Do you know if I can always "upgrade back" again if I go from 2.4 to 2.5, if something breaks?
No, you cannot auto "upgrade" to 2.4. Just make sure you have a backup of your config and install media. Be that CE or, if you're FE, open a ticket with Netgate and they will send you a link to an FE copy you can download.
So if you decide you want to roll back, it's really simple.
But to be honest 2.5 is close - I would be surprised if there was an issue that would force you to roll back.
While I was going to suggest that, it's not really the same thing as ipset. But ipset ties in with iptables, and pfSense doesn't use iptables, even if it has dnsmasq.
But yeah, it's the closest thing. But what is kind of kewl with ipset is you can set netflix.com, and then anything.netflix.com would be in the rule. I don't believe, off the top of my head, there is any way to do that with aliases. You have to be able to resolve the FQDN, or use a list of IPs/netblocks.
@teamits And that was it. It's working now. I had turned off tagging on 5 earlier on OPT1 because I saw that the default LAN didn't have 5 tagged. Probably every time I did the setup there would always be one step I messed up, because on other attempts I had it tagged properly. Anyways, it's working now. Thank you!
@asdjklfjkdslfdsaklj I'm still having this problem. Like in the original post, I've tried it with scrub disabled etc. with no luck. Before, it would work when pf was disabled, which led me to think that it was an issue with pf (maybe something like https://redmine.pfsense.org/issues/8165), but now it doesn't seem to work even with pf disabled.
self-hosted email where it actually thwarts quite a bit of spam messages
I know all about that one.
Back in the 'good old days' I said once to myself: I want to have my own domain names (private and company (a hotel)) and take care of my own mail, as using a mail server from somewhere else binds you to the mail reputation of the host. Shared mail can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around: one of the biggest (Belgium) mail suppliers, skynet.be (don't laugh), was often blocked, me not being able to do anything about it.
So I went for the 'do it myself'.
What I did: tell postfix to be far stricter than 'default' for the incoming mail:
No reverse host name ? => Hang up the phone.
=> You say "Paul" but your reverse lookup says "Jack" => assign a big penalty to start with (this one has an identity crisis / split personality / other issue).
No SPF ? => assign a big penalty to start with.
No DKIM ? => assign a big penalty to start with.
No DMARC (and IPv6) => assign a big penalty to start with.
Mail with added files that are forbidden, like exe, com, docx, etc etc ? => Drop it.
Then, with the already scored penalties, filter through spamassassin. And amavis, and razor, and more. If the mail is a winner => off to the spam box it goes.
We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, if the simple server to server transaction 'stinks' or the mail looks like spam, that mail server gets blacklisted at firewall level. This is the result. And this one to check for the reason why, as SSH connects, Apache2 connects etc. are also treated. Check out the "Postfix" tab for more details.
After more than a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep, reduced to a line in the mail log:
Like : 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye.
Take note : for me, blocking IPs based on a country is not possible, as our clients are from all over the world.
Example : last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....".
What also happens is: I get mail from Egypt, Cairo. From a friend. Lives in Germany. Who forgot to shut down his VPN (he has a complicated life and many issues with things called "torrents").
A GeoIP IPv6 database will probably never exist, as the one wouldn't fit in our galaxy. 25 % of all our incoming mail is IPv6. And as said in another thread this morning: my first IPv6 are already banned.
Btw : I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mails. That was just perfect to auto-train my anti spam AI.
All this beauty is available off the shelf, free, and keeps working over time.
I use a dedicated IPv4 and IPv6 for each domain. This is VERY important.
Also : self-hosted means for me : a 50 $ / month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.
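As an added example (not the poster's own setup) of the fail2ban-style step described above, this Python script scans postfix/smtpd reject lines, sorts the rejects into the checks the post lists (missing reverse hostname, bad HELO, unknown recipient) and returns the client IPs that cross a maxretry threshold. The log lines are constructed samples in postfix's standard reject format, not the poster's custom "Hi - and bye" line, and the IPs are documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample postfix/smtpd log lines (not from the post): the first
# client has no reverse DNS and is rejected three times; the second is a
# legitimate host that mistyped one recipient.
SAMPLE_LOG = """\
Jan 21 16:10:10 mx postfix/smtpd[1234]: connect from unknown[203.0.113.7]
Jan 21 16:10:10 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Jan 21 16:10:12 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.net> to=<c@example.org> proto=ESMTP helo=<mail.example.net>
Jan 21 16:10:15 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<a@example.net> to=<d@example.org> proto=ESMTP helo=<mail.example.net>
Jan 21 16:11:02 mx postfix/smtpd[1236]: connect from mail.example.com[198.51.100.4]
Jan 21 16:11:03 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.4]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<nobody@example.org> proto=ESMTP helo=<mail.example.com>
"""

# One smtpd reject line: client IP, SMTP status code and the reason text up to ';'
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[]+\[([0-9a-fA-F.:]+)\]: "
    r"(\d{3}) \S+ (.*?);"
)

def classify(reason):
    """Map postfix's reason text onto the checks the post describes."""
    if "reverse hostname" in reason:
        return "no-rdns"
    if "Helo command rejected" in reason:
        return "bad-helo"
    if "Recipient address rejected" in reason:
        return "bad-rcpt"
    return "other"

def rejects_per_client(log_text):
    """Return {ip: Counter(category -> count)} for every reject in the log."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ip, _code, reason = m.groups()
            stats[ip][classify(reason)] += 1
    return stats

def clients_to_ban(log_text, maxretry=3):
    """Sorted IPs with at least maxretry rejects, like fail2ban's maxretry."""
    stats = rejects_per_client(log_text)
    return sorted(ip for ip, c in stats.items() if sum(c.values()) >= maxretry)

if __name__ == "__main__":
    for ip in clients_to_ban(SAMPLE_LOG):
        print("ban", ip, dict(rejects_per_client(SAMPLE_LOG)[ip]))
```

In a real deployment the ban list would feed a firewall table (pf or an ipset), which is what fail2ban's action does; a single 550 for a mistyped recipient stays well under the threshold.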
@captaindarth Yes you are right.
Denying outbound what is blocked by dns is an extra level of protection.
If you were using e.g. pihole, then you would hope the client does what pihole instructs (and doesn't try any hardcoded IPs directly).
My ip tab looks like this
and a test scenario blocking inbound would be like this
And I'm not using the automatic rule generation, which puts rules first, which isn't what is required most of the time.
I have no need to connect on IP 10.0.0.100 or to be able to ping IP 10.0.0.100. It was just something that I was wondering is possible to do?
It is very possible to do, just not in the sort of setup you have. If you had an upstream router, where you could create another network/vlan to use as a transit. And also allow that upstream router to nat downstream networks.
Neither of which are possible with your typical SOHO wifi router, at least ones not running 3rd party firmware.
Then yes, it would be quite easy and simple to have the downstream router not doing NAT, where you could route to downstream networks, i.e. your 10.x network, and then firewall off different protocols or ports if you wanted to.
But in your sort of setup, with the lack of features of your edge (upstream router) and your ability to do VLANs on your infrastructure, no, it's not really possible. And the double NAT setup is the easiest solution to isolate your network from the house's network, while still allowing access to resources behind pfSense via simple port forwards.
If your upstream router, ie the router you have connected to the internet was also say pfsense. And your switching and APs in use could do vlans - then there really isn't anything you couldn't do from a networking perspective.
I will try to keep both updated. Thank you for posting your success. I LOVE it when people do that.
Can't stand when people don't follow up with their own question or just say "fixed it".
So you sir, ROCK.
Maybe try to temporarily disable "Block bogon networks" under Interfaces / WAN.
I don't see any 5.102.x.x in my /etc/bogons, strange. I don't have that option enabled, firewall rules are more than enough. Maybe a bug, or it was present on that old version you are using.
Well, finished my tests and got it to work. No changes to the ISP equipment.
I might have a problem with that installation as changes are not applying after filters reloads. It takes over 5 minutes after it completes to start working.
The box is an i5-3470 with 4MB RAM and it's running using 1% of the CPU, so no other reason for the delay I can think of, besides some garbage inside that install.
It is working now, but I can't say what caused it to stop working in the first place (I do hate those "it was working before and now it is not" statements).
If I find out I will post again.
nah! doesn't do a thing!
As long as the VIP is existing, the second filter gets created and therefore applies the Block to anything not coming from whatever the VIP's IP is.
The VIP itself is created automatically by pfBlocker. So no way around the !Net problem. However, it shouldn't have any impact, as the rule's effect is applied by default deny anyway.