Good results with URL Table Aliases package
-
@jimp: OK, I modified filter.inc the following way:
$rules .= "set limit table-entries 300000\n";
in the filter_configure_sync function
and it seems to work.
@pete: you can also store the updated list on a local web server, then use the corresponding URL in the table alias.
-
Where in the filter_configure_sync section did you put your statement?
I was thinking of adding it before
$rules .= "\n";
$rules .= "set skip on pfsync0\n";
-
I notice that this package cannot be uninstalled, and I was wondering what the reasons were and whether it could possibly be detrimental in any way.
-
If you uninstall it and leave a URL table alias configured, the behavior would be unpredictable and could result in the filter rules failing to load.
-
I installed it. I installed cron. I added a US CIDR txt URL for allowing only US IPs. I added the cron job specified in the first post. It does not seem to be working. Using a proxy to test, I could still gain access to PCs behind the firewall.
-
Did you use the alias in a firewall rule? Can you post a screencap of your firewall rules? If it got through, then it either matched a rule above it in the ruleset that passed it, it wasn't used in a rule properly, or the proxy you used was really in the US and not another country.
-
I haven't had a chance to check yet, but just to mention I am running the NanoBSD version. Does that matter?
-
I haven't had a chance to check yet, but just to mention I am running the NanoBSD version. Does that matter?
I thought it was safe to use on NanoBSD but I don't recall at the moment.
-
So how should I add an alias to my rules? I want to only allow US IPs to connect. So, I add the CIDR US list to the URL alias. Then what?
-
You make a new alias, choose the URL table type, put in the URL for the US IPs list.
Then use the alias in a rule like any other alias. You'd make a rule on WAN like so:
pass <protocol> from <single host or alias, e.g. US_IP_alias>, port: any, to <local_ip>, port: <whatever>.
The real contents of that rule are up to you and whatever your app is.
-
Will that by default block all other IPs? Do I need to put a rule below "allow US IPs" to block all?
-
All traffic is blocked on pfSense by default.
If you have no other pass rule that matches the same traffic, then all other traffic will be blocked.