How to make it stop auto-reordering my firewall rules?

RonpfS

Firewall/pfBlockerNG/General Firewall 'Auto' Rule Order

elementalwindx

Normally I would agree with that, except if I want it setup like this:

Rule 1 I created
Rule 2 I created
PFBlocker country rules
PFBlocker country rules
PFBlocker country rules
PFBlocker country rules
Rule 3 I created
Rule 4 I created

Then that method you mentioned won't work, as there is nothing in the list like that. At least that I am aware of.

RonpfS

You have 5 choices of rules ordering that could probably fit your need depending on your rules.

However you can still create your own rules using Alias Type in pfBlockerNG
Click the Infoblocks icon.

elementalwindx

@RonpfS:

You have 5 choices of rules ordering that could probably fit your need depending on your rules.

However you can still create your own rules using Alias Type in pfBlockerNG
Click the Infoblocks icon.

Sorry I'm not following you.

Those 5 choices of rules don't fit my need unfortunately.

Some of the devices on my network I want to only allow america to connect, others I want the whole world to be able to connect.

doktornotor

As said above, you need to use Alias type lists and do your own rules if nothing in ordering fits your needs. pfBNG lacks paranormal skills.

elementalwindx

@doktornotor:

As said above, you need to use Alias type lists and do your own rules if nothing in ordering fits your needs. pfBNG lacks paranormal skills.

Is there a how-to on that? That's probably one of the few features I've never used.

elementalwindx

Still not quite figuring out what you're trying to say. Sounds like you're saying copy the country rules I'm using, and just remove the pfblocker package?

doktornotor

You use them as any other alias in your rules.

pinoyboy

I have the same need and can't seem to identify the proper method.  I created an ALIAS for certain sites I wish to have no restriction on OUTBOUND.  I place this ALIAS at the top, but after reboot, the ALIAS moves down my list.  I want this ALIAS exactly where I place it.  Those 5 options on ordering do not help at all.

BBcan177

Create your Whitelist inside of pfBlockerNG… And use "Permit Outbound".... then add the IPs to the customlist at the bottom of the new Whitelist Alias....  Then select the Rule order option in the General Tab, that places the permit rules above the Block rules...

There are 5 options available to sort the rules... If they do not fit with your needs, then you can use "Alias Type" settings.... See the IPv4 Tab, blue Infoblock Icons for further details on how to do that...

Also not recommended to Block the World... Best to use Permit rules instead for the few Countries that you want to allow....

rusty99

I know this is an old topic, but this was also something I've been working through since needing to tighten outbound traffic.

Not sure if this is possible, but I have a suggestion I'll throw out.

If the firewall has separators, couldn't autorule order be designed to pin the auto rules to a defined separator section(s)?  That would allow someone to put the auto-rules wherever they wanted.  Looks like the separators are in the backup XML but I don't see them looking at the config with pfctl -vvsr so not sure if they are stored with the firewall config file.

Hopefully they are someplace where they can be used for more than just cosmetic purposes.

Guest

Specify "Floating Rules" under general setup