Deny all except a country
-
Hi, i have nat redirect port to a local server and the source is any.
I use bfblockerng to block the world except one country (deny inbound) and its ok but logs are so much larges.. (all countrys blocked register)I want to use a rule like "permite only this country" and not block the world.. but i cant understand how to do it in pfblockerng.
anyone can help me to a effective and logic way to do this?
tks
-
Try reject instead.
-
This post is deleted! -
@mullcom the default policy firewall is deny. The source nat is any (the chooses are any or some network or ip adress).
Pfblockerng warnings " is not necessary block the world ...." but i cant understand how to allow input from a country and dont select deny from all others world countrys
-
You will most likely want to just use the aliases that pfblocker creates in you rules that allow your forwards/service access.
So you could use your country alias (lists all the ips in that country) in as the source in your port forward. Vs using the pfblocker creation of rules..
BTW, you almost never want to use reject on a public facing rule (ie wan).. Since this sends traffic back to the sender saying hey that is blocked.. Which you really never want to do.. Lan sure that helps your clients know they can not do xyz, vs having them keep sending retrans on time outs of something not working.
-
@johnpoz tks for reply.
I try to do that but in firewall source alias theres only pf_continent option. The country alias source doesnt exist.
-
Pretty sure you can create your own in pfblocker.. Have to take a look, I don't personally use it... I only fire it up when need to help someone out with something. Give me a few minutes and take a look see.
edit: Yeah you can create your own using the geoip info.
Or you could take one of the built in lists, and edit it to only have the country or countries you desire.. Just pick the continent one that has the country you want, and only put in there the country or countries you want.
-
@johnpoz may have the "devel" version of pfBlockerNG? Mine looks different. Anyway, I found the country lists are all stored on disk so you can just reference them using the correct country code:
So just create an alias for that country code on the pfBlockerNG IPv4 page. -
why would you not be running the devel version? ;)
-
Probably because he wants something stable. Most people expect -devel to mean it's under active ongoing development with bugs and other unforeseen, unwanted behaviour to be expected from new software. They don't realize that in the wold of FreeBSD/pfSense/Unix, -devel means it's been tested for the past n+ years, has no outstanding bugs, but the maintainer doesn't want to be yelled at if you find some weird corner case. In other words, don't trust it until it's well-trusted
-
@johnpoz tks John for your help, sorry my english... i speak portuguese and the way to create and understand phrases and texts are diferent Lol.. I will try and feedback.. tks . Ps: i use last devel version.
-
@johnpoz Hi, unfortunately doesnt work.. i create an ipv4 entry with brazil inside but in source firewall doenst appers.. only continents
-
Not sure what your attempting to do there - your not creating an alias.. So no its not going to show up when you try and create a firewall rule - outside of pfblocker
-
@johnpoz
I'm totally confused -
Create the alias in pfblocker
Run an update - you will see it create the alias
===[ IPv4 Process ]================================================= [ US_v4 ] Downloading update .. completed .. ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload Updating: pfB_US_v4 1 table created.74833 addresses added. UPDATE PROCESS ENDED [ 08/26/19 19:42:59 ]You will then see it normal pfsense aliases, be able to view what it in it.. And then use it rules
-
@johnpoz Thank you sou much!!! is clear now!!! have a nice week..
-
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!
-
@johnpoz said in Deny all except a country:
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!It's true, my contact is recent with the tool .. I already loved pfesense, now even more ... thanks once again
-
Keep in mind these lists of IPs are not going to be 100% accurate.. For one IP ranges move from country to country - more often then you would think.. And with the shortage of new IPv4 space - movement happens more often then back in the early days.
We just transferred some of our public space to the EU for example.. The blocks of addresses moved from arin to ripe.
-
@johnpoz Hi,
Thank you for the above help with creating the alias for certain countries in pfblockerNG.
Just 2 questions;
To complete the setup. I then go to my pfsense firewall rules and go to WAN. There I edit the open ports I have and under source I just choose alias and chose this list created in pfblocker.
Then no more blockrules is needed under the WAN port right? It just allows from the selected countries in the alias and to the specified port of the open service, then blocks the rest automatically if I got it right?I also wanna block some outbound trafic so I just go to the geoblock lists in pfblocker and select all countries I wanna block then hit "deny outbound" ?
This will create bunch of entries in my firewall rules each on a single line obv. Is there a way toc reate like a "block outbound to these countries" alias here as well?Last question; what does the "rep" mean after some countrylists?
Thanks!
