PfblockerNG opens ports when enabled
I am having a strange situation on my pfSense firewall. A couple of days ago I updated pfSense to 2.4.4_r3. After that when pfBlockerNG/GeoIP is enabled it opens some ports on WAN that should not be opened. By default pfSense should block all that is not allowed, but in my situation it does not work.
Country X is selected
List Action: Permit Inboud
Enable Logging: Enable
Advanced Inboud Firewall Rules Settings:
Custom DST Port: Enabled, Set to Alias of list of ports that I want traffic to be allowed on the firewall
Custom Protocol: any
Custom Gateway: default
I've tried many things but without success. To block the ports I created rules and moved them before the auto rules. It works some time, but after the cron update the auto rules go up and the ports are open again.
Settings on the General tab:
Inbound firewall rules: WAN, Block
Outbound Firewall Rules: LAN, Reject
Rule Order: | pfB_Block/Reject | All other
Please, advise. Thanks in advance
I've done some more research and got the following.
When GeoIP is enabled and List Action=Permit, ports 81 (firewall itself) and port 53 (firewall's DNS forwarder) are open on WAN.
I also tried List Action=Alias Native and created a rule manually (let us say rule_1) I got the ports 81 and 53 open on WAN as with auto rules. I can block these ports by creating rules before the rule_1, but it I'd like to keep things simple.
My aim is to limit the traffic on open ports (not 81 and not 53) to a particular country. It looks like GeoIP's auto rules are first and even on top of firewall's default block. Is it something that should be expected? Is my understanding of pfSense's block all if not allowed incorrect? Please, advise.
Install pfBlockerNG-devel which is much improved. Also when using "Adv. Inbound/Outbound" settings you need to set the protocol setting. It can't be "any".
Thanks for your reply BBcan177. I set the protocol to TCP/UDP, however when I enable the rule created using the alias of GeoIP (Alias Native and etc.), I get ports 81 and 53 open on WAN. Is it expected or an abnormal thing? If it is expected, then I will block ports 81 and 53 creating block rules before the pass rule. I'd prefer to keep the non-devel package (at least for now) if the behaviour of the devel package is the same. Please, let me know.
Figured this out.
I replaced pfBlcokerNG with pfBlockerNG-Devel but the behavior remained the same. Creating a rule based on a GeoIP alias containing a country, opens ports 81 and 53 to the world (despite ports 81 and 53 are not included in the alias settings; only the required ports are included). To avoid this, in addition to (or instead of) having Custom DST Port in Firewall > pfBlockerNG > IP > GeoIP > Continent > Advanced Inbound Firewall Rule Settings, the ports are also required to be set in the Destination Port Range of the Rule, otherwise ports 81 and 53 (in addition to other opened ports) would be opened to the world. In my case I disabled the Custom DST Port and set the Destination Ports Range in the rule. I am not sure about the purpose of the "Custom DST Port" in GeoIP.