pfBlockerNG specific port access...
-
Hello all,
I apologize if this info is already posted, I have searched and couldn't seem to find the answer I'm looking for and I'm stuck.
I'm on 2.4.4-release-p1 using pfBlockerNG 2.4.1_16 with two servers set up in CARP failover. On the WAN interface I have typical ports opened and forwarded to various servers, one of which is a mail relay on port 25 and another a BIND server on UDP 53.
Everything works like a charm, except that my efforts to allow ports TCP 25 and UDP 53 in from GeoIP-blocked countries are failing. Because I have vendors from all over the world, I need to allow these ports. I also need to have ports 80/443 available from a handful of specific countries.
I have selected all countries (I know it is not best practice to block the world) except for a select few, list action is Deny Inbound, and under Advanced Firewall Rule Settings I have enabled Custom DST Port for an alias with the following port ranges: 1:24, 26:52, 54:586, 588:65535, and have set custom protocol to TCP/UDP... and many variations centric to this. The only way I have been able to get it to work is to move my 25/53 rules above pfBlockerNG, but they eventually get moved down even though I manually created them. Because I have so many other ports opened from ANY, I need to have the blocker rules at the top protecting those ports.
I know I am missing something conceptually, and again I apologize if that info is already here, but, in a nutshell, how do I configure pfBlockerNG to allow specific ports from the world while allowing specific ports from specific countries?
Thanks for the help!
-
In the General tab is a Rule Order option. Try to select one of the rule ordering options, or alternatively, use "Alias Type" settings which will not create any firewall rules, and you create them as required. See the blue infoblock "Action" icon for more details.
I would also recommend installing pfBlockerNG-devel, which is much improved.
-
Thanks BBcan177,
I will check out the rule ordering option. For now I have disabled cron jobs to keep my 53/25 rules at the top, but I realize that is a temporary workaround.
Is my logic correct in that by selecting all countries, setting list action to Deny Inbound, and using Custom DST Port with an alias with the following port ranges: 1:24, 26:52, 54:586, 588:65535 w/custom protocol TCP/UDP, I would essentially be blocking all TCP/UDP traffic from the countries selected except for 25, 53, and 587?
Thanks again for your help.
-
*** Update ***
I checked out rule order but was unable to find a combination that would fit my need, as I only want to allow 25/53 from all while using pfBlocker to protect my other open ports. Under Advanced Inbound Firewall Rule Settings, I tried to use Deny Inbound with a Custom DST Port alias that included 1:24, 26:52, 54:586, 588:65535 (i.e. deny everything except 25/53/587) w/custom protocol TCP/UDP, but that didn't seem to work either.
I'm finding it hard to believe that I am the only one who has wanted to allow certain ports globally while using pfBlocker GeoIP to protect all other open ports, which makes me believe I am missing something simple.
Any ideas?
-
You can always use "Alias Type" rules and then manually create the firewall rules to suit your needs... Refer to the blue infoblock icon for the "Action" icons.
-
@BBcan177 I have a rule ordering problem. When pfBlockerNG is enabled, ports that I don't intend to have open are suddenly open. Is this an issue with rule order? My rules are one allow rule for a few IPs, then the pfBlocker block, followed by allow rules from pfSense. Would the alias type rules resolve this issue?
-
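Putting the replies together (an "Alias Type" GeoIP list, which creates only the alias/table, plus hand-made rules), here is an added pf ruleset sketch of the first-match ordering the thread is after. It is not from the thread or from pfBlockerNG; the interface name, host addresses and table names are placeholders, and on pfSense the equivalent rules are built in the GUI rather than typed into pf.conf.

```pf
# Added example, not from the thread or from pfBlockerNG.
# Interface, host and table names below are placeholders.
wan_if   = "em0"          # placeholder WAN interface
mail_srv = "192.0.2.25"   # placeholder mail relay (RFC 5737 documentation range)
dns_srv  = "192.0.2.53"   # placeholder BIND server
web_srv  = "192.0.2.80"   # placeholder web server

# Tables are populated out-of-band (e.g. by an "Alias Type" GeoIP list that
# creates the alias but no rules). The names are placeholders.
table <geo_blocked> persist   # countries to deny
table <geo_web_ok>  persist   # the handful of countries allowed to 80/443

# 1. Globally reachable services come first. "quick" stops evaluation on a
#    match, so these pass before the GeoIP block is ever consulted.
pass in quick on $wan_if inet proto tcp from any to $mail_srv port 25
pass in quick on $wan_if inet proto udp from any to $dns_srv  port 53

# 2. The GeoIP deny sits next and shields every rule below it.
block in quick on $wan_if inet from <geo_blocked> to any

# 3. Rules below the block are only reached by sources not in <geo_blocked>.
#    Country-restricted web access uses its own allow table.
pass in quick on $wan_if inet proto tcp from <geo_web_ok> to $web_srv port { 80, 443 }

# 4. Anything else opened from "any" is now effectively "any except blocked
#    countries", which is the protection the original poster wanted.
pass in quick on $wan_if inet proto tcp from any to $mail_srv port 587
```

Without `quick`, pf uses last-match-wins and the order above would not behave as described; pfSense's GUI rules are evaluated top-down with quick semantics, which is why the 25/53 allows must stay above the GeoIP block.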