IOS app blocked due to custom rule, forgot why I needed the rule?

  • Kind of embarrassing, but the memory isn't what it used to be. At some point soon after taking the pfSense training, I created a rule in pfSense for pfBlockerNG, or it was auto-created. This caused an app I use to evidently not be able to 'phone home,' but breaks functionality for the app entirely. I won't post the name of the app because I'm not familiar with what the rules are, but let's just say it's to use a company's mobile app to make an appointment rather than having to call them. I'm all for fewer phone calls and everything was working great. At some point, I created the new rule or set up a feature which auto-created the new rule.

    The new rule is tied to a NAT/port forward:

      Interface:       LAN
      Protocol:        TCP
      Source Address:  *
      Source Ports:    *
      Dest. Address:   192.168.113.2
      Dest. Ports:     443 (HTTPS)
      NAT IP:          127.0.0.1
      NAT Ports:       8443
      Description:     pfB DNSBL - DO NOT EDIT

    For now, let's say 192.168.113.2 is the DNSBL Virtual IP in the DNSBL configuration page (and 8443 is the listening port).

    which has this (LAN) rule which (looks to me) is related:

      States:       0/384 B
      Protocol:     IPv4 TCP
      Source:       *
      Port:         *
      Destination:  *
      Port:         8443
      Gateway:      *
      Queue:        none
      Schedule:     (none)
      Description:  PFBlockerNG - invalid domain certificate - I added

    The "I added" portion is a reminder to myself (lot of good that did) to let me know I created the rule. What I can't recall is why I added this rule; whether I was trying to fix another issue or if it was necessary for better security or ad blocking.

    If I disable this rule, the iOS app works just fine. The 'company' associated with the app has no issues with my desktop or laptop reaching them - it's just the iOS app that has issues. Now, I'm sure this company uses lots of advertising (it's a service industry…I can generically say "haircut app" to make appointments).

    What kind of issue did I create for myself here with this rule if I truly added it myself? I think I've read that the rule would be created to block sites w/o actual valid certificates, but hey, the memory isn't nearly as good as it was a decade or so ago. :)

    Any insight would be appreciated and I sure hope I don't sound too much like an idiot here.


  • https://en.wikipedia.org/wiki/Early-onset_Alzheimer's_disease

    Upside is, reruns are more interesting. You can binge watch the same series every week on Netflix and never get bored.



  • @frankvh:

    Looks a lot like this:

    https://forum.pfsense.org/index.php?topic=124945.0

    Reviewing that thread, it definitely seems like I input it for that reason. I modified the rule to specifically have destination 127.0.0.1 and my app works again. That seemed less harsh than modifying the code. Plus, I created the code modification (w/o updating destination in the rule) and it wouldn't let the app function.

    However, it seems to be working fine now, thanks again!
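The two posts above describe one mechanism: the DNSBL port forward rewrites traffic for the DNSBL virtual IP on 443 to 127.0.0.1:8443, and a LAN filter rule then matches on port 8443. In pf, translation (rdr/port-forward) is applied before filter rules, so the filter rule sees the translated destination. The following Python model, added here as an illustration rather than taken from the thread or from pfBlockerNG, replays that ordering against the exact entries quoted in the thread and against the fix the poster applied (destination narrowed to 127.0.0.1). It shows why a rule with destination "*" and port 8443 also catches a legitimate server that happens to use 8443, while the narrowed rule only catches sinkholed traffic. The client address 192.168.1.50 and the external server 203.0.113.10 are constructed sample values; the rule's action (pass, block or reject) is not shown in the thread, so the model only reports which rule matches, not what happens to the flow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the pfSense entries quoted in the thread.
# pf applies NAT (rdr / port-forward) rules before filter rules, so the
# LAN filter rule is matched against the translated destination.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class PortForward:
    dst: str            # pre-NAT destination ("*" = any)
    dst_port: int
    nat_ip: str         # translated destination
    nat_port: int
    description: str


@dataclass(frozen=True)
class FilterRule:
    dst: str                  # "*" = any, otherwise an address or CIDR
    dst_port: Optional[int]   # None = any port
    description: str


def _addr_matches(pattern: str, addr: str) -> bool:
    """True if addr falls inside pattern ('*' matches everything)."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def apply_port_forward(pkt: Packet, forwards: list) -> Packet:
    """Return the packet as the filter rules will see it (first matching forward wins)."""
    for fwd in forwards:
        if _addr_matches(fwd.dst, pkt.dst) and fwd.dst_port == pkt.dst_port:
            return Packet(pkt.src, fwd.nat_ip, fwd.nat_port, pkt.proto)
    return pkt


def first_matching_rule(pkt: Packet, rules: list) -> Optional[FilterRule]:
    """First-match evaluation; both rules in the thread have source '*', so source is ignored here."""
    for rule in rules:
        if _addr_matches(rule.dst, pkt.dst) and rule.dst_port in (None, pkt.dst_port):
            return rule
    return None


def evaluate(pkt: Packet, forwards: list, rules: list):
    """NAT first, then filter. Returns (translated packet, description of the matching rule or None)."""
    translated = apply_port_forward(pkt, forwards)
    rule = first_matching_rule(translated, rules)
    return translated, (rule.description if rule else None)


# Entries exactly as quoted in the thread.
DNSBL_VIP = "192.168.113.2"
DNSBL_FORWARD = [PortForward(DNSBL_VIP, 443, "127.0.0.1", 8443, "pfB DNSBL - DO NOT EDIT")]
RULE_DESC = "PFBlockerNG - invalid domain certificate - I added"
ORIGINAL_RULE = [FilterRule("*", 8443, RULE_DESC)]          # as first posted: destination *
FIXED_RULE = [FilterRule("127.0.0.1", 8443, RULE_DESC)]     # as modified in the follow-up post

# Constructed sample flows from a LAN client (192.168.1.50 is made up).
SINKHOLED = Packet("192.168.1.50", DNSBL_VIP, 443)         # blocklisted name resolved to the DNSBL VIP
LEGIT_8443 = Packet("192.168.1.50", "203.0.113.10", 8443)  # real server that happens to listen on 8443


def summary(rules: list) -> dict:
    """Which rule (if any) each sample flow hits once the port forward has been applied."""
    flows = (("sinkholed", SINKHOLED), ("legit_8443", LEGIT_8443))
    return {name: evaluate(pkt, DNSBL_FORWARD, rules)[1] for name, pkt in flows}


if __name__ == "__main__":
    translated, _ = evaluate(SINKHOLED, DNSBL_FORWARD, ORIGINAL_RULE)
    print("after port forward:", translated)
    print("original rule (dst *):", summary(ORIGINAL_RULE))
    print("fixed rule (dst 127.0.0.1):", summary(FIXED_RULE))
```

With the original rule both flows report a match, so whatever action the rule carries applies equally to the sinkholed connection and to the unrelated server on 8443; with the destination narrowed to 127.0.0.1 only the sinkholed flow matches, which is consistent with the app starting to work again after that one change.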

