Deny all except a country
-
@johnpoz may have the "devel" version of pfBlockerNG? Mine looks different. Anyway, I found the country lists are all stored on disk so you can just reference them using the correct country code:
So just create an alias for that country code on the pfBlockerNG IPv4 page.
-
why would you not be running the devel version? ;)
-
Probably because he wants something stable. Most people expect -devel to mean it's under active ongoing development with bugs and other unforeseen, unwanted behaviour to be expected from new software. They don't realize that in the world of FreeBSD/pfSense/Unix, -devel means it's been tested for the past n+ years, has no outstanding bugs, but the maintainer doesn't want to be yelled at if you find some weird corner case. In other words, don't trust it until it's well-trusted
-
@johnpoz tks John for your help, sorry for my English... I speak Portuguese and the way to create and understand phrases and texts is different Lol.. I will try and give feedback.. tks. PS: I use the last devel version.
-
@johnpoz Hi, unfortunately it doesn't work.. I created an IPv4 entry with Brazil inside but in the firewall source it doesn't appear.. only continents
-
Not sure what you're attempting to do there - you're not creating an alias.. So no, it's not going to show up when you try and create a firewall rule - outside of pfblocker
-
@johnpoz
I'm totally confused
-
Create the alias in pfblocker
Run an update - you will see it create the alias
===[ IPv4 Process ]=================================================
[ US_v4 ] Downloading update .. completed ..
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
Updating: pfB_US_v4
1 table created.74833 addresses added.
UPDATE PROCESS ENDED [ 08/26/19 19:42:59 ]
You will then see it in the normal pfSense aliases, be able to view what is in it.. And then use it in rules
-
@johnpoz Thank you so much!!! It is clear now!!! Have a nice week..
-
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!
-
@johnpoz said in Deny all except a country:
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!
It's true, my contact with the tool is recent .. I already loved pfSense, now even more ... thanks once again
-
Keep in mind these lists of IPs are not going to be 100% accurate.. For one, IP ranges move from country to country - more often than you would think.. And with the shortage of new IPv4 space - movement happens more often than back in the early days.
We just transferred some of our public space to the EU for example.. The blocks of addresses moved from ARIN to RIPE.
-
@johnpoz Hi,
Thank you for the above help with creating the alias for certain countries in pfBlockerNG.
Just 2 questions:
To complete the setup, I then go to my pfSense firewall rules and go to WAN. There I edit the open ports I have and under source I just choose alias and choose this list created in pfblocker.
Then no more block rules are needed under the WAN port, right? It just allows from the selected countries in the alias and to the specified port of the open service, then blocks the rest automatically, if I got it right?
I also wanna block some outbound traffic, so I just go to the geoblock lists in pfblocker and select all countries I wanna block, then hit "deny outbound"?
This will create a bunch of entries in my firewall rules, each on a single line obv. Is there a way to create like a "block outbound to these countries" alias here as well?
Last question: what does the "rep" mean after some country lists?
Thanks!
-
I personally do not let pfblocker create any rules... I just use the aliases created, but you can do whatever makes you feel secure. I'm just not an auto create rules sort of guy ;)
Post up the rules you did on both wan and lan and be happy to validate/discuss how they will do what you want or not, etc.
-
@incognito You can make an alias that covers multiple countries per my post above. Just keep adding lines and country codes.
re: "rep" I have been assuming "reputation" but don't recall how I got to that.
-
@teamits
rep == represented
https://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/
-
@johnpoz said in Deny all except a country:
will then see it normal pfse
Thank you very much, it is very clear and there are no posts that explain it as well