Inbound on WAN to specific ports, allow specific country only
-
I apologize if this has been answered, but I am having trouble finding the solution. I have a couple of NAT port forwards with corresponding ports open on the WAN interface.
I am trying to only allow incoming on WAN to specific ports from a specific country. Following the guidance I have seen, I am not blocking the world, but rather only permitting the country I want to allow.
I created an alias including a list of all of the forwarded/opened ports for pfBlocker. In the GeoIP tab, under the "North America" tab, I selected "United States" and chose "Permit Inbound"; under advanced inbound rules, I added my alias of ports to the incoming ports list.
This creates two rules on my floating rules tab allowing only incoming from those countries.
Two things are happening which I do not expect:
- It is not actually blocking incoming connections from outside of the country.
- It is logging an alert for every single connection to the country (inbound or outbound) in the permit section of the alerts tab (which is tens of thousands per minute)
I tested it again, creating only an alias for the country block, and added that alias to the source address of my NAT rules, and that works as expected. Although it doesn't log any sort of alert that a connection was permitted, since the rule is not related to pfB.
So I can get it to work using manual rules from the pfb aliases, but I am wondering why the auto-rules are not working as expected.
Can anyone shed some light on this?
-
Did you set the protocol in the Adv. Inbound settings?
-
Did you set the protocol in the Adv. Inbound settings?
Yes, TCP/UDP
pfBlockerNG > GeoIP > North America
- US and US_rep selected for both IPv4 and IPv6
- Action: Permit Inbound
Advanced Inbound:
- Custom DST Ports (checked) - Alias name filled in
- Custom Proto - TCP/UDP
Advanced Outbound: Defaults
When I look at the auto-created rules (which are floating), the "Direction" field is "any" - if I manually change it to "in" - it still does not work as expected.
It seems likely that this is due to the NAT port forward rules being processed before the floating rules. Is there anything special I need to do to get the tool to deal with this, outside of manually adding the aliases to the NAT source?
-
You can add an existing pfBlockerNG alias to the NAT rules... No need to create another alias... The widget and logging only work when you use the pfB Aliases...
-
Yes, I wound up changing the rule generation for GeoIP in PFBNG to create aliases only and not rules, and I used those aliases in my existing NAT and inbound WAN rules.
Easy enough, just wasn't obvious why creating the rule directly from PFBNG didn't do what I expected.
-
If it can help, you need to select the List action "Alias Permit" to prevent auto rule creation - I had the same issue as above.
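The reason the "permit only" approach in the thread did not block other countries, and why putting the GeoIP alias into the NAT rule's source did, is visible in raw pf terms: rdr (port forward) translation happens before filtering, and a pass rule only permits what it matches, it never denies the rest. The fragment below is an added, constructed pf.conf example written for this thread, not pfSense's generated ruleset and not pfBlockerNG's auto-rules; the interface name, table name and file path, forwarded ports and internal host are all assumptions. pfSense builds its own ruleset from the GUI, so this is for reading, not for pasting into a pfSense box.

```pf
# Constructed pf.conf fragment (added example; names and ports are assumptions).
ext_if   = "em0"                         # assumed WAN interface
internal = "192.168.1.10"                # assumed forward target
fwd_ports = "{ 443, 25565 }"             # assumed forwarded ports
# Table of source networks for the permitted country (assumed file path).
table <geo_us> persist file "/etc/pf/geo_us.txt"

# 1. Translation: the port forward. This runs before any filter rule and
#    decides nothing about who is allowed; it only rewrites the destination.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $fwd_ports -> $internal

# 2. What the "Permit Inbound" auto-rule approach amounts to: a pass rule for
#    the country sits beside the forward's own "from any" pass rule. The second
#    rule still matches every other source, so nothing is blocked. Shown here
#    commented out so the file stays loadable:
#pass in quick on $ext_if inet proto tcp from <geo_us> to $internal port $fwd_ports
#pass in quick on $ext_if inet proto tcp from any      to $internal port $fwd_ports

# 3. What using the GeoIP alias as the NAT/WAN rule's source amounts to: the
#    only pass rule for those ports carries the country table as its source,
#    and the interface's default deny catches everything else.
block in log on $ext_if
pass in quick on $ext_if inet proto tcp from <geo_us> to $internal port $fwd_ports
```

To check a fragment like this without loading it, `pfctl -nf /etc/pf.conf` parses the file only (with the table file present). After loading, `pfctl -t geo_us -T show` lists the table contents and `pfctl -sr` shows the effective filter rules, which is the quickest way to confirm that no remaining rule passes the forwarded ports from `any`.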