Netgate Discussion Forum
    Only allow certain countries

      fireix

      pfBlockerNG is supposed to do this, but I still haven't figured it out: How can I apply different restrictions per IPs (alias)?

      From what I can understand, pfBlockerNG can only have one rule. So if you want to allow traffic from the US for some IPs and some others from the UK, that is not possible. Or am I missing something here?

        johnpoz LAYER 8 Global Moderator

        Pretty sure you can create whatever aliases you want in pfBlocker and then use those aliases in rules. I have not used it in a while; I personally have no need for it. But I could reinstall to validate what I believe to be true.

        But you might be right, you might only be able to create 1 country blocking alias - brb, going to install it.

        Edit: OK, out of the box it only has specific aliases you can edit (top20, Asia, North America, Europe, etc.), but you can create your own aliases using the country listings located in the

        /usr/local/share/GeoIP/cc/US_v4.txt  (Change 'US' to required code)

        So you could create your own lists, picking the files that contain the IP ranges of those countries you're wanting to block, and then use those aliases in your rules.

        Go to Firewall pfBlockerNG Edit IPv4 for example, create an alias, then click that little i next to the list setting and it will show you the form to use to use the local GeoIP text files to create your own aliases.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          fireix

          This is so annoying to do for every alias I want with countries - why couldn't pfSense do like many other firewalls and just have a simple way to allow traffic to/from selected country/countries?

          I see I was earlier able to get a Europe alias (URL) in my firewall, but I have no idea how I created that - the manual says there should be an "alias only" choice some place, but I do not see it in my new interface.

            fireix

            The image below is from the manual and shows an "Alias only" option in the dropdown. It would have solved my problem and I think it is how I created my original URL alias (https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Europe_v4).

            But I don't have this dropdown or anything similar to it in my newer v2.3.2 version of pfSense.

            https://www.derman.com/blogs/Setting-Up-Country-Blocking

            https://www.derman.com/Resources/Blogs/pfBlockerExampleWorldAreaConfig.png

              bbrendon

              I just ran into a few issues with this. If you're just doing this for countries on one continent then the built-in pfBlocker features work okay. You just select the country you want and select the inverse.

              If you're doing this for countries that spread across multiple continents then it seems doing your own alias works best. Create an "Alias Native" and then add a rule that says "if not in alias, then block".

              I attached a picture of the configuration in pfBlockerNG. I didn't include the rule. Also, this is on pfSense 2.3.2.

              country.png
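
The approach described in the posts above (a custom alias built from the per-country files, with a rule "if not in alias, then block") can be checked offline before the rules go live. This is an added example, not code from any poster or from pfBlockerNG; it assumes each `<CC>_v4.txt` file holds one IPv4 CIDR per line, and the function names, the policy names and the sample ranges are constructed for illustration.

```python
"""Added example: audit country allow-lists built from pfBlockerNG-style
country files (<CC>_v4.txt, assumed to hold one IPv4 CIDR per line)."""
import ipaddress
import tempfile
from pathlib import Path

def load_country(cc_dir, code):
    """Parse <cc_dir>/<CODE>_v4.txt into a list of IPv4 networks."""
    if not (len(code) == 2 and code.isascii() and code.isalpha()):
        raise ValueError(f"bad country code: {code!r}")
    nets = []
    path = Path(cc_dir) / f"{code.upper()}_v4.txt"
    for line in path.read_text().splitlines():
        line = line.split("#", 1)[0].strip()  # tolerate comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def build_alias(cc_dir, codes):
    """Merge several countries into one collapsed list, like a custom alias."""
    merged = [n for code in codes for n in load_country(cc_dir, code)]
    return list(ipaddress.collapse_addresses(merged))

def verdict(source_ip, alias):
    """Mirror the rule 'if not in alias, then block'."""
    ip = ipaddress.ip_address(source_ip)
    return "pass" if any(ip in net for net in alias) else "block"

def make_sample_dir():
    """Constructed sample data (documentation ranges, not real GeoIP data)."""
    d = Path(tempfile.mkdtemp())
    (d / "US_v4.txt").write_text("192.0.2.0/25\n192.0.2.128/25\n")
    (d / "GB_v4.txt").write_text("198.51.100.0/24\n")
    (d / "DE_v4.txt").write_text("# constructed\n203.0.113.0/24\n")
    return d

if __name__ == "__main__":
    cc = make_sample_dir()
    # Hypothetical policy: a different country list per group of hosts.
    policy = {"web_servers": ["US"], "mail_servers": ["GB", "DE"]}
    for name, codes in policy.items():
        alias = build_alias(cc, codes)
        for src in ("192.0.2.200", "198.51.100.7"):
            print(name, codes, src, verdict(src, alias))
```

On a real system, point `build_alias` at a copy of the country-file directory instead of the constructed sample directory.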

                RonpfS

                You can also use the GeoIP tab  ;)

                2.4.5-RELEASE-p1 (amd64)
                Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                  bbrendon

                  Well, maybe. But I doubt it will solve the problem I described.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.