PfBlockerNG
-
What would be the point of that?
Everything is passed through to the servers no matter what country it origins from.
:D
pfB pass/reject -> all others comes second.
-
I have set it to the second option as well..
pfSense Pass | PfB Pass | PfB Block/Reject
Now exactly which IP do I need to add to the top of the floating rules for HE Tunnel to work. I have tried the typical 66.220.2.74 and the gif remote address as well. Also where is the whitelist option?
The gif address (remote) should make it work. Are you sure the floating rule you created is a quick pass rule?
-
This is exactly what I have done… let me know what I may have missed..
PfBlocker enabled
All countries - Deny InboundIPv4 tab - Alias named Whitelist. Added IPv4 Custom Address - 66.220.2.74 and the gif remote address - List action is set to Permit both (open communications between pfSense and the 2 HE IP addresses)
Checked the Rules and its on the top by default through PfBlocker configuration.
Reloaded and even rebooted pfSense. Yet the tunnel is blocked. The moment I deselect the entire NA country list the tunnel is back on.
-
This is exactly what I have done… let me know what I may have missed..
PfBlocker enabled
All countries - Deny InboundIPv4 tab - Alias named Whitelist. Added IPv4 Custom Address - 66.220.2.74 and the gif remote address - List action is set to Permit both (open communications between pfSense and the 2 HE IP addresses)
Checked the Rules and its on the top by default through PfBlocker configuration.
Reloaded and even rebooted pfSense. Yet the tunnel is blocked. The moment I deselect the entire NA country list the tunnel is back on.
Looks like its configured ok. Dunno why it's not working. I'll let someone else with access to a pf box to help along.
-
Made progress…
If I de-select the US IPv6 list in the NA country list then the tunnel seems to be fine. Also I am back to the default PfB block/Reject rule load. So looks like the culprit is an IPv6 address on the US list..but now the question is which one is it that's blocking the HE tunnel?
-
If your using pfBlockerNG to create floating rules and not using it to create your pass list for whitelisted IPs, then pfSense Pass | PfB Pass | PfB Block/Reject would be the way to go. This way your whitelisted alias is before the pfBlockerNG rules.
-
This is working for me with floating rules enabled.
Default Order: | pfB_Block/Reject | All other Rules | (original format)
but now the US IPv6 list is de-selected.
-
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
I tried adding /64 in the end to that IP as well. Doesn't work.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
-
PfBlocker enabled
All countries - Deny InboundHmmm… There's default deny rule already. The above is an exercise in wasting memory and creating useless rules, or what exactly have I missed here?
So I tried to create a IPv6 Whitelist to see if it helps by adding my gif tunnel remote address 2001:470:xxxx:xxx::1 but it gives me this error while reloading
I tried adding /64 in the end to that IP as well. Doesn't work.Yeah, of course the /64 does not work. Should be 2001:470:xxxx:xxx::/1 without the bogus trailing 1. Other than that, seeing people shooting themselves in the foot by completely nonsensical blocking makes me wonder. WTF.
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install. PfBlocker has the settings unchecked and disabled at first install and is at users discretion to enable them how one wants for tighter control.
-
Create an alias outside of pfSenseNG for the IPv6 subnet you want to whitelist. Then add a manual permit rule to your floating rules (with quick checked). You will probably have to change the rule order to what I suggested before.
The IPv6 regex still needs some adjustments in pfBlockerNG. When we tested this a few months ago, I was able to get it work with some test IPv6 addresses I was using for testing. At the time, I couldn't locate any good list to thoroughly test like I did with IPv4
I will try it and if it doesn't work will hold off till there is a good update to the IPv6 address list.
-
Educate me where you see the default deny inbound global (all countries) rule on a base pfSense install.
Nowhere. It's not visible, it's implicit. Anything not allowed is denied by default. Unless you have some "allow from any" rule you wish to restrict via country blocking on your WAN, there's just no point in creating inbound country-based rules at all.
-
2001:470:xxxx:xxx::/1 or even just 2001:470:xxxx:xxx:: has not change. It still gives the same error…
[ WhitelistIPv6_custom_v6 ] Custom List Error ]
IPv6 area of PfBlocker definitely needs some work.
-
I have no idea what you are trying to to. First of all, if you wish to block the entire world except for one particular subnet, then nuke your "allow any" rule, allow only the respective subnet and forget about creating an incredibly huge "All countries" alias for blocking something that'd get implicitly blocked anyway if you designed your rules in a sane way.
-
Just installed the latest updates on 2 nategate pfsense firewalls and installed the latest pfblockerng on both. I selected all of the top 20 spammer countries IPV4 list set it to deny both and enabled. When I enable pfblockerng and hit save it is not creating any fire wall rules. I see where it created the alias URL but no rules under floating, Wan or Lan. I tried selecting the floatiing rules but that didn't do anything either. I tired running the force update, Force Cron and Force Reload and still no rules.
On my dashboard I enabled the pfblockerng widget and it shows pfblockerng is active but has a red down arrow that says No rules are defined for this alias.
The error log does not show any errors.
When I do a reload this shows in the logs
"No Changes to Firewall Rules, Skipping Filter Reload"Any suggestions on what I need to do to get the rules created?
-
Any suggestions on what I need to do to get the rules created?
Changes are Applied via CRON or 'Force Update'. In red, and in bold letters at the bottom.
-
I don't have a terribly compelling use for pfblockerng right now, but I was playing around with it just to see if I could get it to block ads with reasonable effectiveness. I added some lists from iblocklist (the ads list there, plus the YoYo list) and configured them to reject on outbound LAN. When I had logging on, I saw lots of hits (so many I turned off logging), but no noticeable decrease in ads. Is this to be expected?
I'm guessing that DNSBL+Adblock-easylist functionality in pfblockerng-v2 will improve things, I'm just curious how this lines up with other users' experiences.
-
Install adblock in firefox and "borrow" the list from there…it works.
-