Netgate Discussion Forum

    Protect open ports with PFBlockerNG

    pfBlockerNG
    NasKar:

      I've read other posts on this topic but still need further clarification. I want to prevent countries other than the US from accessing my open WAN ports. It's been stated over and over again not to block the world. I've created an advanced inbound and outbound rule to allow my alias of open_ports only from the US IPv4 and IPv6. See attachments.

      If someone from China tries to access an open port on my WAN, they won't hit a block until after the port forward rules are evaluated. Won't they still get through? If I move the block rules to just below the pfBlocker rules, will that prevent the port forwarding rules from working?

      WAN
      0_1547225547797_WAN Rules.jpg

      1_1547225547797_WAN Rules2.jpg

      On the LAN side the allow rule will work as everything is blocked by default except what is explicitly allowed?

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

      johnpoz (LAYER 8 Global Moderator):

        @naskar said in Protect open ports with PFBlockerNG:

        It's been stated over and over again not to block the world

        Says who? In a perfect setup you would only allow access to your forwards by their IP..

        Rules are evaluated top down; the first rule to trigger wins. No other rules are evaluated. If you want your port forward to only be reachable via an NA address, then just use that in your port forward rule to whatever IP and port you're sending it to.

        If you want to specifically block country X, then put that alias above your allow rule with block.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        NasKar:
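The ordering point made above, as an added illustration that is not from the thread or from pfSense itself: a minimal first-match rule evaluator run over the three orderings discussed (forward rule above a country block, forward rule restricted to the NA alias, block for country X above the forward). The prefixes, alias names and ports are constructed placeholders, not real pfBlockerNG lists.

```python
import ipaddress

# Constructed sample prefixes standing in for pfBlockerNG aliases (not real lists).
NA_V4 = [ipaddress.ip_network("203.0.113.0/24")]    # stands in for pfB_NAmerica_v4
CN_V4 = [ipaddress.ip_network("198.51.100.0/24")]   # stands in for a China alias
ANY = [ipaddress.ip_network("0.0.0.0/0")]
OPEN_PORTS = {443, 8080}                            # stands in for the "open_ports" alias


def rule(name, action, src, ports, negate=False):
    return {"name": name, "action": action, "src": src, "ports": ports, "negate": negate}


def matches(r, src_ip, dport):
    ip = ipaddress.ip_address(src_ip)
    in_src = any(ip in net for net in r["src"])
    if r["negate"]:            # inverted source match ("not" this alias)
        in_src = not in_src
    return in_src and dport in r["ports"]


def evaluate(rules, src_ip, dport):
    """Top down, first matching rule wins; later rules are never consulted."""
    for r in rules:
        if matches(r, src_ip, dport):
            return r["action"], r["name"]
    return "block", "default deny"   # nothing matched: implicit deny on WAN


# Ordering from the question: the port forward's pass rule sits above the country block,
# so a source outside NA is passed before the block is ever reached.
forward_above_block = [
    rule("port forward open_ports", "pass", ANY, OPEN_PORTS),
    rule("block non-NA", "block", NA_V4, OPEN_PORTS, negate=True),
]
# First suggestion in the reply: restrict the forward rule's own source to the NA alias.
forward_from_na_only = [
    rule("port forward open_ports (src NA)", "pass", NA_V4, OPEN_PORTS),
]
# Second suggestion: put the block for country X above the allow rule.
block_above_forward = [
    rule("block CN", "block", CN_V4, OPEN_PORTS),
    rule("port forward open_ports", "pass", ANY, OPEN_PORTS),
]

if __name__ == "__main__":
    for label, rs in [("forward above block", forward_above_block),
                      ("forward from NA only", forward_from_na_only),
                      ("block above forward", block_above_forward)]:
        print(label, "CN->443:", evaluate(rs, "198.51.100.7", 443),
              "NA->443:", evaluate(rs, "203.0.113.9", 443))
```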

          So I should edit my port forward rules in NAT to add a network alias for pfBlocker_NA IPv4 and IPv6.
          Like this:

          Alias
          0_1547228457662_fpBlocker Network Alias.jpg

          Port Forward rule
          0_1547228503649_ForwardRule.jpg

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.