domains (in other words, domains that are known to host malware, illegal content, or other insidious data).

This guide walks through configuring a pfSense firewall device to use the pfBlockerNG package, along with some basic examples of domain block lists that can be added to/configured in pfBlockerNG.

This article makes a couple of assumptions and builds on the earlier pfSense installation article. The assumptions are as follows:

  • pfSense is already installed and has no rules currently configured (clean slate).
  • The firewall has only a WAN and a LAN port (2 ports).
  • The IP scheme used on the LAN side is 192.168.0.0/24.

It should be noted that pfBlockerNG can also be configured on an already running/configured pfSense firewall. These assumptions are here simply for sanity's sake, and many of the tasks that follow can still be done on a pfSense box that is not a clean slate.

The image below is the lab diagram for the pfSense environment used in this article.

Install pfBlockerNG for pfSense

With the lab ready to go, it is time to begin! The first step is to connect to the web interface of the pfSense firewall. Again, this lab environment uses the 192.168.0.0/24 network, with the firewall acting as the gateway at 192.168.0.1. Opening a web browser and navigating to 'https://192.168.0.1' displays the pfSense login page.

Some browsers may complain about the SSL certificate; this is normal, since the certificate is self-signed by the pfSense firewall. You can safely accept the warning message and, if desired, a valid certificate signed by a legitimate CA can be installed, but that is beyond the scope of this article.

After clicking 'Advanced' and then 'Add Exception…', click to confirm the security exception. The pfSense login page will then display and allow the administrator to log in to the firewall appliance.

Once logged in to the main pfSense page, click the 'System' drop-down and then select 'Package Manager'.

Clicking this link changes to the package manager window. The first page to load lists the currently installed packages and will be blank (again, this guide assumes a clean pfSense install). Click the 'Available Packages' text to see the list of installable packages for pfSense.

Once the 'Available Packages' page loads, type 'pfblocker' into the 'Search term' box and click 'Search'. The first item returned should be pfBlockerNG. Locate the 'Install' button to the right of the pfBlockerNG description and click the '+' to install the package.

The page will reload and ask the administrator to confirm the installation by clicking 'Confirm'.

Once confirmed, pfSense will begin installing pfBlockerNG. Do not navigate away from the installer page! Wait until the page shows that the installation succeeded.

Once the installation has completed, pfBlockerNG configuration can begin. The first task, though, is some explanation of what will happen once pfBlockerNG is configured properly.

Once pfBlockerNG is configured, DNS requests for websites should be intercepted by the pfSense firewall running the pfBlockerNG software. pfBlockerNG will then have updated lists of known bad domains that are mapped to a bad IP address.

The pfSense firewall needs to intercept DNS requests in order to filter out bad domains, and it will use a local DNS resolver known as Unbound. This means clients on the LAN interface need to use the pfSense firewall as their DNS resolver.

If a client requests a domain that is on pfBlockerNG's block lists, pfBlockerNG returns a false IP address for that domain. Let's begin the process!

pfBlockerNG Configuration for pfSense

The first step is to enable the Unbound DNS resolver on the pfSense firewall. To do this, click the 'Services' drop-down menu and then select 'DNS Resolver'.

When the page reloads, the DNS resolver general settings can be configured. The first option that needs to be set is the 'Enable DNS Resolver' checkbox.

The next settings are the DNS listening port (normally port 53), the network interfaces that the DNS resolver should listen on (in this configuration, the LAN port and Localhost), and the egress port (WAN in this configuration).

Once the selections have been made, be sure to click 'Save' at the bottom of the page and then click the 'Apply Changes' button that appears at the top of the page.

The next step is the first step in configuring pfBlockerNG itself. Navigate to the pfBlockerNG configuration page under the 'Firewall' menu and then click 'pfBlockerNG'.

Once pfBlockerNG has loaded, click the 'DNSBL' tab first to start setting up the DNS lists before activating pfBlockerNG.

When the 'DNSBL' page loads, there will be a new set of menus beneath the pfBlockerNG menus (highlighted in green below). The first item that needs to be addressed is the 'Enable DNSBL' checkbox (highlighted in green below).

This checkbox requires the Unbound DNS resolver to be in use on the pfSense box in order to inspect DNS requests from LAN clients. Don't worry, Unbound was configured earlier, but this box still needs to be checked! The other item that needs to be filled in on this screen is the 'DNSBL Virtual IP'.

This IP needs to be in a private network range and must not be a valid IP on the network where pfSense is being used. For example, a LAN network of 192.168.0.0/24 could use an IP of 10.0.0.1, since it is a private IP and is not part of the LAN network.

This IP is used to gather statistics as well as to monitor domains that are being rejected by pfBlockerNG.

Scrolling down the page, there are a few more settings worth mentioning. The first is the 'DNSBL Listening Interface'. For this setup, and most setups, this setting should be set to 'LAN'.

The other setting is 'List Action' under 'DNSBL IP Firewall Settings'. This setting determines what should happen when a DNSBL feed provides IP addresses.

pfBlockerNG rules can be set up to perform any number of actions, but most likely 'Deny Both' will be the desired option. This prevents both inbound and outbound connections to the IP/domain on the DNSBL feed.

Once the items have been selected, scroll to the bottom of the page and click the 'Save' button. Once the page reloads, it is time to configure the DNS block lists that should be used.

pfBlockerNG provides the administrator with two options that can be configured independently or together, depending on the administrator's preference. The two options are manual feeds from other web pages, or EasyLists.

To read more about the different EasyLists, please visit the project's homepage: https://easylist.to/

Configure pfBlockerNG EasyList

Let's discuss and configure the EasyLists first. Most home users will find these lists sufficient as well as the least administratively burdensome.

The two EasyLists available in pfBlockerNG are 'EasyList w/o Element Hiding' and 'EasyPrivacy'. To use one of these lists, first click 'DNSBL EasyList' at the top of the page.

Once the page reloads, the EasyList configuration section will be available. The following settings need to be configured:

  • DNS Group Name - User's choice, but no special characters
  • Description - User's choice, special characters allowed
  • EasyList Feeds State - Whether the configured list is used
  • EasyList Feed - Which list to use (EasyList or EasyPrivacy); both can be added
  • Header/Label - User's choice, but no special characters

The next section is used to determine which parts of the lists will be blocked. Again, these are all user preference and multiple can be selected if desired. The important settings in 'DNSBL - EasyList Settings' are as follows:

  • Categories - User preference; multiple can be selected
  • List Action - Needs to be set to 'Unbound' in order to inspect DNS requests
  • Update Frequency - How often pfSense will update the list of bad sites

When the EasyList settings are configured to the user's preferences, be sure to scroll to the bottom of the page and click the 'Save' button. Once the page reloads, scroll to the top of the page and click the 'Update' tab.

Once on the update tab, check the radio button for 'Reload' and then check the radio button for 'All'. This runs through a series of web downloads to obtain the block lists selected on the EasyList configuration page earlier.

This must be done manually, otherwise the lists won't be downloaded until the scheduled cron task. Any time changes are made (lists added or removed), be sure to run this step.

Watch the log window below for any errors. If everything went to plan, client machines on the LAN side of the firewall should be able to query the pfSense firewall for known bad sites and receive bad IP addresses in return. Again, the client machines must be set to use the pfSense box as their DNS resolver though!

Notice in the nslookup above that the URL returns the false IP configured earlier in the pfBlockerNG configuration. This is the desired result. It means that any request to the URL '100pour.com' is directed to the false IP address of 10.0.0.1.

Configure DNSBL Feeds for pfSense

In contrast to the AdBlock EasyLists, there is also the ability to use other DNS Black Lists within pfBlockerNG. There are hundreds of lists that are used to track malware command and control, spyware, adware, nodes, and all sorts of other useful lists.

These lists can often be pulled into pfBlockerNG and used as further DNS Black Lists. There are quite a few resources that provide useful lists:

  • https://forum.pfsense.org/index.php?topic=114499.0
  • https://forum.pfsense.org/index.php?topic=102470.0
  • https://forum.pfsense.org/index.php?topic=86212.0

The links above provide threads on the pfSense forum where members have posted a large collection of the lists they use. Some of the author's favorite lists include the following:

  • http://adaway.org/hosts.txt
  • http://www.malwaredomainlist.com/hostslist/hosts.txt
  • http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
  • https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
  • https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw
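
Two mechanics from this guide, the rule that the DNSBL virtual IP must be private and outside the LAN, and the way a hosts-style feed like the ones above turns into resolver answers pointing at that IP, are sketched below. This is an added illustration, not pfBlockerNG's own code: the function names and sample feed are constructed, and the Unbound 'local-zone'/'local-data' lines show the redirect technique in general rather than the exact file pfBlockerNG writes.

```python
import ipaddress
import re

# Lab values from the article: LAN 192.168.0.0/24, DNSBL virtual IP 10.0.0.1.
LAN = ipaddress.ip_network("192.168.0.0/24")
VIP = ipaddress.ip_address("10.0.0.1")
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")   # at least two labels

# Constructed sample feed (hosts format plus one bare domain); not real feed data.
SAMPLE_FEED = """\
127.0.0.1  localhost
0.0.0.0    ads.example.com tracker.example.net
0.0.0.0    ADS.example.com.   # duplicate, different case
0.0.0.0    0.0.0.0
malware.example.org
0.0.0.0    bad"name.example
"""

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def check_vip(vip, lan):
    """Problems with a sinkhole address; an empty list means it is usable."""
    checks = [(not vip.is_private, "not a private address"),
              (vip in lan, "inside the LAN subnet")]
    return [msg for failed, msg in checks if failed]

def parse_feed(text):
    """Unique, validated domains from a hosts-style or bare-domain list."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        names = fields[1:] if fields and _is_ip(fields[0]) else fields[:1]
        for name in names:
            name = name.rstrip(".")
            if _is_ip(name) or not _DOMAIN.fullmatch(name):
                continue      # drops IPs, single-label names, quotes and junk
            domains.add(name)
    return sorted(domains)

def to_unbound(domains, vip):
    """Unbound directives answering each domain and its subdomains with vip."""
    return "\n".join(f'local-zone: "{d}" redirect\nlocal-data: "{d} 60 IN A {vip}"'
                     for d in domains)
```

Names that fail validation are dropped rather than written out, which matters because a feed is untrusted input that ends up in resolver configuration.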

Again, there are tons of other lists, and the author strongly encourages individuals to seek out more/other lists. Let's continue with the configuration tasks though.

The first step is to go into pfBlockerNG's configuration menu again through 'Firewall' -> 'pfBlockerNG' -> 'DNSBL'.

Once on the DNSBL configuration page again, click the 'DNSBL Feeds' text and then click the 'Add' button once the page refreshes.

The 'Add' button allows the administrator to add more lists of bad IP addresses or DNS names to the pfBlockerNG software (the two items already in the list are the author's from testing). The 'Add' button brings the administrator to a page where DNSBL lists can be added to the firewall.

The important settings in this output are the following:

  • DNS Group Name - User chosen
  • Description - Useful for keeping groups organized
  • DNSBL Settings - These are the actual lists
    • State - Whether that source is used or not and how it is obtained
    • Source - The link/source of the DNS Black List
    • Header/Label - User choice; no special characters

Once these settings have been set, click the 'Save' button at the bottom of the page. As with any changes to pfBlockerNG, the changes take effect on the next scheduled cron interval, or the administrator can manually force a reload by navigating to the 'Update' tab, clicking the 'Reload' radio button, and then clicking the 'All' radio button. Once these are selected, click the 'Run' button.

Watch the log window below for any errors. If everything went to plan, test that the lists are working by attempting an nslookup from a client on the LAN side to one of the domains listed in one of the text files used in the DNSBL configuration.

As can be seen in the output above, the pfSense device returns the virtual IP address that was configured in pfBlockerNG as the bad IP for the blacklisted domains.

At this point the administrator can continue tuning the lists by adding more lists or creating custom domain/IP lists. pfBlockerNG will continue to redirect these restricted domains to the fake IP address.

Thank you for reading this article about pfBlockerNG. Please show your appreciation or support for the pfSense software as well as pfBlockerNG by contributing in any way possible to the continued development of both of these wonderful products. As always, please comment below with any suggestions or questions!