pfBlockerNG block traffic

sbh

You correct, they all come from the floating rules. I didn't creating them. its look like they created by default by the pfblockerNG when I check the floating rules.

when I enable it, it all the rules popup the WAN and the LAN.

I use the geoIP as I don't want attempt to connect to my server from anyplace in the world beside North America.
If I understand it right. the default block any access from the WAN to the LAN. but if I did a port forward then now they can access from the WAN to the LAN via this port
the blocking of the world is to block based on location so only someone from inside the US can access this port. anyone from any other place will be blocked from accessing it.

If I wrong let me know as I tested it and it work well and I may missed something there.

dma_pf

@sbh said in pfBlockerNG block traffic:

I use the geoIP as I don't want attempt to connect to my server from anyplace in the world beside North America.
If I understand it right. the default block any access from the WAN to the LAN. but if I did a port forward then now they can access from the WAN to the LAN via this port

Here's what you need to do to protect the server:

1. Create an Alias Permit feed for North America in pfblocker.
2. Create a Permit Rule on your WAN interface with the North America alias as the Source and the Server's IP and Port as the destination.
3. Immediately below the rule in #2, create a block rule with a source of any and Server's IP and Port as the destination.

Connections from North America will be allowed, everything else will be blocked from reaching the server.

One other thing, do you know the IP addresses of the things that will be connecting to the server? If so, don't use a North American alias. Instead manually create an alias with the IP's of the connecting devices and use that alias.

sbh

In the solution above I don't need anymore the al pfBlockerNG? since it not using it any more?
There are any other benefit to use the pfBlockerNG?

dma_pf

@sbh said in pfBlockerNG block traffic:

In the solution above I don't need anymore the al pfBlockerNG? since it not using it any more?

Not sure what you are asking me here. If your're going to use an alias of North America as I described above then you create that alias using pfblocker. You would pick out the countries in North America that you want in the alias from this list:

Then on this page make sure you have the Action set to "Alias Permit" for North America

This will create an alias, pfB_NAmerica_v4 that you can then use in the firewall rules as I described.

@sbh said in pfBlockerNG block traffic:

There are any other benefit to use the pfBlockerNG?

Lot's! The most typical case would be to use it to block your devices on your internal networks from reaching out to bad sites on the internet. It can block advertising, known bad ip's and domains, malware sites, trackers, etc.

The default LAN rule in pfsense will allow your LAN devices to communicate with anything out in the internet. PFblockerNG creates the ability to block any of those devices from communicating with known places that you would rather they not communicate with.

sbh

Thank you for the info, I'll try to follow it and give you update. it will take some time as I'm still figuring out how to do things on pfsense.

sbh

I did it and it work very nice. Thanks

in the screenshot above you set Top Spammers as Alias Deny. it mean that you needed to create rule using the alias to block this top spammers. can you send me the rule as it something that I defiantly want to block.

Thanks so much

dma_pf

Congratulations on getting the rules set up on your WAN!

in the screenshot above you set Top Spammers as Alias Deny. it mean that you needed to create rule using the alias to block this top spammers. can you send me the rule as it something that I defiantly want to block.

This is easy. As you know now, by enabling the Top Spammers above it will create an alias for you to be able to use manually in any rule you want. So you can use it on any interface that you want. But remember that the WAN will block all unsolicited incoming traffic by default so you don't want to create a rule on the WAN for that alias. Instead, you would want to use it on your internal networks to block them from communicating the the IPs in the alias.

So let's look at a quick example of how this works. By default, all traffic initiated on the LAN is allowed into pfsense and can exit the WAN. When a data packet leaves the WAN it creates a state in the firewall. So when a computer (192.168.162.10) on your LAN initiates a request to go to a site at 111.111.111.111 a state is written into the state table 192.168.162.10 -> 111.111.111.111. (You can see all the states in Diagnostics/States.)

Now when 111.111.111.111 responds to 192.168.162.10's request the returning packet hits the WAN on pfsense. PFsense checks the State Table and sees that the packets is a response to a request initiated by 192.168.162.10 and therefore allows the packet through the WAN and to the LAN to the computer.

So you use a list like Top Spammers to block local resources from initiating the requests to bad IPs. So in the example above, if we want to protect the LAN clients from those bad IPs the rule would be placed on the LAN and would look like this:

You should see the IPs that were blocked in the reports tab like this:

Keep in mind that none of these lists are perfect. There will be times when you will definitely get some IPs that are blocked that are legitimate places (like your Ubuntu update). When that happens you can click the red lock icon to temporarily allow the IP to be accessed, or click the "+" sign to add it to the IP whitelist.

sbh

Thank you very much, the explanations was great and everything is setup and working now.

dma_pf

@sbh I'm glad it all worked out for you! And I was really happy to help. Thanks for the feedback!

One thing I'd like to revisit quickly. It was early in the morning when I wrote this:

Here's what you need to do to protect the server:

1. Create an Alias Permit feed for North America in pfblocker.
2. Create a Permit Rule on your WAN interface with the North America alias as the Source and the Server's IP and Port as the destination.
3. Immediately below the rule in #2, create a block rule with a source of any and Server's IP and Port as the destination.

I need to clairfy that you do not need the rule I described in #3 above. The reason for that is that anything other than the IP's from the North America alias would be blocked by the default deny rule on the WAN.

I must have not had enough coffee that early in the morning to get the fog out of my head!

sbh

Thank you for the correction, I did not put the rule that you mentioned in #3 as the firewall block everything by default, so I just open the server port for north America - US and that's all.

Do you know if I can make it even more specific and allow only specific states in the US?

dma_pf

@sbh said in pfBlockerNG block traffic:

Do you know if I can make it even more specific and allow only specific states in the US?

No I don't. But the OpenVPN protocol is pretty robust. By design it does not respond to port scans so people shouldn't even know that port is open. And if someone was to try to access the tunnel they woulds still have to authenticate with the correct credentials which would be extremely unlikely.