Good results with URL Table Aliases package
-
-
after using pfsense for years now , this is a great addon, which I missed. I feel better to have a blocklist on the firewall beside moblock or iplist on the desktop.
I asked me about the supported Blocklistformat. Jimp mentioned above that only plain text files are supported-what a pitty! Most availible blocklist are compressed and in IP RANGE format with additional information such as nipfilter.dat.gz or level1.gz .
Has the list to be only in CIDR format or Ip range too?
I can download uncompress, convert the list manually and upload to pfsense box by sftp, but to which location?thanks
peteSomeone else has another package ("ip blocklist") which can work on the level1 list and ranges and such. The author of that package converted it to pf (at my suggestion) and it may be viable for that now. I haven't used it myself yet.
The problem with ranges is they take a lot of time to calculate. IPs and CIDRs are what pf supports natively. Ranges and compressed files have to be processed before they can be used by pf, which increases the burden on the router.
-
@jimp: ok, i modified filter.inc the following way :
$rules .= "set limit table-entries 300000\n";
in the filter_configure_sync function
and it seems to work.
@pete : you can also store the updated list to a local web server, then use the corresponding url into the table alias.Where in the filter_configure_sync section did you put your statement in?
I was thinking of adding it before
$rules .= "\n";
$rules .= "set skip on pfsync0\n"; -
I notice that is package can not be uninstalled and I was wondering what were the reasons and could it possibly be detrimental in anyway.
-
If you uninstall it and leave a URL table alias configured, the behavior would be unpredictable and could result in the filter rules failing to load.
-
I installed it. I installed cron. I added a US CIDR txt url for allowing only us ips. I added the cron job specified on the first post. It does not seem to be working. Using a proxy to test, i could still gain access to pcs behind the firewall.
-
Did you use the alias in a firewall rule? Can you post a screencap of your firewall rules? If it got through, then it either matched a rule above it in the ruleset that passed it, it wasn't used in a rule properly, or the proxy you used was really in the US and not another country.
-
i havent had a chance to check yet, but just to mention I am running NanoBSD version. Does that matter?
-
i havent had a chance to check yet, but just to mention I am running NanoBSD version. Does that matter?
I thought it was safe to use on NanoBSD but I don't recall at the moment.
-
So how should i add an alias to my rules? I want to only allow us ips to connect. So, i add the CIDR US list to the URL alias. Then what?
-
You make a new alias, choose the URL table type, put in the URL for the US IPs list.
Then use the alias in a rule like any other alias. You'd make a rule on WAN like so:
pass <protocol>from <single host="" or="" alias,="" us_ip_alias="">, port: any, to <local_ip>, port: <whatever>.
The real contents of that rule are up to you and whatever your app is.</whatever></local_ip></single></protocol>
-
Will that by default block all other ips? do i need to put a rule below allow us ips to block all?
-
All traffic is blocked on pfSense by default.
If you have no other pass rule that matches the same traffic, then all other traffic will be blocked.
