Private Block lists …
-
I want to manage a private block list which I am taking from various log files in my network. I have set up a simple web server to which there is no outside access so I can easily manage the text files directly, but I am clearly doing some thing wrong/stupid.
I have created two files - one is a list of IPv4 addresses - one to a line, the other a list of Domains (eg expert-essays.com which has been identified by Malwarebytes as an indicator of a particular malware attack just so no-one goes to try the site).
I have added the ip4 text file to the IP4 tab entries and done similar to the URL file via the DNSBL tab. The files appear to be read ok as they report the correct number of additions (only single digits so far, so easy to check) but …
after updating pfblockerNG and trying to ping one of the ip4 addresses which should now be blocked I get a really good response which is somewhat worrying.
Settings used in the IP4 section is Deny Both. I have also checked, the blocklist appears in the WAN interface source and destination columns and has the ip address I tested in the list.
What am I doing wrong?
-
put the rules on your LAN
-
Thx, I will try that.
I am in no way questioning your advise, but I would be grateful if you could explain as I thought that given the rules are for both inbound and outbound that the WAN rule would catch it. I clearly have a misunderstanding of how the firewall works, so I am worried I may have some holes I thought I blocked.
-
You LAN & OPTx interfaces evaluate rules for traffic coming to or from the respective subnets.
So lets say your LAN is 192.168.1.1/24 and your WAN IP was 123.123.123.123
You are trying to filter traffic on your LAN, so the IP traffic looks something like this:
Source IP: 192.168.1.10 > 8.8.8.8
But since your rules are on your WAN they are looking for 123.123.123.123 as the source IP, and the rule doesn't match so it's ignored. Really it's just that the rule is on the wrong interface and isn't even being considered, but you get the point.
Generally speaking, you probably don't need to mess with your WAN rules unless you are trying to allow something not on your network access to something on your network. Examples of this would be VPN, you host a server of some kind, etc.
-
Thanks. that is how I understood it. The thing that is confusing me is that pfblockerNG has also set up a second set of rules in Destination column, so shouldn't anything outbound be blocked by that?
To use your example of Source IP: 192.168.1.10 > 8.8.8.8
If my source IP is going out to 8.8.8.8 will the Destination rule on the WAN side not block it? If not, when does the Destination rule come into play?
Again, not questioning your expertise, just trying to clarify my broader related misunderstanding. I really appreciate your help here.
-
Haha question me all you want, I'm not an IT guy. Just use this for my home system. So my input is very fallible.
My extensive experience is based on my home system up and running with pfbng and all rules are applied on their respective interfaces haha.
-
Well, extensive experience beats about three days :-)
I really would like to know about the In and Out blocking though … anyone able to give an idea?
-
https://forum.pfsense.org/index.php?topic=133609.0
I had a similar problem recently and this topic describes it and a possible solution. I'm still testing the fix but it seems to work.
The fix for your problem is a simple adaptation of my solution. Good luck.