Protecting Open Ports with pfBlocker



  • Hi All!

I am brand new to pfSense and pfBlocker and have a question (might be a multi-parter, though). I want to protect some open ports I have and am in search of the best way to do that. So far it seems that using pfBlocker to block access to those ports from everywhere but the US is a good (but maybe not best?) way to go.

    When I first attempted to configure PFB to do this I did the following:

    1)  Created alias containing the open ports
    2)  Selected both US items in the "North America" tab of PFB
    3)  Set to Permit Inbound (which I thought would work well in conjunction with the default deny rule…)
    4)  Set Advanced Inbound to the open ports alias on Custom DST Port

    What happened was I was seeing a lot of firewall rules allowing traffic to the internal IP the ports forward to from external US IPs, but I was still able to access the services from Canada, Germany, etc. when I tested using a VPN.

    I have since switched items 3 & 4 above to be "Deny Inbound" and "Invert Source" added to Advanced. Now I am seeing blocked non-US IP log entries, and I am no longer able to access the services from other countries when testing using my VPN. So... it appears to be working correctly.

    My main questions now are:  1)  Aren't I kind of taking the "block the world" approach, which I've seen everywhere as not recommended, by denying the inverse?  2)  Is this the best way to accomplish my goal (both using pfBlocker and just in general to protect those open WAN ports)?

    Many thanks and forgive the newbness :)

    Scott


  • Moderator

    You should go back to the first method and recheck your steps… The permit option is the best.



  • Thank you for the reply!

    I went back in and switched back to Permit Inbound and unchecked the Inverse option.  I confirmed the package is enabled, did a force update, and verified the rule it created shows in the FW rules list.  The Custom DST Port is still set to the Alias containing my open ports (2 single ports and 1 range).

    I am back to seeing log entries of permitted traffic from the US, but I am again ABLE to access the services belonging to those ports from outside the US (I tried Canada and Germany from my VPN and on a separate network entirely).

    I'm not sure why Inverse Deny works and this way does not. It seems to me they should accomplish the same goal with the same resources as they both utilize the smaller list of only US IPs (i.e. "Is this IP on the list? Allow" and "Is this IP not on the list? Deny"), but then again, I am decidedly not a programmer! :) Now that I think about it, the permit option won't search the ENTIRE list EVERY time to determine the IP isn't on it before denying, whereas the Permit will stop as soon as a match is found. So I'll adjust my understanding to say that it still seems they should both achieve the same goal, but the Permit option should be somewhat (even though maybe not a LOT) less resource intensive.

    Thanks again for the reply, any further help / suggestions would be appreciated as I'd prefer to utilize the less resource intensive approach with my SG-1000 Micro Firewall.

    Scott



  • Another thought / question:  Doesn't opening a port negate the "default deny" rule for that port, essentially applying a "default permit" rule to the open port as the whole purpose of the open port is to allow all incoming traffic unless told otherwise?

    If I understand that correctly, then the Inverse Deny working while the Permit not working makes sense as an open port already permits everything.

    Scott



  • It depends on your WAN FW rules.
    By default everything is blocked by the default Block rule.

    So adding a single Permit rule from the "Selected GeoIPs" to the "Selected WAN Port(s)" to the "Selected Destination" should only allow those IPs to hit the open ports.
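As an added illustration (not code from the thread, pfSense or pfBlockerNG), here is a small first-match model of the WAN rule set in Python that reproduces the behaviour Scott saw. It assumes the port forwards carry an associated any-source pass rule that sits below the pfB_ rules; that assumption is not stated in the thread, and the ports and country codes are constructed.

```python
# Added example (not pfSense or pfBlockerNG code): a first-match model of a WAN
# rule set, showing why a pfBlockerNG "Permit Inbound" GeoIP rule by itself does
# not fence off a forwarded port while "Deny Inbound" + "Invert Source" does.
# Assumption not stated in the thread: each port forward carries an associated
# pass rule (any source -> forwarded port) that sits below the pfB_ rules.

OPEN_PORTS = {443, 8443, *range(5000, 5010)}  # constructed stand-in for the alias
US_ONLY = {"US"}                                # GeoIP list reduced to country codes

def rule(action, src, ports, invert_src=False, name=""):
    """One WAN rule. src is a set of country codes, or None for 'any source'."""
    return {"action": action, "src": src, "ports": ports,
            "invert": invert_src, "name": name}

def evaluate(rules, src_country, dst_port):
    """First match wins (pf 'quick' semantics); no match -> pfSense default deny."""
    for r in rules:
        src_hit = True if r["src"] is None else (src_country in r["src"])
        if src_hit != r["invert"] and dst_port in r["ports"]:
            return r["action"], r["name"]
    return "block", "default deny"

nat_pass = rule("pass", None, OPEN_PORTS, name="NAT associated pass")
pfb_permit = rule("pass", US_ONLY, OPEN_PORTS, name="pfB_NAmerica permit")
pfb_deny_inv = rule("block", US_ONLY, OPEN_PORTS, invert_src=True,
                    name="pfB_NAmerica deny (inverted source)")

CONFIGS = {
    "permit + nat pass": [pfb_permit, nat_pass],          # thread's first attempt
    "deny inverted + nat pass": [pfb_deny_inv, nat_pass],  # what worked
    "permit, no nat pass": [pfb_permit],                  # pfB rule is the only pass
}

def check_configs(countries=("US", "DE"), port=443):
    """Map config name -> {country: action} for one forwarded port."""
    return {name: {c: evaluate(rules, c, port)[0] for c in countries}
            for name, rules in CONFIGS.items()}

if __name__ == "__main__":
    for name, result in check_configs().items():
        print(f"{name:28} {result}")
```

In this model the Permit approach only fences the port when no other pass rule covers it, which in pfSense corresponds to the port forward's "Filter rule association" not adding its own any-source pass rule.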

