PFBlockerng WAN Firewall Rules
-
PFSense noob here (but LOVING it after moving from Unifi), and I have PFBlockerng running and successfully blocking DNS blacklists. But I have a quick question - I have a port forward open, and judging from what I've seen from others' setups, there seems to typically be a block rule set up on the WAN to capture things like Geo IP blocks, etc. However, the wizard did not set up any type of WAN blocking rule for PFBlockerng. Am I missing something that is supposed to be set up on the WAN firewall rule for PFBlockerng to work?
-
@captaindarth Are you using the floating rules way of pfblockerng or the per interface approach?
-
@netblues I'm using the per interface approach.
-
@captaindarth You also said DNS blacklists.
DNS blacklists essentially don't need firewall rules by design.
IP blocking does. There is an option on the IP tab on which interfaces rules should be generated and applied.
-
@netblues here is a screenshot of the IP tab:
As I understand it (which can be corrected if I am wrong), this tab above is the rule that is doing the DNS blacklisting. And because I only have one entry here to deny outbound, this is why I don't see any PFBlockerng firewall rules on the WAN interface, correct? Here is what I see on the WAN and LAN firewall rules:
-
@captaindarth Yes you are right.
Denying outbound what is blocked by dns is an extra level of protection.
If you were using e.g. pihole, then you would hope the client does what pihole instructs (and doesn't try any hardcoded IPs directly).
My IP tab looks like this
and a test scenario blocking inbound would be like this
And I'm not using the automatic rule generation, which puts rules first, which isn't what is required most of the time.
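The two points made in this thread (a DNS blacklist needs no firewall rule, but it only works for clients that actually resolve the name, while an IP block list needs a rule and the rule's position decides whether an inbound port forward is shielded by it) can be shown with a small model. The code below is an added illustration, not pfBlockerNG's or pfSense's own code and not something either poster wrote. It assumes pfSense's first-match ("quick") evaluation of interface rules with an implicit default deny, and the domain names, addresses, sinkhole address and block table it uses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample data (illustrative only, not taken from the thread) ---
DNSBL = {"ads.example.test"}              # domain names listed in the DNSBL feed
SINKHOLE_IP = "10.10.10.1"                # assumed virtual IP the resolver answers with for listed names
ZONE = {"ads.example.test": "203.0.113.10",
        "www.example.test": "198.51.100.5"}
IP_BLOCK_TABLE = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. a GeoIP or reputation feed


def resolve(name):
    """DNSBL model: a listed name gets the sinkhole address instead of its real record."""
    return SINKHOLE_IP if name in DNSBL else ZONE.get(name)


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" (WAN side) or "out" (LAN side)
    nets: list                    # dst nets for "out", src nets for "in"; empty list = any
    dport: Optional[int] = None   # destination port, None = any


def _in_nets(ip, nets):
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)


def evaluate(rules, direction, src, dst, dport):
    """First-match evaluation, as pfSense interface rules behave (every rule is 'quick').
    Traffic that matches no rule hits the implicit default deny."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        addr = dst if direction == "out" else src
        if _in_nets(addr, r.nets):
            return r.action
    return "block"


# LAN: an outbound deny of the IP table (the "deny outbound" entry) ahead of the usual allow-all
LAN_RULES = [Rule("block", "out", IP_BLOCK_TABLE), Rule("pass", "out", [])]


def client_connect(name=None, hardcoded_ip=None):
    """Returns (destination_ip, verdict). A well-behaved client resolves the name and is
    sinkholed by the DNSBL; a client with a hardcoded IP skips DNS entirely, which only
    the outbound IP rule can catch."""
    dst = hardcoded_ip if hardcoded_ip else resolve(name)
    if dst == SINKHOLE_IP:
        return dst, "sinkholed"      # the connection never heads for the real host
    return dst, evaluate(LAN_RULES, "out", "192.168.1.50", dst, 443)


def wan_verdict(block_first, src, dport=443):
    """Inbound: a port-forward pass rule plus the IP-table block rule; their order decides
    whether a source on the block list can reach the forwarded port."""
    block = Rule("block", "in", IP_BLOCK_TABLE)
    forward = Rule("pass", "in", [], dport=443)
    rules = [block, forward] if block_first else [forward, block]
    return evaluate(rules, "in", src, "192.168.1.10", dport)


if __name__ == "__main__":
    print(client_connect(name="ads.example.test"))        # ('10.10.10.1', 'sinkholed')
    print(client_connect(hardcoded_ip="203.0.113.10"))    # ('203.0.113.10', 'block')
    print(client_connect(name="www.example.test"))        # ('198.51.100.5', 'pass')
    print(wan_verdict(True, "203.0.113.77"))              # block
    print(wan_verdict(False, "203.0.113.77"))             # pass
```

The last two calls are the reason rule position matters on the WAN: when the block rule sits after the port-forward pass rule, first-match evaluation never reaches it, so a listed source still gets through to the forwarded port. That is the trade-off behind letting pfBlockerNG place its generated rules at the top versus ordering them by hand.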