Netgate Discussion Forum

    How do I drop blacklisted incoming traffic without rebooting the entire unit?

    General pfSense Questions
    5 Posts 3 Posters 589 Views

    paul2019

      When I block an offending IP address via "pfBlockerNG -> IP -> IPv4 -> IPv4 Custom_List", the IP keeps getting through the firewall even after doing "Status -> Filter Reload" or "pfBlockerNG -> Update -> Force". I have to reboot the unit in order to stop the IP from bypassing the firewall.

      What's the correct way of dropping the IP from the firewall after updating my IPv4 blacklist, without having to restart the entire unit?

      Thanks!

      Tzvia @paul2019

        @paul2019 Ok, so some internal client is attempting to go to some offending IP address that you want to block. The firewall allows it by default as it is return data (unsolicited data is blocked by default by the firewall, so I assume this is reply traffic). So you have an IP block custom list. How do you know it is 'getting through'? Is the IP a website that you are still able to reach? If I were in this situation and this was a list I made as opposed to a feed in PFBLOCKER, I would have an outgoing firewall rule on the LAN to block an IP alias. Probably would do a reject, interface: LAN (or whatever VLAN), IPv4/6, protocol: TCP/UDP (or any?), source: any, destination: single host or alias, 'your block list', destination port range: any or whatever you need there. Check LOG if you need to log. Done. Just edit the alias when you need to make changes.

        If it is a PFB feed, just curious, have you tried to disable/re-enable PFBLOCKER on the General tab instead of rebooting? Without knowing more it is hard to say; maybe a rule order thing. PFB does order rules, see the IP tab near the bottom. Still, for my own IP lists I prefer to put them in the firewall on the appropriate interface and adjust the rule order as needed.

        Tzvia

        Current build:
        Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
        16 gigs ram
        500gig WD Blue nvme
        Using modded BIOS (enabled CSTATES)
        PFSense 2.72-RELEASE
        Enabled Intel SpeedShift
        Snort
        PFBlockerNG
        LAN and 5 VLANS

        stephenw10 Netgate Administrator

          pfBlocker just adds firewall rules and aliases. If a firewall state already exists, it won't remove it.

          So you can search the state table for the open states and remove them or clear the state table entirely. Both are better than rebooting.

          Steve
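          As an added example (not from the thread or from pfSense itself), a small shell script for Steve's suggestion: it filters `pfctl -ss` output for the blocked host and, when run on the firewall, kills the matching states in both directions with `pfctl -k`. The sample state lines are constructed; the script assumes a pfSense/FreeBSD shell with pfctl and handles IPv4 addresses only.

```shell
#!/bin/sh
# Added example: find and kill pf states for one blocked IPv4 host so a
# freshly added pfBlockerNG block takes effect without a reboot.
# Assumes a pfSense/FreeBSD shell with pfctl; IPv4 only.

# Constructed sample in the shape of `pfctl -ss` output, for offline use.
# Third line shows the NAT form "src (translated) -> dst".
SAMPLE_STATES='igb0 udp 192.0.2.10:5060 <- 198.51.100.77:5060       MULTIPLE:MULTIPLE
igb0 tcp 192.0.2.10:22 <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
igb1 tcp 10.0.0.15:51000 (192.0.2.10:51000) -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
igb1 udp 10.0.0.20:53 -> 10.0.0.1:53       MULTIPLE:SINGLE'

# Filter state lines (stdin) whose source, destination or translated
# address is host $1. The host must be a whole token followed by ":port",
# so 10.0.0.1 does not also match 10.0.0.15.
states_for_ip() {
    # Escape dots so they stay literal in the regex.
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|[[:space:](])${pat}:[0-9]+([[:space:])]|$)"
}

# Count the states for host $1 in state table text $2 (pure function).
count_states_for_ip() {
    printf '%s\n' "$2" | states_for_ip "$1" | awk 'END { print NR }'
}

# Live use on the firewall: show, kill, then re-check states for $1.
kill_states_for_ip() {
    ip="$1"
    echo "States involving $ip before kill:"
    pfctl -ss | states_for_ip "$ip"
    pfctl -k "$ip"               # states originating from the host
    pfctl -k 0.0.0.0/0 -k "$ip"  # states from anywhere to the host
    echo "Remaining states involving $ip:"
    pfctl -ss | states_for_ip "$ip" || echo "(none)"
}

# Usage on the firewall: sh kill_states.sh 203.0.113.5
if [ "$#" -eq 1 ]; then
    kill_states_for_ip "$1"
fi
```

The same states can be located and killed from the GUI under Diagnostics > States by filtering on the address.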

            paul2019 @Tzvia

            @tzvia said in How do I drop black listed incoming traffic without rebooting the entire unit?:


            I can see it goes through since my VoIP system logs the unauthorized auth attempts. I haven't tried disabling and enabling pfBlocker yet. The reject rule does work pretty well, blacklisting before any other incoming open-port rules; it's just that once an IP hooks up, I have to reboot the unit to get it out of the wagon.

              paul2019 @stephenw10

              @stephenw10 said in How do I drop black listed incoming traffic without rebooting the entire unit?:


              Alright, that must be it then. Once it hooks up I've seen that IP in the open states of the firewall but forgot how to get there; I'll have a look and try dropping it manually next time another offending address jumps in.

              Thank you.
