• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

How to make rules order persistent?

Scheduled Pinned Locked Moved pfBlockerNG
4 Posts 4 Posters 2.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    chudak
    last edited by Jul 10, 2017, 4:45 PM

    It seems when rules change (pfBlockerNG updates maybe?) the rule order changes as well and it messes up everything.

    Is there a way to make rules stay in a specific order?

    Thx

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Jul 10, 2017, 5:24 PM

      don't let pfblockerNG edit your rules would be my suggestion ;)  Just use its aliases in rules you create.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • B
        BBcan177 Moderator
        last edited by Jul 11, 2017, 4:50 AM

        Did you see the "Rule Order" option in the General Tab? If one of those options do not work for your needs, you can choose "Alias" type action settings for the Aliases and then manually create the rules as required. Click on the blue infoblock icons for further details.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • C
          coffeecup25
          last edited by Jul 22, 2017, 1:35 PM Jul 18, 2017, 1:35 PM

          Solution - (worked for me, anyway, needs to be adapted for your situation)

          I recently had and solved the same problem. I had false positives on a block list. The iblocklist blocked akami as a hijacked site. Hulu was stopped out for me as a result. pfBlockerNG sorted out my alias pass list in the wrong place by only using the drop box with the sort orders.

          After going back and forth on the forum, I devised my own solution which appears to work well. I put it in another posting in this area, but here's a cut and paste of the relevant part.

          The key is to move pfBlockerNG into the floating rules section. This causes the LAN and WAN rules to be ignored when pfBlockerNG sorts them out according to the drop box. The only sorting occurs in the floating rules section.

          Anyway it works for me. You may need to adapt the following a little to match your own situation.


          1. Put false positive IP addresses in an alias list
          2. Add alias to floating rules as a pass, choose proper interface and direction, check apply immediate box
          3. Tell pfBlockerNG to apply all rules as floating rules by checking the box on the general tab
          4. Use the dropdown box to tell pfBlockerNG to sort rules with pfsense pass rules first.
          5. Reload your rules just to see if they sort out correctly on ALL rule tabs
          6. Test

          Apparently, since pfBlockerNG is told to put everything on floating rules, the rules reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.

          Edit: Removed many iblocklists from pfBlockerNG. No Bluetack lists are updated any longer and hijacked sites was one of them.

          FireHOL offers several lists. It appears to be a list aggregator. They seem to take pride in staying current. I added a few fireHOL lists.

          fireHOL also blocks some LAN multicast / broadcast addresses. I used the above technique to put them on a false positive list. I prefer it over pfBlockerNG custom lists because they are immediate. No forced updates required.

          So - in summary - the hijacked sites list was bad because it was outdated. The problem it created forced me to develop a technique to block false positives. It also, indirectly, prompted me to find better block lists. This technique can be adapted to probably any need for persistent lists to bypass pfBlockerNG reordering that may cause firewall problems.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
            This community forum collects and processes your personal information.
            consent.not_received