How to make rules order persistent?
chudak last edited by
It seems when rules change (pfBlockerNG updates maybe?) the rule order changes as well and it messes up everything.
Is there a way to make rules stay in a specific order?
don't let pfblockerNG edit your rules would be my suggestion ;) Just use its aliases in rules you create.
Did you see the "Rule Order" option in the General Tab? If one of those options do not work for your needs, you can choose "Alias" type action settings for the Aliases and then manually create the rules as required. Click on the blue infoblock icons for further details.
Solution - (worked for me, anyway, needs to be adapted for your situation)
I recently had and solved the same problem. I had false positives on a block list. The iblocklist blocked akami as a hijacked site. Hulu was stopped out for me as a result. pfBlockerNG sorted out my alias pass list in the wrong place by only using the drop box with the sort orders.
After going back and forth on the forum, I devised my own solution which appears to work well. I put it in another posting in this area, but here's a cut and paste of the relevant part.
The key is to move pfBlockerNG into the floating rules section. This causes the LAN and WAN rules to be ignored when pfBlockerNG sorts them out according to the drop box. The only sorting occurs in the floating rules section.
Anyway it works for me. You may need to adapt the following a little to match your own situation.
- Put false positive IP addresses in an alias list
- Add alias to floating rules as a pass, choose proper interface and direction, check apply immediate box
- Tell pfBlockerNG to apply all rules as floating rules by checking the box on the general tab
- Use the dropdown box to tell pfBlockerNG to sort rules with pfsense pass rules first.
- Reload your rules just to see if they sort out correctly on ALL rule tabs
Apparently, since pfBlockerNG is told to put everything on floating rules, the rules reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.
Edit: Removed many iblocklists from pfBlockerNG. No Bluetack lists are updated any longer and hijacked sites was one of them.
FireHOL offers several lists. It appears to be a list aggregator. They seem to take pride in staying current. I added a few fireHOL lists.
fireHOL also blocks some LAN multicast / broadcast addresses. I used the above technique to put them on a false positive list. I prefer it over pfBlockerNG custom lists because they are immediate. No forced updates required.
So - in summary - the hijacked sites list was bad because it was outdated. The problem it created forced me to develop a technique to block false positives. It also, indirectly, prompted me to find better block lists. This technique can be adapted to probably any need for persistent lists to bypass pfBlockerNG reordering that may cause firewall problems.