Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to make rules order persistent?

    Scheduled Pinned Locked Moved pfBlockerNG
    4 Posts 4 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudakC
      chudak
      last edited by

      It seems when rules change (pfBlockerNG updates maybe?) the rule order changes as well and it messes up everything.

      Is there a way to make rules stay in a specific order?

      Thx

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        don't let pfblockerNG edit your rules would be my suggestion ;)  Just use its aliases in rules you create.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • BBcan177B
          BBcan177 Moderator
          last edited by

          Did you see the "Rule Order" option in the General Tab? If one of those options do not work for your needs, you can choose "Alias" type action settings for the Aliases and then manually create the rules as required. Click on the blue infoblock icons for further details.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          1 Reply Last reply Reply Quote 0
          • C
            coffeecup25
            last edited by

            Solution - (worked for me, anyway, needs to be adapted for your situation)

            I recently had and solved the same problem. I had false positives on a block list. The iblocklist blocked akami as a hijacked site. Hulu was stopped out for me as a result. pfBlockerNG sorted out my alias pass list in the wrong place by only using the drop box with the sort orders.

            After going back and forth on the forum, I devised my own solution which appears to work well. I put it in another posting in this area, but here's a cut and paste of the relevant part.

            The key is to move pfBlockerNG into the floating rules section. This causes the LAN and WAN rules to be ignored when pfBlockerNG sorts them out according to the drop box. The only sorting occurs in the floating rules section.

            Anyway it works for me. You may need to adapt the following a little to match your own situation.

            1. Put false positive IP addresses in an alias list
            2. Add alias to floating rules as a pass, choose proper interface and direction, check apply immediate box
            3. Tell pfBlockerNG to apply all rules as floating rules by checking the box on the general tab
            4. Use the dropdown box to tell pfBlockerNG to sort rules with pfsense pass rules first.
            5. Reload your rules just to see if they sort out correctly on ALL rule tabs
            6. Test

            Apparently, since pfBlockerNG is told to put everything on floating rules, the rules reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.

            Edit: Removed many iblocklists from pfBlockerNG. No Bluetack lists are updated any longer and hijacked sites was one of them.

            FireHOL offers several lists. It appears to be a list aggregator. They seem to take pride in staying current. I added a few fireHOL lists.

            fireHOL also blocks some LAN multicast / broadcast addresses. I used the above technique to put them on a false positive list. I prefer it over pfBlockerNG custom lists because they are immediate. No forced updates required.

            So - in summary - the hijacked sites list was bad because it was outdated. The problem it created forced me to develop a technique to block false positives. It also, indirectly, prompted me to find better block lists. This technique can be adapted to probably any need for persistent lists to bypass pfBlockerNG reordering that may cause firewall problems.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.