@thecatsandi

A loss ?
If you can use pfBlockerng(-devel), you could uses these :

b4a528da-f696-4fa1-8187-6a9088a57b98-image.png

I didn't show the entire list, but it is long. Commercial sites are listed in their category.

Do not use the XXX list before reading about, as it uses 4++ Mbytes of RAM, (and a big disk).

Remember : pfBlockerng is a host name (DNS) or URL filter.

@Bambos
Simply put the pass rule for allowing the needed services above of the block rule.

@johnpoz said in Ingress Filtering question:

How did that lead you to false understanding?

i mean like i'm in LAN, looking to the incoming traffic and apply the firewall rules to limit the traffic. So according to this diagram, i was thinking that for LAN interfaces i was applying rules for the outbound of firewall / interface / LAN ingress traffic, so we can limit traffic going to that network (to protect that network) because we are on the firewall rules of it's interface.

Instead of that, as what i'm learning now, i have to put the firewall rules to the outgoing traffic of the other interface (because this is where is the filtering happening).

Also after reading through your comments, on this post and also others, assuming the pf filtering happening before the packet entering the interface, and NAT happening before the packet leave the interface, it seems that the NAT positioning for LAN is the correct, instead of the Guest. Last we have 3 different designs for interface attachment to the routing plane. which one you feel is more close to reality ?

96b03bfa-4825-4bae-879c-defe7f692959-image.png

@Bambos ok

@nbk333 said in Blocking Youtube with firewall rules:

@bmeeks said in Blocking Youtube with firewall rules:

pfBlockerNG

First of all, thank you for this detailed explanation, it's completely understandable. I still have a question: if I don't deal with the separation, but only with the "youtube" blocking itself, is it possible to schedule the blocking somehow using pfBlockerNG? Do I block it during the week and allow it on the weekend? Or can this only be solved manually in pfBlockerNG?

Yes, you can schedule when particular firewall rules are active. See the official documentation here: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html.

Where a tool such as pfBlockerNG comes in handy is that it can be configured to automatically populate and then keep updated firewall aliases containing the ASN IP ranges of chosen networks (controlled by the lists you download and enable within pfBlockerNG itself). You then create your own firewall rules using the alias or aliases you configured pfBlockerNG to maintain. Then after creating your rules containing the pfBlockerNG aliases, place the rules on a schedule.

One last unsolicited piece of advice -- do not depend on technology to "be the parent" 🙂. There are simple and fail-safe ways to control device time for children that do not involve any technology at all.

@johnpoz said in I can not block WAN port?:

so - for your own sanity, do the packet capture on pfsense wan when you do that test, do you see that 1024 hit pfsense wan, do you see a response.

You're right. :)
I did not try Packet Capure until now. I will googling and inform you.

But it'looks modem answerign it?

Regards,
Mucip:)

@chris-doldolia could but just block that - that is not filling your single pipe..

You know a lot of users new to pfsense and first see all the noise they see on the internet and they think they are being attacked ;)

Lets see this this dos.. You said your pfsense is logging just fine - so lets see some of this attack..

@keyser I was also surprised that you can't set a time interval. I didn't notice that if I click on the days (header) it doesn't give you a specific date, but the days in general. Thanks for the help!

@Gertjan said in PfSense keeps Port 21 open??:

Gibson is special ^^)

hahah - yeah remember when he said the sky was falling when XP had raw sockets. it was going to crash the internet ;)

He term stealth for not answering ping is just more nonsense. Not sure he is playing with all 52 cards if you know what I mean ;)

@mj9768
If you allow any on OPT1 also access to your local network is allowed from this interface of course. But there is nothing allowed from WAN, even OPT1 is bridged with it.

All you need to allow might be access to public destinations, however. So just add a proper rule to the interface.
To achieve this, I create an RFC 1918 alias and use it as destination in a pass rule with "invert match" checked:

9120df6d-057b-4b55-bc3d-9055be0632d6-grafik.png

This here is a floating rule, but in your case you should put it on OPT1 and you might want to allow any protocols.

This presumes, that the tunables net.link.bridge.pfil_member is enabled and net.link.bridge.pfil_bridge is disabled.

@CatSpecial202 A reject is fine on a lan side rule - it sends an answer back.. But your blocking outbound.. I don't even know if it would work to be honest you would have to sniff to see..

but say you have a rule to block say ping to your wan IP from bad guys.. You would send them a reject every time they scanned a port that was blocked.

So here is a rule on my lan that rejects going to 8.8.8.8 - see how I get a RST back, when it really should of just timed out..

reset.jpg

Might be ok since your traffic is going outbound. But it is normally not a good idea to use a reject on a wan interface unless your sure you want to actually send back something to the sender.

Ok I tested changing my block outbound rfc1918 to reject - and yup I do get back a rst.. So guess its fine inbound traffic from the internet would not trigger that rule anyway.

rejectwan.jpg

Just be aware you normally don't want reject on a internet facing interface - unless your sure you want to send an answer back.. Which could lead to sort of dos attack with your firewall busy answering stuff it should just drop and pay no attention too.

@KNG-Taco

Do you have more info ?

@pfuser23984 said in CPU 100%, unbound and dhcpd restarting whenever the filter reloads:

Just don't automatically discount the NIC, though. As mentioned, the Realtek devices can work okay and then start to get flaky when traffic loads increase. Lots of Google search results detailing that.

When you installed the latest kmod driver, did you follow the steps outlined in this post:
https://forum.netgate.com/topic/160529/realtek-nic-and-watchdog-timeout/13?

SOMMOMMA!@##@!!

That did it.
I am used to linux where loading kernel drivers is easy to do and easy to verify. I did ithe install with pkg install realtek-re-kmod and rebooted... but the echo 'if_re_load="YES"' >> /boot/loader.conf.local was needed to load the new driver. Not really an intuitive process.

I ran through my tests, and the problem is gone now. I've even restored gateway monitoring, patches and watchdog. The rc.newwanip still does its thing, but the re1 NIC no longer flaps, the dhcpd / unbound services no longer crash, the CPU no longer spikes making the system unusable until php-fpm is restarted.

Thank you so much.

Glad that fixed it for you 🙂.

@SteveITS Hello Stevel, thanks for your comment. I have been get it working. Did port forwarding like you advised.

yeah it could be clearer in the GUI. But basically Type 3 covers all the subtype's codes the OP mentions, including re: fragmentation.

More info on the subtypes can be found online but the IANA site has a very good page on it: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

@CatSpecial202 said in Interface Groups and dns redirect:

What makes individual rules per interface easier to troubleshoot?

because your looking in 1 place for all the rules that could effect traffic coming into this interface, vs looking at groups, is this interface in that group? Is the group rule correct for the source IP into specific interface? etc..

But hey you do you.. Doing this since there were firewall, before actually - when they were just packet filters.. And seeing all the rules in one place in the specific order they are applied is easier ;)

@michmoor said in *Allow* IOS Facetime/iMessage Home Network:

Why would anyone need to create firewall rules for IoT device(s) ?

If you need to ask...

@johnpoz said in Firewall rules for Guests network on IPv6?:

You want a simple solution - don't give your guests an IPv6 address ;)

For a simple solution, look at my post of my guest WiFi rules.

@CatSpecial202 No. If you do not have any rules then everything is denied by default. Once you start adding rules then the top rule is parsed first.

block
block
block
then "allow all" that does not violate the block rule(s) above it.

Anything not expressly stated by the rules above then hit the default deny rule.

@Wylbur

Sorry I replied to the wrong person. But I think you were also having a similar problem.