New User to pfSense - some doubts



  • Hello,
    I'm a long time user of WatchGuard Fireboxes. So naturally, I've become accustomed to them and how they work.
    That said, NAT is basically NAT and most firewalls work in a similar fashion so if you know how to set up one, you should not have too much trouble with another. Fair statement?

    I've been working on configuring pfSense 2.4.4 for a few days now.

    I'm having a very difficult time getting pfsense to filter inbound connections properly. I've tried many settings and am close to the point of doubt.

    By default, pfSense basically blocks everything and it's up to you to ALLOW access through rules.
    So what I did was installed pfSenseNG and configured it so that ONLY UNITED STATES IP addresses were allowed.

    That failed and I found numerous connections from many countries still taking place.

    So next I tried the opposite. I re-configured pFSenseNG to BLOCK ALL COUNTRIES OTHER THAN THE USA.
    And again, it failed. Again, I got many connections from countries all over the planet.

    Brazil especially. Given the configuration, I have no idea how this could even occur. Are some kind of IP masquerading schemes being used that are tricking the interface? I never had this issue with the Fireboxes.
    Maybe the GeoIP lists are not very up-to-date?

    I'm aware that the rules are applied from top to bottom, so that if I, for example, placed a global ALLOW rule BEFORE the DROP rules, then those countries could still have access. There are very few rules and none are before the pfSenseBlockerNG rules. The problem is that it's very hit or miss. Some countries are blocked, and some get through. I increased the variable that determines how many entries can be stored to 2,000,000 entries. Is that enough?

    Here are the WAN rules
    alt text


  • Netgate Administrator

    Probably what you want to do here is allow connections out to only North America destinations and replies back from them right?

    Those rules need to be on the LAN interface. By default pfSense allows all traffic out bound using the 'default allow all' rule on LAN. Change that rule to destination pfB_NAmerica.
    No connections are allowed in on WAN unless you have rules there to allow them.

    The important things to realise here are that pfSense filters inbound on it's interfaces and allows out everything by default.
    And that it's a stateful firewall so replies to connections are always allowed back.

    Steve



  • @stephenw10

    Thanks for the reply.
    Actually I don't want IP's outside the USA able to reach the server at all.
    If they are allowed to make initial contact they could potentially have already sent over a malicious payload.

    I don't think it's enough to simply prevent a response. Shouldn't one be able to completely prevent connections if so desired? I could certainly do that with the WG Fireboxes.

    What exactly in that set of rules is allowing Brazil connections to the WAN interface?
    (unless it's a deficiency in the GeoIP database)

    I realize that there's a bit of "impossibility" to this scenario given spoofing and the use of proxies etc etc etc.
    That's not really my concern. My concern is just having the firewall do what I ask of it and allowing IP addresses from Brazil and non US based IP address blocks is not it.



  • @HansSolo

    No, you're not understanding the basic function of pfsense, no matter what it's installed on. Unless you SPECIFICALLY create a WAN pass rule for traffic from anywhere, doesn't matter where in the world the traffic comes from, the traffic doesn't get thru to the inside of your firewall. Period, end of story.

    If you see addresses being denied on the firewall logs at the WAN connection, pfsense is doing exactly what it's programmed to do - block and deny traffic, letting none of that get through. You can look at the traffic logs all day, but basically it all boils down to just internet noise. Anything and everything out on the internet can touch your WAN interface. It's up to the firewall itself to keep all that out. It's doing the job just fine.

    Reread @stephenw10 post, he said it all there already.

    Jeff



  • @akuma1x said in New User to pfSense - some doubts:

    @HansSolo

    No, you're not understanding the basic function of pfsense, no matter what it's installed on. Unless you SPECIFICALLY create a WAN pass rule for traffic from anywhere, doesn't matter where in the world the traffic comes from, the traffic doesn't get thru to the inside of your firewall. Period, end of story.

    If you see addresses being denied on the firewall logs at the WAN connection, pfsense is doing exactly what it's programmed to do - block and deny traffic, letting none of that get through. You can look at the traffic logs all day, but basically it all boils down to just internet noise. Anything and everything out on the internet can touch your WAN interface. It's up to the firewall itself to keep all that out. It's doing the job just fine.

    Reread @stephenw10 post, he said it all there already.

    Jeff

    I wish that was true. However, I have Modsecurity running behind pfSense on a server and I can not only tell they "touched" the server (going right past pfSense), I can see exactly what they did and what they sent.
    As you may know, Modsecurity keeps a highly detailed record. So yes, even though there's absolutely no rule allowing it, I get "blocked" connections to my server.

    and this is why I started this thread. To find out why, because it should not be happening.

    Keep in mind as mentioned, i've used WatchGuard and Cisco appliances for a long time and they do not allow ANY "touching" the server once blocks are in place.

    So maybe, as I mentioned, it's a problem with the GeoIP database. Giving pfsense the benefit of the doubt, I'd bet a nickel that the foreign IP addresses making it through are in the USA database because those block do occasionally change the countries they are allocated to. ONE of the IP's that whistled right past pfsense is this one....45.65.128.250

    Now, if I could actually check the USA IP list to see if THAT IP address actually exists in the GeoIP file.

    That said, I posted the rules set for the WAN interface. What in that rule set could be allowing blocked connections past pfsense?

    Finally, there is always the possibility I'm having a total breakdown of comprehension. So if you (or someone) could be so kind as to explain (given the rule set I posted) how Brazil and other foreign IP's are still reaching the server itself and going right past pfsense?

    Thanks



  • Since that's your WAN interface, if I'm not mistaken and reading it correctly, you've opened up and allowed (with the green check marks) whatever is in the "pfB_NAmerica_v4" and "pfB_NAmerica_v6" alias sources to contact any internal network you've got configured on your pfsense box. That's most likely VERY BAD. And is probably why you're seeing traffic hitting an internal machine/host.

    A general rule of thumb is you put absolutely NO pass rules on your WAN interface, unless you know exactly what you're doing.

    Disable those 2 rules for now, reboot your pfsense box, and see what happens. Again, if nothing is set to pass or allow traffic on your WAN interface, nothing gets through.

    @stephenw10 suggested to move these 2 rules to your LAN interface. Let's try that after you disable them on WAN and do some testing.

    Jeff



  • @akuma1x said in New User to pfSense - some doubts:

    Since that's your WAN interface, if I'm not mistaken and reading it correctly, you've opened up and allowed (with the green check marks) whatever is in the "pfB_NAmerica_v4" and "pfB_NAmerica_v6" alias sources to contact any internal network you've got configured on your pfsense box. That's most likely VERY BAD. And is probably why you're seeing traffic hitting an internal machine/host.

    A general rule of thumb is you put absolutely NO pass rules on your WAN interface, unless you know exactly what you're doing.

    Disable those 2 rules for now, reboot your pfsense box, and see what happens. Again, if nothing is set to pass or allow traffic on your WAN interface, nothing gets through.

    @stephenw10 suggested to move these 2 rules to your LAN interface. Let's try that after you disable them on WAN and do some testing.

    Jeff

    Well Jeff,
    There is a server behind the pfsense firewall. If I allow nothing through the WAN interface, how do you propose anyone reaches the server?

    And nothing in the configuration will allow traffic to "ANY" internal network, I have a NAT rule that ONLY allows traffic that passes the WAN interface to go to a specific IP address ONLY and ONLY on ports 80 or 443.

    The first three rules you see are automatically configured by pfSenseBlockerNG.
    I did not configure those and as I said, I'm new to pfsense so I figured that the rules were configured to proxy the connections back to the filter. As you see, the destination is not an interface but the pfSenseBlockerNG system itself.
    What it does internally I'm not sure of but I was not able to connect to any Interfaces other than the correct one when I tested this with my cellphone from an external network.

    I'm more than willing to learn here. Anyone here familiar with pfSenseBlockerNG that can tell if those rules look kosher?
    There really is no way to edit those rules to change the ports and if you change anything actually, it breaks.

    Please tell me how to have a public server behind a firewall without allowing traffic to pass through?
    I may be new to pfsense, but certainly not new to networking and running a server. That said, I certainly don't consider myself any kind of expert either.



  • Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.

    Jeff



  • @akuma1x said in New User to pfSense - some doubts:

    Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.

    Jeff

    Actually I found his first post very specific.

    @HansSolo

    I'm having a very difficult time getting pfsense to filter inbound connections properly.

    Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)

    But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.

    pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.

    Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng

    @HansSolo

    If they are allowed to make initial contact they could potentially have already sent over a malicious payload.

    Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.



  • @akuma1x said in New User to pfSense - some doubts:

    Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.

    Jeff

    Good point. I guess sometimes we see things based on "our own" perspective....forgetting that there are other perspectives. Yes, web server for websites.



  • @chpalmer said in New User to pfSense - some doubts:

    @akuma1x said in New User to pfSense - some doubts:

    Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.

    Jeff

    Actually I found his first post very specific.

    @HansSolo

    I'm having a very difficult time getting pfsense to filter inbound connections properly.

    Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)

    But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.

    pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.

    Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng

    @HansSolo

    If they are allowed to make initial contact they could potentially have already sent over a malicious payload.

    Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.

    Awesome that you installed pfSense on a Firebox. I read about that but my boxes are the older x700 / x1000 boxes and I think I read it's harder to install on those? So I just installed pfSense on a 2005 model, AMD 64 X2 4200 HP PC. Once I finally figured out the partitioning process in pfSense install all went smoothly.

    As far as the country blocking, do you find that countries that are supposed to be blocked sometimes slip through?
    So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
    Do you know a way to examine the pfSenseBlockerNG files to see if a specific IP address is in it? I'd like to confirm just a few times that foreign IPs that are supposed to be blocked are NOT in the files just so I know why they're getting through because if they ARE in the file and still getting through, that's a whole different story.

    Did you block by blocking all countries you don't want....or by only allowing those you DO want? I tried both and still the unwanted IPs are slipping past pfsense somehow.

    My thoughts on pfSense were that it's got to be too polished and refined at this point for this to be happening so my suspicion has turned towards a failure in the country IP files (or my configurations).

    Another oddity....when I see that a foreign IP has hit the server, I usually cannot find it in the pfSense logs?
    That's baffling me at the moment but is probably part of the answer to this situation.

    Hoping for the "light bulb" moment any time now.



  • @HansSolo said in New User to pfSense - some doubts:

    Here are the WAN rules
    alt text

    From the image above I find it strangle that you have no activate states and there have only been 241B on the first pass rule, that is very little traffic.

    Just something to bear in mind, when i first came to pfSense I didn't understand how pf treats a packet. I would add a rule trying to block an active TCP connection and nothing would happen, that was because Apply Rules doesn't clear the state table. When pf receives a packet it will create a state for it if it is passed. Then subsequent packets are first checked against the state table and if a state exists they continue through, the ruleset isn't re checked.

    I find the best way to check a packet is to use the CLI and the command: pfctl -vvv -s states, this will give you the states with the ruleset number that the packet got passed on etc.

    If your server is getting packets from other countries run that command and find the entry for that IP.

    I hope this helps.


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.

    Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..

    We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.

    Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.

    But if pfsense allowed it, and you have set it to log - then it would log.



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.

    Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..

    We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.

    Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.

    But if pfsense allowed it, and you have set it to log - then it would log.

    Thanks. Agreed. As mentioned several times above, I realize it's more likely a short-coming with the lists rather than the firewall.

    I think your point about sending the logs to a logging server is a good one. I need to see all the logs sometimes, not just the last 50 entries.

    Not wanting to invest in any more WG (or other) firewall appliances and so REALLY hoping I can adapt to pfSense. (My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise., and the price will be up there. (Happens all the time)

    Thanks again


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    (My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise

    Dude if your here to troll this FUD... This has be asked an answered many many times all over the freaking internet... Free version of pfsense isn't going anywhere..


  • Netgate Administrator

    If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....

    I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.

    Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.

    Steve



  • @stephenw10 said in New User to pfSense - some doubts:

    If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....

    I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.

    Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.

    Steve

    Steve,
    I didn't create those rules.
    They were AutoGenerated BY pfSenseBlockerNG

    This rule does not give you the option to change the ports.
    I do sincerely hope they are not creating rules that compromise security.
    Like I said above, isn't there some kind of proxying going on here?

    If you look at the rules, they do not point to an IP address, alias or any location for that matter.
    They simply point to the blocking file configuration itself.

    Can you let me know if you STILL believe these rules are in error?
    Thanks


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    Can you let me know if you STILL believe these rules are in error?

    An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..



  • For anyone who comes to this thread later......

    At least in pfsense 2.4.4, here is how you can look at your pfSenseBlockerNG files and see ALL the IP addresses in any given file....

    In the WebConfiguration console, go to --> DIAGNOSTICS --> EDIT FILES

    There you get a graphical Directory listing of the entire PfSense system (it's a Linux system)

    The pfb_NAmerica file for example is located here.....(click on it and it will open in a text editor)

    /var/db/pfblockerng/original/pfB_NAmerica_v4.orig



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    Can you let me know if you STILL believe these rules are in error?

    An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..

    I agree....

    So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?

    Because once again, what you see in the diagram above is created during the install of pfsenseblockNG and I did not configure those rules.


  • Netgate Administrator

    Yes, you should change those rules.

    As I said, if I were doing it I would set pfBlocker to create aliases only, not add rules. Then add the rules I need separately using those aliases.

    pfBlocker only does what you configure it to do and looks like you configured it so add inbound pass rules. That is almost certainly not what you wanted. At least not without a destination/port.

    Steve


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?

    NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!



  • There seems to be some confusion floating here, so I'm posting a screen shot of the rule that everal keep saying I need to change.

    Here is the configuration for the rule in question for pfSenseBlockerNG.
    As you can see, it is not like a regular rule configuration screen and does not allow for the changes being suggested.....
    There is nowhere to change PORTS....and the destination could be changed to the IP of the server but I get an error when I make that change.

    alt text



  • There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?

    NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!

    Really ????
    I didn't create those rules. Honest.
    I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
    What version pfsense are you running?



  • @conor said in New User to pfSense - some doubts:

    There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.

    Ah!
    ok.

    It's a mystery then why those rules were created like that?

    I DID NOT create those rules and thought they were just part of the pfSenseBlockerNG setup.

    Good thing my server is still behind my WG Firebox at the moment and not the pfSense firewall.


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
    What version pfsense are you running?

    Yes I have ports forwarded, I run ntp server to the world via ntp pool.. I have friends and family access to my plex server.

    As to what version of pfsense I run - its in my signature.. And yes I would be running current, as any sane person should be.

    That you think an any any rule is ok on your wan - even IF some tool created it.. Is just beyond nuts...


  • Netgate Administrator

    They are created by pfBlocker but only because of how it's configured.

    pfBlocker can create firewall rules but does not have to. It depends what you have set the list action to.

    Typically it is set to add block rules to prevent LAN side clients reaching out to, for example, known malware sites.

    However I recommend setting the list action to Native Alias only and then using those aliases in rules you add yourself.

    Also worth noting the pfBlocker setup wizard is only in the dev version I believe.

    Steve


  • LAYER 8 Global Moderator

    While the wizard might be only in dev... The older version doesn't create rules like that without being told to do it..

    You don't install any version of pfblocker and next thing without doing anything have any any rules on your wan... That would be insane!!



  • @johnpoz said in New User to pfSense - some doubts:

    While the wizard might be only in dev... The older version doesn't create rules like that without being told to do it..

    You don't install any version of pfblocker and next thing without doing anything have any any rules on your wan... That would be insane!!

    ok ok...I'm probably not insane (or nuts). and no, I do not think ANY rule is "ok". Not sure where you assumed that. Just not familiar with pfsense and pfSenseBlockerNG. Day 3 with pfSense so I can't possibly know everything about how it and the blocker works under the hood. I thought it was some kind of fancy proxying of the lists and DNS manipulation.

    I did check with my cell phone and no access was granted to any unauthorized part of the network so no harm done.


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    I do not think ANY rule is "ok". Not sure where you assumed that

    Because you had them on your wan ;) And then asked if they were ok...



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    I do not think ANY rule is "ok". Not sure where you assumed that

    Because you had them on your wan ;) And then asked if they were ok...

    Well think about it.....
    If I was "insane" or "nuts", I probably wouldn't have even asked. ✌

    Let's not beat up the noobs just because they are not totally familiar with pfsense yet and don't know right off the bat if automated configurations that they didn't put there are legit or not (even if they look odd)

    Thanks for all the great advice everyone ! 😎


  • LAYER 8 Global Moderator

    Where exactly are you seeing that rule that doesn't allow you dest port in it.. What version of pfblocker are you running the older or dev version?



  • @johnpoz said in New User to pfSense - some doubts:

    Where exactly are you seeing that rule that doesn't allow you dest port in it.. What version of pfblocker are you running the older or dev version?

    by the time I reply, you will probably have discovered that that was answered above ☺

    as for the pfBlocker version.....3 days in, so I downloaded it probably yesterday. latest, I assume ?

    Let me check and see if I can find that version.....


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    pfSenseBlockerNG

    what version does it say.. that tells me not the old one... But maybe you have not updated your packages? Can not tell if you mean non dev or dev version.

    its listed right in your package manager
    example
    pfBlockerNG-devel 2.2.5_22

    there should be really screaming red flags on the pfblocker gui that its going to create an any any rule.. If that is what its doing.

    Where exactly did you go in pfblocker to create said rule.

    Paging @BBcan177 if pfblocker creates any any rules on the wan without huge warnings to the user.. That really should be changed..



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    pfSenseBlockerNG

    what version does it say.. that tells me not the old one... But maybe you have not updated your packages? Can not tell if you mean non dev or dev version.

    its listed right in your package manager
    example
    pfBlockerNG-devel 2.2.5_22

    there should be really screaming red flags on the pfblocker gui that its going to create an any any rule.. If that is what its doing.

    Where exactly did you go in pfblocker to create said rule.

    Paging @BBcan177 if pfblocker creates any any rules on the wan without huge warnings to the user.. That really should be changed..

    pfBlockerNG net 2.1.4_16

    Agreed. Unless......that rule doesn't actually give said access.
    Let's hope the developer will reply regardless of the outcome.

    I KNOW I didn't create those rules intentionally.....but maybe they got created some how that I'm not aware of other than by pfBlockerNG ?

    My gut feeling is that they were created intentionally and do not allow the access it appears.
    That said...I've changed them all as suggested.....to be safe. (And I have not yet reconnected pfsense, still using WG)

    And as mentioned, I DID CHECK WITH MY CELL PHONE and was not able to find any compromised connections.


  • LAYER 8 Global Moderator

    @HansSolo said in New User to pfSense - some doubts:

    Agreed. Unless......that rule doesn't actually give said access.

    It DOES!! since its a rule on your WAN...



  • @johnpoz said in New User to pfSense - some doubts:

    @HansSolo said in New User to pfSense - some doubts:

    Agreed. Unless......that rule doesn't actually give said access.

    It DOES!! since its a rule on your WAN...

    But in the source it lists a pfBlockerNG file, NOT a network location. What do you interpret that to mean?

    OTOH...I can't speak for anyone else, but there's so much information to absorb in such a short time, brain farts do occur.
    And it's possible I experienced a real winner.


  • LAYER 8 Global Moderator

    Doesn't matter if it only allows source IPs.. it is allowing to ANY ANY as dest.. So if user had a port forward to say 443 behind pfsense.. And it created a any any rule above that even if locked down to only NA... It now allows access to pfsense web gui and anything else that listens on pfsense wan, say dns, etc. etc.

    Which is BAD!!! I just installed that version, enabled it and did an update.. No rules on the WAN, only the rule on my lan blocking outbound access to stuff.



  • @johnpoz said in New User to pfSense - some doubts:

    Doesn't matter if it only allows source IPs.. it is allowing to ANY ANY as dest.. So if user had a port forward to say 443 behind pfsense.. And it created a any any rule above that even if locked down to only NA... It now allows access to pfsense web gui and anything else that listens on pfsense wan, say dns, etc. etc.

    Which is BAD!!! I just installed that version, enabled it and did an update.. No rules on the WAN, only the rule on my lan blocking outbound access to stuff.

    Ok.
    Then I have no clue how that rule got there and where it came from.
    I may have to chalk it up to trying to learn too much too fast over the last 3 days.


Log in to reply