4. Advice - Allowing client to bypass pfblocker-ng

Advice - Allowing client to bypass pfblocker-ng

  • W

    Hi there,
    so I've installed pfblocker-ng and setup my dns rules (see attached) on the firewall and added my lists for DNSBL and all is working perfectly. I lookup a known bad site and it resolves to 10.10.10.1 .. excellent

    However I want to allow my desktop smartphone to bypass pfblocker and I'm having issues getting it to work. I followed Lawrence on youtube and he advise to put a rule at the top of the list to allow an IP to DNS before the block (also in attached pic) but no joy .. I still get sent to 10.10.10.1 on a lookup.

    any help appreciated
    0_1538481945833_rules.PNG

    0

  • There is one post here

    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

    1
    W
     1 Reply
  • W

    @ronpfs said in Advice - Allowing client to bypass pfblocker-ng:

    There is one post here

    https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

    That worked :) Thank you very much.

    For newbies like myself.. a little hint .. the custom option is at the end under DNS resolver.

    0
  • P

    Lawrence rule serves to allow host 192.168.10.3 to change its own DNS server setting and use an external one, bypassing internal DNS resolver and then the DNSBL filter. Requests to access an external DNS server from all other hosts are denied by the last firewall rule above.

    However, if host 192.168.10.3 keeps using the internal DNS, its calls to DNS are subjected to the DNSBL filter as all the the other host calls. In this case the solution to bypass this filter is the one proposed above.

    0
  • LAYER 8 Global Moderator

    The allow rule to pfsense is wrong... It allows access to ANY thing on the lan net on port 53 UDP.. So any client on the lan net could access any dns they want that resides on lan net. That rule should be set to pfsense Lan IP as the destination.

    It should also be both udp and tcp

    Same for the other rules - dns can be both udp and dns... While allowing only udp will prob work for most stuff, if the client needs to switch over to use tcp for a reason, then the dns queries would fail.

    0
  • LAYER 8 Moderator

    I'd change the allow rules to "LAN net" (or in case of the .10.3 an alias) and the block rule to source any? So you block out unwanted clients, that may have been connected to the network and setup with an alternative IP range?
    And wouldn't "This Firewall" be good instead of "LAN address" in case you upgrade that to a CARP setup?

    Just a thought

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy