Custom pfBlockerNG rule order



  • Is there no way of disabling auto rule order?

    On some ports it doesn't matter where the source IP is, and on other ports I want to control who gets in.

    The order of rules I would like is:

    pfSense Pass/Match
    pfB_Block/Reject
    pfSense Pass/Match

    e.g.

    pfSense Pass/Match (allow any source IPs going to port 2451)
    pfB_Block/Reject
    pfSense Pass/Match (allow IPs, after being filtered by pfB_Block/Reject, to go to port 443)

    I can manually order the rules, but once the IP rules are updated they go back to the auto rule order. The alias rules don't apply here because I can't choose 'any source' in the alias rules to pass to a specific port in the advanced settings.


  • Galactic Empire

    @slim2016 said in Custom pfBlockerNG rule order:

    On some ports it doesn't matter where the source IP is, and on other ports I want to control who gets in.
    The order of rules I would like is:
    pfSense Pass/Match
    pfB_Block/Reject
    pfSense Pass/Match
    e.g.
    pfSense Pass/Match (allow any source IPs going to port 2451)
    pfB_Block/Reject
    pfSense Pass/Match (allow IPs, after being filtered by pfB_Block/Reject, to go to port 443)
    I can manually order the rules, but once the IP rules are updated they go back to the auto rule order. The alias rules don't apply here because I can't choose 'any source' in the alias rules to pass to a specific port in the advanced settings.

    Use pfBlocker to create aliases then create your firewall rules.



  • How do you create an alias for ANY source ip address?


  • Galactic Empire

    @slim2016

    The alias can be used as source or destination.

    Screenshot 2019-06-14 at 13.14.49.png

    Then use it in a firewall rule.

    Screenshot 2019-06-14 at 13.16.32.png

    Screenshot 2019-06-14 at 13.54.17.png



  • Thanks, I've done a similar rule: I've allowed GeoIP connecting to port 2451 to pass through at the top, then I have the pfBlockerNG block rules, then I have a port forward rule for any source connecting to port 2451 to redirect to the internal IP address. Seems to be working. Strange thing though: when you click on the states for the port forward rule there are no states; however, the top rule (GeoIP rule to port 2451) contains all the correct states.


  • Galactic Empire

    @slim2016
    Kill all the firewall states and test again.



  • I solved this problem a while ago.

    Basically, floating rules are evaluated before anything else. Move whatever is special to floating rules. Then decide on the provided sort order.
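    As an added illustration (not from this thread, pfSense or pfBlockerNG), this is what the order the original poster asked for looks like as raw pf rules, which is what pfSense compiles GUI rules into. The table name pfB_Block, the aliastables path, and the $wan / $wan_addr macros are assumptions; the point is the first-match ("quick") evaluation, which is also why the states in the later post attach to the top rule rather than the port forward.

    ```pf
    # Constructed example: the pfBlockerNG blocklist as a pf table.
    # Path and table name are assumptions, not taken from the thread.
    table <pfB_Block> persist file "/var/db/aliastables/pfB_Block.txt"

    # --- Auto rule order (what pfBlockerNG re-applies after each update) ---
    # The block comes first, so a blocklisted source can never reach 2451,
    # even though 2451 was meant to be open to any source.
    #
    # block in quick on $wan inet from <pfB_Block> to any
    # pass  in quick on $wan inet proto tcp from any to $wan_addr port 2451 keep state
    # pass  in quick on $wan inet proto tcp from any to $wan_addr port 443  keep state

    # --- Requested order: Pass / pfB_Block / Pass ---
    # 1. First match wins: any source may reach 2451. Because this rule
    #    creates the state, the state is shown under this rule, not under
    #    a later port-forward rule that never gets evaluated for that flow.
    pass  in quick on $wan inet proto tcp from any to $wan_addr port 2451 keep state

    # 2. pfB_Block/Reject: everything else from the blocklist is dropped here.
    block in quick on $wan inet from <pfB_Block> to any

    # 3. Only sources that survived step 2 reach 443.
    pass  in quick on $wan inet proto tcp from any to $wan_addr port 443  keep state
    ```

    Since pfBlockerNG re-sorts the interface rules on every update, the place this order survives is where the thread ends up: either put the special pass in Floating Rules (evaluated first) or drive it from a pfBlockerNG-maintained alias rather than a hand-ordered rule.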



  • Just out of curiosity, is it not possible for NAT/port-forward rules to be placed in Floating Rules automatically, or to be moved to floating rules?

