Rule reordering needs better customization - possibly solved - see reply #8



  • problem: The pfBlocker rule order dropdown box does not allow sufficient options.

    pfBlocker reorders my LAN rules without allowing customization.

    I need to insert a custom PASS list, the normal pfBlocker rules as added during update, then the rest of the rules.

    The specific problem: my Hijacked sites list includes Akamai sites, which are fine. Blocking them blocks Hulu. I created a pass list for these sites and placed it above the generated lists on the LAN rules. The normal 'pass everything else' rules on the bottom are fine right there and should NOT be moved.

    My only other option is to disable the Hijacked sites list.

    The problem in a broader sense: Some imported lists contain false positives among the addresses that need to be blocked. The pfSense exception selection is not available for a /19 address. pfBlocker rearranges the rules without allowing fixed in place rules to remain where needed.

    Is there any workaround? The automatic pfBlocker firewall rule reorder is the problem. I need to selectively bypass it for a few addresses -or- add a custom list of my own as a pass list, have pfBlocker manage it in the firewall, and use the 'pfB pass first' dropdown selection. I am unaware of instructions on how to add custom pass lists to pfBlocker that it manages. No instructions appear obvious or available.


  • Moderator

    Are these FPs with IBlock feeds? If so, I don't really recommend those feeds as they don't seem to be maintained very well.

    The package has a suppression option to remove IPs that are FP but only for /32 or /24 CIDRs. To overcome a FP in a large CIDR, you can create a new Permit Outbound alias and add the FP IP to the custom list at the bottom of the page. Then set the Rule Order to put the permit rules above the block rules. Otherwise, should the Rule order options not suit your network needs, you can use "alias type" settings and manually create your rules as required. Click on the blue infoblock icons in the package for further details.
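Added example (not code from the thread or from the pfBlockerNG package) that turns the moderator's two options into a check you can run against a downloaded feed: an address covered only by /32 or /24 feed entries can go in the suppression list, while an address covered by a wider CIDR, like the /19 in the original post, needs a Permit alias ordered above the block rules. The feed text and addresses are constructed samples and 'pfB_PermitFP' is an assumed alias name.

```python
"""Decide how to un-block a false positive found in a pfBlockerNG feed.

Added example; this is not code from the thread or from the pfBlockerNG
package.  It models the moderator's description: the suppression list can
take out a feed entry that is a /32 or a /24, but an address that is only
blocked because a wider CIDR (the OP's /19) covers it needs a Permit rule
ordered above the pfB block rules instead.  The feed text and addresses
are constructed samples and 'pfB_PermitFP' is an assumed alias name.
"""
import ipaddress

# Constructed sample in the one-entry-per-line format pfBlockerNG reads;
# '#' starts a comment.
SAMPLE_FEED = """
# hijacked-sites style feed (constructed sample)
100.64.0.0/19        # wide CIDR that also covers a site we still need
203.0.113.7          # single host
198.51.100.0/24      # a /24
"""

# Prefix lengths the suppression feature can remove, per the moderator.
SUPPRESSIBLE_PREFIXES = {24, 32}


def parse_feed(text):
    """Return the networks in a feed; blank, comment and junk lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            pass   # an unparsable line cannot block anything, so ignore it
    return nets


def classify_false_positive(ip, nets):
    """Return (decision, covering feed entries) for one false-positive address.

    'not_blocked': no feed entry covers it (nothing to do)
    'suppress'   : every covering entry is a /24 or /32, the suppression list works
    'permit'     : a wider entry covers it, only a Permit rule above the block
                   rules (or an 'Alias' action with hand-made rules) can rescue it
    """
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    if not hits:
        return 'not_blocked', hits
    if all(n.prefixlen in SUPPRESSIBLE_PREFIXES for n in hits):
        return 'suppress', hits
    return 'permit', hits


def plan_overrides(fp_ips, nets, permit_alias='pfB_PermitFP'):
    """Group false positives into suppression-list lines and permit-alias entries."""
    plan = {'suppress': [], permit_alias: [], 'not_blocked': []}
    for ip in fp_ips:
        decision, hits = classify_false_positive(ip, nets)
        if decision == 'suppress':
            plan['suppress'].extend(str(n) for n in hits)
        elif decision == 'permit':
            plan[permit_alias].append(ip)
        else:
            plan['not_blocked'].append(ip)
    plan['suppress'] = sorted(set(plan['suppress']))
    return plan


if __name__ == '__main__':
    feed = parse_feed(SAMPLE_FEED)
    for ip in ('100.64.5.5', '203.0.113.7', '192.0.2.1'):
        decision, hits = classify_false_positive(ip, feed)
        print(f'{ip:15} {decision:12} covered by {[str(n) for n in hits]}')
    print(plan_overrides(['100.64.5.5', '203.0.113.7', '192.0.2.1'], feed))
```

Run it against a real feed by reading the downloaded file into `parse_feed`; the 'permit' bucket is exactly the set of addresses for which the suppression list is useless and rule order is the only fix.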



  • most are from iblocklist but a few are from here or there. The info about the bulk of the sites I use came from an intro page dealing with pfBlockerNG in the forum. It told me about these sites, and they may even have been recommended by experienced users.

    If there are good or better list sites available now as compared to a couple of years ago, please advise.



  • @BBcan177:

    Are these FPs with IBlock feeds? If so, I don't really recommend those feeds as they don't seem to be maintained very well.

    The package has a suppression option to remove IPs that are FP but only for /32 or /24 CIDRs. To overcome a FP in a large CIDR, you can create a new Permit Outbound alias and add the FP IP to the custom list at the bottom of the page. Then set the Rule Order to put the permit rules above the block rules. Otherwise, should the Rule order options not suit your network needs, you can use "alias type" settings and manually create your rules as required. Click on the blue infoblock icons in the package for further details.

    I have clicked on lots of blue buttons and tried to add the pass list in several other ways. It didn't work. I've spent a couple of hours on it, probably more.

    Is there a clear and easy to understand page somewhere that details how to bypass false positives that occur using pfBlockerNG lists?

    Based on my reading of the forum, this appears to be a common problem. Is there an easy to use and understand set of instructions on how to bypass the false positive issue and retain firewall rule ordering - or use pfBlocker so that you end up in that way as if you could retain a custom order?

    I am using a custom alias filled with various Akamai IP addresses. It stays fine at the bottom, where it never gets hit because the blocking above is seen first.

    The reorder firewall dropdown box is not selective enough. If I tell it to put the specific alias at the top, it also moves the built-in pass everything else rules that pfSense puts in to the LAN outbound firewall. This means none of the blocklist items will even be seen.

    I need a selective rule order feature or a means to enter custom lists into pfBlockerNG that it will automatically put at the top.


  • Moderator

    The Rule Order setting is in the main General tab.

    The appropriate blue infoblock that describes the "Format" setting is in the IPv4/6 tab. Clicking it will show the differences between auto and alias type rules.

    The next release of the package will have an integrated Feeds management tab to help manage the feed selection process.



  • @BBcan177:

    The Rule Order setting is in the main General tab.

    The appropriate blue infoblock that describes the "Format" setting is in the IPv4/6 tab. Clicking it will show the differences between auto and alias type rules.

    The next release of the package will have an integrated Feeds management tab to help manage the feed selection process.

    Yes, and that box is the problem. The 'All or nothing' approach is the problem. All of one type at the top or bottom is the problem. I need the pass list for the false positives at the top and the normal pfSense generated 'pass everything else' entries at the bottom.

    The blue button area says nothing about alias entries. See below.

    "Default Order: | pfB_Block/Reject | All other Rules | (original format)
    Select the 'Order' of the Rules
     Selecting 'original format', sets pfBlockerNG rules at the top of the Firewall TAB.
     Selecting any other 'Order' will re-order all the rules to the format indicated!"


  • Moderator

    @coffeecup25:

    "Default Order: | pfB_Block/Reject | All other Rules | (original format)
    Select the 'Order' of the Rules
     Selecting 'original format', sets pfBlockerNG rules at the top of the Firewall TAB.
     Selecting any other 'Order' will re-order all the rules to the format indicated!"

    The Rule Order option is a dropdown selection, it lists several typical ordering schemes. The one you show is the default setting. Which other Rule order settings have you tried?

    Putting Permit rules above Block rules is not an overly complicated task with the correct "Rule Order" option. If you want to interleave Permit/Deny type rules, then you will have to use "Alias Type" settings… You would change the "Action" settings from "Deny Both" to say "Alias Deny". The package will create the alias table of the IPs and you can manage the firewall rules as you wish.

    Sorry I meant to say "Action" setting instead of "Format" in the IPv4 tab.



  • @BBcan177:

    @coffeecup25:

    "Default Order: | pfB_Block/Reject | All other Rules | (original format)
    Select the 'Order' of the Rules
     Selecting 'original format', sets pfBlockerNG rules at the top of the Firewall TAB.
     Selecting any other 'Order' will re-order all the rules to the format indicated!"

    The Rule Order option is a dropdown selection, it lists several typical ordering schemes. The one you show is the default setting. Which other Rule order settings have you tried?

    Putting Permit rules above Block rules is not an overly complicated task with the correct "Rule Order" option. If you want to interleave Permit/Deny type rules, then you will have to use "Alias Type" settings… You would change the "Action" settings from "Deny Both" to say "Alias Deny". The package will create the alias table of the IPs and you can manage the firewall rules as you wish.

    Sorry I meant to say "Action" setting instead of "Format" in the IPv4 tab.

    Yes, I understand the dropdown box. As I wrote, it's an all or nothing approach and it's not selective enough. I played around with it extensively. Default works fine with the hijacked sites list disabled for now. Every pfBlockerNG update reorders the firewall rules to whatever the dropdown box says. If I put the pass list at the top, it's wherever the update process decides it should be afterward. All custom entries are top or bottom, not where I left them.

    I'll play around with the other method you mentioned and see if I can make it work.

    Edit: alias deny creates an alias for insertion into the firewall, according to the blue button. I did not see a new alias for this after the update of lists. If it can be found, and if it supports de-duplication using entries from the standard pfBlocker suppress list, then it would work. Where is the list visible from? I couldn't find it.



  • I think I solved the rule ordering problem if false positives are detected in a list.

    1. Put the false positive IP addresses in an alias list, as described above
    2. Add the alias to the floating rules as a pass, choose the proper interface and direction, and check the 'apply immediately' box
    3. Tell pfBlockerNG to apply all rules as floating rules by checking the box on the General tab
    4. Use the dropdown box to tell pfBlockerNG to sort rules with pfSense pass rules first.
    5. Reload your rules just to see if they sort out correctly on ALL rule tabs
    6. Test

    Apparently, since pfBlockerNG is told to put everything on floating rules, the rule reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.

    Worked for me, but I will keep an eye on it for a while. Since pfBlockerNG rule reordering can put a 'pass everything' rule ahead of everything else, you must make sure the rules are being ordered correctly by doing a pfBlocker rule reload.

    Assuming this technique works as intended, it can be used to create custom block lists by making small changes on the floating rule and pfBlockerNG rule sort order selection.
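Added example (not pfSense or pf code, and not the pfBlockerNG package) that models the evaluation order the six steps above rely on, so you can see why they work and what step 5 is guarding against: floating rules are evaluated before interface rules, a 'quick' rule (the 'apply immediately' box on a floating rule) ends evaluation on match, a non-quick rule only records a decision that a later match can override, and unmatched traffic is blocked. The aliases, addresses and rule labels are constructed; it goes beyond the post by also showing the non-quick permit case and a small check for block rules that a 'pass any' rule has shadowed.

```python
"""Simulate why pfBlockerNG's rule re-ordering can shadow the block rules.

Added example; it is not pfSense/pf code and not the pfBlockerNG package.
Model of the order the post relies on: floating rules first, then the
rules of the interface; a 'quick' rule ends evaluation on match, a
non-quick rule only records a decision that a later match can override;
traffic that matches nothing is blocked.  Alias names, addresses and
labels are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str            # 'pass' or 'block'
    dst: str = 'any'       # 'any' or an alias name
    quick: bool = True
    label: str = ''


@dataclass
class Ruleset:
    aliases: dict                                     # name -> [networks]
    floating: list = field(default_factory=list)
    interface: dict = field(default_factory=dict)     # iface -> [Rule, ...]


def matches(rule, addr, aliases):
    if rule.dst == 'any':
        return True
    return any(addr in net for net in aliases[rule.dst])


def evaluate(rs, iface, dst_ip):
    """Return (action, label) for traffic leaving `iface` towards dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    decision = ('block', 'default deny')
    for rule in rs.floating + rs.interface.get(iface, []):
        if matches(rule, addr, rs.aliases):
            decision = (rule.action, rule.label)
            if rule.quick:
                break            # first matching quick rule wins
    return decision


def shadowed_blocks(rs, iface):
    """Labels of block rules that an earlier quick 'pass any' makes unreachable."""
    seen_pass_any, shadowed = False, []
    for rule in rs.floating + rs.interface.get(iface, []):
        if rule.action == 'block' and seen_pass_any:
            shadowed.append(rule.label)
        if rule.action == 'pass' and rule.dst == 'any' and rule.quick:
            seen_pass_any = True
    return shadowed


# Constructed aliases: a feed that blocks a whole /19 and the one host in it
# that we still need (the 'Akamai' false positive of the thread).
ALIASES = {
    'pfB_Hijacked': [ipaddress.ip_network('100.64.0.0/19')],
    'Akamai_FP': [ipaddress.ip_network('100.64.5.5/32')],
}
PERMIT = Rule('pass', 'Akamai_FP', label='permit FP')
BLOCK = Rule('block', 'pfB_Hijacked', label='pfB_Hijacked')
LAN_DEFAULT = Rule('pass', 'any', label='Default allow LAN to any')


def working_ruleset():
    """Steps 2-4 of the post: permit then block as floating quick rules, LAN untouched."""
    return Ruleset(ALIASES, floating=[PERMIT, BLOCK], interface={'lan': [LAN_DEFAULT]})


def shadowed_ruleset():
    """The failure mode: re-ordering put 'pass everything' above the block rule."""
    return Ruleset(ALIASES, interface={'lan': [LAN_DEFAULT, PERMIT, BLOCK]})


def non_quick_permit_ruleset():
    """Permit without 'apply immediately': the later quick block still wins."""
    soft_permit = Rule('pass', 'Akamai_FP', quick=False, label='permit FP (not quick)')
    return Ruleset(ALIASES, floating=[soft_permit, BLOCK], interface={'lan': [LAN_DEFAULT]})


if __name__ == '__main__':
    for name, rs in (('working', working_ruleset()), ('shadowed', shadowed_ruleset()),
                     ('non-quick permit', non_quick_permit_ruleset())):
        print(name, 'shadowed blocks:', shadowed_blocks(rs, 'lan'))
        for ip in ('100.64.5.5', '100.64.9.9', '192.0.2.1'):
            print('  ', ip, '->', evaluate(rs, 'lan', ip))
```

The check in `shadowed_blocks` is the automated form of step 5: after a pfBlockerNG reload, any block rule listed below a quick 'pass any' rule on the same path is dead, which is exactly the symptom described earlier in the thread.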



  • I'll chime in here. For me, what I do is:

    1 - Have all my BLs on a web server
    2 - Make a "whitelist.txt" BL
    3 - Add all the IPs and networks I want to whitelist to it
    4 - Add the URL and allow it in the IPv4 tab + get it once per hour + move it to the top of the list, although I don't think moving it to the top does anything :P
    5 - Cron reload

    Done…now I just manage the single whitelist.txt file and sometime within an hour it gets updated.  I have a substantial list of networks and IP's in that white list now.

    I believe this even overrules any GeoIP/country block in place... it allows it out.
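Added example (not the poster's file and not pfBlockerNG code) of the whitelist.txt side of the approach above: a small builder for the one-entry-per-line feed pfBlockerNG fetches from your web server. It assumes the plain format where '#' starts a comment, and goes slightly beyond the post by also handling IPv6, rejecting typos instead of shipping them as feed lines, and flagging whitelist entries that no block feed still covers. All addresses are constructed samples.

```python
"""Build and sanity-check a self-hosted whitelist.txt for pfBlockerNG.

Added example; not the poster's file and not pfBlockerNG code.  Assumes
the plain one-entry-per-line feed format ('#' starts a comment).  It
collapses overlapping entries, rejects unparsable lines, and lists
whitelist entries that no block feed overlaps any more so the list does
not silently grow forever.  Every address below is a constructed sample.
"""
import ipaddress

RAW_WHITELIST = """
# whitelist.txt (constructed sample) - one IP or CIDR per line
100.64.5.5          # streaming CDN edge (false positive inside a /19)
100.64.5.0/24
100.64.5.6          # already inside the /24 above
203.0.113.7
not-an-address      # typo, must not silently become a feed line
2001:db8::10
"""

BLOCK_FEED = """
# constructed block feed; the /19 is the one that causes the false positive
100.64.0.0/19
198.51.100.0/24
"""


def parse_entries(text):
    """Split feed text into (valid networks, rejected raw lines)."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            valid.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return valid, rejected


def render_line(net):
    """Bare address for single hosts, CIDR otherwise (both forms are accepted)."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_whitelist(text):
    """Deduplicated, collapsed, sorted feed lines (IPv4 first, then IPv6)."""
    nets, _ = parse_entries(text)
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(render_line(n) for n in ipaddress.collapse_addresses(same))
    return out


def stale_entries(whitelist_lines, block_text):
    """Whitelist lines that overlap no block feed entry (candidates for removal)."""
    blocks, _ = parse_entries(block_text)
    stale = []
    for line in whitelist_lines:
        net = ipaddress.ip_network(line, strict=False)
        if not any(net.overlaps(b) for b in blocks if b.version == net.version):
            stale.append(line)
    return stale


def render_feed(lines, header='# whitelist.txt - generated, edit the source instead'):
    """File body to publish on the web server pfBlockerNG fetches from."""
    return header + '\n' + '\n'.join(lines) + '\n'


if __name__ == '__main__':
    _, rejected = parse_entries(RAW_WHITELIST)
    lines = build_whitelist(RAW_WHITELIST)
    print(render_feed(lines))
    print('rejected:', rejected)
    print('no longer covered by any block feed:', stale_entries(lines, BLOCK_FEED))
```

Publish the output of `render_feed` at the URL configured in the IPv4 tab; the rejected and stale lists are what to look at before each cron reload, since a bad line or a dead entry in a permit feed is easy to miss once the list gets long.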