PfBlocker duplicate rules
-
Anybody else seeing duplicate rulesets being created whenever you add a new list to pfBlocker? I have 2 WAN connections, and LAN, with pfBlocker enabled. On both my LAN and OPT1, when I add a new list to pfBlocker, the rules are created again identical to the original set of rules. Before I cleaned up, I had 4 identical copies of some rules.
2.0.1 amd64
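A quick way to confirm the symptom described above on a pfSense box is to compare the ruleset pf actually loaded rather than eyeballing the GUI. The following script is an added example, not code from the thread or from the pfBlocker package: it normalises whitespace in `pfctl -sr` output, counts identical rule lines and prints any rule that occurs more than once. The sample ruleset embedded in it is constructed for the demonstration (the interface names `em0`/`em1` and the alias name `pfBlockerTopSpammers` are assumptions), so it runs without a firewall.

```shell
#!/bin/sh
# find_dup_rules: read a pf ruleset listing (one rule per line, as printed by
# `pfctl -sr`) on stdin and print "<count> <rule>" for each rule text that
# appears more than once.
find_dup_rules() {
    # Collapse runs of whitespace and trim the line so cosmetic differences
    # do not hide a duplicate, then count identical lines and keep those
    # seen at least twice.
    sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' \
    | sort \
    | uniq -c \
    | awk '$1 > 1 { n = $1; $1 = ""; sub(/^ /, ""); print n " " $0 }'
}

# count_dup_rules: number of distinct rules that are duplicated in the
# ruleset read from stdin.
count_dup_rules() {
    find_dup_rules | wc -l | tr -d ' '
}

# Constructed sample resembling `pfctl -sr` output on a pfSense 2.0.x box
# with pfBlocker rules; it is not a capture from a real system. The inbound
# WAN rule appears three times, the LAN rule twice.
SAMPLE_RULES='block drop in quick on em0 from <pfBlockerTopSpammers> to any label "pfBlockerTopSpammers"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE"
block drop in quick on em0 from <pfBlockerTopSpammers> to any label "pfBlockerTopSpammers"
block drop in quick on em1 from any to <pfBlockerTopSpammers> label "pfBlockerTopSpammers"
block drop in quick on em0 from <pfBlockerTopSpammers> to any label "pfBlockerTopSpammers"
block drop in quick on em1 from any to <pfBlockerTopSpammers> label "pfBlockerTopSpammers"
'

# On a live pfSense system:   pfctl -sr | find_dup_rules
# Stand-alone demonstration on the constructed sample:
printf '%s' "$SAMPLE_RULES" | find_dup_rules
```

Running it against a real box before and after adding a list to pfBlocker shows immediately whether the package re-created an identical rule set, and the count tells you how many distinct rules you will have to clean up.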
-
This should have been fixed a while ago - see http://forum.pfsense.org/index.php/topic,42543.msg250712.html#msg250712
It only happened for me when I also had some floating rules in my config.
You might need to re-install the latest version of pfBlocker to get the fixes to the code that creates the firewall rules from the pfBlocker lists.
-
Thanks - according to the package manager, I'm on the latest version. I'll open something with support, I think.
-
I've reduced duplicate cases and also applied some forum users' patches, but there are still duplicates in some cases.
This does not affect pfSense performance or load; it is just a minor bug I could not fix 100% yet.
To work around it, you can change the pfBlocker action to alias only and create your own rules on WAN.
Regards,
Marcello Coutinho
-
Thanks, I'll give that a try! Will the dashboard plugin still work?
-
Thanks, I'll give that a try! Will the dashboard plugin still work?
Yes, you just need to follow the alias-only description format.
-
I'm going through these now - is there a reason we need to have pfBlocker running on the WAN interfaces? WAN interfaces already deny all. Couldn't they simply be run on the LAN interface with deny by destination?
If you do recommend pfBlocker on WAN interfaces, is there any reason I couldn't simply make a set of floating rules?
-
I'm going through these now - is there a reason we need to have pfBlocker running on the WAN interfaces? WAN interfaces already deny all. Couldn't they simply be run on the LAN interface with deny by destination?
If you do not have any service published on WAN, then there is no need to use pfBlocker for inbound restriction.
If you do recommend pfBlocker on WAN interfaces, is there any reason I couldn't simply make a set of floating rules?
Sure, floating rules with pfBlocker aliases will work.
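To make the alias-only workaround and the floating-rule question above concrete, here is an added example (not from the thread, and not the pfBlocker package's own rule generator) that emits, in pf syntax as pfSense writes it to /tmp/rules.debug, the hand-made rules you would pair with a pfBlocker alias: an inbound block on WAN for the case where services are published there, an outbound block by destination on LAN, and the single floating equivalent that covers every interface. The interface names `em0`/`em1` and the alias name `pfBlockerTopSpammers` are assumptions; the alias itself is the pf table pfBlocker fills in alias-only mode.

```shell
#!/bin/sh
# alias_only_rules WAN_IF LAN_IF ALIAS
# Print per-interface rules that consume a pfBlocker alias (a pf table)
# when the package action is "alias only" and no rules are auto-created.
# pfSense applies interface rules in the "in" direction, so LAN client
# traffic toward the internet is matched as "in on LAN".
alias_only_rules() {
    wan=$1; lan=$2; alias=$3
    cat <<EOF
# table populated by pfBlocker; the rules below are maintained by hand
table <$alias> persist
# WAN: "quick" drops listed sources before any port-forward or pass rule;
# pointless without published services, since WAN already denies by default
block drop in quick on $wan from <$alias> to any label "$alias-in"
# LAN: deny by destination so internal clients cannot reach listed networks
block drop in quick on $lan from any to <$alias> label "$alias-out"
EOF
}

# floating_rules ALIAS
# Print the floating-rule form: no interface and no direction, so one rule
# matches the listed networks as source or destination on every interface.
floating_rules() {
    alias=$1
    cat <<EOF
table <$alias> persist
block drop quick from <$alias> to any label "$alias-float-in"
block drop quick from any to <$alias> label "$alias-float-out"
EOF
}

# rule_count ALIAS: number of block rules in the floating form, for checks.
rule_count() {
    floating_rules "$1" | grep -c '^block '
}

# Stand-alone demonstration with assumed interface and alias names.
alias_only_rules em0 em1 pfBlockerTopSpammers
floating_rules pfBlockerTopSpammers
```

Either form keeps the alias as the single source of truth: pfBlocker refreshes the table contents, and the rule count stays fixed no matter how many lists you add, which is exactly the property the auto-generated rules were failing to provide.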
-
If you do not have any service published on WAN, then there is no need to use pfBlocker for inbound restriction.
Excellent point! Thanks again!