Only allow inbound traffic from my own country
-
hey there,
if you really need to allow inbound (on the WAN interface, I assume), then an easy way would be to work with pfBlockerNG-devel: there, use the GeoIP lists, create an allow rule for Switzerland, done (since all other incoming traffic should be blocked by default on WAN).
- install the pfBlockerNG-devel package
- register for GeoIP
- create an IP block list for your needs
-
@nizo67 you then just use this country code, or the specific list you create, as the source on the port forward you set up.
I do this for my Plex; I only allow the countries where my users are.
-
Thanks a lot.
I am using Squid and SquidGuard too, to block storage service providers, which has worked fine until now. I installed pfBlockerNG and configured it, used the GeoIP (All Deny Inbound, except Europe-Switzerland), and added LAN rules for DNS on port 53:
1 - Pass - IPv4 (TCP/UDP) - * * LAN 53 (DNS) * ----- Pass DNS to the firewall
2 - Block - IPv4 (TCP/UDP) - * * * 53 (DNS) * ----- Block DNS to everything else
Now I cannot get any website from the TestVM.
Furthermore, the "pfb_dnsbl pfBlockerNG DNSBL service" does not start. Tried several times. Any advice?
Thanks
-
@nizo67 not sure what that has to do with your thread title question?
-
@nizo67 The only advice I have here is that you might have other unforeseen consequences... I had a customer block all things not in Oceania and they lost access to, among other things, AWS and Microsoft Azure.
-
@nizo67
As stated by others (with much more knowledge and experience than I have): it might have unwanted consequences. So (as always) be sure what you really need and want from it...
Why are you doing all those DNS rules? I cannot see any sense in that. What is your goal, what do you want to achieve?
(edit: never mind, a little bit of good old "thinking about it" solved it... you want to permit only certain DNS server requests, I guess), silly me...
So, if you have, e.g., your DNS resolver unbound running on pfSense, it should be something like:
first: allow IPv4 (UDP/TCP) ----- Source: your (sub)net (e.g. LAN / VLANxy) ----- Dest: this firewall ----- Port 53
then: deny IPv4 (UDP/TCP) ----- Source: your (sub)net ----- Dest: any ----- Port 53
You might want to put something for port 853 (DNS over TLS) in as well...
And then you could add a rule for a DNS blocklist including all kinds of DNS over HTTPS servers (via pfBlockerNG-devel)... And DNS blocklists have nothing to do with blocking incoming traffic by IP.
:)
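As an added example (not code from this thread, from pfSense or from pfBlockerNG), the two pieces of advice above, the GeoIP-restricted port forward from the earlier reply and the two LAN DNS rules from this one, written out as a raw pf.conf ruleset, which is what pfSense generates from the GUI rules. The interface names, addresses, the Plex host and port, and the table name pfB_Switzerland_v4 are assumptions chosen for illustration; pfBlockerNG's real alias names depend on how the list is configured.

```pf
# Added example, not from the thread. Hypothetical names: WAN is em0, LAN is em1,
# the Plex server is 192.168.1.20 on TCP 32400, and pfBlockerNG maintains a table
# called pfB_Switzerland_v4 holding the Swiss GeoIP ranges.
wan      = "em0"
lan      = "em1"
lan_net  = "192.168.1.0/24"
plex_host = "192.168.1.20"
plex_port = "32400"

# GeoIP table; the file is rewritten by the pfBlockerNG cron update, so the
# ruleset keeps working as ranges change without editing pf.conf.
table <pfB_Switzerland_v4> persist file "/var/db/aliastables/pfB_Switzerland_v4.txt"

# --- Translation (must precede filter rules in pf.conf) ---
# Port forward only for sources inside the Swiss table. Non-Swiss sources never
# match the rdr and therefore fall through to the WAN default deny below.
rdr on $wan proto tcp from <pfB_Switzerland_v4> to ($wan) port $plex_port -> $plex_host port $plex_port

# --- Filtering. "quick" on every rule gives first-match order, which is how pfSense
# evaluates the rules shown in the GUI. ---

# WAN: the filter rule sees the already-translated destination ($plex_host).
pass in quick on $wan proto tcp from <pfB_Switzerland_v4> to $plex_host port $plex_port
# Everything else inbound on WAN is dropped and logged (pfSense's implicit default deny).
block in log quick on $wan

# LAN rule 1: plain DNS is allowed only to the firewall itself ("This Firewall" in the GUI).
pass in quick on $lan proto { tcp udp } from $lan_net to ($lan) port 53
# LAN rule 2: DNS (53) and DNS over TLS (853) to anywhere else is blocked and logged,
# so clients that try to bypass the local resolver show up in the firewall log.
block in log quick on $lan proto { tcp udp } from $lan_net to any port { 53 853 }
# LAN rule 3: the usual "allow LAN to any" rule, which must sit BELOW the two DNS rules.
pass in quick on $lan from $lan_net to any
```

Two things to check before relying on this. First, rule order: if the "allow LAN to any" rule sits above the DNS block rule, the block never matches; conversely, if the port-53 pass to the firewall is missing or the resolver is not listening on the LAN address, clients lose name resolution entirely and every website appears down, which is what the "ping 8.8.8.8 vs ping google.com" test later in the thread distinguishes from a routing or proxy problem. Second, port 853 only covers DNS over TLS; DNS over HTTPS rides on TCP 443 and can only be caught by a DNSBL or IP list of known DoH servers, as the reply above notes.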
-
@the-other said in Only allow inbound traffic from my own country:
with much more knowledge and experience than I have
careful, that might go to my head...
-
@rcoleman-netgate
careful, you don't know about my knowledge, skills and experience in networking in general and pfSense... so it could be quite the contrary of a compliment... :D
-
Thanks for all of you.
I disabled both rules and still cannot reach any website :(
I'll uninstall it and try again.
Is there any conflict between Squid and pfBlockerNG?
-
@nizo67 it might be helpful if you could just post a screenshot with...
...your ruleset
...your DNS settings
Have you tried to reach a site by its IP (e.g. ping 8.8.8.8 vs ping google.com)?
What does a ping to an IP address result in?
-
Thanks for all of you :)
It works; I just re-installed it and configured GeoIP. No DNS rules needed.
Cheers,
Nizo