New PFSense user needs PFBlockerNG advice
-
inbound and outbound …
First, that was a new user question. Not a master plan to start a flame war. Look at the original post again for more info. To me, these seemed like a reasonable and rather polite request for feedback for a newbie to PFSense.
Second, my assumption was that these lists are for bad sites that nobody should visit. If I somehow link there, the list will prevent a connection. This would prevent a poisoned DNS server from being effective. Plus the edu lists from I-blocklists will keep OUT University of Michigan scanners and others who play with internet scanning software.
third, the country blocking comes from elaborate configuration pages within PFBlockerNG. If they aren't meant to be used, why put them there? THis will keep out the Chinese by seemingly making me look invisible, as opposed to inaccessible due to NAT. Plus, I have a few ports open. If someone finds them and knows of a hack to get through, the country blocks will assist in keeping them out.
-
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny. -
1/ So, I take it we just won't see the damned screenshot of the rules. Despite requested 3 times by now. I won't keep begging for them. RTFM and help yourself.
2,3/ I figure you have no clue what's inbound and outbound and what's default deny.Your post here makes it look like you're confusing NAT rules with PFBlockerNG operations. The lists include the Spamhaus DROP and EDROP, and others. There's nothing to screen print. The country blocking is from pre-configured pages within the package.
The questions involve the proper use of PFBlockerNG, as I am still a new user.
-
Your posts and total lack of basic undestanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. Noone asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
-
Your posts and total lack of basic undestanding of firewalls waste mine - and everyone else's - time. I was willing to provide screenshots of exact settings required to allow whatever WAN access you need inbound to your LAN. That is impossible without seeing the damned NAT/WAN rules, since I lack a crystal ball. Noone asked you to provide any screenshots of pfBNG country lists or any similar nonsense.
Stop posting useless shit and provide requested information. Otherwise, GTFO, frankly.
Reported to moderator. Your reply was uncalled for and completely mystifying.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
-
@jim1000:
Reported to moderator. Your reply was uncalled for and completely mystifying.
Yeah, feel free. Now, just piss off and help yourself. Incredible. What a waste of time.
Same to you. Looked at NAT rules. Still nothing to screen print. PFBlockerNG makes no entries there. For 3500+ posts, you sure don't seem to know very much.
Edit: looked at firewall rules. PFBlockerNG made a few entries there, but they seemed to be related to the package, not thousands of individual rules. Only a few that looked pretty standard relative to the package.
So, back to the original question at entry #1 about the proper configuration of PFBlockerNG from someone who knows what they are talking about this time.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
-
Indeed, I'm just a stupid beta tester of this damned package. Welcome to my ignore list.
Watch me cry – Not.
-
Hi, Jim
Before doing anything to set up your first pfSense, you need to understand what 'inbound' and 'outbound' are. Make it simple, 'Inbound' is the ones from outside world to your WAN, 'outbound' is the ones from your LAN to outside world. By default pfSense blocks all the 'inbound' ones, so your 'Deny inbound' is useless, basically you just need to 'Deny outbound'. Thats what doktornotor told you. The only thing that you need to 'Deny inbound/both' is that you have setup NAT port forwarding or something like that, thats why doktornotor ask you to give some your NAT screenshots.
BTW, instead of denying all except US, why don't you just allow US only, thats simplify your firewall NAT rules, thats also doktornotor suggested to you.
I recommended that you really need to understand the basic firewall thing first before setting up pfSense and all the add on packages.
-
Hi, Jim
Before doing anything to set up your first pfSense, you need to understand what 'inbound' and 'outbound' are. Make it simple, 'Inbound' is the ones from outside world to your WAN, 'outbound' is the ones from your LAN to outside world. By default pfSense blocks all the 'inbound' ones, so your 'Deny inbound' is useless, basically you just need to 'Deny outbound'. Thats what doktornotor told you. The only thing that you need to 'Deny inbound/both' is that you have setup NAT port forwarding or something like that, thats why doktornotor ask you to give some your NAT screenshots.
BTW, instead of denying all except US, why don't you just allow US only, thats simplify your firewall NAT rules, thats also doktornotor suggested to you.
I recommended that you really need to understand the basic firewall thing first before setting up pfSense and all the add on packages.
I completely understand the difference between outbound and inbound. Countries are denied inbound. SPI allows me to still get out and communicate with them if I initiate the contact. All malicious site lists and the like are denied outbound and inbound.
As I have recently discovered, everyone on earth is scanning the internet all the time and searching for open vulnerabilities. Zmap can scan the entire internet in minutes if you have a large enough pipe. Not everyone has noble educational purposes in mind.
Your answers raise the question about why this firewall feature is even required if NAT and SPI are all you need, which is your answer by implication. Ditto with snort, by implication.
Please explain why PFSense does more than a $20 router and is preferable, as you imply the $20 router with NAT and SPI are all anyone needs.
I don't want to whitelist a few sites and be incapable of accessing a few I forgot. I want to blacklist a lot of bad ones. That's why I mentioned the new router specs as I understand more power is needed if you ask for more services and the speed of your connection matters as well.
-
Be nice please, doktornotor.
Jim - do you have any port forwards on WAN? If so, then specifying an alias with US IPs as the source is best to accomplish what you want. No need to process through millions of table entries on block rules when ~36K or so entries as a whitelist would accomplish the same end result. If you have no port forwards or allow rules on WAN, then what you're doing is pointless as everything inbound on WAN will be blocked.
-
@cmb:
Be nice please, doktornotor.
Jim - do you have any port forwards on WAN? If so, then specifying an alias with US IPs as the source is best to accomplish what you want. No need to process through millions of table entries on block rules when ~36K or so entries as a whitelist would accomplish the same end result. If you have no port forwards or allow rules on WAN, then what you're doing is pointless as everything inbound on WAN will be blocked.
Same question as before. Why offer these packages if they are essentially worthless, as appears to be implied by your answer? Also, please look at my Zmap reference above for additional depth about my concerns.
-
@jim1000:
Same question as before. Why offer these packages if they are essentially worthless, as appears to be implied by your answer? Also, please look at my Zmap reference above for additional depth about my concerns.
They're worthless only if you don't have anything open. Lots of people have to forward ports for mail servers, web servers, etc. and their use is a big plus there for many. If you don't have anything open on WAN, you're just adding a bunch of block stuff to process when ultimately that traffic's just going to hit the one default deny block rule and get blocked anyway.
Any kind of port scanner is going to come back with nothing/"stealth" if you have no ports open/no pass rules on WAN. Adding more block rules on WAN when you're already blocking that traffic doesn't accomplish anything but using CPU unnecessarily.
-
@cmb:
@jim1000:
Same question as before. Why offer these packages if they are essentially worthless, as appears to be implied by your answer? Also, please look at my Zmap reference above for additional depth about my concerns.
They're worthless only if you don't have anything open. Lots of people have to forward ports for mail servers, web servers, etc. and their use is a big plus there for many. If you don't have anything open on WAN, you're just adding a bunch of block stuff to process when ultimately that traffic's just going to hit the one default deny block rule and get blocked anyway.
Any kind of port scanner is going to come back with nothing/"stealth" if you have no ports open/no pass rules on WAN. Adding more block rules on WAN when you're already blocking that traffic doesn't accomplish anything but using CPU unnecessarily.
Thank you. This would have been a great answer for post #2.
What is your opinion about malicious lists vs virus checkers? PFBlockerNG makes their use available and easy. I use sandboxie religiously so my risks are low. I'm just asking in general.
also, how does snort figure into this?
Also, thinking abstractly, your best guess … with zmap being so powerful and available, what about unknown risks that might become real someday. Same answer as above?
Also, I am forwarding WAN, 3 ports tcp and udp, to a couple of slingboxes and a sling player. also OpenVPN on port 443 tcp with OpenVPN handling forwarding as needed. Same answer?
-
I did a little research and read that aliases will provide better protection and PFBlockerNG is unclear with respect to being needed. What are aliases and how do you use them?
There's a lot of conflicting info and it's all unclear info for the new user.
I have 3 ports plus OpenVPN 443 tcp open, according to port scan sites.
The open ports are for slingboxes, and along with OpenVPN, may be used at any time by me from an IP address that can not be known beforehand. This, however, is immaterial since any open ports for any purpose from anyone are analogous.
Where is info that answers these questions? I installed PFSense for additional protections that are apparently unneeded? That seems a little unlikely.
How do i use PFBlockerNG for additional protection? It appears following the pfsense html page and other commonly available references will start a flame war if referenced.
Edit: Based on the comments I've received so far, I have decided to disable, not remove, PFBlockerNG as it appears to be a solution in need of a problem. Please correct me if I am wrong.
-
@jim1000:
Also, I am forwarding WAN, 3 ports tcp and udp, to a couple of slingboxes and a sling player. also OpenVPN on port 443 tcp with OpenVPN handling forwarding as needed. Same answer?
I thought you'd mentioned earlier in the thread that you had nothing open on WAN. That changes things. Block all that if you want, but better off creating a US alias then using that as the source in all your WAN rules.
-
@cmb:
@jim1000:
Also, I am forwarding WAN, 3 ports tcp and udp, to a couple of slingboxes and a sling player. also OpenVPN on port 443 tcp with OpenVPN handling forwarding as needed. Same answer?
I thought you'd mentioned earlier in the thread that you had nothing open on WAN. That changes things. Block all that if you want, but better off creating a US alias then using that as the source in all your WAN rules.
No I stated open ports but didn't stress it, hoping it would elicit simple conversation. The initial post mentioned port forwarding in the first sentences.
What are aliases and how do you use them? I also asked that question … but it will undoubtedly fan the flames by asking it again.
-
@jim1000:
What are aliases and how do you use them? I also asked that question … but it will undoubtedly fan the flames by asking it again.
I can answer your Aliases question. Aliases are really nothing more than containers for IP addresses. Think of them as substitution variables. You can create an Alias called "my_addresses". Then you use that alias name in firewall rules as either the source or destination IP address. You can also use aliases when specifying ports. You literally have the text "my_addresses" in the rule.
Then, on the Firewall > Aliases tab, you can put actual IP addresses in your Alias. During runtime the firewall will automatically substitute the list of IP addresses you provided into all the places in the rules where you used the "my_addresses" alias name. The same idea works for ports. You can even use special aliases that are fully qualified domain names (FQDN). For FQDN aliases, you provide a valid hostname as the value. During runtime, the firewall will resolve that host name to an IP and use the IP in rules where the FQDN alias name was provided. The caveat is that the lookup of FQDN hostname to IP only happens every 5 minutes, so it has some limitations.
The beauty of Aliases is you can change the IP addresses they represent anytime you want to in just one place, and the updated list of IP addresses is used everywhere automatically in the firewall rules that reference that Alias. You don't have to go manually touch every single rule to update the IP address.
Now with all that said, pfBlockerNG has some special aliases it creates and uses. The guy that created the package, user BBcan177, can hopefully come along and explain that better than me.
Bill
-
@jim1000:
What are aliases and how do you use them? I also asked that question … but it will undoubtedly fan the flames by asking it again.
I can answer your Aliases question. Aliases are really nothing more than containers for IP addresses. Think of them as substitution variables. You can create an Alias called "my_addresses". Then you use that alias name in firewall rules as either the source or destination IP address. You can also use aliases when specifying ports. You literally have the text "my_addresses" in the rule.
Then, on the Firewall > Aliases tab, you can put actual IP addresses in your Alias. During runtime the firewall will automatically substitute the list of IP addresses you provided into all the places in the rules where you used the "my_addresses" alias name. The same idea works for ports. You can even use special aliases that are fully qualified domain names (FQDN). For FQDN aliases, you provide a valid hostname as the value. During runtime, the firewall will resolve that host name to an IP and use the IP in rules where the FQDN alias name was provided. The caveat is that the lookup of FQDN hostname to IP only happens every 5 minutes, so it has some limitations.
The beauty of Aliases is you can change the IP addresses they represent anytime you want to in just one place, and the updated list of IP addresses is used everywhere automatically in the firewall rules that reference that Alias. You don't have to go manually touch every single rule to update the IP address.
Now with all that said, pfBlockerNG has some special aliases it creates and uses. The guy that created the package, user BBcan177, can hopefully come along and explain that better than me.
Bill
Thank you for your reply. I will study it and play around with it as the understanding evolves.
However, the context of the replies to my initial question involves me using aliases and whitelists with respect to port forwarding for my slingboxes and, possibly, my OpenVPN config. This is particularly unclear, especially with respect to PFBlockerNG in general.
I would almost prefer if the original question could be answered without regard to the flotsam that has followed previous to your answer.
