PfBlocker white list bypasses all other rules
-
So I found a major security issue in pfBlocker, or pfSense in general. If this has been discussed before I apologize.
I implemented pfBlocker with GeoIP "allowing" and once a packet hits one of those rules (i.e. I allow North America), it simply is forwarded without checking any other rules. This is a major design flaw IMO since Geo-IP blocking is implemented as a regular firewall rule. Because it matches that rule first, I cannot apply further scrutiny other than that it's from North America. My downstream rule to only allow certain IPs access for HTTPS or SSH inbound to my network is completely bypassed.
Geo blocking should be at a different level than a standard firewall policy. Further rules should be processed once it meets your Geo blocking requirement. Is there a way to make this happen?
-
That's why you can change the rule order or use alias rules. This is a layer 8 problem.
-
I don't understand how aliases would fix this issue, and my complaint most certainly is about the way pfBlocker automatically inserts its rules. If they need to be massaged afterwards, shouldn't that be in the script that creates them?
Anyway, tell me how I can have a rule match two filters. If it matches rule 1, then if it matches rule 2, you are permitted. Right now anything that matches the pfB_NAmerica_v4 rule and a NAT further downstream is allowed in, making my hit counters on any further rules zero.
-
In this case, I have a specific rule that only allows me to manage my firewall from work. Let's say IP 22.22.22.22. Because of Geo-IP blocking, I can now get to it from anywhere. Even if I move the rule above the pfBlocker rules, it would still hit the North America rule later because there is no DENY. (Ignore the Block_List rule. That was created by me with a single network.)
This is because I followed the recommendation of whitelisting the countries I want access. I assume it would work fine with a blacklist, but that's a lot of countries.
By following the white-list instructions here, I don't see how I'm blocking any other countries at all. All it did was make my firewall less secure overall. Perhaps if pfBlocker's GeoIP script created an inverse match afterwards to deny all other countries that might be better (and I need to do that), but that still allows anything in from North America bypassing my requirement to only allow 22.22.22.22
-
In this case, I have a specific rule that only allows me to manage my firewall from work. Let's say IP 22.22.22.22. Because of Geo-IP blocking, I can now get to it from anywhere. Even if I move the rule above the pfBlocker rules, it would still hit the North America rule later because there is no DENY. (Ignore the Block_List rule. That was created by me with a single network.)
Then change it to a rule that blocks everything except your work IP. Also do some RTFM and research a topic before complaining or pronouncing a major security issue: https://forum.pfsense.org/index.php?topic=142225.0
Edit: You really need to learn and understand how firewalls work.
-
I work with firewalls all day long and every other major brand out there (CheckPoint, Fortinet, Palo Alto) implements geo-blocking as a separate process outside of firewall rules, otherwise you get the things I complained about.
But with pfSense, I guess I'll have to re-order and manipulate things to get what I want. Obviously it works fine with blacklisting, but with whitelisting, allowing North America does nothing to block Russia.
Then change it to a rule that blocks everything except your work IP.
I didn't need to do that before I implemented GeoIP blocking. It was already assumed by my original rule. Now I need to add a bunch more.
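The disagreement above comes down to first-match evaluation: pfSense interface rules are evaluated top to bottom and the first match wins (pf "quick"), so a broad GeoIP pass rule placed above a narrower allow rule short-circuits it, and moving the narrow allow rule upward does not help because the GeoIP pass still catches everyone else. The following simulation is an added example, not code from the thread or from pfSense/pfBlockerNG; the aliases, addresses and port numbers are constructed (documentation ranges standing in for a GeoIP "North America" list), and the three rulesets model the original order, the OP's "move my rule above" attempt, and the reply's "block everything except your work IP" fix.

```python
import ipaddress

# Constructed aliases (assumption): these prefixes stand in for the
# pfB_NAmerica_v4 GeoIP list and the admin's work IP. They are not real
# GeoIP data; 22.0.0.0/8 is used only because the thread uses 22.22.22.22.
ALIASES = {
    "pfB_NAmerica_v4": ["22.0.0.0/8", "198.51.100.0/24"],
    "Work_IP": ["22.22.22.22/32"],
}


def _src_matches(spec, src):
    """spec is an alias name, 'any', or '!Alias' (pfSense 'invert match')."""
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(src)
        hit = any(addr in ipaddress.ip_network(n) for n in ALIASES[name])
    return hit != negate


def evaluate(rules, src, dport):
    """First-match evaluation, as for pfSense interface rules (pf 'quick').

    Returns (action, index_of_matching_rule); (\"block\", None) when nothing
    matches, mirroring pfSense's implicit default deny on an interface.
    """
    for i, rule in enumerate(rules):
        port_ok = rule["dport"] is None or rule["dport"] == dport
        if port_ok and _src_matches(rule["src"], src):
            return rule["action"], i
    return "block", None


def hit_counters(rules, packets):
    """Return (per-rule hit counts, per-packet verdicts) for a packet list."""
    counts = [0] * len(rules)
    verdicts = []
    for src, dport in packets:
        action, idx = evaluate(rules, src, dport)
        if idx is not None:
            counts[idx] += 1
        verdicts.append(action)
    return counts, verdicts


# Ruleset as described in the thread: pfBlockerNG's GeoIP pass rule sits
# above the admin's own "manage from work only" rule.
ORIGINAL = [
    {"name": "pfB_NAmerica_v4", "action": "pass", "src": "pfB_NAmerica_v4", "dport": None},
    {"name": "Mgmt from work", "action": "pass", "src": "Work_IP", "dport": 443},
]

# The OP's attempt: move the management allow rule above the GeoIP rule.
MOVED = [ORIGINAL[1], ORIGINAL[0]]

# The reply's fix: an explicit block of the management port from everything
# except the work IP, placed ABOVE the GeoIP pass rule.
FIXED = [
    {"name": "Block mgmt except work", "action": "block", "src": "!Work_IP", "dport": 443},
    ORIGINAL[0],
    ORIGINAL[1],
]

# Constructed sample traffic: (source IP, destination port).
PACKETS = [
    ("22.22.22.22", 443),   # work IP -> management port
    ("22.33.44.55", 443),   # another North American host -> management port
    ("203.0.113.9", 443),   # non-North-American host -> management port
    ("22.33.44.55", 80),    # North American host -> some other service
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("moved", MOVED), ("fixed", FIXED)):
        counts, verdicts = hit_counters(rules, PACKETS)
        print(label, "hits per rule:", counts, "verdicts:", verdicts)
```

In the original order the other North American host reaches port 443 and the "Mgmt from work" rule never fires, which is the zero hit counter the OP describes; moving the allow rule up still lets that host through via the GeoIP pass; only the explicit block above the GeoIP rule restricts port 443 to the work IP while leaving the GeoIP rule in place for everything else.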