"any" protocol not working with advanced inbound or outbound IP rules
-
I'm running pfSense 2.4.4-RELEASE-p2 with pfBlockerNG-devel 2.2.5_22.
I have a few IP rules setup (both IPv4 and IPv6) and they're working, except that I need a few of the advanced ones to allow ICMP on top of TCP and UDP. Unfortunately, for a reason I don't understand, the "any" option in the protocol selection isn't supported for advanced rules. If I go and manually update the pfBlockerNG-generated rules to have "any" protocol after they'Re loaded it achieves what I'm looking for, without any bad effect that I can see. Unfortunately this gets reset every hour as the rules get updated.
I know I could create manual rules to support it but then I run into a different issue where I use pfBlockerNG to block Geo IPs and I need that block to apply before manual rules, except for these specific boxes that I exempt using the advanced IP rules. Because of the way pfBlockerNG re-orders firewall rules every time it updates either all of my manual rules get exempted from pfBlockerNG's Geo blocking rules or none are.
Ideally the advanced IP rules would either support "any" as a protocol or have an added option of "TCP/UDP/ICMP" (ICMPv6 for IPv6 rules).
-
I would really suggest against use of anything that creates auto rules for you.. If your getting more complex then simple block rule on the top.. Your prob going to be better off just using the pfblocker aliases in your own rules... And don't create any auto rules with pfblocker at all. Just let it update its aliases that you use in your rules and forwards, etc.
-
Huh! I hadn't thought of that but that just might be what I need to do. A little more handraulic than I like but results are more important.
Guess I got a bit of experimenting to do. Thanks for the suggestion!
-
@IamGimli said in "any" protocol not working with advanced inbound or outbound IP rules:
Ideally the advanced IP rules would either support "any" as a protocol or have an added option of "TCP/UDP/ICMP" (ICMPv6 for IPv6 rules).
At the bottom of each IPv4/6/GeoIP Alias is "Advanced Inbound/Outbound" firewall rule settings where you can pre-define those firewall rule settings. Auto-rules are ok but if you have more advanced firewall rules, you can always opt for "Alias Type" rules, and manually create the firewall rules accordingly.
Click on the Blue Infoblock icon for the "Action" setting in the IPv4/6/GeoIP Tab for more details. -
Thanks again for the recommendation to use manual rules with pfBlockerNG aliases, it's working great!
It was also remarkably easy to setup, just copied the auto-generated rules that I needed, changing their description to remove the leading pfB_ and voilà! I was also able to rationalize a lot of the rules so overall the implementation is much cleaner and leaner.
-
@BBcan177 Sorry for necro posting but...I'm finding this annoying. I just went to add in a feed and it gave me these errors about me needing to create inbound and outbound rules, that I shouldn't choose "any", etc. So I had to go setup an alias for web ports like 443 and 80 EVEN THOUGH it's a white list that should allow ANY ports in or out. This is now restricting me and doesn't make things easy. I have to fart around and do source and destination ports. Source ports always change seemingly.
The old versions of PFB didn't do this which is why it seems to "work" until I want to go edit a feed to "permit both". Then I get all kinds of errors about these rules.
Why not just allow "permit both" from any to any port like it used to? I can't move on in life until I fart around with the port source and destination. This seems like you're making it more complicated than it needs to be. When getting the error it doesn't save my stuff.
Can you bring back "simple" functionality? I probably now broke something with my global white list since destination ports can be anything not just port 80 and 443.
Thanks.
-
This post is deleted! -
This post is deleted!