PfBlocker with Nested Aliases
-
Good afternoon,
I have been using pfBlocker for some time with several blocklists, set to "Deny Both" quite happily for some time. After cleaning up some rules I tried setting most of the lists to "Alias Only" and then nesting aliases for firewall rules. Now the traffic does not appear to be getting blocked, I was hoping for some help and clarification:
The pfBlocker blocklists appear under Aliases as URL types, but I can only add the alias if I save it as a Network type. Otherwise I get the following errors (Hosts and Ports errors are expected, but included to show the difference between the URL types):
Hosts - …cannot be nested because they are not of the same type
Ports - ...cannot be nested because they are not of the same type
URL - ...is not valid
URL Table - ...You must provide a valid URL
What I was hoping to achieve was something like this:
Add pfBlocker's "Threat_Blocklist_1", "Threat_Blocklist_2" etc to "Alias_Threat_Blocklists"
Add pfBlocker's "Spam_Blocklist_1", "Spam_Blocklist_2" etc to "Alias_Spam_Blocklists"
Add pfBlocker's "Advertisers_Blocklist_1", "Advertisers_Blocklist_2" etc to "Alias_Advertisers_Blocklists"
Add "Alias_Threat_Blocklists" to "Rule_Always_Block"
Add "Alias_Spam_Blocklists" to "Rule_Always_Block"
Add "Alias_Advertisers_Blocklists" to "Rule_Mostly_Block"
Add firewall rule BLOCK any traffic TO "Rule_Always_Block" as order 1
Add firewall rule ALLOW any traffic FROM "Bypass_Advertisers_Blocklist_PCs" as order 2 (assume I have created this)
Add firewall rule BLOCK any traffic TO "Rule_Mostly_Block" as order 3
Is this possible?
-
In fact, as I type this I seem to be having more issues with these nested rules blocking all traffic if enabled, but I have learned today to allow time for changes to "settle" once applied; some of these lists are large and testing immediately after applying a change proves nothing. I will run more tests, but in the meantime if anyone could confirm whether the theory of the above is possible I would be most grateful.
Kind regards.
-
jonesr - Did you ever figure this out? I too want to nest URL aliases under a single WAN side blocking rule ALIAS, in order to clean up my FW rules. I know it's almost 12 months later, but thought I would check. Thx
Ash, -
I don't think I ever got nested alias to work, so at the time, I just set up an internal webserver which serves the pages/files the firewall wants. Works ok as a workaround/one way to skin the cat.
-
I'm very sorry I haven't responded, I didn't get alerted to the thread being updated.
I am embarrassed to be reminded of this as I did realise I was being less than observant when I first looked into it: pfBlocker itself can use multiple lists per alias. To achieve what I described I now do the following - please note I am describing this from memory and I have just started using pfBlockerNG instead, so please don't assume I am correct (!)
In pfBlocker:
Create a new item "Alias_Always_Block"
Add the IP blocklists as required to this - I had missed the fact I could simply click "+" to add multiple lists.
Set as an Alias rather than a permit/deny.
My "Always Block" contains only a Pe**phile list.
Create a new item "Alias_Mostly_Block"
Add the IP blocklists as required to this.
Set as an Alias rather than a permit/deny.
My "Mostly Block" contains for example malware and ad lists.
In the pfSense Aliases (Firewall > Aliases > URLs) create an Alias "URLs_pfBlocker_Override" and add the URLs you wish to whitelist.
Now create your firewall rules using aliases in this order, relative to your other rules (I use floating rules):
1. Block "Alias_Always_Block"
2. Allow "URLs_pfBlocker_Override"
3. Block "Alias_Mostly_Block"
Whenever something breaks, add "www.example.com" to the "URLs_pfBlocker_Override" Alias - remember to refresh your rules and wait.
You should now find you never see traffic to Pe**philes, and you may find certain websites get blocked because they are hosted by providers whose entire range has been added to a malware or ad list for some bad apples spoiling the bunch. Manually add them to your override URLs to allow for this.
The above is overly simplified as my actual rules block everything, the URLs override rule only allows HTTP/HTTPS ports, and other allow rules I haven't described get the rest of my legitimate traffic working. I highly recommend reading this thread, I am only half way through it myself but it will explain in detail what I have glossed over here - https://forum.pfsense.org/index.php?topic=78062.0
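As an added example (not code from this thread, pfBlocker or pfSense), the Python below models the nested aliases and first-match rule order described in the post above, with constructed documentation-range addresses standing in for the blocklists. It shows why the override rule has to sit between the two block rules: a whitelisted host inside a "Mostly Block" provider range gets through, while the same trick cannot punch a hole in "Always Block".

```python
import ipaddress

# Constructed stand-ins for pfBlocker lists and pfSense aliases (not real list data).
# A value that names another alias is a nested alias; anything else is a CIDR.
ALIASES = {
    "Threat_Blocklist_1": ["198.51.100.0/24"],
    "Spam_Blocklist_1": ["203.0.113.0/25"],
    "Advertisers_Blocklist_1": ["192.0.2.0/24"],   # whole hosting range, one bad apple
    "Alias_Always_Block": ["Threat_Blocklist_1", "Spam_Blocklist_1"],
    "Alias_Mostly_Block": ["Advertisers_Blocklist_1"],
    # Whitelist: a legitimate site inside the ad range, plus (for the test) a host
    # that is also on the Always Block list and must stay blocked regardless.
    "URLs_pfBlocker_Override": ["192.0.2.10/32", "198.51.100.7/32"],
}

# Rules in the order the post gives; the first matching rule decides (pfSense
# floating rules with "quick" behave this way).
RULES = [
    ("block", "Alias_Always_Block"),
    ("pass", "URLs_pfBlocker_Override"),
    ("block", "Alias_Mostly_Block"),
]


def expand(alias, aliases, path=frozenset()):
    """Flatten a (possibly nested) alias into ip_network objects, rejecting loops."""
    if alias in path:
        raise ValueError(f"alias loop at {alias}")
    nets = []
    for entry in aliases[alias]:
        if entry in aliases:
            nets.extend(expand(entry, aliases, path | {alias}))
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets


def verdict(dst_ip, rules=RULES, aliases=ALIASES, default="pass"):
    """Return the action of the first rule whose alias contains dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for action, alias in rules:
        if any(ip in net for net in expand(alias, aliases)):
            return action
    return default  # no rule matched; the post's other allow rules would apply


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10", "192.0.2.77", "203.0.113.200"):
        print(f"{ip:>15} -> {verdict(ip)}")
    # Wrong order: override first would let the Always Block host through.
    print("override first ->", verdict("198.51.100.7", rules=[RULES[1], RULES[0], RULES[2]]))
```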
-