New PFSense user needs PFBlockerNG advice
-
I'm a new PFSense user, coming from DD-WRT. I got OpenVPN working well and some port forwarding for a few media devices. Now it's time for the advanced firewall stuff.
Just installed PFBlockerNG. I set all countries except US to deny inbound both IPv4 and IPv6. I found 8 lists (links) on this site to put in IPv4 blocking. They were from a post from the amazing person who wrote PFBlockerNG. They're supposed to be malicious sites. I set to deny inbound and outbound.
This level of firewall is new to me.
Did I do the right stuff to get started? Was it overkill or should I do more? Is there a repository of lists I should look at? Are there more lists I should add? Should I load and configure snort in addition, or is this enough?
My PC is newly built. It uses a fanless Supermicro MB with a J1900 processor, twin Intel internet ports, 8GB RAM, 120GB SSD in a mini-ITX M350 case. This is for reference in case power considerations are a factor. Internet is 25/5 but will go to 50/10 or a little more later. GB speeds not likely. It's a home router with light demands. My old router is now a wireless access point.
Thanks.
-
@jim1000:
Just installed PFBlockerNG. I set all countries except US to deny inbound both IPv4 and IPv6.
Why? There is default block rule. You're doing it completely wrong.
-
@jim1000:
Just installed PFBlockerNG. I set all countries except US to deny inbound both IPv4 and IPv6.
Why? There is default block rule. You're doing it completely wrong.
OK, how do I do it right? I followed some instructions I found and a YouTube video. Then guessed at the rest.
-
Whitelist the US if you are running some servers on LAN and have allow from any rules on WAN. Otherwise, blocking inbound is totally pointless.
-
Whitelist the US if you are running some servers on LAN and have allow from any rules on WAN. Otherwise, blocking inbound is totally pointless.
I have no idea what you just said. I have a home router. Except for a couple of Slingboxes and an OpenVPN so I can surf on public wifi safely, I have no servers on LAN and need to protect myself from outsiders beyond NAT and SPI.
-
All inbound traffic on WAN is blocked by default. Without seeing your NAT/WAN rules, further debate is just pointless.
-
All inbound traffic on WAN is blocked by default. Without seeing your NAT/WAN rules, further debate is just pointless.
Not trying to start a war here. I followed the PFBlockerNG instructions, or believe I did. A YouTube video blocked all inbound for every country except US for the same reasons as me, I don't have any need to connect inbound from anywhere except the US. The PFBlockerNG config pages state that the block makes me invisible. The same documentation recommends the site lists I used, plus I added a few more from a comment here posted by the guy who wrote PFBlockerNG.
-
Yeah, the unknown YT video produced by god knows who is just stupid when it suggests to use a huge blacklist instead of tiny whitelist.
-
Yeah, the unknown YT video produced by god knows who is just stupid when it suggests to use a huge blacklist instead of tiny whitelist.
So where are instructions on how to use PFBlockerNG that state what you said? I used the documentation offered by the PFSense site. Plus please point to an explanation of why a whitelist is better than the elaborate configuration made possible in the PFBlockerNG interface?
A whitelist implies I can only get to a few sites and all others are blocked. That kind of defeats the purpose of a home internet connection. Or it makes it real hard to connect via OpenVPN from public wifi halfway across the country.
Edit: I just found I-Blocklist. I suspect some or all of the lists I use came from there or are also posted there. Is there a limit to the number of lists before it is too many?
-
@jim1000:
So where are instructions on how to use PFBlockerNG that state what you said?
I already asked you for the NAT/WAN rules so that we are able to provide relevant advice…
@jim1000:
I used the documentation offered by the PFSense site.
No, you used some nonsensical YT video, apparently.
@jim1000:
why a whitelist is better than the elaborate configuration made possible in the PFBlockerNG interface?
$ wc -l /usr/pbi/pfblockerng-amd64/share/GeoIP/* | grep total
388144 total
$ wc -l /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt
36270 /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt
Hope that it'd be clear now why whitelisting 36K subnets is better than blacklisting 350K subnets.
@jim1000:
A whitelist implies I can only get to a few sites and all others are blocked. That kind of defeats the purpose of a home internet connection.
So why are you setting pfBNG to "deny inbound and outbound"?! Regardless, it won't make any difference, you've already denied the entire world except the US by your badly designed rules. The only difference the whitelist makes here is not wasting loads of system resources for nothing.
-
inbound and outbound …
First, that was a new user question. Not a master plan to start a flame war. Look at the original post again for more info. To me, these seemed like reasonable and rather polite requests for feedback from a newbie to PFSense.
Second, my assumption was that these lists are for bad sites that nobody should visit. If I somehow link there, the list will prevent a connection. This would prevent a poisoned DNS server from being effective. Plus the edu lists from I-blocklists will keep OUT University of Michigan scanners and others who play with internet scanning software.
Third, the country blocking comes from elaborate configuration pages within PFBlockerNG. If they aren't meant to be used, why put them there? This will keep out the Chinese by seemingly making me look invisible, as opposed to inaccessible due to NAT. Plus, I have a few ports open. If someone finds them and knows of a hack to get through, the country blocks will assist in keeping them out.
-
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny.
-
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny.
Your post here makes it look like you're confusing NAT rules with PFBlockerNG operations. The lists include the Spamhaus DROP and EDROP, and others. There's nothing to screen print. The country blocking is from pre-configured pages within the package.
The questions involve the proper use of PFBlockerNG, as I am still a new user.
-
Your posts and total lack of basic understanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. No one asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
-
Your posts and total lack of basic understanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. No one asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
Reported to moderator. Your reply was uncalled for and completely mystifying.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
Same to you. Looked at NAT rules. Still nothing to screen print. PFBlockerNG makes no entries there. For 3500+ posts, you sure don't seem to know very much.
Edit: looked at firewall rules. PFBlockerNG made a few entries there, but they seemed to be related to the package, not thousands of individual rules. Only a few that looked pretty standard relative to the package.
So, back to the original question at entry #1 about the proper configuration of PFBlockerNG from someone who knows what they are talking about this time.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
Watch me cry – Not.
-
Hi, Jim
Before doing anything to set up your first pfSense, you need to understand what 'inbound' and 'outbound' are. To make it simple, 'inbound' is traffic from the outside world to your WAN, 'outbound' is traffic from your LAN to the outside world. By default pfSense blocks all the 'inbound' traffic, so your 'Deny inbound' is useless; basically you just need to 'Deny outbound'. That's what doktornotor told you. The only case where you need 'Deny inbound/both' is when you have set up NAT port forwarding or something like that; that's why doktornotor asked you for some of your NAT screenshots.
BTW, instead of denying all except US, why don't you just allow US only? That simplifies your firewall/NAT rules, which is also what doktornotor suggested to you.
I recommend that you really understand the basic firewall things first before setting up pfSense and all the add-on packages.
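The rule logic that doktornotor's list counts and the last post both describe, written out as an added example in plain pf syntax. This fragment is not part of the original thread and is not what pfSense's GUI or pfBlockerNG generate; it is hand-written to show why a default deny plus a small US whitelist on the one exposed service does the same job as a deny rule built from every other country. The interface name igb0, the OpenVPN port 1194 and the path of the malicious-host list are assumptions; the GeoIP file path is the one quoted earlier in the thread.

```pf
# Hand-written pf.conf fragment for illustration (not generated by pfSense/pfBlockerNG).
ext_if    = "igb0"     # assumed WAN interface name
ovpn_port = "1194"     # assumed OpenVPN listening port

# ~36K US prefixes (path quoted in the thread) vs ~350K prefixes for "everyone else":
# a whitelist table is an order of magnitude smaller to load and evaluate.
table <US_v4> persist file "/usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt"

# Assumed path: a feed of malicious hosts (Spamhaus DROP/EDROP etc.), one CIDR per line.
table <pfB_Malicious> persist file "/var/db/pfblockerng/malicious_v4.txt"

set skip on lo0

# Default deny: anything arriving on WAN that no later "pass in" matches is dropped.
# A separate "block in from <every country but US>" adds nothing here.
block in log on $ext_if

# The only inbound service exposed is OpenVPN; restrict the pass rule itself to US sources.
pass in quick on $ext_if inet proto udp from <US_v4> to ($ext_if) port $ovpn_port

# Outbound: stop LAN hosts from reaching listed malicious destinations, allow the rest.
block out log quick on $ext_if inet to <pfB_Malicious>
pass out on $ext_if keep state
```

Reading order matters in pf: rules without `quick` are evaluated last-match, so `block in` is the fallback and the `pass in quick` line is the single exception for US sources. Syntax can be checked with `pfctl -nf /path/to/file` before loading anything.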