Deny Outbound for IPv4, DNSBL and GeoIP?
  • I am trying to refine my pfBlockerNG package…love it! But I was hoping for some best practices regarding "List Action". I currently run pfBlockerNG on my LAN and VLAN only (not WAN or VPN).

    GeoIP
    I recently changed my "List Action" to "Deny Outbound" as I was getting alerts from blocked countries to my WAN. My understanding is that the pfSense "Default Block" is already blocking these everyday scans. My understanding is that I am preventing my network/clients from going to any sites in these countries.

    Is this optimal to "Deny Outbound" only?

    DNSBL
    In DNSBL I also have this "List Action" set to "Deny Outbound". This one seems more fuzzy to me because when I go to Yahoo or AOL, I see the "Alerts" in my pfBlockerNG, I DO NOT see ads :)...great! But I don't understand why "Deny Outbound" is best...

    Can advertisers or Yahoo/AOL still track this? Why is just "Deny Outbound" used?

    IPV4
    With my IPv4 lists I have "List Action" set to "Deny Both". My logic here is "Both" is better than just one direction for malicious IPs. Maybe I'll catch a compromised client calling home to a nasty IP...

    Why would I just choose "Deny Outbound" or "Deny Inbound" only for a public list?

    Thanks in advance...

    V
    ![Deny Outbound.png](/public/imported_attachments/1/Deny Outbound.png)


  • Moderator

    Yes, pfSense is a stateful firewall and the WAN is default deny. When a device on the LAN makes a request outbound, it creates a firewall state, and this state allows the IP to come back through the WAN to your LAN (IPv4)....

    So protect the Outbound... and if you open specific ports on the WAN, then you can add rules for those open ports only...

    If you add Deny Both or Deny Inbound, and there are no open ports, then all you're doing is logging all the traffic that is hitting your WAN interface, but it is already being blocked by the default WAN Block rule... So all you're doing is filling your widget and firewall/alerts logs with entries.... Best to actually review what is getting blocked without all the noise...

    The DNSBL IP is used when DNSBL Feeds contain IPs... It collects them and puts them into a firewall rule, as Unbound cannot block on an IP; it blocks via a domain name.

    So follow the same philosophy as above for this also.
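The moderator's reasoning can be checked with a small model of a stateful firewall. The block below is an added illustration for this thread, not pfSense or pfBlockerNG code: the feed range, the client, the WAN address and the packets are constructed (RFC 5737 documentation addresses), NAT is ignored, and the rule order is a simplification of the real pf ruleset. It shows three things from the posts above: a state created by a LAN client lets the listed IP answer back regardless of any WAN rule; a "Deny Inbound" rule with no open ports blocks nothing the default WAN deny would not already block, it only adds an alert; and "Deny Outbound" is the only action that stops the client from reaching the listed IP in the first place.

```python
"""Toy stateful firewall modelling pfBlockerNG "List Action" choices.

Added example, not pfSense/pfBlockerNG code. All addresses and the
blocklist feed are constructed for illustration; NAT is ignored.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    blocklist: list                              # networks from a pfB-style feed
    deny_inbound: bool = False                   # pfB "Deny Inbound" rule on WAN
    deny_outbound: bool = False                  # pfB "Deny Outbound" rule on LAN
    open_wan_ports: set = field(default_factory=set)   # explicit WAN allows
    states: set = field(default_factory=set)     # (src, sport, dst, dport)
    alerts: list = field(default_factory=list)   # what pfB would log

    def listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocklist)

    def handle(self, p: Packet) -> str:
        # 1. State match first: a reply to a connection the LAN opened is
        #    passed before any rule is evaluated, listed IP or not.
        if p.iface == "wan" and (p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass:state"
        if p.iface == "lan":
            # 2. LAN: pfB Deny Outbound, then the default LAN allow (creates state).
            if self.deny_outbound and self.listed(p.dst):
                self.alerts.append(("deny_out", p.dst))
                return "block:pfb_outbound"
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return "pass:new_state"
        # 3. WAN: pfB Deny Inbound, then any opened ports, then the implicit
        #    default deny that pfSense applies to unsolicited WAN traffic.
        if self.deny_inbound and self.listed(p.src):
            self.alerts.append(("deny_in", p.src))
            return "block:pfb_inbound"
        if p.dport in self.open_wan_ports:
            self.states.add((p.src, p.sport, p.dst, p.dport))
            return "pass:open_port"
        return "block:default_deny"


# Constructed data: one "bad" range in the feed, a LAN client, our WAN address.
FEED = [ipaddress.ip_network("203.0.113.0/24")]
LISTED = "203.0.113.7"
CLIENT = "192.168.1.20"
WAN_IP = "198.51.100.5"


def scenario(deny_inbound: bool, deny_outbound: bool, open_ports=()) -> dict:
    """Run one outbound connection attempt, its reply, and an unsolicited scan."""
    fw = Firewall(FEED, deny_inbound, deny_outbound, set(open_ports))
    out = fw.handle(Packet("lan", CLIENT, 50000, LISTED, 443))   # client -> listed IP
    back = fw.handle(Packet("wan", LISTED, 443, CLIENT, 50000))  # listed IP replies
    scan = fw.handle(Packet("wan", LISTED, 40000, WAN_IP, 22))   # listed IP scans us
    return {"client_out": out, "reply_in": back, "scan_in": scan,
            "alerts": len(fw.alerts)}


if __name__ == "__main__":
    for name, kw in [("no pfB rule", {}),
                     ("Deny Inbound only", {"deny_inbound": True}),
                     ("Deny Outbound only", {"deny_outbound": True}),
                     ("Deny Inbound, port 22 open", {"deny_inbound": True,
                                                     "open_ports": {22}})]:
        print(f"{name:28s} {scenario(**kw)}")
```

Running it shows that "Deny Inbound" changes the scan result from `block:default_deny` to `block:pfb_inbound` (blocked either way, plus one alert) while the client's own connection and the listed IP's reply still pass; only "Deny Outbound" turns the client's attempt into `block:pfb_outbound`. The one case where an inbound rule does real work is when a WAN port is open: the listed scanner is then blocked by pfB instead of passing through the opened port.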

