1. Home
  2. pfSense Packages
  3. pfBlockerNG
  4. pfblocker-devel does not block ip

pfblocker-devel does not block ip

  • L

    Im having some traffic, which keeps coming in, on my mailserver, which I would like to block with pfblocker-ng-(devel). Its version "2.2.5_29"

    I've created an custom IP IPv4 category, and it seems to work. If I set the direction to "Deny both" I cannot access the blocked IP anymore, but traffic keeps coming in. I can see in the logs on the targeted server, and I also get this with tcpdump on the same server. (ips, masked)...

    14:34:40.037124 IP (tos 0x0, ttl 49, id 19471, offset 0, flags [DF], proto TCP (6), length 60)
    XXX.26332 > YYY.587: Flags [S], cksum 0x9c18 (correct), seq 888453245, win 29200, options [mss 1460,sackOK,TS val 2221667442 ecr 0,nop,wscale 10], length 0
14:35:03.020934 IP (tos 0x0, ttl 49, id 3436, offset 0, flags [DF], proto TCP (6), length 60)
    XXX1.29660 > YYY.587: Flags [S], cksum 0xfe80 (correct), seq 3773580117, win 29200, options [mss 1460,sackOK,TS val 2221690425 ecr 0,nop,wscale 10], length 0

    alt text

    alt text

    What am I missing here ? Is it because there are is an NAT rule, which overrides this ?. 🤔

    --edit--
    Just enabled the "Kill States", but the issue persists.

    --edit again--
    So, NAT rules are passed before custom rules, which must be why..
    https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

    I've changed the NAT rule, to the source does NOT match my pfblocker block alias rule, which is working. BUT, I can only apply one of these.

    0
  • L

    Ok, so I think I got this working.

    I've created an alias under firewall rules with "networks" as type, where I have the added the pfBlockerNG names of the lists I have enabled under IP/IPv4 and IP/GeoIP.

    Then for the NAT rules, i've added this alias as "inverted" source.

    So, if I add/modify these lists, then the alias needs to be modified as well. Not an very big deal for me, but could be for others ??

    But maybe im missing a magic checkmark, so this happens automatically? :)

    0
  • NollipfSense

    @lbm_ said in pfblocker-devel does not block ip:

    I've created an alias under firewall rules

    There, you go...that's exactly what I would say.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy