Netgate Discussion Forum

Not blocking any location

pfBlockerNG
10 Posts 3 Posters 1.2k Views
Viconnect (last edited by Viconnect)

Hey guys,

I'm new to pfSense and very excited about it. Bought a license and everything and installed pfBlockerNG to prevent access from unwanted geolocations and other stuff.

1. I only want to allow Europe and drop any other packets.
2. If possible, make an invert match to reduce the amount of data by changing to drop all except for European addresses.

Currently, I took the first way and a floating rule was created with IP address lists of IPv4 and IPv6 to drop packets from unwanted geolocations like Asia, America, and so on. I had to increase the number of database entries in pfSense to store the data, and it uses 14GB of RAM currently, but blocks nothing. I tried IPVanish, NordVPN, and 2 custom IPs from Asia, America, Africa, but nothing is blocked.

Currently, it's completely useless and it reduces the pfSense performance, consumes RAM, and does (feels like) nothing.

First question: How to invert match the rule to reduce the RAM and make it the opposite way, using drop all and allow all European GeoIPs?
Second, how to get it to work?

I really appreciate any help, but please only if you know what you are talking about. :-)

pfblocker.JPG
Bob.Dig (LAYER 8, last edited by Bob.Dig)

Only one hint from me: Top-Spammers is not about spammers but about countries other than the US.
Blocking this list is the worst thing you can do if you are outside the US, and you do it even in both directions.
johnpoz (LAYER 8 Global Moderator, replying to @Viconnect, last edited by johnpoz)

@Viconnect blocking the planet is not the way to do it anyway.. Allow the traffic you want.. Can you show us your rules, and what exactly are those tables.. What are you trying to block them from.. You going to them, or them hitting some port forward you have open?

I only allow US IPs to my port forwards and ports, and drop and log all inbound traffic to any port that is a SYN..

So you can see my rule that would allow traffic to 443 is limited to my pfBlocker alias that includes US IPs.. Notice this traffic was not allowed and dropped down to my logging rule.. Because it was not on my allow list..

block.jpg

Trying to create lists of IPs that contain every IP on the planet vs the ones you want to allow is not a very efficient way to do it.. It's better to just allow what you want to allow..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Viconnect (last edited by Viconnect)

The specific case is: I have an nginx proxy open on ports 80 and 443 and some other services on 8443, 7654...., the pfSense is in front of all the VMs, services and servers, and I would like to block any traffic from outside Europe only to reduce the amount of attacks on devices behind the firewall (I know all the reasons why it doesn't make sense ... blabla). I want that and no discussion about why.
IPv6 does not interest me at all, is there an easy way to remove IPv6 entirely? I could reduce a lot with that, I think. A simple deny rule in the firewall for all IPv6 subnets, or an IPv6 option for the entire interface?

Screenshot 2024-03-10 at 21-53-17 pfSense.ViconnectSense - Firewall Rules Floating.png

My pf database is still growing, currently reaching 22GB of RAM.
Viconnect

@johnpoz can you tell me please how to add America, France, Switzerland or any other to the allowed list? And drop the rest?
Bob.Dig (LAYER 8, replying to @johnpoz)

@johnpoz said in Not blocking any location:

and drop and log all inbound traffic to any port that is a syn..

Out of curiosity, how much less blocked TCP traffic gets logged by only doing it for SYN?
Viconnect

@Bob-Dig said in Not blocking any location:

syn

Don't get it, what is a SYN?
Viconnect (last edited by Viconnect)

Would you be so kind and tell me what to do to allow only Sweden, Switzerland and .. another country and deny the rest?
I can see in your rule table in the end you deny all, and at the allowed pfB_AllowPfb_v4 to 443, but where is pfB_AllowFb_v4 from? When I try to allow in pfBlocker it tells me an error message that I have to be sure to allow inbound from many countries, security risk ...... and so on.
Unbenannt.JPG
johnpoz (LAYER 8 Global Moderator, replying to @Viconnect, last edited by johnpoz)

@Viconnect said in Not blocking any location:

but where is pfB_AllowFb_v4 from?

It's a list I created.

allow.jpg

I allow US IPs, some other lists for Uptime Robot and StatusCake - they could be international IPs, and I currently have family living in Morocco and they stream off my Plex server.

As to how much less when only doing just SYN than all.. I would have to turn all back on and let it run for a day.. But it's not insignificant.. And I just have no desire to see what I know would be blocked because there is no state. But it's interesting to see who is actually trying to create a state.
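The allow-list design johnpoz describes in his two replies (pass the exposed ports only from a country alias, drop and log everything else, and log only the SYNs), written out in raw pf.conf syntax as an added example. This is not the thread's configuration and not the ruleset pfSense generates from the GUI; the interface name em0, the table name pfB_Allow_v4, the file path and the port list are assumptions. The inet6 line is included as one possible reading of Viconnect's IPv6 question (drop all inbound IPv6 on the WAN), not as something stated in the thread.

```pf
# Added example, not from the thread or from pfSense's generated ruleset.
# Assumptions: the WAN interface is em0, the country allow list is a text
# file of CIDR blocks (pfBlockerNG normally maintains such a list as an
# alias/table), and the exposed services are the ports listed below.
wan = "em0"
svc_ports = "{ 80, 443, 8443 }"

# Allow list of source networks, e.g. the European country blocks.
# Path and file contents are assumed.
table <pfB_Allow_v4> persist file "/path/to/pfB_Allow_v4.txt"

set skip on lo0

# Default deny in every direction. Nothing passes unless a pass rule below
# matches. No "log" here: this is the rule that silently eats stray non-SYN
# packets, late ACKs and RSTs that nobody wants to read about.
block all

# Drop inbound IPv6 on the WAN entirely if the services are IPv4-only.
block in quick on $wan inet6

# Pass only new TCP connections (SYN set, ACK clear) from the allow list to
# the exposed ports on the WAN address. The state entry then carries the
# rest of the connection without consulting the table again.
pass in quick on $wan inet proto tcp from <pfB_Allow_v4> \
    to ($wan) port $svc_ports flags S/SA keep state

# Log only bare SYNs that reach this point: genuine connection attempts
# that were not on the allow list. Anything else that is not a SYN still
# falls through to "block all" above, but unlogged, which is what keeps
# the log down to "who is actually trying to create a state".
block in log quick on $wan inet proto tcp flags S/SA

# Let the firewall itself and the hosts behind it reach out.
pass out quick on $wan keep state
```

Rule order matters: "block all" has no "quick", so it only applies when no later quick rule matched, while the inet6 block, the allow-list pass and the logging block all stop evaluation on first match. In the pfSense GUI, where rules are first-match by default, the same shape is a WAN pass rule with the pfBlockerNG allow alias as source and the exposed ports as destination, followed by a logging block rule whose TCP Flags (under the rule's Advanced Options) are restricted to SYN.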
Viconnect

Great, I'll give it a try.
However, could anyone advise on how to reset pfBlocker to its default settings?
Ever since I activated geoblocking, my pfSense setup has become quite problematic.
It's using an enormous amount of RAM, around 40GB. I've tried deselecting all countries in pfBlocker, disabling the pfBlocker GeoIP feature, and even completely uninstalling the plugin, but nothing has changed.
Consequently, I installed a new pfSense and attempted to download and import a config file from the existing setup.
However, the backup's XML config still contains all the pfBlockerNG data, including geoblocking addresses, IPs, and more.
Is there no way to remove pfBlocker without causing pfSense to crash or having to reinstall everything?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.