Deny all except a country
-
Create the alias in pfblocker
Run an update - you will see it create the alias
===[ IPv4 Process ]================================================= [ US_v4 ] Downloading update .. completed .. ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload Updating: pfB_US_v4 1 table created.74833 addresses added. UPDATE PROCESS ENDED [ 08/26/19 19:42:59 ]You will then see it normal pfsense aliases, be able to view what it in it.. And then use it rules
-
@johnpoz Thank you sou much!!! is clear now!!! have a nice week..
-
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!
-
@johnpoz said in Deny all except a country:
It is a very powerful tool that is for sure.. And I love what he has done with the ability to create such aliases - I'm just not a big fan of auto firewall rules of any sort.. So when I have used it, I stick with what I believe is its strongest feature - and that is how easy it is to manipulate the geoip lists into very easy to use aliases..
Have fun!It's true, my contact is recent with the tool .. I already loved pfesense, now even more ... thanks once again
-
Keep in mind these lists of IPs are not going to be 100% accurate.. For one IP ranges move from country to country - more often then you would think.. And with the shortage of new IPv4 space - movement happens more often then back in the early days.
We just transferred some of our public space to the EU for example.. The blocks of addresses moved from arin to ripe.
-
@johnpoz Hi,
Thank you for the above help with creating the alias for certain countries in pfblockerNG.
Just 2 questions;
To complete the setup. I then go to my pfsense firewall rules and go to WAN. There I edit the open ports I have and under source I just choose alias and chose this list created in pfblocker.
Then no more blockrules is needed under the WAN port right? It just allows from the selected countries in the alias and to the specified port of the open service, then blocks the rest automatically if I got it right?I also wanna block some outbound trafic so I just go to the geoblock lists in pfblocker and select all countries I wanna block then hit "deny outbound" ?
This will create bunch of entries in my firewall rules each on a single line obv. Is there a way toc reate like a "block outbound to these countries" alias here as well?Last question; what does the "rep" mean after some countrylists?
Thanks!
-
I personally do not let pfblocker create any rules... I just use the aliases created, but you can do whatever makes you feel secure. Im just not an auto create rules sort of guy ;)
Post up the rules you did on both wan and lan and be happy to validate/discuss how they will do what you want or not, etc.
-
@incognito You can make an alias that covers multiple countries per my post above. Just keep adding lines and country codes.
re: "rep" I have been assuming "reputation" but don't recall how I got to that.
-
@teamits
rep == represented
https://dev.maxmind.com/geoip/geoip2/whats-new-in-geoip2/ -
@johnpoz said in Deny all except a country:
will then see it normal pfse
Thanks you very much, it is very clear and there are not post that explain it as well
