Netgate Discussion Forum

Floating rules not working

  • E
    empbilly
    last edited by Oct 13, 2016, 11:29 PM Oct 12, 2016, 10:03 PM

    Hello,

    After installing pfBlockerNG and enabling it, we noticed that some queries to our DNS server were being blocked. I tried to change the order to |pfSense Pass/Match|pfB_Pass/Match|pfB_Block/Reject|, but it is still blocking.

    I unchecked the floating rule option and the queries worked again.

    pfsense Version: 2.2.5-RELEASE (amd64)
    pfBlockerNG Version: 2.0.6

    Is this a known bug?

    https://eliasmoraispereira.wordpress.com/

    • R
      RonpfS
      last edited by Oct 12, 2016, 10:12 PM

      You didn't provide much information.

      What does the Alerts tab show as being blocked?

      What lists do the blocks come from?

      Do you have suppression enabled? Enabling suppression will remove IPs such as 127.0.0.1, 0.0.0.0, etc.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • E
        empbilly
        last edited by Oct 13, 2016, 1:50 PM

        @RonpfS:

        You didn't provide much information.

        What does the Alerts tab show as being blocked?

        What lists do the blocks come from?

        Do you have suppression enabled? Enabling suppression will remove IPs such as 127.0.0.1, 0.0.0.0, etc.

        I noticed these blockages because registro.br (http://www.nic.br/pagina/nicbr-atividades-registro-br/159) makes periodic tests verifying that the DNS published by them is still operational. It was from that point that I began testing why our DNS was not resolving some "queries". Apart from this issue, pfBlockerNG is helping me a lot.

        I have enabled suppression because we use public IPs.

        E.g., with the pfBlockerNG rules set as floating rules:

        # nslookup
        server <ip_of_my_dns_server>
        set q=AAAA
        www.poa.ifrs.edu.br

        It always shows the connection timeout message.

        The same example as above, but with the pfBlockerNG rules configured on each VLAN and the |pfSense Pass/Match|pfB_Pass/Match|pfB_Block/Reject| option checked, always shows the correct information with the nslookup command.

        I believe that is good information, and there may also be a bug in this release regarding the floating rules.

        https://eliasmoraispereira.wordpress.com/

        • B
          BBcan177 Moderator
          last edited by Oct 15, 2016, 6:39 PM

          This is not a bug with the package…

          If you use the GeoIP rules and depending on what Countries you add, you can block access to the Root DNS Servers. So it's up to how you configure the rules and the blocklists... Anything being blocked will show in the Alerts Tab.

          Here is an IP list of the Root DNS Servers, which should not be blocked...
          https://www.internic.net/domain/named.root

          btw - I am not actively maintaining pfBlockerNG in pfSense 2.2.x... Best to move to pfSense 2.3.x asap...

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/
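
One way to check a blocklist against the root server list mentioned in the last reply, as an added example that is not part of the thread and not pfBlockerNG code. The sample root hints excerpt and blocklist entries are constructed, the function names are hypothetical, and the blocklist format (one CIDR or IP per line, `#` comments) is an assumption.

```python
import ipaddress

# Constructed excerpt in named.root format; for a real check, load the file
# from https://www.internic.net/domain/named.root instead.
SAMPLE_NAMED_ROOT = """\
; constructed excerpt
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
"""

# Constructed blocklist (one CIDR or IP per line), not a real pfBlockerNG feed.
SAMPLE_BLOCKLIST = """\
192.5.4.0/23
203.0.113.0/24   # documentation range
2001:500:2f::/48
not-an-ip
"""

def parse_root_hints(text):
    """Return (hostname, address) for each A/AAAA record; ';' starts a comment."""
    servers = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[2].upper() in ("A", "AAAA"):
            servers.append((fields[0].rstrip(".").lower(),
                            ipaddress.ip_address(fields[3])))
    return servers

def parse_blocklist(text):
    """Return networks from the list, skipping blanks, '#' comments and junk."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        try:
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # malformed entry: ignore rather than abort the check
    return nets

def blocked_root_servers(root_text, blocklist_text):
    """Return (hostname, address, matching network) for every root server hit."""
    nets = parse_blocklist(blocklist_text)
    return [(name, str(ip), str(net))
            for name, ip in parse_root_hints(root_text)
            for net in nets if ip.version == net.version and ip in net]
```

Any tuple returned by `blocked_root_servers` names a root server address covered by a block entry, which is the condition described above as something that should not be blocked.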
