NOOB - Port 22 only



  • I wish to use pfblockerng to only allow traffic from Australia to my server on port 22.

    As I understand it, pfSense works down through the rules until it matches a "Permit" rule. I believe it makes more sense to have pfBlockerNG block everything other than Australia and then use a 2nd rule for access, rather than have pfBlockerNG allow only Australia, as this will not allow me the ability to add a 2nd rule to restrict the traffic to port 22 on my server.

    Is this the best way to configure it? i.e. use pfBlockerNG as part of a series of cascading rules as opposed to a rule in itself?


  • LAYER 8 Moderator

    @McMurphy said in NOOB - Port 22 only:

    I believe it makes more sense to have pfBlockerNG block everything other than Australia and then use a 2nd rule for access rather than have pfBlockerNG allow only Australia

    Nope. pfSense blocks any WAN traffic by default. So it's pointless to "double block" anything, as everything is already blocked if you have no WAN allow rule at all.

    as this will not allow me the ability to add a 2nd rule to restrict the traffic to port 22 on my server.

    Nope. You can simply use pfBlockerNG to create a Geo alias for you. Simply set it up so it creates an alias table for Australia, and create a rule with that alias as the source yourself. Otherwise use the advanced settings (look at the [i]'s!) and limit it to port 22.
    But having it create aliases and using them in your custom rules gives you way more flexibility, and you can avoid doing pointless stuff such as creating multiple rules for one single use case.

    Always think: smaller rulesets are less error prone!

    Greets
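
What the advice above boils down to, written out as the pf ruleset pfSense would end up loading. This is a constructed illustration added here, not anything posted in the thread or generated by pfBlockerNG itself: the interface name em0, the server addresses (192.0.2.10 and 2001:db8::10, documentation ranges) and the table names pfB_Australia_v4 / pfB_Australia_v6 are all assumptions; pfBlockerNG's real alias names depend on how the GeoIP entry is labelled. The point it shows is that the default deny already exists, so the entire job is one pass rule per address family whose source is the GeoIP table and whose destination port is 22.

```pf
# Constructed example: the ruleset equivalent of "one allow rule with the pfBlockerNG
# alias as source". Names below are assumed, not taken from the thread.
wan_if    = "em0"           # assumed WAN interface
ssh_host4 = "192.0.2.10"    # assumed server address (documentation range)
ssh_host6 = "2001:db8::10"  # assumed server address (documentation range)

# GeoIP tables that pfBlockerNG maintains and pfSense reloads on each update.
# With an alias-only action, pfBlockerNG fills the table but writes no rule of its own.
table <pfB_Australia_v4> persist
table <pfB_Australia_v6> persist

# pfSense's implicit default deny. It carries no "quick", so a later matching pass
# rule overrides it. You never write this yourself; it is shown to make clear why a
# separate "block everything except Australia" rule adds nothing.
block drop in log inet  all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"

# The only rules that do any work. "quick" ends evaluation at the first match,
# which is how pfSense emits every user-defined rule. Source restricted to the
# Australian table, protocol to TCP, destination to the server on port 22.
pass in quick on $wan_if inet  proto tcp from <pfB_Australia_v4> to $ssh_host4 port 22 \
    flags S/SA keep state label "SSH from AU only (IPv4)"
pass in quick on $wan_if inet6 proto tcp from <pfB_Australia_v6> to $ssh_host6 port 22 \
    flags S/SA keep state label "SSH from AU only (IPv6)"
```

Two checks worth running from a shell on the firewall once the GUI rule is in place: `pfctl -t pfB_Australia_v4 -T show | head` confirms the table is actually populated after a pfBlockerNG update (an empty table silently matches nothing, and SSH stays closed), and `pfctl -sr | grep "SSH from AU"` confirms the rule made it into the live ruleset. Keep in mind that a GeoIP source filter only shrinks who can reach the port; it is not authentication, so key-only SSH and the usual hardening still apply to whatever Australian address talks to it.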



  • Excellent, this makes perfect sense.

    When I enable pfBlockerNG for Australia it auto-creates a rule for IPv4 & IPv6. If I delete these rules they are recreated when I next update. If I have understood correctly, I do not want pfBlockerNG to create rules but instead create aliases I can use in my own rules.

    I cannot see where I can stop pfBlockerNG creating the firewall rules and just create aliases I can use in my rules.



  • Actually... think I have it...



  • Yup got it. I didn't know it could create aliases I could use in my own rules ! Much better.

