    Netgate Discussion Forum
    NOOB - Port 22 only

    pfBlockerNG
      McMurphy:

      I wish to use pfBlockerNG to only allow traffic from Australia to my server on port 22.

      As I understand it, pfSense works down through rules until it matches a "Permit" rule. I believe it makes more sense to have pfBlockerNG block everything other than Australia and then use a 2nd rule for access, rather than have pfBlockerNG allow only Australia, as this will not allow me the ability to add a 2nd rule to restrict the traffic to port 22 on my server.

      Is this the best way to configure it? i.e., use pfBlockerNG as part of a series of cascading rules as opposed to a rule in itself?

        JeGr (Layer 8 Moderator):

        @McMurphy said in NOOB - Port 22 only:

        I believe it makes more sense to have pfblockerng block everything other than Australia and then use a 2nd rule for access rather than have pfblockerng allow only Australia

        Nope. pfSense blocks any WAN traffic by default. So it's pointless to "double block" anything as anything is already blocked if you have no WAN allow rule at all.

        as this will not allow me the ability to add a 2nd rule to restrict the traffic to port 22 on my server.

        Nope. You can simply use pfBlockerNG to create a Geo Alias for you. Simply set it up so it creates an alias table for Australia and create a rule with that alias as source yourself. Otherwise use the advanced settings (look at the [i]'s!) and limit it to port 22.
        But having it create aliases and use them in your custom rules gives you way more flexibility. And you can avoid doing pointless stuff like creating multiple rules just for one single use case.

        Always think: smaller rulesets are less error-prone!

        Greets

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
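
The end result JeGr describes, written out as an equivalent stand-alone pf ruleset so the two approaches can be compared side by side. This is an added illustration, not pfSense's generated rules or pfBlockerNG's output; the WAN interface name, the server address and the alias table name pfB_Australia_v4 are assumptions made for the example.

```pf
# Assumed names for this example: WAN interface and the SSH server.
wan_if     = "em0"
ssh_server = "192.0.2.10"

# Table that pfBlockerNG keeps filled from the Australia GeoIP list when it is
# configured to create an alias instead of its own rules (name is an assumption).
table <pfB_Australia_v4> persist

# pfSense's default deny on WAN: anything not matched by a pass rule is dropped.
block in log on $wan_if

# --- Variant from the question: an extra "block everything but Australia" rule
# --- in front of the allow rule. It never matches anything the default deny
# --- would not already drop, so it only adds a rule to maintain.
# block in quick on $wan_if from ! <pfB_Australia_v4> to $ssh_server port 22

# --- Variant JeGr recommends: one pass rule, alias as source, port 22 as
# --- destination. Everything else still falls through to the default deny.
pass in quick on $wan_if proto tcp from <pfB_Australia_v4> \
    to $ssh_server port 22 flags S/SA keep state
```

Because pfSense applies "quick" to its pass rules, the first matching pass rule wins and the single rule above is the whole policy for port 22.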

          McMurphy:

          Excellent, this makes perfect sense.

          When I enable pfBlockerNG for Australia it auto-creates a rule for IPv4 & IPv6. If I delete these rules they are recreated when I next update. If I have understood correctly, I do not want pfBlockerNG to create rules but instead create aliases I can use in my own rules.

          I cannot see where I can stop pfBlockerNG creating the firewall rules and just create aliases I can use in my rules.

            McMurphy:

            Actually... think I have it...

              McMurphy:

              Yup, got it. I didn't know it could create aliases I could use in my own rules! Much better.
