Netgate Discussion Forum
    PfBlocker white list bypasses all other rules

    pfBlockerNG | 6 Posts, 2 Posters, 1.2k Views
    valnar

      So I found a major security issue in pfBlocker, or pfSense in general.  If this has been discussed before I apologize.

      I implemented pfBlocker with GeoIP "allowing" and once a packet hits one of those rules (i.e. I allow North America), it simply is forwarded without checking any other rules.  This is a major design flaw IMO since Geo-IP blocking is implemented as a regular firewall rule.  Because it matches that rule first, I cannot apply further scrutiny other than that it's from North America.  My downstream rule to only allow certain IPs access for HTTPS or SSH inbound to my network is completely bypassed.

      Geo blocking should be at a different level than a standard firewall policy.  Further rules should be processed once it meets your Geo blocking requirement.  Is there a way to make this happen?

      Grimson (Banned)

        That's why you can change the rule order or use alias rules. This is a layer 8 problem.

        valnar

          I don't understand how aliases would fix this issue, and my complaint most certainly is about the way pfBlocker automatically inserts its rules.  If they needed to be massaged afterwards, shouldn't that be in the script that creates them?

          Anyway, tell me how I can have a rule match two filters.  If match rule 1, then if match rule 2, you are permitted.  Right now anything that matches the pfB_NAmerica_v4 rule and a NAT further downstream is allowed in, making my hit counters on any further rules zero.

          valnar

            In this case, I have a specific rule that only allows me to manage my firewall from work.  Let's say IP 22.22.22.22.  Because of Geo-IP blocking, I can now get to it from anywhere.  Even if I move the rule above the pfBlocker rules, it would still hit the North America rule later because there is no DENY.  (Ignore the Block_List rule.  That was created by me with a single network.)

            This is because I followed the recommendation of whitelisting the countries I want access.  I assume it would work fine with a blacklist, but that's a lot of countries.

            By following the white-list instructions here, I don't see how I'm blocking any other countries at all.  All it did was make my firewall less secure overall.  Perhaps if pfBlocker's GeoIP script created an inverse match afterwards to deny all other countries that might be better (and I need to do that), but that still allows anything in from North America, bypassing my requirement to only allow 22.22.22.22.

            [image: rules.jpg (screenshot of the rule set)]

            Grimson (Banned)

              @valnar:

              In this case, I have a specific rule that only allows me to manage my firewall from work.  Let's say IP 22.22.22.22.  Because of Geo-IP blocking, I can now get to it from anywhere.  Even if I move the rule above the pfBlocker rules, it would still hit the North America rule later because there is no DENY.  (Ignore the Block_List rule.  That was created by me with a single network.)

              Then change it to a rule that blocks everything except your work IP. Also do some RTFM and research a topic before complaining or pronouncing a major security issue: https://forum.pfsense.org/index.php?topic=142225.0

              Edit: You really need to learn and understand how firewalls work.

              valnar

                I work with firewalls all day long and every other major brand out there (CheckPoint, Fortinet, Palo Alto) implements geo-blocking as a separate process outside of firewall rules, otherwise you get the things I complained about.

                But with pfSense, I guess I'll have to re-order and manipulate things to get what I want.  Obviously it works fine with blacklisting, but with whitelisting, allowing North America does nothing to block Russia.

                Then change it to a rule that blocks everything except your work IP.

                I didn't need to do that before I implemented GeoIP blocking.  It was already assumed by my original rule.  Now I need to add a bunch more.

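The whole disagreement above comes down to first-match rule evaluation: pfSense rules are evaluated top to bottom and the first rule that matches decides, so a broad GeoIP "pass" placed above a narrow admin rule swallows the admin traffic and leaves the narrow rule's hit counter at zero, exactly as valnar observed. The following is an added example, not pfSense or pfBlockerNG code and not any poster's: a small first-match rule engine in the style of pf, with the original ordering (GeoIP pass on top) beside the ordering Grimson suggests (specific pass from the work IP, then an explicit block of the admin ports, then the GeoIP pass for everything else). The alias name pfB_NAmerica_v4 and the work IP 22.22.22.22 come from the thread; the prefixes placed in the alias and the sample traffic are constructed.

```python
"""First-match firewall evaluation: why a GeoIP whitelist rule on top bypasses
narrower rules below it, and how reordering plus an explicit block restores intent.

Added example. Not pfSense/pfBlockerNG code. Alias prefixes and traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the GeoIP alias; a real one holds thousands of prefixes.
# 22.0.0.0/8 is included so the work IP 22.22.22.22 is itself "North America".
ALIASES = {
    "pfB_NAmerica_v4": [ipaddress.ip_network("22.0.0.0/8"),
                        ipaddress.ip_network("198.51.100.0/24")],
    "work": [ipaddress.ip_network("22.22.22.22/32")],
}


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # alias name from ALIASES, or "any"
    dport: Optional[int]  # None means any destination port
    label: str            # what the hit counter is keyed on


def src_matches(rule: Rule, ip: ipaddress.IPv4Address) -> bool:
    if rule.src == "any":
        return True
    return any(ip in net for net in ALIASES[rule.src])


def evaluate(rules, src_ip: str, dport: int, default: str = "block"):
    """First matching rule wins (pf 'quick' semantics, as pfSense GUI rules use);
    nothing matching falls through to the default deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if src_matches(r, ip) and (r.dport is None or r.dport == dport):
            return r.action, r.label
    return default, "default deny"


# Ordering the thread describes: pfBlockerNG's whitelist pass inserted above the admin rules.
ORIGINAL = [
    Rule("pass", "pfB_NAmerica_v4", None, "pfB_NAmerica_v4"),
    Rule("pass", "work", 443, "admin HTTPS from work"),
    Rule("pass", "work", 22, "admin SSH from work"),
]

# Reordered: narrow admin pass first, explicit block of the admin ports for
# everyone else, and only then the broad GeoIP pass for the remaining services.
CORRECTED = [
    Rule("pass", "work", 443, "admin HTTPS from work"),
    Rule("pass", "work", 22, "admin SSH from work"),
    Rule("block", "any", 443, "block admin HTTPS from everyone else"),
    Rule("block", "any", 22, "block admin SSH from everyone else"),
    Rule("pass", "pfB_NAmerica_v4", None, "pfB_NAmerica_v4"),
]


def hit_counters(rules, traffic):
    """Per-rule hit counts for a list of (src_ip, dport) samples."""
    counts = {r.label: 0 for r in rules}
    counts["default deny"] = 0
    for src, port in traffic:
        _, label = evaluate(rules, src, port)
        counts[label] += 1
    return counts


# Constructed traffic: the work IP, another North American host probing the
# admin ports and a web port, and a host outside the alias.
TRAFFIC = [
    ("22.22.22.22", 443),
    ("198.51.100.7", 443),
    ("198.51.100.7", 22),
    ("203.0.113.9", 443),
    ("198.51.100.7", 80),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"== {name} ==")
        for src, port in TRAFFIC:
            print(f"  {src}:{port} -> {evaluate(rules, src, port)}")
        print("  counters:", hit_counters(rules, TRAFFIC))
```

With the original order every North American source, including the work IP, is decided by the GeoIP rule, so the admin rules never count a hit and any North American host reaches the admin ports. With the corrected order the work IP still passes, other North American hosts are blocked on 443 and 22 but still pass on other ports, and hosts outside the alias fall to the explicit block. The point is not specific to GeoIP aliases: any broad pass rule above a narrow one behaves this way in a first-match engine.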
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.