Netgate Discussion Forum

    PfBlockerNGSuppress: Added host Alias List but not allowing through

      dbennett

      Greetings!

      I'm having issues getting some IPs that are located in the Top20 to be allowed through pfBlockerNG.

      I have a list of hosts I've added to an Alias and added that Alias to the pfBlockerNGSuppress Alias.  I also checked the Enable Suppression.

      Is there anything else I have to do?

      Dinoe

        BBcan177 Moderator

        Hi Dino, you're mixing some things up… Please read the following first and see if it answers your question...

        https://forum.pfsense.org/index.php?topic=86212.msg513676#msg513676

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          dbennett

          Thanks for responding so quickly!

          I read it but, sorry still not sinking in that I'm doing something other than what it's saying.

          To clarify, I'm not referencing the pfblockerNG Suppression alias in any rule.
          I did add an alias with hosts to the pfblockerng suppression alias.
          I added the IPs that were being blocked directly to the pfblockerng suppression alias to see if that worked. But it didn't.

          Also, I'm confused about the 'Whitelist' alias.  Is this something I create on my own and pfBlockerNG will reference that alias, or is there some place within pfblockerng that I add IPs to and it creates the whitelist?

          Lastly, I've been reading a lot about '+' in the alert section.  I haven't seen one yet.

          Your help is greatly appreciated.

          Dino

            BBcan177 Moderator

            Hey Dino,

            In the pfBlockerNGSuppress alias, you can't stack another pfSense alias in it… You have to add the IPs individually to this alias (/24 or /32).

            To get the "+" icon to show in the Alerts Tab, you need to enable the "Suppression" checkbox in the "General Tab".

            Did you by chance manually create this alias? If so, please delete that alias, and let the package auto-create this alias, and then you can add to it...

            For the "Whitelist" alias, you will need to create a new pfBlockerNG alias, go to the "IPv4" tab, and click the "+" icon to add a new alias. Then define it as "Permit Outbound", enter the IPs that you want to allow Outbound in the Custom Box, save and run a "Force Update".

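Added example, not part of the original post and not pfBlockerNG code: a pre-check for a list of entries before they are typed or imported into the pfBlockerNGSuppress alias, based on the constraint stated above (individual IPs as /24 or /32, no nested aliases). The function name, the CIDR output form and the sample entries are assumptions made for illustration.

```python
import ipaddress

def normalize_suppress_entries(lines):
    """Split candidate entries into (accepted, rejected) for a /24-or-/32-only list."""
    accepted, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)  # a bare IPv4 address parses as /32
        except ValueError:
            rejected.append((entry, "not an IP; nested alias names are not expanded"))
            continue
        if iface.version != 4:
            rejected.append((entry, "not IPv4"))
        elif iface.network.prefixlen == 32:
            accepted.append(f"{iface.ip}/32")
        elif iface.network.prefixlen != 24:
            rejected.append((entry, "mask must be /24 or /32"))
        elif iface.ip != iface.network.network_address:
            # Silently widening one host to 256 addresses would over-suppress.
            rejected.append((entry, "host bits set; use the .0/24 network or a /32"))
        else:
            accepted.append(str(iface.network))
    # Drop duplicates and /32 hosts already covered by an accepted /24.
    nets24 = {ipaddress.ip_network(a) for a in accepted if a.endswith("/24")}
    result = []
    for a in accepted:
        net = ipaddress.ip_network(a)
        covered = net.prefixlen == 32 and any(net.subnet_of(n) for n in nets24)
        if a not in result and not covered:
            result.append(a)
    return result, rejected

# Constructed sample input (documentation address ranges, hypothetical alias name).
SAMPLE = [
    "MonitoringHosts", "198.51.100.7", "198.51.100.7/32", "203.0.113.0/24",
    "203.0.113.25", "203.0.113.9/24", "192.0.2.0/25", "2001:db8::1",
    "", "  192.0.2.44  # probe",
]

if __name__ == "__main__":
    ok, bad = normalize_suppress_entries(SAMPLE)
    print("\n".join(ok))
    for entry, reason in bad:
        print(f"REJECTED {entry}: {reason}")
```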
              dbennett

              Thank you very much for the reply and the well spoken instructions!

              Oh ok.  I have been cleaning out and consolidating a number of items in our firewall including the aliases.  So I didn't think twice about simply being efficient and adding the alias with all the IPs in it because there are a lot of them.

              The check box was checked but still no "+" icon yet.  I did not manually create the pfBlocker alias but I'll go ahead and delete it.  Once it recreates the alias I'll go and add a few IPs to test.  Once it's created, I assume I can go in, export the Aliases and bulk import the IPs I need into that alias without issue, correct?  Basically, once created I can treat it like any other Alias (other than adding other aliases to it)?

              My Top20 rule is blocking inbound 'Email Ports'.  If I were to create a whitelist to allow Outbound that would only work for those on the inside, correct?  The IPs I need to be allowed through are for monitoring our infrastructure but there is a specific port alias I want to use.  With that said, I assume my only option is a whitelist and allow inbound.  Is there anything I should be careful to NOT do in doing this?

              Thanks very much for your responses and sharing your knowledge!

              Dino

                BBcan177 Moderator

                When you enable "Suppression" in the General tab, the "+" icon should appear in the Alerts Tab beside the Blocked IP address.

                Maybe you can use the "Adv Inbound Settings" for those Open Ports :

                https://forum.pfsense.org/index.php?topic=86212.msg524957#msg524957

                For the Whitelist, be careful with Permit Inbound or Permit Both… You only want to use those if you set the specific ports and destination LAN IP addresses that are allowed to enter from the WAN. Otherwise you are allowing those IPs to bypass any other Firewall rules in the WAN Firewall tab. Rules are processed top to bottom...

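Added example, not part of the original post and not pfSense or pfBlockerNG code: a simplified first-match model of the top-to-bottom rule processing described above, comparing an unscoped Permit Inbound whitelist with one limited to a destination LAN address and port. All addresses, ports, rule labels and the `Rule` structure are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str             # "pass" or "block"
    src: str                # source network in CIDR form
    dst: str = "0.0.0.0/0"  # destination network; the default means any
    ports: tuple = ()       # destination ports; empty means any
    label: str = ""

def first_match(rules, src, dst, port):
    """Return (action, label) of the first rule matching the packet, top to bottom."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action, r.label
    return "block", "default deny"

# Constructed values: the monitoring source sits inside a blocked range.
MONITOR = "198.51.100.7/32"
BLOCK_EMAIL = Rule("block", "198.51.100.0/24", ports=(25, 465, 587),
                   label="Top20 email ports")
OTHER_BLOCK = Rule("block", "0.0.0.0/0", "10.0.0.20/32", (3389,),
                   "existing WAN block")

# Whitelist placed above the other WAN rules, without and with scoping.
UNSCOPED = [Rule("pass", MONITOR, label="whitelist (any port, any dest)"),
            BLOCK_EMAIL, OTHER_BLOCK]
SCOPED = [Rule("pass", MONITOR, "10.0.0.10/32", (25,), "whitelist (scoped)"),
          BLOCK_EMAIL, OTHER_BLOCK]

if __name__ == "__main__":
    for name, rules in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        # Same packet both times: monitoring host reaching an unrelated service.
        print(name, first_match(rules, "198.51.100.7", "10.0.0.20", 3389))
```

With the unscoped whitelist the packet to 10.0.0.20:3389 is passed before the existing block rule is ever evaluated; with the scoped whitelist it falls through and is blocked.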