Block IP from WAN



  • Hi!

    I would like to block specific IPs from WAN.
    What would be the best solution for this?

    And can I create some list that I can just add IPs to in the future, and not one rule for each IP?



  • Create an alias, call it 'blocked-IPs' or some such. Add your IPs to the alias list. Create a block rule on your WAN and set the source to the 'blocked-IPs' alias you created earlier. If you need to add another IP, add it to the alias and save the change.



  • Ah ok thanks!



  • PS: Make sure you keep an eye on the order of your block/allow rules. Rules are applied from the top down, so your block rule will need to be positioned before a more permissive rule (if it exists). This is entirely dependent, of course, on what inbound rules you may already have and how permissive or restrictive they are.



  • What "type" should I use? Host, network?

    We are talking about the alias under the Firewall drop-down?



  • @Danne84:

    What "type" should I use? Host, network?

    Whichever works for you. If you want to block a range of IPs, then use network. Otherwise if it's individual IP addresses you want, then choose host.

    @Danne84:

    We are talking about the alias under the Firewall drop-down?

    Yes, that's the one. You just add the alias when you create the block rule in the Source section, choosing 'single host or alias' from the drop-down list and typing in the name of the alias in the 'address' field.



  • Hum ok..

    I have created the alias and added the network. I see that I can also use FQDN.

    And after that I only have to create a block rule in the firewall rules?

    I'm running 2.3.1 btw.


  • LAYER 8 Global Moderator

    You do understand that all unsolicited traffic to your WAN IP is blocked by default. The only reason to block specific IPs on your WAN would be if you don't want them using ports you have forwarded. So you need to make sure that block rule is above your forward allow rule. A block rule on the WAN that blocks 4.5.6.7 from talking to your WAN does not stop a box on your LAN from starting a conversation with 4.5.6.7. pfSense would allow the return traffic because it is in answer to a state one of your clients created and that was allowed per the LAN rules.

    What exactly are you trying to stop from happening: IPs on the internet accessing, say, your port forward to your webserver or SSH server, or your clients behind pfSense going somewhere?
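As an added illustration (not pfSense code, and not from anyone in this thread), the following Python model shows the two points made in the post above: pfSense evaluates WAN rules first-match (its generated pf rules carry the 'quick' keyword), so a block rule on an alias only bites if it sits above the port-forward allow rule; and the state table is consulted before the rule set, so a WAN block rule does not affect replies to a connection a LAN client opened. The alias contents, addresses and port numbers are constructed, and the model is simplified (no NAT rewrite of the forwarded destination is shown).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of pfSense-style WAN rule evaluation; not pfSense code.


def alias(*entries):
    """A named list of hosts/networks, like the 'blocked-IPs' alias in the thread.
    A single host is just a /32 network, which is the host-vs-network choice."""
    return [ip_network(e, strict=False) for e in entries]


@dataclass
class Rule:
    action: str                   # "block" or "pass"
    src: Optional[List]           # alias (list of networks) or None for "any"
    dport: Optional[int]          # destination port, None for any port

    def matches(self, src_ip, dport):
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is None:
            return True
        ip = ip_address(src_ip)
        return any(ip in net for net in self.src)


class WanFirewall:
    """Evaluates WAN rules first-match (pf 'quick') and keeps a state table."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # The state lookup happens before the rule set: replies to a connection
        # a LAN client opened are passed even if the source is in a block alias.
        if (dst_ip, dst_port, src_ip, src_port) in self.states:
            return "pass (state)"
        for rule in self.rules:          # top down, first match wins
            if rule.matches(src_ip, dst_port):
                return rule.action
        return "block (default)"         # unsolicited WAN traffic is blocked by default

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        # Outbound traffic is governed by the LAN rules (assumed permissive here);
        # the firewall records a state so the reply can come back in.
        self.states.add((lan_ip, lan_port, remote_ip, remote_port))
        return "pass"


# Constructed example addresses (documentation ranges), not real hosts.
BLOCKED = alias("4.5.6.7", "203.0.113.0/24")
BLOCK_BAD = Rule("block", BLOCKED, None)        # block alias members, any port
WEB_FORWARD = Rule("pass", None, 80)             # allow rule for the web server port forward


def correct_order():
    """Block rule above the port-forward allow rule, as the thread advises."""
    return WanFirewall([BLOCK_BAD, WEB_FORWARD])


def wrong_order():
    """Block rule below the allow rule: the allow matches first and wins."""
    return WanFirewall([WEB_FORWARD, BLOCK_BAD])


if __name__ == "__main__":
    fw = correct_order()
    print("correct order, 4.5.6.7 -> :80 :", fw.inbound("4.5.6.7", 40000, "192.0.2.1", 80))
    print("wrong order,   4.5.6.7 -> :80 :", wrong_order().inbound("4.5.6.7", 40000, "192.0.2.1", 80))
    print("LAN client opens 4.5.6.7:443  :", fw.outbound("192.168.1.50", 50000, "4.5.6.7", 443))
    print("reply from 4.5.6.7:443        :", fw.inbound("4.5.6.7", 443, "192.168.1.50", 50000))
```

The last two lines of the usage block are the moderator's point: the same firewall that blocks 4.5.6.7 on the WAN passes its reply to a LAN-initiated connection, because the state, not the WAN rule set, decides that packet.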



  • For example I'm going to run a webserver on this site, but I would like to block specific IPs if there should be some strange traffic to it from an IP.
    And I have seen several times that all firewalls do not block all the "weird" traffic.



  • @Danne84:

    For example I'm going to run a webserver on this site, but I would like to block specific IPs if there should be some strange traffic to it from an IP.
    And I have seen several times that all firewalls do not block all the "weird" traffic.

    Believe me, pfSense does block all "weird traffic". If it doesn't, you have a serious misconfiguration.

    Everything so far in your problem description is just incredibly vague, why not give us a concrete example of what you're trying to do?



  • Block IPs manually because I just want to be able to do it. Simple as that.


  • LAYER 8 Global Moderator

    So as I understand it, your statement is you have traffic forwarded to your webserver. And if you see something in your logs like IP 1.2.3.4 doing odd queries to your webserver, you want to then create a rule that says 1.2.3.4 cannot talk to your webserver.

    Sure, that is very easy to do; just make sure your rule that blocks 1.2.3.4 is above the rule on your firewall that allows the traffic to your webserver.

    Vs blocking after the fact, you could use something like the pfBlocker package to block based on country and bad spammers like China, Russia, etc.. Unless you have visitors to your site from those countries..

    Here is what I would advise: securing your webserver is your best line of defense. You're open to the public internet; you're going to see all kinds of odd traffic to a webserver. If you go in after the fact and block those IPs, they are probably just going to be different tomorrow, or the next hour, etc. You're going to be doing nothing but updating this list.

    If you want to not allow known bad IPs to talk to your webserver that is fine, but where are you getting this list of known bad IP ranges? Cuz it's going to be HUGE ;)  pfBlocker comes in handy for this sort of thing..

    So for example you see my WAN rules. I block and log any IP in the pfBlocker top 20 list and log that; I also block them from talking to my NTP server via UDP but do not log this - too much noise..  They are not in the US and shouldn't be using my NTP server anyway ;)




  • ^Agree with this.

    If you spend your days blocking IPs that just send random traffic your way, you'll be playing IP Whack-a-Mole forever and a day. You'd be better off consulting your web server logs from time to time to check for external hosts running scans on your system (directory traversal checks, PUT methods, etc.) and just blocking those hosts which are actively scanning your system for vulnerabilities. There's a lot of backscatter traffic on the web, so you're bound to see quite a bit of noise on your WAN side anyway.
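As an added example (not from the thread or from the pfSense project), here is a Python scan over constructed access-log lines in the Apache/nginx combined format that flags the behaviours named in the post above, directory-traversal paths and PUT requests, plus hosts that rack up 404s, and emits the flagged addresses as host entries for the block alias. The log lines, addresses, the 404 threshold and the list of unwanted methods are all constructed assumptions; adjust them to what your server actually serves.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (documentation
# addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2016:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/7.47"
198.51.100.23 - - [10/Jun/2016:10:01:06 +0000] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "curl/7.47"
192.0.2.88 - - [10/Jun/2016:10:02:11 +0000] "PUT /upload.php HTTP/1.1" 405 0 "-" "python-requests/2.9"
203.0.113.7 - - [10/Jun/2016:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.88 - - [10/Jun/2016:10:03:30 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "python-requests/2.9"
this line is not a valid log record and is skipped
"""

# One combined-format record: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods a plain web site has no reason to accept from the public (assumption;
# trim this if the site legitimately serves a REST API).
UNWANTED_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def traversal_in(path):
    """True if the request path contains a parent-directory traversal, either
    literally or after one round of percent-decoding (covers ..%2f style)."""
    candidates = (path, unquote(path))
    return any(marker in c for c in candidates for marker in ("../", "..\\"))


def scan(log_text, notfound_threshold=5):
    """Return {client_ip: sorted list of reasons} for hosts that look like scanners."""
    reasons = defaultdict(set)
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # malformed record: skip, never guess
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if traversal_in(path):
            reasons[ip].add("directory traversal")
        if method in UNWANTED_METHODS:
            reasons[ip].add("method " + method)
        if status == 404:
            not_found[ip] += 1
    # Many 404s from one client is path guessing; the threshold keeps a user
    # with one stale bookmark out of the alias.
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            reasons[ip].add("%d x 404 (path guessing)" % n)
    return {ip: sorted(r) for ip, r in reasons.items()}


def alias_entries(findings):
    """Flagged clients as host entries for the block alias, one per line, sorted numerically."""
    return sorted(findings, key=ip_address)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip in alias_entries(found):
        print(ip, "->", "; ".join(found[ip]))
```

Each address this prints is a candidate for the alias, with the reason beside it so the decision is still a human one; pasting the first column into the alias is the only pfSense step, and the block rule already on the WAN picks the new entries up on save.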



  • I'm not sure there is even a point to manually blocking them at all.  Spend your time hardening your web configuration instead.  Botnets made up of thousands or tens of thousands of compromised systems scan the Internet all day long, and like muswell said, you will be playing Whack-A-Mole entering IP addresses every day.

