"any" protocol not working with advanced inbound or outbound IP rules



  • I'm running pfSense 2.4.4-RELEASE-p2 with pfBlockerNG-devel 2.2.5_22.

    I have a few IP rules setup (both IPv4 and IPv6) and they're working, except that I need a few of the advanced ones to allow ICMP on top of TCP and UDP. Unfortunately, for a reason I don't understand, the "any" option in the protocol selection isn't supported for advanced rules. If I go and manually update the pfBlockerNG-generated rules to have "any" protocol after they'Re loaded it achieves what I'm looking for, without any bad effect that I can see. Unfortunately this gets reset every hour as the rules get updated.

    I know I could create manual rules to support it but then I run into a different issue where I use pfBlockerNG to block Geo IPs and I need that block to apply before manual rules, except for these specific boxes that I exempt using the advanced IP rules. Because of the way pfBlockerNG re-orders firewall rules every time it updates either all of my manual rules get exempted from pfBlockerNG's Geo blocking rules or none are.

    Ideally the advanced IP rules would either support "any" as a protocol or have an added option of "TCP/UDP/ICMP" (ICMPv6 for IPv6 rules).


  • LAYER 8 Global Moderator

    I would really suggest against use of anything that creates auto rules for you.. If your getting more complex then simple block rule on the top.. Your prob going to be better off just using the pfblocker aliases in your own rules... And don't create any auto rules with pfblocker at all. Just let it update its aliases that you use in your rules and forwards, etc.



  • Huh! I hadn't thought of that but that just might be what I need to do. A little more handraulic than I like but results are more important.

    Guess I got a bit of experimenting to do. Thanks for the suggestion!


  • Moderator

    @IamGimli said in "any" protocol not working with advanced inbound or outbound IP rules:

    Ideally the advanced IP rules would either support "any" as a protocol or have an added option of "TCP/UDP/ICMP" (ICMPv6 for IPv6 rules).

    At the bottom of each IPv4/6/GeoIP Alias is "Advanced Inbound/Outbound" firewall rule settings where you can pre-define those firewall rule settings. Auto-rules are ok but if you have more advanced firewall rules, you can always opt for "Alias Type" rules, and manually create the firewall rules accordingly.
    Click on the Blue Infoblock icon for the "Action" setting in the IPv4/6/GeoIP Tab for more details.



  • Thanks again for the recommendation to use manual rules with pfBlockerNG aliases, it's working great!

    It was also remarkably easy to setup, just copied the auto-generated rules that I needed, changing their description to remove the leading pfB_ and voilĂ ! I was also able to rationalize a lot of the rules so overall the implementation is much cleaner and leaner.


Log in to reply