Netgate Discussion Forum

    How do I whitelist a few countries only?

    17 Posts 3 Posters 1.6k Views
    • P
      paul2019
      last edited by paul2019

      I'm currently using a blacklist approach to deny inbound from the world, except 4 countries, and my unit is running out of memory.

      I would like to change that to whitelist the inbound from those 4 countries and block inbound from all others.

      I went on to permit inbound on the geo ip lists and check only the countries that I need, but it warned about the advanced inbound being set to deny and how I would have to set it to allow all inbound before doing a geo ip permit rule.

      I went on the advanced settings and didn't find any option to set the inbound WAN to be allowed by default; I only found block and reject.

      What's the correct way of doing this, whitelist inbound from a couple countries only?

      Thanks

      • NogBadTheBadN
        NogBadTheBad
        last edited by NogBadTheBad

        Use pfBlocker to create an Alias permit and use it on an inbound firewall rule:-

        Screenshot 2020-10-31 at 13.39.19.png

        I use the above rule to allow sftp inbound from the UK.

        By default everything is blocked by the default WAN rule.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • P
          paul2019 @NogBadTheBad
          last edited by

          @NogBadTheBad said in How do I whitelist a few countries only?:

          Use pfBlocker to create an Alias permit and use it on an inbound firewall rule:-

          I use the above rule to allow sftp inbound from the UK.

          By default everything is blocked by the default WAN rule.

          Hi Andy, so I've created an alias and added the geo ips that I require to it, then went on firewall rules and added the alias just like you did, to pass.

          How do I get rid of those pfsense geo block lists I have there? I set them to Disabled but the rule still stays there in the firewall rules (eg: pfB_Topv4, etc). Do they remain there when we set it to Disabled? Just wanted to make sure the memory won't be allocated to process that list anymore since there is now a single rule with the allowed alias doing the trick and everything else should be blocked.

            • NogBadTheBadN
              NogBadTheBad
              last edited by

              Disable them in the actions pull down.

              Screenshot 2020-10-31 at 14.36.26.png

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • P
                paul2019 @NogBadTheBad
                last edited by

                @NogBadTheBad said in How do I whitelist a few countries only?:

                Disable them in the actions pull down.

                Correct, that's what I did, but they still remain listed in the firewall rules. Is that normal?

                • NogBadTheBadN
                  NogBadTheBad @paul2019
                  last edited by NogBadTheBad

                  @paul2019

                  Do an update Firewall -> pfBlockerNG -> Update

                  Also no need to hide RFC1918 IP addresses, they aren't routable on the internet.

                  The ALLOWED_INCOMMING needs to be added to the rules at the bottom, don't allow ALLOWED_INCOMMING to any.

                  Screenshot 2020-10-31 at 14.45.36.png

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • P
                    paul2019 @NogBadTheBad
                    last edited by paul2019

                    @NogBadTheBad said in How do I whitelist a few countries only?:

                    @paul2019

                    Do an update Firewall -> pfBlockerNG -> Update

                    Also no need to hide RFC1918 IP addresses, they aren't routable on the internet.

                    The ALLOWED_INCOMMING needs to be added to the rules at the bottom, don't allow ALLOWED_INCOMMING to any.

                    You mean the protocol here has to be set like this? (I require UDP as well for SIP.) I have many ports to open, from SIP to RDP, cameras, etc., so setting up a rule to permit each port can be done, and I have to agree that is definitely safer:


                    Is this the correct place for the new rule to show up?

                    btw, pfB_IPv4_DENY_v4 is a custom list of US ip addresses that show up every now and then and I need to manually block by adding them to that list.


                    • P
                      paul2019 @paul2019
                      last edited by

                      @NogBadTheBad Now I get it: since I already have those ports open there, of all kinds, I just duplicate them and assign the source to the country permit alias. I have to duplicate because, when editing, the source fields are read-only for some reason.

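The design the thread settles on (Andy's permit alias of the allowed countries used as the source on each per-port pass rule, with everything else caught by the default WAN block, and his warning not to pass that alias to any port) can be checked in a small model. The following Python is an added example written for this page, not pfSense or pfBlockerNG code: the country-to-prefix data is constructed from documentation ranges rather than real GeoIP data, the alias name ALLOWED_INCOMING, the country codes and the service list are illustrative, and the rule evaluator and pf-style renderer are simplifications of what pfSense actually generates.

```python
"""Model of the allow-list GeoIP policy from this thread (added example).

Country-to-prefix data below is CONSTRUCTED from documentation ranges, not
real GeoIP data.  Rule matching follows pfSense's first-match ('quick')
semantics and the WAN default of blocking everything not explicitly passed.
"""
import ipaddress
from collections import namedtuple

# Constructed "GeoIP" allocations: country code -> prefixes (not real data).
GEOIP = {
    "US": ["198.51.100.0/24", "203.0.113.0/25"],
    "GB": ["203.0.113.128/25"],
    "DE": ["192.0.2.0/26", "192.0.2.64/26"],
    "FR": ["192.0.2.128/26"],
    "BR": ["192.0.2.192/27"],
    "JP": ["192.0.2.224/27"],
}

# src_table is the name of an alias table, or None for "any source".
Rule = namedtuple("Rule", "action proto dport src_table")


def build_table(countries):
    """Flatten the chosen countries into one alias table (like a pfB_*_v4.txt file)."""
    return [ipaddress.ip_network(p) for c in countries for p in GEOIP[c]]


def in_table(ip, table):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in table)


def evaluate(rules, tables, src_ip, proto, dport, default="block"):
    """Return the action of the first matching rule, else the WAN default."""
    for r in rules:
        if r.proto not in (proto, "any"):
            continue
        if r.dport not in (dport, "any"):
            continue
        if r.src_table is not None and not in_table(src_ip, tables[r.src_table]):
            continue
        return r.action
    return default


def whitelist_policy(allowed_countries, services):
    """Andy's design: one permit alias as the source on per-service pass rules."""
    tables = {"ALLOWED_INCOMING": build_table(allowed_countries)}
    rules = [Rule("pass", proto, port, "ALLOWED_INCOMING") for proto, port in services]
    return rules, tables


def blacklist_policy(allowed_countries, services):
    """The original approach: block every other country, then pass services from anywhere."""
    denied = [c for c in GEOIP if c not in allowed_countries]
    tables = {"DENY_COUNTRIES": build_table(denied)}
    rules = [Rule("block", "any", "any", "DENY_COUNTRIES")]
    rules += [Rule("pass", proto, port, None) for proto, port in services]
    return rules, tables


def table_entries(tables):
    """Total alias-table entries, the number that drives pf table memory use."""
    return sum(len(t) for t in tables.values())


def lint_alias_to_any(rules, alias="ALLOWED_INCOMING"):
    """Flag pass rules that open every port to the permit alias (what Andy warned against)."""
    return [r for r in rules if r.action == "pass" and r.src_table == alias and r.dport == "any"]


def render_pf(rule, iface="$WAN"):
    """Simplified pf.conf form of a rule; real pfSense output adds tracker ids, labels, reply-to."""
    src = f"<{rule.src_table}>" if rule.src_table else "any"
    proto = "" if rule.proto == "any" else f" proto {rule.proto}"
    port = "" if rule.dport == "any" else f" port {rule.dport}"
    return f"{rule.action} in quick on {iface} inet{proto} from {src} to ({iface}){port}"


if __name__ == "__main__":
    services = [("tcp", 22), ("udp", 5060)]  # constructed: sftp and SIP signalling
    allowed = ["US", "GB"]
    for name, (rules, tables) in (("whitelist", whitelist_policy(allowed, services)),
                                  ("blacklist", blacklist_policy(allowed, services))):
        print(f"{name}: {table_entries(tables)} table entries")
        for r in rules:
            print("   ", render_pf(r))
        # An address in no country list at all fails closed only under the whitelist.
        print("    unlisted 100.64.0.1 -> tcp/22:", evaluate(rules, tables, "100.64.0.1", "tcp", 22))
```

Two things the model makes visible that the screenshots do not: the whitelist carries only the allowed countries' prefixes (in real GeoIP data a handful of countries versus roughly 240 in the deny table, which is where the memory goes), and a source address that appears in no country list at all is blocked by the whitelist but passed by the blacklist, because the blacklist only ever blocks what it has explicitly listed.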
                        • NogBadTheBadN
                          NogBadTheBad @paul2019
                          last edited by

                          @paul2019 👍

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                          • P
                            paul2019 @NogBadTheBad
                            last edited by

                            @NogBadTheBad said in How do I whitelist a few countries only?:

                            @paul2019 👍

                            Awesome, thanks a lot!

                            • P
                              paul2019 @NogBadTheBad
                              last edited by

                              @nogbadthebad said in How do I whitelist a few countries only?:

                              Use pfBlocker to create an Alias permit and use it on an inbound firewall rule:-

                              Screenshot 2020-10-31 at 13.39.19.png

                              I use the above rule to allow sftp inbound from the UK.

                              By default everything is blocked by the default WAN rule.

                              Question: I'm trying to recreate this setup again, but after creating this Alias Permit list and force reloading pfBlocker, the alias doesn't get created and I can't assign it to the source field like I did back in the day when you helped me out here. What could I be doing wrong this time?

                              01.jpg

                              02.jpg

                              03.jpg

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @paul2019
                                last edited by johnpoz

                                @paul2019 I do this for my plex access, just create a native alias in pfblocker adding the countries you want to allow. Then just use that alias in your port forward.

                                alias.jpg

                                I have family in Morocco temporarily, all others are just in the US. And I also allow status cake IPs to monitor if my plex is up, and then the IPs that plex uses to validate if your remote access is available.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                • P
                                  paul2019
                                  last edited by

                                  @johnpoz Just changed it to native alias, saved, went to update, did force update and force reload, and it still sees only the default IPv4 list and not the new one I created. What could it be...

                                  Alias table IP Counts
                                  -----------------------------
                                     17630 /var/db/aliastables/pfB_PRI1_v4.txt
                                  

                                  05.jpg

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @paul2019
                                    last edited by

                                    @paul2019 well you have them all off

                                    off.jpg

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    • P
                                      paul2019 @johnpoz
                                      last edited by

                                      @johnpoz said in How do I whitelist a few countries only?:

                                      @paul2019 well you have them all off

                                      Damn, that was it! These are OFF by default and went completely unnoticed until you mentioned it, thanks a lot.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.