Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNSBL & GEOIP Whitelisting + FW Rule order

    pfBlockerNG
    2
    4
    634
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      shon
      last edited by shon

      I am using the following services

      DNSBL (Unbound Python Mode) - Ad / Malware blocking, Python Group Policy (whitelist)
      GeoIP - blocking

      I have the following rules setup in the Firewall:

      Floating Rules

      • whitelist alias (any protocol / any destination + this matches the whitelist in dnsbl's python group policy)
      • pfblocker geo IP blocking

      LAN Rules

      • allow any/any according to whitelist alias
      • Allow 80, 443, 53,
      • Deny All (bottom of list)

      The weird problem is I still see deny entries for port 80/443 in the Firewall log file sometimes stating that pfblocker GEO IP rules were hit in the Floating Rules list even though the very first floating rule in the list allows any/any referencing the alias used in DNSBL Python Group Policy. Plus I see the Deny Rule in the LAN rule set being hit too.

      The firewall processing order for pfblocker IP is the following:

      pfsense pass/match
      pfb pass/match
      bfb block/reject
      pfsense block/reject

      S 1 Reply Last reply Reply Quote 0
      • S
        shon @shon
        last edited by

        @shon said in DNSBL & GEOIP Whitelisting + FW Rule order:

        I am using the following services

        DNSBL (Unbound Python Mode) - Ad / Malware blocking, Python Group Policy (whitelist)
        GeoIP - blocking

        I have the following rules setup in the Firewall:

        Floating Rules

        • whitelist alias (any protocol / any destination + this matches the whitelist in dnsbl's python group policy)
        • pfblocker geo IP blocking

        LAN Rules

        • allow any/any according to whitelist alias
        • Allow 80, 443, 53,
        • Deny All (bottom of list)

        The weird problem is I still see deny entries for port 80/443 in the Firewall log file sometimes stating that pfblocker GEO IP rules were hit in the Floating Rules list even though the very first floating rule in the list allows any/any referencing the alias used in DNSBL Python Group Policy. Plus I see the Deny Rule in the LAN rule set being hit too.

        The firewall processing order for pfblocker IP is the following:

        pfsense pass/match
        pfb pass/match
        bfb block/reject
        pfsense block/reject

        Maybe I'm seeing logs because of this:

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

        However, I'm still wondering why I'm seeing LAN rules hit, when Floating rules are set using a whitelist Alias list with Quick enabled.

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @shon
          last edited by

          @shon Are the rules marked as Quick? Quick and floating are a bit different, see the three sections at https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#processing-order

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          S 1 Reply Last reply Reply Quote 0
          • S
            shon @SteveITS
            last edited by

            @steveits Hey Steve -- Yeap, the Floating Rule at the top has Quick enabled.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.