Netgate Discussion Forum
    Network Configuration with snort VLANs…..and PfBlocker?

Velcro:

      Thanks maverik1…

I checked the "permit firewall" on the DNSBL tab and it added a floating rule for my interfaces. To answer your question: I need the custom rule just below my DNS/port 53 rule and above my "block this firewall" rule in order to get connectivity to the "10.10.10.1 - pixel" page. If not, I can't navigate to the 10.10.10.1 pixel page, I get a block to 127.0.0.1 in my firewall log and I don't get DNSBL alerts.

      Questions:

      A) I have strict rules in place...is this custom rule needed for pfblockerng based on my rule set?

B) DNSBL appears to be working (incl. some custom lists), but I am trying to understand why the extra rule is needed on each interface/VLAN, and whether this has security implications.

      C) I am getting DNSBL alerts in pfblockerng, however I am still seeing ads? Are the ads just prevented from calling home? Is DNSBL working?

      Note: pretty slick but I was able to verify OpenDNS is working after enabling the forwarding mode on the dns resolver tab(thx!)

      Thanks again for the help!

maverik1:

The only firewall rule I need to access the 10.10.10.1 pixel page is the floating rule that is created by DNSBL. You must have some other setting in place that is requiring you to have an additional rule.

How strictly you have configured DNSBL will determine what ads you see, if any. I still see an occasional ad with DNSBL enabled.

Velcro:

          Thanks maverik1 and bbcan…

Any thoughts on how I might troubleshoot my current settings/rule set? Is adding the custom pass rule to 127.0.0.1 a best practice? It seems like I might be missing something more fundamental...

maverik1:

I honestly do not think you need that rule. I am not sure what kind of setup you currently have and/or what your configuration is. Are you able to provide some information about your current setup? VLAN info, rules, are you running Squid proxy?

Velcro:

My basic setup is as follows:

- The rules for one of my VLANs are posted above; the other VLANs are similar
- My default LAN is used for admin of pfSense only, no internet access
- 3 VLANs - guest, IoT devices and personal, with the parent interface of opt1 (the opt1 interface is what my Unifi AP is connected to)
- Default LAN = web GUI access
- Opt2 is for Apple TV
- I have an SG-2440 Netgate/pfSense box and a Unifi AP
- I run Snort on my interfaces
- I am running pfBlocker on my VLANs (deny both)
- Viper VPN on my network
- Unbound DNS resolver utilizing OpenDNS IPs

              I have my setup pretty tight with aliases for devices and ports…any suggestions would be appreciated.

              Thanks :)

Velcro:

Does anybody have any insight into this? If not, I was thinking of starting a new post in the firewalling or general section of the forum, as this likely has something to do with my DNS settings or DNS configuration.

My specific question is: why do I need the custom allow rule to the 127.0.0.1 IP (I modified an "easy rule") to get pfBlocker to work? Is this rule safe and a best practice, or is there a different adjustment I need to make?

PS: I have been using pfBlockerNG with some custom lists and love it!

vpreatoni:

I can confirm pfBlocker is bugged regarding the allow access rule.

I have a similar environment (multi VLAN). When accessing some blocked domain (e.g. http://100pour.com/) I get a browser timeout instead of the 1x1px image.

Firewall log:

Time             Interface  Source          Destination           Protocol
Sep 18 18:34:48  VLAN10     10.10.10.1:80   192.168.10.108:50216  TCP:SA

Firewall log when accessing HTTPS blocked domains:

Time             Interface  Source          Destination           Protocol
Sep 18 18:39:38  VLAN10     10.10.10.1:443  192.168.10.108:49394  TCP:SA

Auto NAT rules VLAN10:

rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443

So, if I manually edit the Auto NAT rules' option "Filter rule association" from None to Pass, IT WORKS! The NAT rules now look like this:

rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443

But after reloading the pfBlocker configuration, it reverts back to the buggy NAT rule. Can you please check this behavior??

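An added check, not from the thread or from the pfBlockerNG package itself: it parses `pfctl -sn` output and reports which redirect rules for the DNSBL VIP lack the associated `pass`, so the reverted state described above can be detected after a reload. The sample lines are the NAT rules quoted in the post; the VIP address and `pfctl` invocation are assumed to match that setup.

```python
import re

# Constructed sample of `pfctl -sn` output, taken from the NAT rules quoted in
# this thread: the first pair lacks "pass", the second pair carries it.
SAMPLE_BEFORE = """\
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
"""
SAMPLE_AFTER = """\
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
"""

# One pf "rdr" line as printed by `pfctl -sn`; the optional "pass" keyword is
# what "Filter rule association: Pass" adds to the generated rule.
RDR_RE = re.compile(
    r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+tcp\s+"
    r"from\s+\S+\s+to\s+(?P<vip>\S+)\s+port\s*=\s*(?P<port>\S+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<tport>\d+)\s*$"
)


def dnsbl_rdr_rules(pfctl_nat_output, vip):
    """Return {(iface, port): has_pass} for every rdr rule that redirects to vip."""
    rules = {}
    for line in pfctl_nat_output.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or m.group("vip") != vip:
            continue
        rules[(m.group("iface"), m.group("port"))] = m.group("pass") is not None
    return rules


def missing_pass(pfctl_nat_output, vip):
    """List (iface, port) pairs whose redirect has no associated pass: the
    redirect happens, but the filter still needs a separate rule to admit the flow."""
    rules = dnsbl_rdr_rules(pfctl_nat_output, vip)
    return sorted(key for key, has_pass in rules.items() if not has_pass)


if __name__ == "__main__":
    # On the firewall itself (assumed: DNSBL VIP is 10.10.10.1 as in the thread).
    import subprocess
    out = subprocess.run(["pfctl", "-sn"], capture_output=True, text=True, check=True).stdout
    for iface, port in missing_pass(out, "10.10.10.1"):
        print(f"rdr on {iface} for {port} lacks an associated pass")
```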
BBcan177 (Moderator):

                    In the DNSBL tab, there is a "Permit Firewall" rule option.

Enable that and select the VLANs. Force Update.

That will create a Floating Permit rule to allow those VLANs to hit the DNSBL VIP address.

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

vpreatoni:

                      Already done that.

The pfB rule is created first as expected, and it gets matching traffic:

Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
IPv4 *    *       *     10.10.10.1   *     *        none             pfB_DNSBL_Allow_access_to_VIP

                      But as stated before, it does not set the Pass rule on the auto NAT port redirection rules, so it fails. Manually setting Pass in NAT rules makes it work.

                      I'm happy to provide any pfctl output if it helps to fix this bug.

                      Regards,
                      Víctor

BBcan177 (Moderator):

                        I haven't seen anyone else complain about this issue before….

                        But you can edit the following file:

                        /usr/local/pkg/pfblockerng/pfblockerng.inc

                        and change Line #793

From: 'associated-rule-id' => '',
To:   'associated-rule-id' => 'pass',

                        Reference link to code:
                        https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L793

                        If others chime in to approve the change, I will make it official in the next release of the package…


vpreatoni:

                          Cheers for that, will try it.

                          Maybe Velcro can confirm if editing NAT port forwarding rules fix it too.

Velcro:

I think my situation is the same; I too saw the same firewall logs. I would be happy to test and see if “…editing NAT port forwarding rules fix it too...”. If you don’t mind walking me through the specific steps, I will try... I have never adjusted the Port Forward rules in NAT before (I assume you are referencing the “Port Forward” rules that are added for the DNSBL Listening interface in the Firewall→NAT→Port Forward tab?).

BBcan177, definitely not complaining... you rock! I am in no position to complain about the work you do and the difference you make with pfBlocker.

I managed to get my VLANs capable of accessing the 10.10.10.1 pixel page by adding a rule onto my VLAN interfaces (see screenshot for example). I created this rule by adding and then modifying an “easy rule” based on what was being blocked in my firewall log.

My rules are fairly restrictive, and I made sure this “custom DNSBL rule” was placed below my “Allow DNS Access” and above my “Block access to firewall” rule.

Additional notes:

• I tried the “DNSBL Firewall Rule” again and removed my “Custom DNSBL rule”, but was unable to access the 10.10.10.1 pixel page.
• I no longer use OpenDNS (using the DNS resolver on pfSense)
• Using PIA as my VPN provider (no longer VyperVPN…)

                            I am still not sure my “custom rule” is the best solution or as you suggest, modifying a NAT rule is best...definitely willing to test. Thanks for asking...


vpreatoni:

                              Hi Velcro,

Navigate through Firewall->NAT-> and edit both pfB auto rules.

Now you have to change the last option, "Filter rule association", from None to Pass (see first attachment).
When done, you should see something like a Play icon next to each rule (see 2nd attachment).

If that works for you too, I can guide you on how to edit the source to make it permanent, as BBcan explained. Otherwise, each time you reload pfBlocker, the rules will revert back to None.


Velcro:

Awesome! Yes, that allowed me to remove my "custom rule" - Thank you!!

                                vpreatoni if I could ask for your help to make this permanent, I would really appreciate it.

                                BBcan177 this corrected my issue…I vote for the change, but are there downsides to changing for all?

_Note added later: Just restarted my pfSense and it returned to default._

Velcro:

                                  I thought I would jump in and try to change the code, here is what I did:

Diagnostics → Edit File → Browse (I didn't try it, but you might just be able to enter the path where it says "Path to file to be edited")

→ follow this path from BBcan: /usr/local/pkg/pfblockerng/pfblockerng.inc

and change Line #793 (enter this line number at the top right of the GUI where it says "Go To Line#")

From: 'associated-rule-id' => '',
To:   'associated-rule-id' => 'pass',

                                  Make sure to hit the "Save" icon.

                                  Survived a reboot and all is working! Thank you both for your help…

                                  My only questions are:

1. I do not have the "DNSBL Firewall Rule" checked, yet everything appears to be working. My select VLANs, the ones I have pfBlocker running on, are showing alerts. Is this just a "tweak" that is needed to get VLANs functioning?

                                  2. BBcan you asked: "...If others chime in to approve the change, I will make it official in the next release of the package...". Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense?

                                  Again thank you both...

                                  Sean

BBcan177 (Moderator):

                                    Here is the PR to fix this bug… Thanks!

                                    https://github.com/pfsense/FreeBSD-ports/pull/424/files


                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.