Netgate Discussion Forum
    Creating a rule to bypass pfBlocker

pftdm007

Hey Nachtfalke,

sorry buddy, I didn't understand well…

In a nutshell, I want to:

- have pfblocker rules ALWAYS active. They CANNOT be schedule-based or time-based and must be protecting my network continuously.

- the "peak" rule is meant to limit bandwidth during certain periods of the day. My ISP doesn't count data usage between 2AM & 8AM, so during that time span I want pfSense to use the WAN's D/L & U/L speeds at maximum capacity. Otherwise, restrict to let's say 1Mbps D/L & 800Kbps U/L. I already have a schedule implemented and it's using limiters. So the real question is: should the Peak rule be on TOP of the list or somewhere else?

- Finally, the allowedaliases rule is meant to allow connectivity to & from the usenet servers I am trying to use. Like the pfblocker rule, it should be permanent and continuously active.

      What modifications do you suggest?

Nachtfalke

        @lpallard

        Now it's clear I think  :)

        The "allowedaliases" must be on TOP of the pfblocker rules. So the order should be this:

        allowedaliases
        pfblocker
        peak
        other rules

        I think now we got it  8)

chpalmer

          And remember- anytime you click "Save" on the pfblocker screen it will move its rules back to the top on the firewall page.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

pftdm007

Hmmm.. doesn't work.

I double checked my schedule, it seems OK to me.

I double checked the Alias, it is set to "Host(s)" with the FQDN addresses such as news.supernews.com.

I double checked the Traffic shaper > Limiter, and I have 2 limiter rules: one for incoming traffic, one for outgoing. Both are enabled and their rates are specified.

Right now I did not create any custom rules in LAN. pfBlocker created its own stuff but that's it. Earlier you had mentioned:

If the case is b) then pfblocker has nothing to do with that and you need to check your LAN firewall rules.

But before I installed pfBlocker, all was fine with the usenet servers. As a matter of fact, if I disable pfBlocker, I can connect to the servers. I have even created a duplicate of the allowedaliases rule in the LAN list of rules and put it at the top before pfBlocker's rules. Not helping either.

In the firewall logs I see:

pf: 192.168.0.101.60025 > 178.22.82.40.5563: Flags [S], cksum 0x45cd (correct), seq 3250693445, win 5840, options [mss 1460,sackOK,TS val 793546639 ecr 0,nop,wscale 6], length 0

Is this log entry relevant?
            
Nachtfalke

              Do you use pfblocker on LAN or on WAN or on both?
              In general you only use this on WAN - but probably you can use it on LAN, too.

Can you post your actual WAN and LAN rules?

              For your allowedalias - you should enable the firewall log and check all relevant IPs and their DNS name to make sure you really got all the IPs in your alias. I suppose that "news.supernews.com" is the only URL needed.

pftdm007

I am using pfBlocker on WAN only. I will confirm when I get back home tonight but I am 99.99999% sure..

WAN rules I already posted in one of my posts above. Hasn't changed. LAN rules are identical (with the newly created allowedaliases rule on top) but other than that, it's the pfBlocker rules. Again I will post a screenshot tonight.

I have enabled the FW logs for allowedalias. There are 4 usenet servers to be able to connect to. In the alias for these servers, I added all 4.

All I see in the logs are similar messages as posted before, with the IP address changing all the time (resolving to a cloud of servers I guess…). That's it. I don't know how to interpret these messages. The IP in bold below is the usenet server I am trying to connect to. This IP changes from time to time.

pf: 192.168.0.101.60025 > **178.22.82.40**.5563: Flags [S], cksum 0x45cd (correct), seq 3250693445, win 5840, options [mss 1460,sackOK,TS val 793546639 ecr 0,nop,wscale 6], length 0

pftdm007

Attached are screenshots of both LAN & WAN rulesets.

This is what I see in pfSense's logs (firewall) when I try to connect to any one of the 4 servers:

Server 1 (eunews.blocknews.net):

pf: 192.168.0.101.44670 > 178.22.82.42.5563: Flags [S], cksum 0x417f (correct), seq 2814321279, win 5840, options [mss 1460,sackOK,TS val 36477375 ecr 0,nop,wscale 6], length 0

Server 2 (news.eu.supernews.com):

pf: 192.168.0.101.53238 > 138.199.67.30.563: Flags [S], cksum 0x6809 (correct), seq 927555493, win 5840, options [mss 1460,sackOK,TS val 36359922 ecr 0,nop,wscale 6], length 0

Server 3 (news.supernews.com): **WORKED**
**Nothing appeared in Firewall logs**

Server 4 (usnews.blocknews.net):

pf: 192.168.0.101.34235 > 198.186.190.126.563: Flags [S], cksum 0x439c (correct), seq 2491495109, win 5840, options [mss 1460,sackOK,TS val 36460013 ecr 0,nop,wscale 6], length 0

![ISS1.jpg](/public/_imported_attachments_/1/ISS1.jpg)
![ISS2.jpg](/public/_imported_attachments_/1/ISS2.jpg)
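The log lines above say only that a SYN was seen, not whether the destination still matches what the FQDN alias resolved to when the rules were loaded, which is the check Nachtfalke asked for. As an added example (not code from the thread or from pfSense), this Python script parses the pasted pf log lines and compares each destination and port against a constructed set of alias IPs; `ALIAS_IPS` and `ALLOWED_PORTS` are assumptions standing in for the poster's real alias and rule.

```python
import re

# Constructed sample: the three pf log lines pasted in this thread, with
# tcpdump's SYN flag written as "[S]" (the forum rendered it as "[s]").
SAMPLE_LOG = """\
pf: 192.168.0.101.44670 > 178.22.82.42.5563: Flags [S], cksum 0x417f (correct), seq 2814321279, win 5840, options [mss 1460,sackOK,TS val 36477375 ecr 0,nop,wscale 6], length 0
pf: 192.168.0.101.53238 > 138.199.67.30.563: Flags [S], cksum 0x6809 (correct), seq 927555493, win 5840, options [mss 1460,sackOK,TS val 36359922 ecr 0,nop,wscale 6], length 0
pf: 192.168.0.101.34235 > 198.186.190.126.563: Flags [S], cksum 0x439c (correct), seq 2491495109, win 5840, options [mss 1460,sackOK,TS val 36460013 ecr 0,nop,wscale 6], length 0
"""

# Assumption: what the "allowedaliases" host alias resolved to when the rules
# were loaded (pfSense resolves FQDN aliases periodically, not per packet).
ALIAS_IPS = {"178.22.82.40", "138.199.67.30", "198.186.190.126"}
# Assumption: the ports the alias rule passes (NNTP over TLS, as in the log).
ALLOWED_PORTS = {563, 5563}

# tcpdump-style pf log: "pf: <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LOG_RE = re.compile(
    r"^pf:\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_pf_line(line):
    """Split one pf log line into endpoints and TCP flags; None if not a pf line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"].strip().upper()}


def audit_connections(log_text, alias_ips, allowed_ports):
    """For every logged SYN, explain why the alias pass rule did or did not match."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is None or rec["flags"] != "S":
            continue  # only new connection attempts are interesting here
        if rec["dst"] not in alias_ips:
            verdict = "dst not in alias (FQDN resolved to a different IP)"
        elif rec["dport"] not in allowed_ports:
            verdict = "port not passed by rule"
        else:
            verdict = "covered by alias rule"
        findings.append((rec["dst"], rec["dport"], verdict))
    return findings


if __name__ == "__main__":
    for dst, port, verdict in audit_connections(SAMPLE_LOG, ALIAS_IPS, ALLOWED_PORTS):
        print(f"{dst}:{port} -> {verdict}")
```

With the constructed alias set, the first line (178.22.82.42) is flagged because the earlier log showed 178.22.82.40, which is exactly the "IP changes from time to time" symptom a host alias cannot keep up with.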
                  
chpalmer

                    dangerous setup there.

pftdm007

                      @chpalmer:

                      dangerous setup there.

Any way you can explain why?? What am I doing wrong? The rules you see were either:

                      created by a normal pfsense installation
                      created by pfblocker (pfblocker…)
                      created by me (allowedaliases)

jimp (Rebel Alliance Developer, Netgate)

                        @lpallard:

                        @chpalmer:

                        dangerous setup there.

Any way you can explain why?? What am I doing wrong? The rules you see were either:

                        created by a normal pfsense installation
                        created by pfblocker (pfblocker…)
                        created by me (allowedaliases)

                        Your last rule is allowing everything in on your WAN that isn't blocked by pfBlocker above that rule, which is dangerous.

                        You should only pass in the exact ports/IPs that you need, never pass everything in on WAN if you can help it.

pftdm007

                          Your last rule is allowing everything in on your WAN that isn't blocked by pfBlocker above that rule, which is dangerous.

The last rule being peakperiod, right?

Nachtfalke said:

PS: Your ALLOW rule "peak times" allows every traffic from everywhere when this rule/schedule is active. Your pfblocker rules cannot do anything until the peak rule is active. Just for your information.

I believe he was saying exactly the same thing. Then I misunderstood him at that time.

Then I don't understand how to have the dangerous rule (peakperiod) active 24/7. This rule has to control the bandwidth speeds on the WAN for whatever is going in/out. It's NOT meant to allow/block traffic (it's not a firewall rule in my mind, more a choking/traffic shaping rule).

jahonix

                            @lpallard:

                            I have a service trying to use a SSL server located in a region that is currently being blocked by pfBlocker.
                            …
                            Action : Pass
                            Disabled: Unchecked
                            Interface: WAN
                            Protocol TCP
                            Source type: Single host or alias : my alias

                            You want to connect from LAN (or any other local subnet) to a server on WAN, right?
                            Move the rule to the local interface where your traffic originates from.
                            In your setup you would allow the server in to you. I doubt you wanna do that…

pftdm007

OK I am still having problems…

Basically the speed limiter is not working. On the good side, the allowedaliases rule is now working. Initially I didn't understand the way rules really worked but now I think I am better at it.

On LAN, I added my custom rule to allow connection to the outside servers. I added a destination to the rule so now this rule sits on top of the list and AFAIK allows connection from the local client to the alias. See screenshot for details. It is working, but is it safe now??

On WAN, the speed limiter rule doesn't work. I am not sure how to add a rule on the WAN side to limit the in/out speeds without allowing the entire world to get in as chpalmer said…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.