• 0 Votes
    3 Posts
    374 Views

    @SteveITS I use pfBlocker only to generate GeoIP lists. So, I use these lists for allow/block rules on WAN interfaces.

  • 0 Votes
    11 Posts
    2k Views

    @SteveITS You are correct, I did not see that. But either way it would not have worked, as I was having a driver issue with Realtek NICs; switched to Intel's and most if not all errors in the log(s) are gone. Besides, because of the NIC error GeoIP never got installed correctly. It never downloaded the file(s) or database, so either way I would have gotten a 401 or 404.

    One other rabbit I had to chase was the Firewall Maximum Table Entries issue; I had to increase it from 40000 to 4000000 to stop the allocation error messages, got that resolved. From the log I was at 798000 with all the GeoIP and other stuff selected. Once I learn what I need and what is just my insanity I'll change it.

    I believe I am up and running; have no idea how protected I am. Still learning how to interpret the logs. I see a lot of blocks and a lot of passes, but the passes are from loopback and DNS (53) and a few others, and the passes are only outgoing. From what I can tell all inbound is blocked, and blocked even on the open ports I specified to be open (special rule) to allow only a specific range of IPs to pass to those ports, same as the Zywall USG20-VPN, but the Zywall GUI was easier, though limited. pfSense is more granular, but seems more effective. Kind of like the Cisco PIX, it's just understanding the syntax (pfSense) and the flow. I think I am getting there.

    This forum is great; getting support for the Zywall (well, I'll be nice) is like pulling your teeth out with pliers. The cost kept going up but the options kept going down. I have been paying for 1 GB for almost 2 years, but because of the Zywall I was getting like 300 MBPS. Bought the USG60 only to find out it was not any better in throughput, and the only way for 1 GB was to buy business class, and then the VPN clients and then the Content Filter and then the Anti-Spam, but those are yearly costs and not one-time licenses. Most of the licenses on my Zywall were expired, just too expensive to maintain. I got the Zywall because of work, needed to be secure.

    Well anyway sorry for rambling on, but this forum rocks. Easy to get answers and very informative.

    I thank you
    Dark Knight out.

  • 0 Votes
    4 Posts
    1k Views

    @ericafterdark I'm actually one of the authors of ctrld. If you're into fancy DNS routing, you may dig this article on how to use ctrld with pfSense, and what you can accomplish with it, especially if you use Control D as an upstream. https://github.com/Control-D-Inc/ctrld/wiki/pfSense-and-OPNsense-Operations-Guide

  • 0 Votes
    11 Posts
    2k Views
    NogBadTheBad

    @steveits said in Geoblocking the world except for home:

    @nogbadthebad Since you showed "Alias Permit", just be aware that it reportedly de-dupes across other permit or deny lists. There was a thread last year sometime where someone pointed out IPs were being removed. Alias Native will leave the lists unchanged.

    Cheers I've changed them :)

  • 0 Votes
    14 Posts
    2k Views

    @yquirion I was surprised as well and was hoping it did not change my configuration, which it did not. I was not aware of querying the database, so I learned a very nice thing from you as well.

  • 1 Votes
    35 Posts
    8k Views

    @johnpoz
    Actually, when some other agency or corporation gets the MaxMind customer database plus the ISP databases that nowadays you can bet are automatically available... yes, then someone could have a complete picture... It amazes me how people don't care about privacy and don't seem to understand that no privacy means no democracy... Do we still value democracy over money or convenience?
    You don't know what MaxMind actually is... so I suggest updating pfBlockerNG to use another geolocation database and preparing it to accept other options more easily. There's always the possibility of a fork.