Traffic to FQDN is blocked by pfbNG even if it's on a pass rule



  • Hey

    I have a problem with pfblockerNG.  It is blocking communication to & from domains that are on a pass rule before the floating pfblocker's rules.  An example:

    Under pfbNG's alerts tab, I see that traffic to & from "luX.api.mega.nz" is being blocked because it belongs to country LU.  Fine, I intended to block traffic from that country.

    In the system wide aliases, I have an alias of "Hosts" type that I created and added "api.mega.nz"  in it.  I have not used "luX.api.mega.nz" because it constantly changes like so:

    lu2.api.mega.nz
    lu4.api.mega.nz
    lu6.api.mega.nz
    etc…

I would expect pfsense's filter to resolve the FQDN to a bunch of sub addresses or IPs.  That's why I omitted the "luX" from the alias entry.

    Then I have created a floating "PASS" rule ABOVE pfblockerNG's floating rules. I would normally expect this behavior to happen:

    Traffic to & from a specific domain, IP or FQDN hits the firewall's floating rules
    Traffic is redirected according to the first rule it matches from the top to bottom

    In my case, the Allow rule is at the very top, and refers to the alias I created.

    Why is "luX.api.mega.nz" always being blocked by pfbNG?

In pfbNG's options, the rules order is set to: pfsense Pass/match - pfB pass/match - pfB block/reject - pfsense block/reject


  • Moderator

    api.mega.nz has no A Record:

    host -t A api.mega.nz
    api.mega.nz has no A record
    
    

Pinging those sub-domains [ luX.api.mega.nz ] seems to ping to [ 31.216.147.X ] addresses… So you might want to whitelist 31.216.147.0/24

or use the ASN [ 24611 ], but that will add quite a few IPs to the whitelist… ASN can be used in the IPv4 Tab.. click the blue infoblock icons for further details.

    [Querying v4.whois.cymru.com]
    [v4.whois.cymru.com]
    AS      | IP               | AS Name
24611   | 31.216.147.135   | DCLUX-AS 2, rue Léon Laval, LU
    

    mwhois -h whois.radb.net !gAS24611 | tail -n +2 | tr -d '\nC' | tr ' ' '\n'

    80.92.64.0/19
    194.42.98.0/23
    195.206.104.0/22
    80.92.64.0/19
    194.42.98.0/23
    31.216.144.0/21
    89.37.200.0/21
    89.41.248.0/21
    94.177.88.0/21
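
The two points above, as an added example that is not part of the thread or of pfBlockerNG itself: a Hosts alias is expanded to the A records of that exact name only, so "api.mega.nz" (which has no A record) contributes nothing and the pass rule never matches, while the pfB country block lower in the floating list does. The DNS answers, the single LU prefix used as the country block, and the copy of the RADb route list are constructed stand-ins so the script runs offline; the helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed DNS answers (A records only) standing in for a real resolver so the
# script runs offline. "api.mega.nz" has no A record, exactly what the
# moderator's `host -t A api.mega.nz` lookup showed.
FAKE_DNS: Dict[str, List[str]] = {
    "api.mega.nz": [],
    "lu2.api.mega.nz": ["31.216.147.135"],
    "lu4.api.mega.nz": ["31.216.147.140"],
}


def resolve_alias(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Expand alias entries the way a Hosts/Network alias is expanded: literal IPs
    and CIDRs are taken as-is; a hostname contributes only the A records of that
    exact name. There is no wildcard: "api.mega.nz" never covers "lu2.api.mega.nz".
    """
    nets: List[ipaddress.IPv4Network] = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an address literal: treat it as a hostname and resolve it.
            for addr in FAKE_DNS.get(entry, []):
                nets.append(ipaddress.ip_network(addr))
    return nets


@dataclass
class Rule:
    name: str
    action: str                          # "pass" or "block"
    dst: List[ipaddress.IPv4Network]     # destination networks the rule matches


def first_match(rules: List[Rule], dst_ip: str) -> Optional[Rule]:
    """Floating rules are evaluated top to bottom; the first match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if any(ip in net for net in rule.dst):
            return rule
    return None


# Stand-in for pfBlockerNG's LU country block: the one AS24611 prefix from the
# thread that contains the pinged 31.216.147.X hosts (constructed, not the full GeoIP list).
LU_BLOCK = [ipaddress.ip_network("31.216.144.0/21")]


def evaluate(alias_entries: List[str], dst_ip: str) -> str:
    """Action taken for dst_ip under the poster's order: pfSense pass (alias)
    above the pfB country block. Returns "pass", "block" or "no-match"."""
    rules = [
        Rule("pfSense pass: alias", "pass", resolve_alias(alias_entries)),
        Rule("pfB block: LU", "block", LU_BLOCK),
    ]
    hit = first_match(rules, dst_ip)
    return hit.action if hit else "no-match"


def asn_prefixes_to_whitelist(route_lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """De-duplicate and aggregate a route list such as the RADb !gAS output,
    which repeats prefixes, before putting it in a whitelist."""
    nets = [ipaddress.ip_network(line.strip()) for line in route_lines if line.strip()]
    return list(ipaddress.collapse_addresses(nets))


# Constructed copy of the AS24611 route list quoted above, duplicates included.
AS24611_ROUTES = """80.92.64.0/19
194.42.98.0/23
195.206.104.0/22
80.92.64.0/19
194.42.98.0/23
31.216.144.0/21
89.37.200.0/21
89.41.248.0/21
94.177.88.0/21""".splitlines()


if __name__ == "__main__":
    print(resolve_alias(["api.mega.nz"]))                  # [] -> the pass rule matches nothing
    print(evaluate(["api.mega.nz"], "31.216.147.135"))      # block
    print(evaluate(["31.216.147.0/24"], "31.216.147.135"))  # pass
    for net in asn_prefixes_to_whitelist(AS24611_ROUTES):
        print(net)                                          # 7 unique prefixes
```

The alias check is the whole story: with "api.mega.nz" the pass rule carries an empty address set and the packet falls through to the country block, while a /24 or an aggregated ASN list gives the pass rule something to match. Aggregating the route list also keeps the whitelist free of duplicate entries.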
    


  • Anthony,

    I have an issue with the IPV4 function.  I want to white-list some hosts by hand after they have been blocked by IPV4 because they are on some lists I use.

I created an alias in IPV4, selected "Permit Both" for the List Action, set the update freq to weekly, and added my IPs to whitelist in the "IPv4 Custom list" in the following format:

    38.229.36.110  # asn.cymru.com
    64.62.136.54    # forums.freenas.org
    205.189.10.44  # weatheroffice.ec.gc.ca
    38.229.36.206  # team-cymru.org

I ran an update, then a force reload.  These IPs are still blocked by IPv4.  I rebooted pfsense, to no avail.

    What am I doing wrong?


  • Moderator

    Typically best to use "Permit Outbound", so that it only allows access to those IPs when the LAN makes the request…

    Also ensure that the Permit rule is above the Block rules on the LAN interface. If you're using "Auto type" rules, you might need to select the correct "Rule Order" option in the General Tab.



  • @BBcan177:

    Typically best to use "Permit Outbound", so that it only allows access to those IPs when the LAN makes the request…

    Also ensure that the Permit rule is above the Block rules on the LAN interface. If you're using "Auto type" rules, you might need to select the correct "Rule Order" option in the General Tab.

Thanks for your reply.  I think the rules order was the problem.  I completely forgot to change it from defaults after I had reinstalled the package and did not click the checkbox to retain the settings.

    Thanks Anthony!


  • Moderator

    @lpallard:

    @BBcan177:

    Typically best to use "Permit Outbound", so that it only allows access to those IPs when the LAN makes the request…

    Also ensure that the Permit rule is above the Block rules on the LAN interface. If you're using "Auto type" rules, you might need to select the correct "Rule Order" option in the General Tab.

Thanks for your reply.  I think the rules order was the problem.  I completely forgot to change it from defaults after I had reinstalled the package and did not click the checkbox to retain the settings.

    Thanks Anthony!

    Anytime my friend :)

