Country Blocking vs Unsolicitated Requests on WAN

  • I am new to setting up firewall.. having spent 1 week+ so far playing with it. Have a number of questions/observations.. but first one is regarding pfBlocker and how it relates to the router rules. I only enabled the top20 GeoIP blocking so far.. but as I read discussions on country blocking, it is my understanding that it is not really needed on the WAN side, as the WAN should be blocking ALL unsolicited access by default.

    I haven't changed any WAN rules and it has the ones created by pfS based on my settings for blocking RFC1918 and Bogon Networks.

    I DO have my LAN Interface to open with * *, but I do not believe it supersedes the locked-down WAN. My other interfaces are more locked down for guest/iot (which is where I am currently spending my time to get set up correctly).

    I also moved my pfBlockerNG rules to Floating, so I didn't have to create them in every interface

    So, my question.. or concern is, why am I seeing a lot of Deny hits on the WAN for Country(s) that are on the GeoIP/Country Top4 (have IP6 turned off) block list? I would think these should not show at all if it is already blocking unsolicitated traffic.

    My two thoughts are... either I opened up something I shouldn't have and my open port on my LAN or Guest interface is letting things thru. Or perhaps, it is just due to the execution order of things with the Floating Rules (and hence Country Block) coming before my WAN deny everything rule. Perhaps this is a case for not having these as Floating Rules and creating them in each necessary Lan1/Lan2/Lan3 interface?

  • I'm not sure what you're expecting. If your rules say block traffic from these address ranges, then they will be blocked and logged.

    Geoblocking is completely pointless if you do not have any forwarded services, like a web server or something, since all unsolicited access to WAN is blocked by default anyway.

  • LAYER 8 Global Moderator

    The only reason t have specific geoip blocks on your wan if do not forward any traffic would be if you wanted to log what regions the hits were coming from vs just the normal logging of the IP in the default block log.

  • Banned

  • ok, thanks to all. Yes, that confirms most of what I was thinking plus some things I hadn't considered.

    Yes, it is nice to see where blocks are coming from.. but I think that need will fade once I watch things for a while.. in order to keep things streamlined and using less memory. I imagine the same could be said for IP/Domain blocks on the Inbound WAN not being necessary.. or Inbound on any of the other interfaces for that matter.

    Would there be a benefit to having it on the Outbound WAN.. or rather outbound on the Restricted/Guest wifi (where my kids would be connected)? One thing I am trying to protect from is the kids clicking on something on their tablets/games etc that then connects to some overseas url which then opens a hole for things to be downloaded.

  • LAYER 8 Global Moderator

    You normally would not put any sort of rule on "outbound" wan..

    Rules are evaluated as traffic enters an interface towards pfsense from the network that interface is connected too.

    If you want to block something on your lan or opt or any other "lan" side network then you would place the block on the that interface.

Log in to reply