Netgate Discussion Forum
    Basic IP blocking rule

    Firewalling | 5 Posts | 3 Posters | 2.3k Views
    • helwoe:

      Hi all,

      I thought I understood firewalls until now. I've been doing a lot of reading and I'm not quite sure what to do.

      I understand there is an implicit rule to block all, hence the "Default LAN -> any" rule that is created upon installation to allow all out of the LAN:

      Default LAN rule
      ----------------

      Action  Proto  Source   Port  Dest  Port  GW  Sched  Desc
      Allow   *      LAN net  *     *     *     *         Default LAN -> any

      I've tried to make a rule to block a specific IP from accessing the internet, but none work. I'm thinking that if I want to block a specific IP, I need to create a rule that allows all the IPs I want (alias) excluding the IP I want blocked, and then delete the Default LAN -> any rule. Is this correct?

      Allowed IP rule
      ---------------

      Action  Proto  Source           Port  Dest  Port  GW  Sched  Desc
      Allow   *      Alias (on LAN)   *     *     *     *         Allowed IPs (LAN) -> any

      I'd like to use a schedule to specifically allow this IP, like so, if I'm on the right track...

      Blocked IP LAN rule
      -------------------

      Action  Proto  Source  Port  Dest  Port  GW  Sched     Desc
      Allow   *      IP      *     *     *     *   IP sched  Blocked IP (LAN) -> any

      Seems like adding a rule to the default rule would/should work, but I just can't get that to work, even after rebooting and/or resetting states. I'd appreciate some help, thanks.

      ===============

      PFSense version  1.2.1

      Network:

      Internet <-> Cable Router <-> PFSense/DHCP/TrafficShaper <-> LAN (192.168.1.2-192.168.1.80)

      • mikeisfly:

        You have the right thinking; just remember that rules are executed in the order that they appear, so the first rule that matches the condition will be executed. So if you want to block a specific IP from accessing the internet or whatever, just make sure that it is above the rule that allows all traffic on that interface out.

        Good Luck.

        • helwoe:

          Thanks for the reply.
          I got it to work for a few days, then had some other unrelated problems that warranted a reinstall... Glad I understand the concept though... ;)

          Cheers..

          • zer0 0:

            Hello,
            I'm also trying to restrict internet access to certain IPs. I don't think I'm creating the rule properly; I'm attaching a screenshot of my rule to block certain IPs.

            Any help will be appreciated

            PS: this rule is listed before the default rule that allows all of LAN to internet

            ![pfsense rule.JPG](/public/imported_attachments/1/pfsense rule.JPG)

            • zer0 0:

              Got it... apparently it had to be TCP/UDP, not just TCP.

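The two findings in this thread, mikeisfly's point that pfSense interface rules are first-match (the rule list is walked top to bottom and the first matching rule decides, with the implicit default deny applying when nothing matches) and zer0's discovery that a block rule scoped to TCP alone leaves the host's UDP traffic flowing, can both be seen in a small rule-evaluation model. The following is an added example, not code from the thread or from pfSense itself; the rule and packet objects, the `evaluate` function, and the 192.168.1.x / 203.0.113.x addresses are constructed here for illustration and do not come from the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example (not from the thread): a tiny model of how pfSense
# evaluates the rules on one interface. pfSense rules are first-match: the
# list is walked top to bottom and the first rule that matches decides;
# if nothing matches, the implicit default deny blocks the packet.


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp" or "tcp/udp"
    src: str              # "any", a host address or a CIDR network
    dst: str = "any"
    desc: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and pkt.proto not in self.proto.split("/"):
            return False
        return _addr_in(pkt.src, self.src) and _addr_in(pkt.dst, self.dst)


def _addr_in(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ("any", a single host, or a CIDR)."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation: return (action, description of deciding rule)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Rules and packets for the thread's scenario (constructed; the blocked host
# and the external addresses are placeholders, not taken from the posts).
LAN_NET = "192.168.1.0/24"
BLOCKED_HOST = "192.168.1.50"

DEFAULT_LAN_ANY = Rule("pass", "any", LAN_NET, desc="Default LAN -> any")
BLOCK_HOST = Rule("block", "any", BLOCKED_HOST, desc="Blocked IP (LAN) -> any")
BLOCK_HOST_TCP = Rule("block", "tcp", BLOCKED_HOST, desc="Blocked IP, TCP only")

HTTPS_FROM_BLOCKED = Packet("tcp", BLOCKED_HOST, "203.0.113.10", 443)
DNS_FROM_BLOCKED = Packet("udp", BLOCKED_HOST, "203.0.113.53", 53)
HTTPS_FROM_OTHER = Packet("tcp", "192.168.1.20", "203.0.113.10", 443)


def demo() -> dict:
    """Show the effect of rule order and of the rule's protocol field."""
    block_below_default = [DEFAULT_LAN_ANY, BLOCK_HOST]
    block_above_default = [BLOCK_HOST, DEFAULT_LAN_ANY]
    tcp_only_above_default = [BLOCK_HOST_TCP, DEFAULT_LAN_ANY]
    return {
        # A block rule placed under the default pass rule is never reached.
        "below_default": evaluate(block_below_default, HTTPS_FROM_BLOCKED)[0],
        # The same rule above the default pass rule takes effect ...
        "above_default": evaluate(block_above_default, HTTPS_FROM_BLOCKED)[0],
        # ... and does not affect other LAN hosts.
        "above_default_other_host": evaluate(block_above_default, HTTPS_FROM_OTHER)[0],
        # A TCP-only block lets the same host's UDP (e.g. DNS) through.
        "tcp_only_udp": evaluate(tcp_only_above_default, DNS_FROM_BLOCKED)[0],
        "tcp_only_tcp": evaluate(tcp_only_above_default, HTTPS_FROM_BLOCKED)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Run it and the "below_default" case comes back "pass": the block rule is never consulted because the "Default LAN -> any" rule above it already matched. Moving the block rule above the default rule flips the verdict to "block" for that host only. The "tcp_only_udp" case is zer0's situation: with Proto set to TCP the host's UDP traffic (DNS, for example) still hits the default pass rule, so the rule has to be TCP/UDP or any. One caveat the model does not cover is state: on the real firewall, connections already in the state table keep flowing after a new block rule is added until those states are reset, which is why helwoe mentions resetting states when testing.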
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.