Netgate Discussion Forum

    Nested alias or single alias for pfblocker rules?

    Category: Firewalling
    9 Posts 5 Posters 1.7k Views
    • totalimpact

      I have set several options in pfBlocker, and each one creates a separate firewall rule; many times an upper rule overrides others. If I could combine several into one rule for in, and another for out, this would work better.

      Mainly I want to list 5-6 countries and invert the match to block all others, but in pfBlocker this makes a separate rule for each continent, so it matches the first rule and blocks all others. I know I could use pass rules instead, with a final block rule at the bottom, but this appeared to be a cleaner approach, assuming a nested alias.

      I have read others having difficulty using nested aliases and that unbound does not honor them, what is the best way to do this?

      • doktornotor (Banned)

        The final block-all-others rule is implicit. Not really sure what you are trying to do there; why would you invert the match instead of using allow rules for those?

        • totalimpact

          That would be nice, but that does not work. Is that implicit block supposed to be a function of pfBlocker, or just the normal implicit block in pfSense? My goal is to block both directions to all but 6 countries; creating pass rules does not work.

          I am using floating rules and have multiple gateways, so I have other rules on the LAN interface that force certain traffic out a certain gateway; the floating rules are designed to work with those, as they use the * gateway option. But the method you mention gets bypassed by the normal allow-any rules on the LAN side.

          Since I use load balancing + failover, by default I have 3 rules routing traffic out the LAN.

          My definitions in pfBlocker generate 6-8 more rules, so I would have to create 8x3 rules to keep the load balancing working, and then disable the original any/any rules on the LAN. This just sounds like a mess, when I could block with a single inverted rule, then pass to the default balance+failover rules below it. I tried changing the rule order in pfBlocker, or floating on/off. Am I missing something else?

          • doktornotor (Banned)

            @totalimpact:

            My goal is to block both directions to all but 6 countries; creating pass rules does not work.

            Both directions? Have fun with ruining your internet connectivity.

            • isolatedvirus

              @totalimpact:

              I have set several options in pfBlocker, and each one creates a separate firewall rule; many times an upper rule overrides others. If I could combine several into one rule for in, and another for out, this would work better.

              Mainly I want to list 5-6 countries and invert the match to block all others, but in pfBlocker this makes a separate rule for each continent, so it matches the first rule and blocks all others. I know I could use pass rules instead, with a final block rule at the bottom, but this appeared to be a cleaner approach, assuming a nested alias.

              I have read others having difficulty using nested aliases and that unbound does not honor them, what is the best way to do this?

              If you can't inverse match, then match normally, with a deny rule at the end.

              • totalimpact

                It is a non-profit kids' camp; if they are on the internet at all, it should be limited for sure. Public wifi is offered in select areas to reduce the typical "smart phone in the face all day". 2G cell towers help that ;).

                At the moment our Untangle filter is down; hoping this will stand in for a little while. They don't need to be seeing anything outside the US; admin staff access a couple of offshore services.

                To make it worse, they are running on a 17/2mb DSL + 1 T1. The T1 is getting phased out for a 2nd DSL, waiting on a new VOIP PBX to junk the old T1... at which point it gets even tighter on bandwidth, so less browsing = better.

                So far I have it set up to restrict to US only, and general internet is looking good; wish I could add a couple of countries without a ton of new rules.

                • isolatedvirus

                  @totalimpact:

                  It is a non-profit kids' camp; if they are on the internet at all, it should be limited for sure. Public wifi is offered in select areas to reduce the typical "smart phone in the face all day". 2G cell towers help that ;).

                  At the moment our Untangle filter is down; hoping this will stand in for a little while. They don't need to be seeing anything outside the US; admin staff access a couple of offshore services.

                  To make it worse, they are running on a 17/2mb DSL + 1 T1. The T1 is getting phased out for a 2nd DSL, waiting on a new VOIP PBX to junk the old T1... at which point it gets even tighter on bandwidth, so less browsing = better.

                  So far I have it set up to restrict to US only, and general internet is looking good; wish I could add a couple of countries without a ton of new rules.

                  If you want access to the US only, just set a single pfBlocker rule for Country-US.

                  You can match or inverse match against it. Personally I only use pfBlocker's US list for inbound from WAN, because there's no reason someone outside of the US should be accessing my services: deny source=(!pfb_NAmerica_v4).

                  • BBcan177 (Moderator)

                    @totalimpact:

                    I have set several options in pfblocker, and each one creates a separate firewall rule, many times an upper rule is overriding others, if I could combine several in to one rule for in, and another for out, this would work better.

                    You can go to the IPv4/6 tab and create your own mix of GeoIP ISOs. Click on the blue infoblock icons for further details.

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    • calebh

                      @totalimpact:

                      Mainly I want to list 5-6 countries, and invert the match to block all others

                      On our firewall, I've set up "Alias Permit" lists in pfBlocker for the desired continents, and then created a custom IPv4 Alias_Permit list (also in pfBlocker) referencing the locations of the files on the hard drive for those continents. See the attached picture for an example of the custom IPv4 list in pfBlocker. I've then created firewall rules like @isolatedvirus mentioned:

                      @isolatedvirus:

                      deny source=(!pfb_NAmerica_v4)

                      If you want to block outgoing in addition to incoming, you could create one or more floating rules with similar settings. Floating rules are discussed many different places on the web, so I won't elaborate on them here.

                      This has been implemented successfully for a couple months at this point. We're currently running pfSense 2.3.3-RELEASE-p1 with the pfBlockerNG package (version 2.1.1_8).

                      Hope this helps!

                      [attached image: pfBlockerCustomAlias.png]
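                      As an added illustration (not code from this thread, from pfSense or from pfBlockerNG), the following Python simulation of pf first-match rule evaluation shows the problem the opening post describes, where one inverted rule per continent blocks everything, and why the single combined permit alias used in calebh's and isolatedvirus's rules avoids it. Alias names beyond pfb_NAmerica_v4 and all address ranges are constructed examples.

```python
"""Simulate pf first-match ('quick') evaluation of source-negated block rules.
Added example; aliases and address ranges are constructed, not real GeoIP data."""
import ipaddress

# Constructed sample aliases; real pfBlockerNG GeoIP lists are far larger.
ALIASES = {
    "pfb_NAmerica_v4": ["198.51.100.0/24", "203.0.113.0/24"],
    "pfb_Europe_v4": ["192.0.2.0/24"],           # hypothetical second continent
}
# Combined permit alias: the "several countries in one rule" idea.
ALIASES["pfb_Permit_v4"] = ALIASES["pfb_NAmerica_v4"] + ALIASES["pfb_Europe_v4"]


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any network of the named alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def evaluate(rules, ip: str) -> str:
    """Return the action of the first matching rule.
    Each rule is (action, alias, negate); negate=True means 'source = !alias'.
    Default is 'pass' to mimic the LAN any/any rules below the pfBlocker rules."""
    for action, alias, negate in rules:
        if in_alias(ip, alias) != negate:
            return action
    return "pass"


# One inverted block rule per continent, as generated per list.
PER_CONTINENT = [("block", "pfb_NAmerica_v4", True),
                 ("block", "pfb_Europe_v4", True)]
# A single inverted block rule against the combined alias.
COMBINED = [("block", "pfb_Permit_v4", True)]


def compare(ip: str):
    """(result with per-continent rules, result with combined alias)."""
    return evaluate(PER_CONTINENT, ip), evaluate(COMBINED, ip)


if __name__ == "__main__":
    # A North American source is blocked by the Europe rule in the per-continent
    # set (it is '!Europe'), but passes with the combined alias.
    for sample in ("198.51.100.10", "192.0.2.5", "100.64.0.1"):
        print(sample, compare(sample))
```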

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.