New PFSense user needs PFBlockerNG advice
-
Whitelist the US if you are running some servers on LAN and have allow from any rules on WAN. Otherwise, blocking inbound is totally pointless.
I have no idea what you just said. I have a home router. Except for a couple of slingboxes and a OpenVPN so I can surf on public wifi safely, I have no servers on LAN and need to protect myself from outsiders beyond NAT and SPI.
-
All inbound traffic on WAN is blocked by default. Without seeing your NAT/WAN rules, further debate is just pointless.
-
All inbound traffic on WAN is blocked by default. Without seeing your NAT/WAN rules, further debate is just pointless.
Not trying to start a war here. I followed the PFBlockerNG instructions, or believe I did. A YouTube video blocked all inbound for every country except US for the same reasons as me, I don't have any need to connect inbound from anywhere except the US. The PFBlockerNG config pages state that the block makes me invisible. The same documentation recommends the site lists I used, plus I added a few more from a comment here posted by the guy who wrote PFBlockerNG.
-
Yeah, the unknown YT video produced by god knows who is just stupid when it suggests to use a huge blacklist instead of tiny whitelist.
-
Yeah, the unknown YT video produced by god knows who is just stupid when it suggests to use a huge blacklist instead of tiny whitelist.
So where are instructions on how to use PFBlockerNG that state what you said? I used the documentation offered by the PFSense site. Plus please point to an explanation of why a whitelist is better than the elaborate configuration made possible in the PFBlockerNG interface?
A whitelist implies I can only get to a few sites and all others are blocked. That kind of defeats the purpose of a home internet connection. Or it makes it real hard to connect via OpenVPN from public wifi halfway across the country.
Edit: I just found I-Blocklist. I suspect some or all of the lists I use came from there or are also posted there. Is there a limit to the number of lists before it is too many?
-
@jim1000:
So where are instructions on how to use PFBlockerNG that state what you said?
I already asked you for the NAT/WAN rules so that we are able to provide relevant advise…
@jim1000:
I used the documentation offered by the PFSense site.
No, you used some nonsensical YT video, apparently.
@jim1000:
why a whitelist is better than the elaborate configuration made possible in the PFBlockerNG interface?
$ wc -l /usr/pbi/pfblockerng-amd64/share/GeoIP/* | grep total
388144 total$ wc -l /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt
36270 /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txtHope that it'd be clear now why whitelisting 36K subnets is better than blacklisting 350K subnets.
@jim1000:
A whitelist implies I can only get to a few sites and all others are blocked. That kind of defeats the purpose of a home internet connection.
So why are you setting pfBNG to "deny inbound and outbound"?! Regardless, it won't make any difference, you've already denied the entire world except the US by your badly designed rules. The only difference the whitelist makes here is not wasting loads of system resources for nothing.
-
inbound and outbound …
First, that was a new user question. Not a master plan to start a flame war. Look at the original post again for more info. To me, these seemed like a reasonable and rather polite request for feedback for a newbie to PFSense.
Second, my assumption was that these lists are for bad sites that nobody should visit. If I somehow link there, the list will prevent a connection. This would prevent a poisoned DNS server from being effective. Plus the edu lists from I-blocklists will keep OUT University of Michigan scanners and others who play with internet scanning software.
third, the country blocking comes from elaborate configuration pages within PFBlockerNG. If they aren't meant to be used, why put them there? THis will keep out the Chinese by seemingly making me look invisible, as opposed to inaccessible due to NAT. Plus, I have a few ports open. If someone finds them and knows of a hack to get through, the country blocks will assist in keeping them out.
-
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny. -
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny.Your post here makes it look like you're confusing NAT rules with PFBlockerNG operations. The lists include the Spamhaus DROP and EDROP, and others. There's nothing to screen print. The country blocking is from pre-configured pages within the package.
The questions involve the proper use of PFBlockerNG, as I am still a new user.
-
Your posts and total lack of basic undestanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. Noone asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
-
Your posts and total lack of basic undestanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. Noone asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
Reported to moderator. Your reply was uncalled for and completely mystifying.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
Same to you. Looked at NAT rules. Still nothing to screen print. PFBlockerNG makes no entries there. For 3500+ posts, you sure don't seem to know very much.
Edit: looked at firewall rules. PFBlockerNG made a few entries there, but they seemed to be related to the package, not thousands of individual rules. Only a few that looked pretty standard relative to the package.
So, back to the original question at entry #1 about the proper configuration of PFBlockerNG from someone who knows what they are talking about this time.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
Watch me cry – Not.
-
Hi, Jim
Before doing anything to set up your first pfSense, you need to understand what 'inbound' and 'outbound' are. Make it simple, 'Inbound' is the ones from outside world to your WAN, 'outbound' is the ones from your LAN to outside world. By default pfSense blocks all the 'inbound' ones, so your 'Deny inbound' is useless, basically you just need to 'Deny outbound'. Thats what doktornotor told you. The only thing that you need to 'Deny inbound/both' is that you have setup NAT port forwarding or something like that, thats why doktornotor ask you to give some your NAT screenshots.
BTW, instead of denying all except US, why don't you just allow US only, thats simplify your firewall NAT rules, thats also doktornotor suggested to you.
I recommended that you really need to understand the basic firewall thing first before setting up pfSense and all the add on packages.
-
Hi, Jim
Before doing anything to set up your first pfSense, you need to understand what 'inbound' and 'outbound' are. Make it simple, 'Inbound' is the ones from outside world to your WAN, 'outbound' is the ones from your LAN to outside world. By default pfSense blocks all the 'inbound' ones, so your 'Deny inbound' is useless, basically you just need to 'Deny outbound'. Thats what doktornotor told you. The only thing that you need to 'Deny inbound/both' is that you have setup NAT port forwarding or something like that, thats why doktornotor ask you to give some your NAT screenshots.
BTW, instead of denying all except US, why don't you just allow US only, thats simplify your firewall NAT rules, thats also doktornotor suggested to you.
I recommended that you really need to understand the basic firewall thing first before setting up pfSense and all the add on packages.
I completely understand the difference between outbound and inbound. Countries are denied inbound. SPI allows me to still get out and communicate with them if I initiate the contact. All malicious site lists and the like are denied outbound and inbound.
As I have recently discovered, everyone on earth is scanning the internet all the time and searching for open vulnerabilities. Zmap can scan the entire internet in minutes if you have a large enough pipe. Not everyone has noble educational purposes in mind.
Your answers raise the question about why this firewall feature is even required if NAT and SPI are all you need, which is your answer by implication. Ditto with snort, by implication.
Please explain why PFSense does more than a $20 router and is preferable, as you imply the $20 router with NAT and SPI are all anyone needs.
I don't want to whitelist a few sites and be incapable of accessing a few I forgot. I want to blacklist a lot of bad ones. That's why I mentioned the new router specs as I understand more power is needed if you ask for more services and the speed of your connection matters as well.
-
Be nice please, doktornotor.
Jim - do you have any port forwards on WAN? If so, then specifying an alias with US IPs as the source is best to accomplish what you want. No need to process through millions of table entries on block rules when ~36K or so entries as a whitelist would accomplish the same end result. If you have no port forwards or allow rules on WAN, then what you're doing is pointless as everything inbound on WAN will be blocked.
-
@cmb:
Be nice please, doktornotor.
Jim - do you have any port forwards on WAN? If so, then specifying an alias with US IPs as the source is best to accomplish what you want. No need to process through millions of table entries on block rules when ~36K or so entries as a whitelist would accomplish the same end result. If you have no port forwards or allow rules on WAN, then what you're doing is pointless as everything inbound on WAN will be blocked.
Same question as before. Why offer these packages if they are essentially worthless, as appears to be implied by your answer? Also, please look at my Zmap reference above for additional depth about my concerns.
-
@jim1000:
Same question as before. Why offer these packages if they are essentially worthless, as appears to be implied by your answer? Also, please look at my Zmap reference above for additional depth about my concerns.
They're worthless only if you don't have anything open. Lots of people have to forward ports for mail servers, web servers, etc. and their use is a big plus there for many. If you don't have anything open on WAN, you're just adding a bunch of block stuff to process when ultimately that traffic's just going to hit the one default deny block rule and get blocked anyway.
Any kind of port scanner is going to come back with nothing/"stealth" if you have no ports open/no pass rules on WAN. Adding more block rules on WAN when you're already blocking that traffic doesn't accomplish anything but using CPU unnecessarily.