    Custom pfBlockerNG rule order

    8 Posts 3 Posters 1.4k Views
slim2016

      Is there no way of disabling auto rule order?

On some ports it doesn't matter where the source IP is, and on other ports I want it controlled who gets in.

      The order of rules I would like is:

      pfSense Pass/Match
      pfB_Block/Reject
      pfSense Pass/Match

      e.g.

pfSense Pass/Match (allow any source IPs going to port 2451)
pfB_Block/Reject
pfSense Pass/Match (allow IPs, after being filtered by pfB_Block/Reject, to go to port 443)

I can manually order the rules, but once the IP rules are updated they go back to the auto rule order. The alias rules don't apply here because I can't choose 'any source' in the alias rules to pass to a specific port in the advanced settings.

NogBadTheBad

        @slim2016 said in Custom pfBlockerNG rule order:

On some ports it doesn't matter where the source IP is, and on other ports I want it controlled who gets in.
        The order of rules I would like is:
        pfSense Pass/Match
        pfB_Block/Reject
        pfSense Pass/Match
        e.g.
pfSense Pass/Match (allow any source IPs going to port 2451)
pfB_Block/Reject
pfSense Pass/Match (allow IPs, after being filtered by pfB_Block/Reject, to go to port 443)
I can manually order the rules, but once the IP rules are updated they go back to the auto rule order. The alias rules don't apply here because I can't choose 'any source' in the alias rules to pass to a specific port in the advanced settings.

        Use pfBlocker to create aliases then create your firewall rules.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

slim2016

How do you create an alias for ANY source IP address?

NogBadTheBad

            @slim2016

            The alias can be used as source or destination.

            Screenshot 2019-06-14 at 13.14.49.png

            Then use it in a firewall rule.

            Screenshot 2019-06-14 at 13.16.32.png

            Screenshot 2019-06-14 at 13.54.17.png

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

slim2016

Thanks, I've done a similar rule. I've allowed GeoIP connecting to port 2451 to pass through at the top, then I have the pfBlockerNG block rules, then I have a port forward rule: any source connecting to port 2451 is redirected to the internal IP address. Seems to be working. Strange thing though, when you click on the states for the port forward rule there are no states; however, the top rule (GeoIP rule to port 2451) contains all the correct states.

NogBadTheBad

                @slim2016
                Kill all the firewall states and test again.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

coffeecup25

                  I solved this problem a while ago.

Basically, floating rules are evaluated before anything else. Move whatever is special to floating rules. Then decide on the provided sort order.

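The ordering problem the thread describes can be seen in a small first-match simulation. This is an added example, not code from pfSense, pfBlockerNG, or any poster here; it assumes two facts about pfSense that the posts rely on (interface rules created in the GUI are "quick", so the first match wins, and floating rules with Quick set are evaluated before interface rules) and models the three rule layouts discussed: pfBlockerNG's auto order with its block rule on top, slim2016's desired order, and coffeecup25's workaround of moving the special-case pass rule to floating rules. The rule names, the `pfB_Block` table contents (TEST-NET ranges) and the sample client addresses are all constructed for the example.

```python
"""Toy first-match simulation of pfSense rule ordering (constructed example,
not pfSense's or pfBlockerNG's own evaluator)."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "pass" or "block"
    dst_port: Optional[int]         # None means any destination port
    src_table: Optional[frozenset]  # IPv4Network set; None means any source
    floating: bool = False          # floating (Quick) rules are evaluated first


# Constructed stand-in for a pfBlockerNG IPv4 list; these are documentation
# ranges, not addresses from any real feed.
PFB_TABLE = frozenset({
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
})


def matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    """True if a packet from src_ip to dst_port matches the rule's criteria."""
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if rule.src_table is not None:
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in rule.src_table):
            return False
    return True


def evaluate(rules, src_ip: str, dst_port: int):
    """Return (action, rule_name) for the first matching quick rule.

    Floating rules are tried first regardless of list position, then the
    interface rules in the order given. No match falls through to the
    default deny pfSense applies to inbound WAN traffic."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    for rule in ordered:
        if matches(rule, src_ip, dst_port):
            return rule.action, rule.name
    return "block", "default deny"


PASS_2451 = Rule("allow_any_2451", "pass", 2451, None)   # any source -> 2451
PFB_BLOCK = Rule("pfB_Block", "block", None, PFB_TABLE)   # listed sources, any port
PASS_443 = Rule("allow_443", "pass", 443, None)           # whatever survived -> 443

# Layout pfBlockerNG's auto rule order produces: its block rule above the
# user's pass rules, so the "any source to 2451" rule never gets a chance.
AUTO_ORDER = [PFB_BLOCK, PASS_2451, PASS_443]
# Layout the original poster wants, which the package undoes on every list update.
DESIRED_ORDER = [PASS_2451, PFB_BLOCK, PASS_443]
# coffeecup25's workaround: the special-case pass rule as a floating Quick rule,
# which wins before the pfBlockerNG block rule wherever that rule ends up.
FLOATING_FIX = [
    PFB_BLOCK,
    Rule("allow_any_2451_floating", "pass", 2451, None, floating=True),
    PASS_443,
]


def demo():
    """Evaluate a listed and an unlisted client against each layout."""
    listed = "203.0.113.5"    # inside the constructed block list
    unlisted = "192.0.2.10"   # not on the list
    return {
        "auto_listed_2451": evaluate(AUTO_ORDER, listed, 2451),
        "desired_listed_2451": evaluate(DESIRED_ORDER, listed, 2451),
        "desired_listed_443": evaluate(DESIRED_ORDER, listed, 443),
        "desired_unlisted_443": evaluate(DESIRED_ORDER, unlisted, 443),
        "floating_listed_2451": evaluate(FLOATING_FIX, listed, 2451),
        "floating_listed_443": evaluate(FLOATING_FIX, listed, 443),
    }


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:22s} -> {action} ({rule})")
```

Under the auto order a listed address is blocked even on port 2451; under the desired order it reaches 2451 but is still blocked on 443, which is exactly the split the original post asks for; and the floating variant keeps that behaviour no matter where pfBlockerNG re-inserts its block rule. When checking a real box, the state counters on the rule that actually matched (as slim2016 noticed) are the quickest way to confirm which rule is winning.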
slim2016

Just out of curiosity, is it not possible for NAT/Port Forward rules to be placed in Floating Rules automatically, or to be moved to floating rules?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.