[SOLVED] Floating Rules/Rule Order
-
I am looking for direction as there is a specific ruleset order I am attempted to accomplish. The default Rule Order's did now allow my setup without making a mess of the order I already had in place and so I set floating rules. I am running into an issue where I need the "Quick" option disabled as I would like to manage the list as an Alias in my WAN Rules. I looked for a few obvious fixes but it does not look like you can use pfBlocker in this way? Unless there is another way I am looking to edit the following file to disable quick by default but it does does not seem to be working. At this time I only need the lists to update without editing the rules that are in place. Please advise.
-
Hi zilla,
In the General Tab, there are several different "Rule Order" options, did you try those?
You are not forced to use "Auto type" rules…. You can easily opt to use "Alias type" ( ie: Alias_Deny ) and manually create your own rules as you wish.... The pfBlockerNG package will collect the IPs and put them into alias tables, and these alias tables can be easily referenced in any manually created firewall rules...
Please review the blue infoblock icon in the IPv4 Tab / List Action, for more details on this approach…
I would think that with a "Floating" type rule, that you would want the "quick" option to be selected, since in the Floating Tab, the last rule that matches "wins".... so the quick option halts that process when the rule is matched.
-
In the General Tab, there are several different "Rule Order" options, did you try those?
-None of these options will allow all rules to work successfully as it will reorder improperly.
You are not forced to use "Auto type" rules…. You can easily opt to use "Alias type" ( ie: Alias_Deny ) and manually create your own rules as you wish.... The pfBlockerNG package will collect the IPs and put them into alias tables, and these alias tables can be easily referenced in any manually created firewall rules...
Please review the blue infoblock icon in the IPv4 Tab / List Action, for more details on this approach…
-How can I full advantage of GeoIP block lists and disable Floating Rules/Rule Order to incorporate IPv4 Alias Rules?
I would think that with a "Floating" type rule, that you would want the "quick" option to be selected, since in the Floating Tab, the last rule that matches "wins"…. so the quick option halts that process when the rule is matched.
-This will allow some of the county lists to supersede specific allow rules or allow blanket allows to trump country denies.
-
I already provided your solution above.
Select the "Alias type" options in the "List Action" settings. (IPv4/6/GeoIP etc). Then you can manually create the rules as you require and reference the applicable alias table that the package creates.
Click the blue infoblock icons for additional details.
-
I already provided your solution above.
Select the "Alias type" options in the "List Action" settings. (IPv4/6/GeoIP etc). Then you can manually create the rules as you require and reference the applicable alias table that the package creates.
Click the blue infoblock icons for additional details.
Extremely sorry and I do not mean to be a novice but how would I also allow my rule order to work? I would need a way to not allow the default rules to be added to Floating/WAN rules and still update. Are you saying settle with a rule order of pfBlocker rules on bottom and re-reference my rules, duplicating the rules, allowed in the middle?
-
When you click on the
infoblock for List Action in the IPv4/IPv6/GeoIP tabs, it opens to this:
If you select the Deny_Inbound, Deny_Outbound or Deny_Both type options, it will AUTO create the Firewall Rules for you, using the Rule Order setting that you configured in the General Tab… These are typical-use scenario Auto-Rule ordering options…
These Auto Rules, might not fit with your network requirements, so instead you can select the Alias Type options which are highlighted above in the red boxes. These Alias Type options WILL NOT create any Firewall rules…
With Alias Type settings, you will need to manually create all of the Firewall Rules, so that it fits with your network requirements… Review one of the Auto-Created rules as an example of how to manually create these Firewall Rules…
Also, ensure that you read the last NOTE above, and prefix these pfBlockerNG manually created rules with pfb_ ( lowercase )… This is required so that the Widget knows which rules are for pfBlockerNG.
Hope that helps!
-
Everything is starting to come together. This makes perfect sense! Exactly what I was looking for. At first I had no idea what you were saying but it was that I never fully read to understand these settings on these pages. Sorry to waste your time and thank you!
