Allow select countries vs. blocking the world



  • Hello,

    Are there directions available on how to allow just a few countries instead of blocking the entire world? I've created GeoIP rules to allow just the few countries in North America I want to allow. I just don't understand how to tell it to block the rest of the world…

    Thanks in advance for your help!

    Gary


  • Moderator

    pfSense is block-all on the WAN by default, so if you don't open any ports then there is no need to block what is already being blocked. However, if you open ports, those ports can be protected as required. To add permit GeoIP rules to open WAN ports, you can use the Adv Inbound Firewall rule settings to customize the rule settings.

    For the LAN, outbound is set to default allow, so it's user preference what you want to block. Remember that pfSense is a stateful firewall and outbound traffic will create a state entry to allow packets back into your network. Firewall rules are processed top to bottom.

    Hope that helps.



  • @BBcan177:

    However, if you open ports, those ports can be protected as required.

    I have ports 80 and 443 open in my firewall. Can you give me an example of how you can protect them? Ports 80 and 443 are forwarded to my nextcloud server, and 443 UDP to my openVPN server. I currently have all countries except the US blocked with pfBlockerNG. If I read the dashboard correctly it is blocking a lot of packets.



  • Moderator



  • @BBcan177:

    Here is some light reading to help you :)

    https://www.reddit.com/r/PFSENSE/comments/39253d/the_amount_of_hostile_traffic_on_my_home_network/
    https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
    https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921
    https://forum.pfsense.org/index.php?topic=102071.0

    Thanks for the links. I'm not sure if I've got this correct; I hope you can confirm what I did.

    1. Deselect all the GeoIPs I previously selected
    2. Select the 2 US in the North America tab IPv4
    3. List Action = Alias Permit
    4. Adv Inbound Firewall Rule Settings check Custom DST Port and enter my alias for Open_Ports (alias for 80 and 443), custom protocol any and default custom gateway.

  • Moderator

    You need to set the protocol setting. I'd recommend "tcp/udp". You should also define the DST IP so that you're only permitting the inbound to specific IPs.

    However, since you used "Alias Permit" it's not going to create any firewall rules. The Alias type setting will just create the alias table of IPs, and you have to manually create your own rules. This is OK, but if you want the package to auto-create rules, then you should choose "Permit Inbound".

    If you're using other IPv4 blocklists, make sure that those block rules are above this permit rule, so that it will drop any bad US IPs before this permit rule.



  • @BBcan177:

    You need to set the protocol setting. I'd recommend "tcp/udp". You should also define the DST IP so that you're only permitting the inbound to specific IPs.

    if you want the package to auto-create rules, then you should choose "Permit Inbound".

    How would I know all the destination IPs on my system? What if someone got a DHCP assignment on my wifi and I didn't permit that IP; they wouldn't be allowed to surf the web?
    Should I specify all my possible ports that I might use in the alias, not just the ones open in my firewall?
    After changing to Permit Inbound I didn't see a new rule under the WAN interface. Here's a pic of my current pfBlockerNG GeoIP settings.



  • Moderator

    Ports 80 and 443 are forwarded to my nextcloud server, and 443 UDP to my openVPN server.

    For this Permit Inbound you should define a new alias with the two destination IPs of those two servers. I would assume that they are static, since you have port forwards in place? If you want to control the outbound, that is defined in the permit outbound firewall rule settings, so it can be defined as required.

    Did you run a Force update after the changes? Did you enable floating rules? If so, it would be placed in the floating rule tab.
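    The rule order the moderator describes, written out as an illustrative pf.conf fragment (an added example, not the rules pfBlockerNG actually generates; the WAN interface name, the table and alias names and the two server addresses are assumptions). pfSense adds `quick` to the rules it generates, so the first match wins, which is why the blocklist rule has to sit above the GeoIP permit:

    ```pf
    # Constructed example mirroring the pfBlockerNG setup discussed in this thread.
    # Interface, table/alias names and addresses are assumptions, not values from the thread.
    wan = "em0"

    # Alias for the two port-forward targets (nextcloud and OpenVPN); assumed to be static LAN addresses
    table <Web_Servers> { 192.168.1.10, 192.168.1.20 }
    # The Open_Ports alias from the thread (80 and 443; 443 UDP covers the OpenVPN forward)
    open_ports = "{ 80, 443 }"

    # Reputation blocklist table maintained by pfBlockerNG (populated by its own updates)
    table <pfB_Blocklist_v4> persist
    # GeoIP table holding the selected US IPv4 ranges
    table <pfB_NAmerica_v4> persist

    # 1. Blocklists first: a listed address is dropped even if it is geolocated to the US.
    block in quick on $wan inet from <pfB_Blocklist_v4> to any label "pfB_Blocklist_v4"

    # 2. GeoIP "Permit Inbound": US sources only, to the two servers only, on the open ports only.
    #    Protocol is tcp/udp as recommended rather than "any".
    pass in quick on $wan inet proto { tcp, udp } from <pfB_NAmerica_v4> \
        to <Web_Servers> port $open_ports keep state label "pfB_NAmerica_v4"

    # What the first attempt (protocol any, no DST IP) amounts to: any US source could reach
    # the open ports on any port-forwarded host, not just the two servers. Kept here for contrast.
    # pass in quick on $wan inet from <pfB_NAmerica_v4> to any port $open_ports keep state

    # 3. Everything else arriving on WAN is dropped, which is pfSense's default deny.
    block in quick on $wan all
    ```

    Because the permit rule is scoped to the server alias, a device that picks up a DHCP lease on the LAN is unaffected: its outbound traffic is governed by the LAN rules and the state table, not by this inbound WAN rule.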



  • @BBcan177:

    Ports 80 and 443 are forwarded to my nextcloud server, and 443 UDP to my openVPN server.

    For this Permit Inbound you should define a new alias with the two destination IPs of those two servers. I would assume that they are static, since you have port forwards in place? If you want to control the outbound, that is defined in the permit outbound firewall rule settings, so it can be defined as required.

    Did you run a Force update after the changes? Did you enable floating rules? If so, it would be placed in the floating rule tab.

    I didn't enable floating rules, but I didn't realize I needed to run a Force update. After the update the rule was there. So I have now prevented anyone outside the US from gaining access to my nextcloud and openVPN servers, as this rule is above my default WAN block IPv4 and IPv6 rules. Thanks for your help, and patience.


