Netgate Discussion Forum

    pfBlockerNG specific port access...

    pfBlockerNG category

    Jhendo6:

      Hello all,

      I apologize if this info is already posted, I have searched and couldn't seem to find the answer I'm looking for and I'm stuck.

      I'm on 2.4.4-release-p1 using pfBlockerNG 2.4.1_16 with two servers set up in CARP failover. On the WAN interface I have typical ports opened and forwarded to various servers, one of which is a mail relay on port 25 and another a BIND server on UDP 53.

      Everything works like a charm, except that my efforts to allow TCP 25 and UDP 53 in from GeoIP-blocked countries are failing. Because I have vendors from all over the world, I need to allow these ports. I also need to have ports 80/443 available from a handful of specific countries.

      I have selected all countries (I know it is not best practice to block the world) except for a select few, list action is Deny Inbound, and under Advanced Firewall Rule Settings I have enabled Custom DST Port for an alias with the following port ranges: 1:24, 26:52, 54:586, 588:65535 and have set custom protocol to TCP/UDP... and many variations centred on this. The only way I have been able to get it to work is to move my 25/53 rules above the pfBlockerNG rules, but they eventually get moved down even though I manually created them. Because I have so many other ports opened from ANY, I need to have the blocker rules at the top protecting those ports.

      I know I am missing something conceptually, and again I apologize if that info is already here, but, in a nutshell, how do I configure pfBlockerNG to allow specific ports from the world while allowing specific ports from specific countries?

      Thanks for the help!

      BBcan177 (Moderator), replying to Jhendo6:

        @jhendo6

        In the General tab is a Rule Order option. Try selecting one of the rule ordering options, or alternatively use the "Alias Type" settings, which will not create any firewall rules, and you create them as required. See the blue infoblock "Action" icon for more details.

        Would also recommend installing pfBlockerNG-devel, which is much improved.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        Jhendo6:

          Thanks BBcan177,

          I will check out the rule ordering option. For now I have disabled the cron jobs to keep my 53/25 rules at the top, but I realize that is a temporary workaround.

          Is my logic correct in that by selecting all countries, setting list action to Deny Inbound, and using Custom DST Port with an alias with the following port ranges: 1:24, 26:52, 54:586, 588:65535 with custom protocol TCP/UDP, I would be essentially blocking all TCP/UDP traffic from the countries selected except for 25, 53, and 587?

          Thanks again for your help.

          Jhendo6 (update):

            *** Update ***

            I checked out rule order but was unable to find a combination that would fit my need, as I only want to allow 25/53 from all while using pfBlocker to protect my other open ports. Under Advanced Inbound Firewall Rule Settings, I tried to use Deny Inbound with a Custom DST Port alias that included 1:24, 26:52, 54:586, 588:65535 (i.e. deny everything except 25/53/587) with custom protocol TCP/UDP, but that didn't seem to work either.

            I'm finding it hard to believe that I am the only one who has wanted to allow certain ports globally while using pfBlocker GeoIP to protect all other open ports which makes me believe I am missing something simple.

            Any ideas?

            BBcan177 (Moderator), replying to Jhendo6:

              @jhendo6

              You can always use "Alias Type" rules and then manually create the firewall rules to suit your needs... Refer to the blue infoblock icon for the "Action" icons.

              twistedstorm, replying to BBcan177:
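The two replies above recommend switching the GeoIP lists to an "Alias" action so pfBlockerNG only maintains the address tables and the admin writes the firewall rules by hand. The fragment below is an added illustration of what that ends up looking like in pf terms; it is not code from the thread or from the pfBlockerNG package. It assumes the deny list uses "Alias Deny" and the allow-list countries use "Alias Native", so the package produces the tables <pfB_GeoDeny> and <pfB_GeoAllow> and no rules of its own; the table names, interface name and internal host addresses are placeholders. On pfSense the rules are entered in the GUI (Firewall > Rules > WAN) in this top-to-bottom order; pfSense rules are first-match, which is the "quick" keyword here.

```pf
# Added example, not from the original thread or from pfBlockerNG.
# Assumed: GeoIP lists set to "Alias Deny" / "Alias Native", so the
# package only fills these two tables and creates no rules.
table <pfB_GeoDeny>  persist   # denied countries (assumed alias name)
table <pfB_GeoAllow> persist   # the handful of allowed countries (assumed)

wan        = "em0"             # placeholder WAN interface
mailrelay  = "192.0.2.25"      # placeholder internal mail relay
nameserver = "192.0.2.53"      # placeholder internal BIND server
webserver  = "192.0.2.80"      # placeholder internal web server
rdp_host   = "192.0.2.100"     # placeholder "other" forwarded service

# 1. Ports the whole world must reach, evaluated before any GeoIP block.
#    (Port forwards translate the destination first, so the filter rule
#    matches on the internal address.)
pass in quick on $wan proto tcp from any to $mailrelay  port { 25, 587 } flags S/SA keep state
pass in quick on $wan proto udp from any to $nameserver port 53 keep state

# 2. GeoIP deny: everything else from the denied countries stops here.
block in quick on $wan from <pfB_GeoDeny> to any

# 3. Ports only the selected countries may reach.
pass in quick on $wan proto tcp from <pfB_GeoAllow> to $webserver port { 80, 443 } flags S/SA keep state

# 4. The remaining forwards from "any" now sit behind the GeoIP deny,
#    so denied countries never reach them.
pass in quick on $wan proto tcp from any to $rdp_host port 3389 flags S/SA keep state

# Checks from a shell on the firewall:
#   pfctl -sr | grep -n 'pfB_'           # confirm the tables are referenced in this order
#   pfctl -t pfB_GeoDeny -T test 203.0.113.5   # is a given source address in the deny table?
```

Because pfBlockerNG rebuilds its own auto-generated rules on every cron update (which is why the poster's hand-made 25/53 rules kept being pushed below the block), keeping the GeoIP lists as alias-only tables leaves the manual rule order alone across updates. The one rule that actually carries the intent is the unconditional pass for 25/53 placed above the block; a port alias that lists "everything except 25/53/587" on the deny rule expresses the same thing only if nothing else above it already passes the traffic, so the verification step with pfctl -sr is the part worth doing after each change.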

                @BBcan177 I have a rule ordering problem. When pfBlockerNG is enabled, my ports that I don't intend to have open are suddenly open. Is this an issue with rule order? My rules are one allow rule for a few IPs, then the pfBlocker block, followed by allow rules from pfSense. Would the alias-type rules resolve this issue?
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.