Firewall rules with multiple IPs (ACL)



  • Is there a way for me to add multiple addresses (in CIDR notation) to a firewall rule? For example, if I want to block incoming traffic from all addresses native to Iran, I would need an ACL consisting of about 2,725 CIDR blocks, starting with 2.144.0.0/16 and ending with 217.218.0.0/15. Rather than making 2,725 rules in this example, can I dump the entire list into a block rule, or use some separate ACL function to accomplish this task?

    Thank you!

    P.S. I am using a NG-1100 running pfSense 2.4.x



  • Use the pfBlockerNG package for something like that.

    Otherwise, for individual IP addresses or networks, you can add all of them to an alias (Firewall > Aliases > IP) and use this one in the firewall rule.



  • Ok, I see what you mean about the alias option. That could work, but I was hoping for a text box, not a list of blanks; that method could cost me what little sanity I have left.
    I am installing that package, and will give it a try. Thank you!


  •

    Hi @cyberminion,

    At Firewall > Aliases, there is an Import button on the bottom.

    Paste in the aliases to import separated by a carriage return. Common examples are lists of IPs, networks, blacklists, etc. The list may contain IP addresses, with or without CIDR prefix, IP ranges, blank lines (ignored) and an optional description after each IP. e.g.:

    172.16.1.2
    172.16.0.0/24
    10.11.12.100-10.11.12.200
    192.168.1.254 Home router
    10.20.0.0/16 Office network
    10.40.1.10-10.40.1.19 Managed switches
    

    Thank you,

    -James
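The import box accepts exactly the line shapes James lists, but a 2,725-entry country list is easy to get subtly wrong (a backwards range, a stray non-address, a mixed IPv4/IPv6 range) and the box gives you one error at a time. Below is an added example, written for this thread and not code from pfSense or from anyone in it, that parses a paste in that format offline, reports the first bad line by number, expands dash ranges into the CIDR blocks a pf table actually holds, and merges overlapping or duplicate entries so the list you finally paste is as short as it can be. The function names, and the sample list (constructed to mirror the six lines in the post), are the example's own.

```python
"""Check and normalize a pfSense alias import list before pasting it.

Added example for this thread; it is not pfSense code. It accepts the
line shapes the Firewall > Aliases > Import box is described as taking:
a single IP, a CIDR network, a "low-high" range, blank lines (ignored),
and an optional description after the address. Ranges are expanded to
the minimal set of CIDR blocks and overlapping or duplicate entries are
merged, so a long list can be sanity-checked and shrunk before import.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample input; same shape as the list in the post above.
SAMPLE_IMPORT = """\
172.16.1.2
172.16.0.0/24
10.11.12.100-10.11.12.200

192.168.1.254 Home router
10.20.0.0/16 Office network
10.40.1.10-10.40.1.19 Managed switches
"""


def parse_entry(line: str) -> Tuple[list, str]:
    """Parse one non-blank import line into (networks, description).

    Raises ValueError for anything the import box would reject:
    a malformed address, a mixed-version range, or a reversed range.
    """
    parts = line.split(None, 1)
    token = parts[0]
    desc = parts[1].strip() if len(parts) > 1 else ""
    if "-" in token:
        low, _, high = token.partition("-")
        low_ip = ipaddress.ip_address(low)
        high_ip = ipaddress.ip_address(high)
        if low_ip.version != high_ip.version:
            raise ValueError(f"mixed IPv4/IPv6 range: {token}")
        if low_ip > high_ip:
            raise ValueError(f"range runs backwards: {token}")
        # Minimal set of CIDR blocks covering low..high inclusive.
        nets = list(ipaddress.summarize_address_range(low_ip, high_ip))
    else:
        # strict=False masks host bits in "2.144.0.1/16" instead of
        # rejecting it; switch to strict=True to flag such lines.
        nets = [ipaddress.ip_network(token, strict=False)]
    return nets, desc


def parse_import(text: str) -> List[Tuple[list, str]]:
    """Parse a whole paste. Blank lines are skipped; errors name the line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            entries.append(parse_entry(raw))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


def is_valid_import(text: str) -> bool:
    """True if every non-blank line would be accepted."""
    try:
        parse_import(text)
        return True
    except ValueError:
        return False


def collapse_networks(entries: List[Tuple[list, str]]) -> list:
    """Merge duplicates and overlaps, per address family, sorted."""
    collapsed = []
    for version in (4, 6):
        nets = [n for networks, _ in entries for n in networks if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(nets))
    return collapsed


def render_alias_lines(networks: list) -> List[str]:
    """Lines to paste back into the import box: one CIDR per line,
    with single hosts written as a plain address rather than /32 or /128."""
    return [
        str(n.network_address) if n.num_addresses == 1 else str(n)
        for n in networks
    ]


if __name__ == "__main__":
    parsed = parse_import(SAMPLE_IMPORT)
    blocks = sum(len(nets) for nets, _ in parsed)
    print(f"{len(parsed)} entries -> {blocks} CIDR blocks")
    for out_line in render_alias_lines(collapse_networks(parsed)):
        print(out_line)
```

Once the alias is saved and the rule applied, `pfctl -t <aliasname> -T show` on the box lists what the pf table actually holds, so the count it prints can be compared against the number of blocks this script reports; a mismatch usually means a line the import box silently dropped.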

