pfBlockerNG block traffic
-
firewall-lan
firewall-wan
firewall-aliases-all
the Aliases URL's empty
I have few more vlan's but they have no relation to this issue.
the connection issue is on the lan network (if it will be needed I can add screen shots too) -
@sbh I don't see any evidence of IP block rules from pfblocker. Is pfblocker shutdown? I see above that you were using Deny Inbound and Deny Both rules. Those would be auto-generated rules. I'm not sure how pfblocker handles the removal of those rules if you shut it off or what it does with the Reports and the logs. That probably explains why on the dasbboard widget there are no aliases, or any traffic in the IP, or blocks in for either IP or DNSBL.
If pfblocker IP is shutdown I would suggest restarting it, then trying to update your Ubuntu machine again. I'm expecting that it will fail again. Once that happens repost new screen shots of the LAN, WAN, Floating, Alises, and dashboard widget if they have changes from the ones you posted. Also post a screenshot of the Reports, and IP, IPv4 and GeoIp in pfbocker.
-
What you expect to see that you don't see in the firewall rules?
-
I noticed I get this message:
There were error(s) loading the rules: /tmp/rules.debug:27: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [27]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
@ 2022-01-28 12:48:13it may related?
by disabling and enabling the floating rules check box, I get now all the rules.
-
Not sure about the error message that you have and will think about it a bit. I take it that the rules you are showing are all floating rule?
The first thing I notice is that you do not need any of the rules for the WAN. The WAN has a default (hidden) rule on it that prohibits any packets coming into pfsense. So those rules you have on the WAN are already being handled by the default rule. You don't need to block the world from coming into pfsense.....it's done by default. :)
It's best practice to apply rules manually to each interface as needed. So the next thing I would do is change the "Action" of each of the pfb_Top_v4, pfB_Top_v6, and pfB_PRI aliases to "Alias Native". This will then create that aliases but will not create any firewall rules. You can manually create rules on each of the interfaces where you need them. It's best to not put them in floating rules.
Also, are you using IPv6 on your network? if not then you don't need any of the IPv6 feeds.
-
You correct, they all come from the floating rules. I didn't creating them. its look like they created by default by the pfblockerNG when I check the floating rules.
when I enable it, it all the rules popup the WAN and the LAN.
I use the geoIP as I don't want attempt to connect to my server from anyplace in the world beside North America.
If I understand it right. the default block any access from the WAN to the LAN. but if I did a port forward then now they can access from the WAN to the LAN via this port
the blocking of the world is to block based on location so only someone from inside the US can access this port. anyone from any other place will be blocked from accessing it.If I wrong let me know as I tested it and it work well and I may missed something there.
-
@sbh said in pfBlockerNG block traffic:
I use the geoIP as I don't want attempt to connect to my server from anyplace in the world beside North America.
If I understand it right. the default block any access from the WAN to the LAN. but if I did a port forward then now they can access from the WAN to the LAN via this portHere's what you need to do to protect the server:
- Create an Alias Permit feed for North America in pfblocker.
- Create a Permit Rule on your WAN interface with the North America alias as the Source and the Server's IP and Port as the destination.
- Immediately below the rule in #2, create a block rule with a source of any and Server's IP and Port as the destination.
Connections from North America will be allowed, everything else will be blocked from reaching the server.
One other thing, do you know the IP addresses of the things that will be connecting to the server? If so, don't use a North American alias. Instead manually create an alias with the IP's of the connecting devices and use that alias.
-
In the solution above I don't need anymore the al pfBlockerNG? since it not using it any more?
There are any other benefit to use the pfBlockerNG? -
@sbh said in pfBlockerNG block traffic:
In the solution above I don't need anymore the al pfBlockerNG? since it not using it any more?
Not sure what you are asking me here. If your're going to use an alias of North America as I described above then you create that alias using pfblocker. You would pick out the countries in North America that you want in the alias from this list:
Then on this page make sure you have the Action set to "Alias Permit" for North America
This will create an alias, pfB_NAmerica_v4 that you can then use in the firewall rules as I described.
@sbh said in pfBlockerNG block traffic:
There are any other benefit to use the pfBlockerNG?
Lot's! The most typical case would be to use it to block your devices on your internal networks from reaching out to bad sites on the internet. It can block advertising, known bad ip's and domains, malware sites, trackers, etc.
The default LAN rule in pfsense will allow your LAN devices to communicate with anything out in the internet. PFblockerNG creates the ability to block any of those devices from communicating with known places that you would rather they not communicate with.
-
Thank you for the info, I'll try to follow it and give you update. it will take some time as I'm still figuring out how to do things on pfsense.
-
I did it and it work very nice. Thanks
in the screenshot above you set Top Spammers as Alias Deny. it mean that you needed to create rule using the alias to block this top spammers. can you send me the rule as it something that I defiantly want to block.
Thanks so much
-
Congratulations on getting the rules set up on your WAN!
in the screenshot above you set Top Spammers as Alias Deny. it mean that you needed to create rule using the alias to block this top spammers. can you send me the rule as it something that I defiantly want to block.
This is easy. As you know now, by enabling the Top Spammers above it will create an alias for you to be able to use manually in any rule you want. So you can use it on any interface that you want. But remember that the WAN will block all unsolicited incoming traffic by default so you don't want to create a rule on the WAN for that alias. Instead, you would want to use it on your internal networks to block them from communicating the the IPs in the alias.
So let's look at a quick example of how this works. By default, all traffic initiated on the LAN is allowed into pfsense and can exit the WAN. When a data packet leaves the WAN it creates a state in the firewall. So when a computer (192.168.162.10) on your LAN initiates a request to go to a site at 111.111.111.111 a state is written into the state table 192.168.162.10 -> 111.111.111.111. (You can see all the states in Diagnostics/States.)
Now when 111.111.111.111 responds to 192.168.162.10's request the returning packet hits the WAN on pfsense. PFsense checks the State Table and sees that the packets is a response to a request initiated by 192.168.162.10 and therefore allows the packet through the WAN and to the LAN to the computer.
So you use a list like Top Spammers to block local resources from initiating the requests to bad IPs. So in the example above, if we want to protect the LAN clients from those bad IPs the rule would be placed on the LAN and would look like this:
You should see the IPs that were blocked in the reports tab like this:
Keep in mind that none of these lists are perfect. There will be times when you will definitely get some IPs that are blocked that are legitimate places (like your Ubuntu update). When that happens you can click the red lock icon to temporarily allow the IP to be accessed, or click the "+" sign to add it to the IP whitelist.
-
Thank you very much, the explanations was great and everything is setup and working now.
-
@sbh I'm glad it all worked out for you! And I was really happy to help. Thanks for the feedback!
One thing I'd like to revisit quickly. It was early in the morning when I wrote this:
Here's what you need to do to protect the server:
- Create an Alias Permit feed for North America in pfblocker.
- Create a Permit Rule on your WAN interface with the North America alias as the Source and the Server's IP and Port as the destination.
- Immediately below the rule in #2, create a block rule with a source of any and Server's IP and Port as the destination.
I need to clairfy that you do not need the rule I described in #3 above. The reason for that is that anything other than the IP's from the North America alias would be blocked by the default deny rule on the WAN.
I must have not had enough coffee that early in the morning to get the fog out of my head!
-
Thank you for the correction, I did not put the rule that you mentioned in #3 as the firewall block everything by default, so I just open the server port for north America - US and that's all.
Do you know if I can make it even more specific and allow only specific states in the US?
-
@sbh said in pfBlockerNG block traffic:
Do you know if I can make it even more specific and allow only specific states in the US?
No I don't. But the OpenVPN protocol is pretty robust. By design it does not respond to port scans so people shouldn't even know that port is open. And if someone was to try to access the tunnel they woulds still have to authenticate with the correct credentials which would be extremely unlikely.