Netgate Discussion Forum

    PfBlockerNG rules is going downwards in the firewall rule everyday

    Category: pfBlockerNG
    45 Posts 11 Posters 14.4k Views
    doktornotor (Banned):

      @pfcode:

      The issue was that a rule was created at the Floating rule tab and moved to the top, but once pfBlockerNG updates the rules, all the non-pfBlockerNG rules that should be on the top were moved to the bottom, while all the pfBlockerNG rules were on the top, which they shouldn't be. That's the major issue with using pfBlockerNG.

      Dude. That is NOT how it works with what the OP configured. OMG… Select the proper option there. Not the one that puts pfBNG rules on the top by design. Really.

      souradip roy:

        Hi,

        We are still in the same state of problem after following your advice. It would be very kind of you if you could suggest anything else to fix this.

        Thank you in advance.

        doktornotor (Banned):

          Yeah, you are in a state of problem because you have selected the WRONG ORDER. Look at the OTHER options there. Pick one that fits your needs. The one shown on your screenshots is NOT the one you want. Possibly you want this one instead:

          pfcode:

            @doktornotor:

            Yeah, you are in a state of problem because you have selected the WRONG ORDER. Look at the OTHER options there. Pick one that fits your needs. The one shown on your screenshots is NOT the one you want. Possibly you want this one instead:

            Don't know whether you tested it or not before helping others. I had exactly the same rule order setting as you mentioned, BUT after pfBlockerNG updated its rules, the rule order at the Floating rule tab was not right. All the non-pfBlockerNG rules supposedly on the top were moved to the bottom, and all the pfBlockerNG rules were placed on the top.

            Release: pfSense 2.4.3(amd64)
            M/B: Supermicro A1SRi-2558F
            HDD: Intel X25-M 160G
            RAM: 2x8Gb Kingston ECC ValueRAM
            AP: Netgear R7000 (XWRT), Unifi AC Pro

            dsmithson:

              The current setting is the default.  Doesn't that option mean to keep the BLOCK/REJECT rules at the TOP?  It is not doing that.  It is MOVING THEM DOWN AUTOMATICALLY.

              doktornotor (Banned):

                @dsmithson:

                The current setting is the default.  Doesn't that option mean to keep the BLOCK/REJECT rules at the TOP?  It is not doing that.  It is MOVING THEM DOWN AUTOMATICALLY.

                Hopeless. Explained ~10 times by now.

                @pfcode: Need a translator, perhaps? Getting absolutely ridiculous. With what the OP configured, yes, it will ALWAYS get moved. Because he configured that this way. PEBKAC.  OSI Layer 8 error.  ::)

                pfcode:

                  Hi, BB

                  Got your file. It worked like a charm.  Thanks much for the fix, well done.


                  dsmithson:

                    @doktornotor:

                    @dsmithson:

                    The current setting is the default.  Doesn't that option mean to keep the BLOCK/REJECT rules at the TOP?  It is not doing that.  It is MOVING THEM DOWN AUTOMATICALLY.

                    Hopeless. Explained ~10 times by now.

                    @pfcode: Need a translator, perhaps? Getting absolutely ridiculous. With what the OP configured, yes, it will ALWAYS get moved. Because he configured that this way. PEBKAC.  OSI Layer 8 error.  ::)

                    I don't think you've explained anything at all here. The option selected is supposed to ensure that BLOCK/REJECT rules are at the TOP. It does not do that. The BLOCK/REJECT RULE IS BEING MOVED DOWN!!!! What exactly do you think you have explained?

                    doktornotor (Banned):

                      OMG. No, the option will put whatever pfBNG rules to the top. There clearly is a whole lot of people who should never use this package, because it's way over their heads and they have no clue what they are doing. Those "I've blocked the entire world minus my country" guys are another example.

                      P.S. Need a replacement keyboard? Seems like you have a key stuck.

                      dsmithson:

                        The block/reject rule to which I am referring is a pfBNG rule, is it not?  It is named pFB_Block_IPs.  According to your statement and to the wording of the actual automatic ordering option, it should be placed at the top of the firewall rule stack.  The ordering rule looks like this:

                        pfB_Block/Reject | All other rules | Original format

                        Does that not mean that the pfB_Block rule would be first?

                        BBcan177 (Moderator):

                          I made a few changes to the rule ordering code… When using the first order format, it will put the pfB Block/Reject before the pfB Permit rules... also a couple other improvements...

                          You can fetch the changed files from my gist:

                          First copy the existing file as backup:

                          cp /usr/local/pkg/pfblockerng/pfblockerng.inc /usr/local/pkg/pfblockerng/pfblockerng.inc.bk

                          Fetch the new file and execute a 'Force Update' cmd:

                          fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://gist.githubusercontent.com/BBcan177/cf6af30af46fedd37d07/raw"

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          igoldstein:

                            That seems to be working on our server that had the issue.

                            Did you do any other changes to the package, other than the ordering issue?

                            Should I be aware of any other issues?

                            Finally, I'd love it if you could add support for FQDNs in a list, and have a "resolver" resolve the FQDN every x amount of time, and the resolved IP should be whitelisted or blacklisted based on the rules of the list.

                            BBcan177 (Moderator):

                              @igoldstein:

                              That seems to be working on our server that had the issue.

                              Did you do any other changes to the package, other than the ordering issue?

                              Should I be aware of any other issues?

                              Finally, I'd love it if you could add support for FQDNs in a list, and have a "resolver" resolve the FQDN every x amount of time, and the resolved IP should be whitelisted or blacklisted based on the rules of the list.

                              Thanks for the feedback…  This fix will be in v2.0 which is just around the corner... v2.0 will have DNSBL domain name blocking via Unbound Resolver. It also allows conversion of an AS number into its respective IP Addresses.

                              Could always add another beta tester should you be interested to test it out? Send me a PM....

                              Thanks!


                              dsmithson:

                                BBcan177,

                                We have been testing the patch on one instance of pfSense in our environment. igoldstein added a new BLOCK rule to the access list on that instance. For some reason, now that rule gets moved down during 'update'. We think it might be because it's not a pfB rule, so pfB allow rules get ordered in front of it. See screenshot. The second rule, blocking access to port 22, is the one that we now have to move up nightly.

                                Is there an ordering option that will keep all block rules at the top even if they are not pfB rules?  Perhaps we are doing something wrong here.  Please advise.  Thank you.

                                Attachment: Capture.PNG

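A way to tell whether an update run is still displacing hand-written rules, as with the port-22 block rule dsmithson describes above after the patched pfblockerng.inc was fetched, is to snapshot the ruleset order before and after the cron or 'Force Update' run and look for a custom rule that now sits below a pfB rule. The script below is an added example, not code from this thread or from the pfBlockerNG package. It assumes that 'pfctl -sr' on the firewall prints rules in evaluation order with pfSense's label "USER_RULE: <description>" on GUI-created rules, and that pfBlockerNG's auto rules have descriptions beginning with pfB_; the two sample listings in the script are constructed for illustration, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the thread or the pfBlockerNG package.
# Checks whether a pfBlockerNG update run has sorted a hand-written rule
# below the pfB rules, using a pfctl-style listing (one rule per line, in
# evaluation order). Assumptions: GUI rules carry pfSense's
# label "USER_RULE: <description>", and pfBlockerNG's own rules have
# descriptions that start with pfB_.

# snapshot_rules FILE: save the live ruleset order on the firewall
# (pfSense/FreeBSD). Run once before the scheduled update and once after.
snapshot_rules() {
    pfctl -sr > "$1"
}

# rule_descriptions: read a listing on stdin; print the description of
# each USER_RULE in order, one per line (rules without that label are skipped).
rule_descriptions() {
    awk 'match($0, /label "USER_RULE: [^"]*"/) {
             # drop the 18-character prefix (label "USER_RULE: ) and the closing quote
             print substr($0, RSTART + 18, RLENGTH - 19)
         }'
}

# first_custom_below_pfb: read a listing on stdin; print the first non-pfB
# rule that is evaluated after a pfB_ rule. Prints nothing when every
# custom rule is still above the pfBlockerNG block.
first_custom_below_pfb() {
    rule_descriptions | awk '
        /^pfB_/  { seen_pfb = 1; next }
        seen_pfb { print; exit }'
}

# check_listing LISTING: return 1 and name the displaced rule when a custom
# rule ended up below the pfB rules, return 0 otherwise.
check_listing() {
    moved=$(printf '%s\n' "$1" | first_custom_below_pfb)
    if [ -n "$moved" ]; then
        echo "custom rule now below the pfB rules: $moved"
        return 1
    fi
    return 0
}

# Constructed sample listings (not captured from a real firewall) in the
# shape the thread describes: before the update the port-22 block rule is
# on top; afterwards the update has pushed it below the pfB rules.
BEFORE='block drop in quick on em0 proto tcp from any to any port = 22 label "USER_RULE: Block SSH unless whitelisted"
block drop in quick on em0 inet from <pfB_Block_IPs> to any label "USER_RULE: pfB_Block_IPs auto rule"
pass in quick on em0 inet from <pfB_Permit_IPs> to any label "USER_RULE: pfB_Permit_IPs auto rule"'

AFTER='block drop in quick on em0 inet from <pfB_Block_IPs> to any label "USER_RULE: pfB_Block_IPs auto rule"
pass in quick on em0 inet from <pfB_Permit_IPs> to any label "USER_RULE: pfB_Permit_IPs auto rule"
block drop in quick on em0 proto tcp from any to any port = 22 label "USER_RULE: Block SSH unless whitelisted"'

check_listing "$BEFORE" && echo "before update: order intact"
check_listing "$AFTER"  || echo "after update: a custom rule was moved down"
```

On the firewall, run snapshot_rules /tmp/rules.before ahead of the scheduled update and snapshot_rules /tmp/rules.after once it has run, then feed the second file to first_custom_below_pfb; an empty result means every custom rule is still above the pfB block. Diffing the output of rule_descriptions for the two snapshots shows exactly which rules changed position, which is the evidence worth attaching to a report rather than a screenshot of the rules tab.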
                                BBcan177 (Moderator):

                                  dsmithson,

                                  Create that other Block rule in pfBNG, and you can set those required settings in Adv. Inbound Options…


                                  igoldstein:

                                    BBcan177,

                                    The problem is, the SAME list is also used to ALLOW traffic; it's a WHITELIST.

                                    But I also use the same list in my rule to block port 22, but there I'm saying if it does NOT match the IPs from this list, then it should block it.

                                    Here, take a look at the screenshot of the rule.

                                    Attachment: Capture.PNG

                                    BBcan177 (Moderator):

                                      @igoldstein:

                                      The problem is, the SAME list is also used to ALLOW traffic; it's a WHITELIST.

                                      But I also use the same list in my rule to block port 22, but there I'm saying if it does NOT match the IPs from this list, then it should block it.

                                      Not enough information in this one screenshot to help you :)


                                      pf3000:

                                        I had this problem of rule being moved down. Just uncheck "Floating Rules" in pfBlockerNG's main settings page. In other words, don't use floating rules. I hope it works for you, as it did for me.

                                        For me, every time cron or a reload happens, my custom pfBNG rule would move from somewhere on top, where I saved it, to the very bottom in the floating rules tab. To narrow it down, it only happens to custom deny/reject pfBNG rules, and not to custom pass/match pfBNG rules. My rule order is the default setting.

                                        I'm sure BBcan177 will have a workaround in a future version.

                                        BBcan177 (Moderator):

                                          Hi pf3000… igoldstein's setup is too complicated to auto sort the rules in pfBNG. I recommended that he use "Alias type rules" for his setup as that will allow for a more fine-grain configuration.

                                          I did however, test the following change with another user... Would you be able to fetch this file and see if that resolves your Floating Rule issue?

                                          Thanks!

                                          cp /usr/local/pkg/pfblockerng/pfblockerng.inc /usr/local/pkg/pfblockerng/pfblockerng.inc.bk

                                          Fetch the new file and execute a 'Force Update' cmd:

                                          fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://gist.githubusercontent.com/BBcan177/cf6af30af46fedd37d07/raw/ab64d4682b28dd5fdf3f84877b28fe1feeef14f5/pfblockerng.inc"

                                          Anyone else able to test that would also help…


                                          doug.claxton:

                                            Hello
                                            I have been dealing with this issue for some time now.
                                            Two firewalls with default install and settings with different behavior.

                                            I have some simple allow rules above the pfBNG rules to allow my remote travelers, working from random countries around the world, to be able to hit the Exchange OWA https site on 443.
                                            I would like to have those rules on top permanently and not re-sort the order every time CRON runs.
                                            Please see the attached file "Rules order before Cron". I would like all the rules to stay static in that order and not re-sort.

                                            I am not sure, but I am assuming by reading all of the above posts that I need to manage these "options" (please see the attached image) properly to get that desired effect.
                                            However, I have a second firewall that DOES NOT behave like this with the same settings, so I am confused. Please help before I go mad.

                                            My desired effect would be this:
                                            Have a list of rules that are static and do not move, which I manually manage, and let pfBNG do its auto update thing.

                                            Thank you in advance. I have been waiting for someone to have the same symptoms as I do.

                                            Attachments: Rules order before Cron.JPG, Options.JPG
