Nested alias or single alias for pfblocker rules?
-
I have set several options in pfBlocker, and each one creates a separate firewall rule; many times an upper rule overrides the others. If I could combine several into one rule for in, and another for out, this would work better.
Mainly I want to list 5-6 countries and invert the match to block all others, but in pfBlocker this makes a separate rule for each continent, so it matches the first rule and blocks all others. I know I could use pass rules instead, with a final block rule at the bottom, but this appeared to be a cleaner approach, assuming a nested alias.
I have read of others having difficulty using nested aliases, and that unbound does not honor them. What is the best way to do this?
-
The final "block all others" rule is implicit. Not really sure what you are trying to do there; why'd you invert the match instead of using allow rules for those?
-
That would be nice, but that does not work. Is that implicit block supposed to be a function of pfBlocker, or just the normal implicit block in pfSense? My goal is to block both directions to all but 6 countries; creating pass rules does not work.
I am using floating rules and have multiple gateways, so I have other rules on the LAN interface that force certain traffic out a certain gateway; the floating rules are designed to work with those, as they use the * gateway option. But the method you mention gets bypassed by the normal allow-any rules on the LAN side.
Since I use load balancing + failover, by default I have 3 rules routing traffic out the LAN.
My definitions in pfBlocker generate 6-8 more rules, so I would have to create 8x3 rules to keep the load balancing working, and then disable the original any/any rules on the LAN. This just sounds like a mess, when I could block with a single inverted rule, then pass to the default balance+failover rules below it. I tried changing the rule order in pfBlocker, and floating on/off. Am I missing something else?
-
> My goal is to block both directions to all but 6 countries; creating pass rules does not work.
Both directions? Have fun with ruining your internet connectivity.
-
> I have set several options in pfBlocker, and each one creates a separate firewall rule; many times an upper rule overrides the others. If I could combine several into one rule for in, and another for out, this would work better.
> Mainly I want to list 5-6 countries and invert the match to block all others, but in pfBlocker this makes a separate rule for each continent, so it matches the first rule and blocks all others. I know I could use pass rules instead, with a final block rule at the bottom, but this appeared to be a cleaner approach, assuming a nested alias.
> I have read of others having difficulty using nested aliases, and that unbound does not honor them. What is the best way to do this?
If you can't inverse match, then match normally, with a deny rule at the end.
-
It is a non-profit kids' camp; if they are on the internet at all, it should be limited for sure. Public wifi is offered in select areas to reduce the typical "smartphone in the face all day". 2G cell towers help with that ;).
At the moment our Untangle filter is down; I'm hoping this will stand in for a little while. They don't need to be seeing anything outside the US; admin staff access a couple of offshore services.
To make it worse, they are running on a 17/2 Mb DSL + 1 T1. The T1 is getting phased out for a 2nd DSL; we're waiting on the new VoIP PBX to junk the old T1, at which point it gets even tighter on bandwidth, so less browsing = better.
So far I have it set up to restrict to US only, and general internet is looking good; I wish I could add a couple of countries without a ton of new rules.
-
> It is a non-profit kids' camp; if they are on the internet at all, it should be limited for sure. Public wifi is offered in select areas to reduce the typical "smartphone in the face all day". 2G cell towers help with that ;).
> At the moment our Untangle filter is down; I'm hoping this will stand in for a little while. They don't need to be seeing anything outside the US; admin staff access a couple of offshore services.
> To make it worse, they are running on a 17/2 Mb DSL + 1 T1. The T1 is getting phased out for a 2nd DSL; we're waiting on the new VoIP PBX to junk the old T1, at which point it gets even tighter on bandwidth, so less browsing = better.
> So far I have it set up to restrict to US only, and general internet is looking good; I wish I could add a couple of countries without a ton of new rules.
If you want access to the US only, just set a single pfBlocker rule for Country-US.
You can match or inverse match against it. Personally I only use pfBlocker's US list for inbound from WAN, because there's no reason someone outside of the US should be accessing my services: deny source=(!pfb_NAmerica_v4).
-
> I have set several options in pfBlocker, and each one creates a separate firewall rule; many times an upper rule overrides the others. If I could combine several into one rule for in, and another for out, this would work better.
You can go to the IPv4/6 tab and create your own mix of GeoIP ISOs. Click on the blue infoblock icons for further details.
-
> Mainly I want to list 5-6 countries and invert the match to block all others
On our firewall, I've set up "Alias Permit" lists in pfBlocker for the desired continents, and then created a custom IPv4 Alias_Permit list (also in pfBlocker) referencing the locations of the files on the hard drive for those continents. See the attached picture for an example of the custom IPv4 list in pfBlocker. I've then created firewall rules like @isolatedvirus mentioned:
deny source=(!pfb_NAmerica_v4)
If you want to block outgoing in addition to incoming, you could create one or more floating rules with similar settings. Floating rules are discussed in many different places on the web, so I won't elaborate on them here.
This has been implemented successfully for a couple months at this point. We're currently running pfSense 2.3.3-RELEASE-p1 with the pfBlockerNG package (version 2.1.1_8).
Hope this helps!
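As an added illustration of the approach the last two replies describe (one combined country list, one inverted block rule per direction, gateway pass rules left untouched below it), here is how that layout reads in pf.conf terms, the rule language pfSense ultimately generates. This is example configuration written for this thread, not pfBlockerNG's own output; the interface names, file paths, table name and gateway addresses are placeholders.

```pf
# Example pf.conf fragment (constructed, not from pfSense or pfBlockerNG).
# Placeholders: em0/em1/em2 are interfaces, the file paths stand in for
# wherever pfBlockerNG stores its per-country files on the box.
wan = "em0"
lan = "em1"

# One table built from several country files. This is the "nested alias":
# several lists feed a single table, so there is one object to match on
# instead of one rule per continent.
table <allowed_countries> persist \
    file "/PLACEHOLDER/path/US_v4.txt" \
    file "/PLACEHOLDER/path/CA_v4.txt" \
    file "/PLACEHOLDER/path/GB_v4.txt"

# Inbound from WAN: drop anything whose SOURCE is not in the combined table.
# "quick" ends evaluation on match, so no later pass rule can override it.
block in quick on $wan inet from !<allowed_countries> to any

# Outbound (the "both directions" case from the thread): a single rule that
# drops any DESTINATION outside the list. Note the caveat raised above: this
# also catches anycast DNS, CDNs and update servers whose ranges are not
# attributed to the listed countries, so expect breakage if applied broadly.
block out quick on $wan inet from any to !<allowed_countries>

# The existing load-balance / failover pass rules stay as they are. Because
# the two block rules above are "quick", traffic they match never reaches
# these, while everything else is still routed by the gateway group.
pass in on $lan inet from $lan:network to any \
    route-to { (em0 203.0.113.1), (em2 198.51.100.1) } round-robin \
    keep state
```

Reload with `pfctl -nf /path/to/pf.conf` first to syntax-check, then verify the merged table contents with `pfctl -t allowed_countries -T show` before relying on the inverted match.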