Network Configuration with snort VLANs…..and PfBlocker?
-
I can confirm pfBlocker is bugged regarding allow access rule.
Have similar environment (multi VLAN). When accessing some blocked domain (eg: http://100pour.com/ ) I get browser timeout instead of 1x1px image.
Firewall log:
Action | Time | Interface | Source | Destination | Protocol
Sep 18 18:34:48 | VLAN10 | 10.10.10.1:80 | 192.168.10.108:50216 | TCP:SA
Firewall log when accessing HTTPS blocked domains:
Action | Time | Interface | Source | Destination | Protocol
Sep 18 18:39:38 | VLAN10 | 10.10.10.1:443 | 192.168.10.108:49394 | TCP:SA
Auto NAT rules VLAN10:
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
So, if I manually edit the Auto NAT rules option "Filter rule association" from None to Pass, IT WORKS! The NAT rules now look like this:
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
But after reloading the pfBlocker configuration, it reverts back to the buggy NAT rule. Can you please check this behavior?
-
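Added example, not from any post in this thread: a small POSIX shell check that scans `pfctl -sn` style output for the DNSBL port-forward rules (the rdr rules to 127.0.0.1 port 8081/8443 quoted above) and reports any that lack the `pass` keyword, i.e. a NAT rule whose "Filter rule association" is still None. The sample rule text is constructed from the rules quoted in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not pfBlockerNG's own code): detect DNSBL rdr rules that
# are missing the "pass" filter-rule association.
# On a live pfSense box:  pfctl -sn | check_dnsbl_rdr

# Reads pf NAT rules on stdin. Returns 0 if every rdr rule that redirects to
# 127.0.0.1 port 8081 or 8443 is a "rdr pass" rule, 1 otherwise (and prints
# the offending rules).
check_dnsbl_rdr() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            rdr*"127.0.0.1 port 8081"*|rdr*"127.0.0.1 port 8443"*)
                case "$line" in
                    "rdr pass "*) ;;                       # association = Pass
                    *) echo "no pass association: $line"; bad=1 ;;
                esac
                ;;
        esac
    done
    return $bad
}

# Convenience wrapper so the check can be run on a string instead of stdin.
check_rdr_text() {
    printf '%s\n' "$1" | check_dnsbl_rdr
}

# Constructed samples, copied from the rules quoted in the thread.
BUGGY_RULES='rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443'

FIXED_RULES='rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443'

echo "== rules as generated by pfBlockerNG =="
check_rdr_text "$BUGGY_RULES" || echo "-> DNSBL VIP will time out from the VLANs"
echo "== rules after setting Filter rule association = Pass =="
check_rdr_text "$FIXED_RULES" && echo "-> all DNSBL rdr rules carry pass"
```

Run it after a pfBlocker "Force Update" or a reboot to see whether the association has reverted; a non-zero exit means the GUI change (or the pfblockerng.inc edit) did not stick.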
In the DNSBL tab, there is a "Permit Firewall" rule option.
Enable that and select the VLANs. Force Update.
That will create a Floating Permit rule to allow those VLANs to hit the DNSBL VIP address.
-
Already done that.
The pfB rule is created first as expected, and it gets matching traffic:
States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
IPv4 | * | * | * | 10.10.10.1 | * | * | none | | pfB_DNSBL_Allow_access_to_VIP
But as stated before, it does not set the Pass rule on the auto NAT port redirection rules, so it fails. Manually setting Pass in the NAT rules makes it work.
I'm happy to provide any pfctl output if it helps to fix this bug.
Regards,
Víctor
-
I haven't seen anyone else complain about this issue before….
But you can edit the following file:
/usr/local/pkg/pfblockerng/pfblockerng.inc
and change Line #793
From: 'associated-rule-id' => '',
To: 'associated-rule-id' => 'pass',
Reference link to code:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L793
If others chime in to approve the change, I will make it official in the next release of the package…
-
Cheers for that, will try it.
Maybe Velcro can confirm whether editing the NAT port forwarding rules fixes it too.
-
I think my situation is the same; I too saw the same firewall logs. I would be happy to test and see if "…editing NAT port forwarding rules fix it too...". If you don't mind walking me through the specific steps I will try... I have never adjusted the Port Forward rules in NAT before (I assume you are referencing the "Port Forward" rules that are added for the DNSBL Listening interface in Firewall→NAT→Port Forward tab?).
BBcan177, definitely not complaining...you rock! I am in no position to complain about the work you do and the difference you make with pfBlocker.
I managed to get my VLANs capable of accessing the 10.10.10.1 pixel page by adding a rule onto my VLAN interfaces (see screenshot for example). I created this rule by adding and then modifying an "easy rule" based on what was being blocked in my firewall log.
My rules are fairly restrictive, and I made sure this "custom DNSBL rule" was placed below my "Allow DNS Access" and above my "Block access to firewall" rule.
Additional notes:
- I tried the "DNSBL Firewall Rule" again and removed my "Custom DNSBL rule" but was unable to access the 10.10.10.1 pixel page.
- I no longer use OpenDNS (using the DNS Resolver on pfSense).
- Using PIA as my VPN provider (no longer VyprVPN…).
I am still not sure my "custom rule" is the best solution or, as you suggest, modifying a NAT rule is best... definitely willing to test. Thanks for asking...
-
Hi Velcro,
Navigate through Firewall->NAT-> and edit both pfB auto rules.
Now you have to change the last option, Filter rule association, from None to Pass (see first attachment).
When done, you should see something like a Play icon next to each rule (see 2nd attachment).
If that works for you too, I can guide you on how to edit the source to make it permanent, as BBcan explained. Otherwise, each time you reload pfBlocker, the rules will revert back to None.
-
Awesome! Yes that allowed me to remove my "custom rule" - Thank you!!
vpreatoni if I could ask for your help to make this permanent, I would really appreciate it.
BBcan177, this corrected my issue… I vote for the change, but are there downsides to changing it for all?
_Note added later:
Just restarted my pfsense and returned to default._
-
I thought I would jump in and try to change the code, here is what I did:
Diagnostics→ Edit File→ Browse (I didn't try, but you might just be able to enter the path where it says "Path to file to be edited")
→ follow this path from BBcan: /usr/local/pkg/pfblockerng/pfblockerng.inc
and change Line #793 (enter this line number on the top right of the GUI where it says "Go To Line#")
From: 'associated-rule-id' => '',
To: 'associated-rule-id' => 'pass',
Make sure to hit the "Save" icon.
Survived a reboot and all is working! Thank you both for your help…
My only questions are:
-
I do not have the "DNSBL Firewall Rule" checked, yet everything appears to be working. My select VLANs, that I have pfBlocker running on, are showing alerts. Is this just a "tweak" that is needed to get VLANs functioning?
-
BBcan, you asked: "...If others chime in to approve the change, I will make it official in the next release of the package...". Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense?
Again thank you both...
Sean
-
Here is the PR to fix this bug… Thanks!
https://github.com/pfsense/FreeBSD-ports/pull/424/files