
    Can I manually create the WAN rule for incoming traffic for PFBlockerNG

ProxyMoron

This seems like a simple thing, but pfBlockerNG doesn't seem to want to let me do it.

I want to block all incoming connections on all but specific ports from all countries that are not France, for example. So I have configured GeoIP with France selected and Deny Inbound. (Yep, Deny - please read on.)

In pfBlockerNG I apply this to my WAN interface under Inbound Firewall Rules, and pfBlockerNG creates a firewall rule pfB_Top_v4 with a Block.

My ordering is pfSense Pass/Match | pfB_Pass/Match | pfB_Block/Reject | pfSense Block/Reject, so this rule goes to the bottom of the WAN rules firewall tab (floating not ticked).

Now I have a web server that is sitting in the DMZ, and I want to permit 80 and 443 incoming on the WAN, but only from France, so...

I manually create another rule where I say Block all !pfB_Top_v4 - in other words, block all that ISN'T France - and put this ABOVE my port 80 and 443 rule, which in turn sits above the pfBlockerNG auto-created rule that blocks all that IS France.

So my logic here is:

Is the source traffic not from France - Yes: Block - No: Proceed
Is the destination port 80 or 443 - Proceed
Is the source traffic from France - Yes: Block

This means that I ONLY allow 80 and 443 in IF they are from France. Otherwise, if I don't do this, that opens all other ports (SSH etc.) IF the source is from France.

The problem is that pfBlockerNG reorders my manually created rule to the bottom every time it updates. So I then have:

Is the destination port 80 or 443 - Proceed
Is the source traffic from France - Yes: Block
Is the source traffic not from France - Yes: Block - No: Proceed

Meaning I get no blocking.

When I try to specify in pfBlockerNG NOT to create a WAN rule under Inbound Firewall Rules, it won't let me leave this blank, and I can't leave it as it is, as it reorders my manually created rule.

So how can I get pfBlockerNG to ignore my manually created WAN rule and not reorder it? Or is there another way of doing this?

In GeoIP, if I try "permit inbound" with pfB_Top_v4 (with no manually created rule), that will allow things like SSH and open all ports for people in France, as an example, so that won't work either.

      Any ideas?

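The evaluation the poster walks through, as an added example that is not part of this thread or of pfBlockerNG's own code: a small first-match simulator that runs the same constructed traffic through the three WAN-tab orderings at issue (the intended order, the order after the package moved the manual block rule to the bottom, and a single "Alias Type" pass rule, which goes slightly beyond what the post describes). The address ranges, packets and rule encoding are all constructed for the example; `PFB_TOP_V4` is a list of RFC 5737 documentation prefixes standing in for the GeoIP alias, not real French address space.

```python
import ipaddress

# Constructed stand-in for the pfB_Top_v4 GeoIP alias (documentation prefixes
# only, RFC 5737). Not real French address space.
PFB_TOP_V4 = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed test traffic: (source IP, destination port).
PACKETS = [
    ("198.51.100.10", 443),  # in the alias ("France"), web
    ("192.0.2.10", 443),     # outside the alias, web
    ("198.51.100.10", 22),   # in the alias, SSH
    ("192.0.2.10", 22),      # outside the alias, SSH
]

def in_alias(src, alias=PFB_TOP_V4):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in alias)

def rule_matches(rule, src, dport):
    """rule = (action, source, ports). source is None (any), 'alias' (source in
    pfB_Top_v4) or '!alias' (source not in it); ports is None (any) or a set."""
    _action, source, ports = rule
    if source == "alias" and not in_alias(src):
        return False
    if source == "!alias" and in_alias(src):
        return False
    if ports is not None and dport not in ports:
        return False
    return True

def evaluate(rules, src, dport, default="block"):
    """First match wins, top-down, which is how pfSense evaluates interface-tab
    rules (they are all 'quick'). Inbound WAN traffic that matches nothing
    falls through to pfSense's default deny, modelled by `default`."""
    for rule in rules:
        if rule_matches(rule, src, dport):
            return rule[0]
    return default

def run(rules, packets=PACKETS):
    return tuple(evaluate(rules, src, dport) for src, dport in packets)

# The order the poster wanted on the WAN tab.
INTENDED = [
    ("block", "!alias", None),   # manual: block everything not in pfB_Top_v4
    ("pass", None, {80, 443}),   # manual: allow web to the DMZ host
    ("block", "alias", None),    # pfBlockerNG auto rule (GeoIP Deny Inbound)
]

# The order after the package pushed the manual block rule to the bottom.
REORDERED = [
    ("pass", None, {80, 443}),
    ("block", "alias", None),
    ("block", "!alias", None),
]

# The same policy as one 'Alias Type' pass rule, relying on the default deny.
SINGLE_PASS = [
    ("pass", "alias", {80, 443}),
]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("reordered", REORDERED), ("single pass", SINGLE_PASS)):
        print(f"{name:12s}", dict(zip(PACKETS, run(rules))))
```

Two things worth taking from the run. First, the reordered set passes web traffic from anywhere (the pass rule is hit before either block rule is consulted), which is the "no blocking" the poster saw; this only holds because interface-tab rules are first-match, so do not model floating rules without "Quick" this way, as those are last-match. Second, because pfSense already denies unsolicited inbound traffic on WAN by default, one pass rule with the alias as source and 80/443 as destination ports gives exactly the decisions of the intended three-rule order, without depending on any block rule keeping its position.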
BBcan177 (Moderator)

If the pre-defined Auto-rules do not fit your needs, then use "Alias Type" rules and manually create your own rules.

See the blue infoblock icons in the IPv4 tab for further details, i.e. "Alias Deny".

To make it easier for you: the Auto-Rules are already created, but maybe not in the order which you would like. So go to each one of the pfBlockerNG auto-created rules and change the Rule Description prefix:

From: pfB_
To: pfb_ (lowercase)

Then you can re-order these rules as you wish, and the package will not change any rules that have a description that starts with "pfb_". This will also allow the widget to populate properly.

Then go to each Alias and set them as "Alias Type" rules.

        Hope that helps...

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

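A check to run after following the advice above, added here as an example rather than anything shipped with pfSense or pfBlockerNG: it reads a config.xml backup, lists the WAN-tab rules in their stored order and classifies each by the description prefix convention from the reply (`pfB_` rules are still owned and reordered by the package, `pfb_` rules are left alone). The XML below is a constructed excerpt, and the assumed layout (`<pfsense><filter><rule>` elements in tab order with `<interface>`, `<type>` and `<descr>` children) is an assumption for the example, not verified against a specific pfSense release.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt in the poster's intended WAN order. The
# element layout is an assumption for this example (see lead-in).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>block</type><interface>wan</interface>
      <descr><![CDATA[pfb_not_France manual block]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <descr><![CDATA[Web to DMZ host 80,443]]></descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <descr><![CDATA[pfB_Top_v4 auto rule]]></descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <descr><![CDATA[Default allow LAN to any rule]]></descr>
    </rule>
  </filter>
</pfsense>
"""

def owner(descr):
    """Classify a rule by its description prefix, following the convention in
    the reply: 'pfB_' rules are (re)created and ordered by pfBlockerNG,
    'pfb_' rules are left alone by the package. Case matters."""
    if descr.startswith("pfB_"):
        return "package"
    if descr.startswith("pfb_"):
        return "manual (pfb_ prefix)"
    return "manual"

def interface_rules(xml_text, iface="wan"):
    """(type, description, owner) for each rule on `iface`, in stored order."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != iface:
            continue
        descr = (rule.findtext("descr") or "").strip()
        rules.append((rule.findtext("type"), descr, owner(descr)))
    return rules

def package_managed(rules):
    """0-based tab positions of rules pfBlockerNG still owns; anything listed
    here can move the next time the package rewrites its auto-rules."""
    return [i for i, (_type, _descr, who) in enumerate(rules) if who == "package"]

if __name__ == "__main__":
    rules = interface_rules(SAMPLE_CONFIG)
    for i, (action, descr, who) in enumerate(rules):
        print(f"{i}: {action:5s} {who:22s} {descr}")
    print("still package-managed:", package_managed(rules))
```

On the constructed excerpt the manual block rule has already been renamed and stays put, but the auto rule at position 2 is still `pfB_`-prefixed, so it remains under the package's control; if the ordering you want depends on where that rule sits, it also needs the `pfb_` rename, which is what the reply recommends doing for every auto-created rule.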
ProxyMoron

Yup - that's exactly what I needed - many thanks for that, BBcan177.

And a personal thank you for all your hard work on pfBlockerNG too!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.