One way logging possible?
-
Hi, I am using the PRI1 lists with pfBlockerNG and have them set to Deny Both (to protect my VPN connection and to detect possibly infected systems inside my network). Is there a way to configure pfBlocker so that I can have logging enabled but only for outbound attempts? I've tried modifying the firewall rules directly; however, it seems that whenever pfBlocker reloads, the rules get reset.
-
I figured it out, for those who are interested, after reading other posts: modify the existing auto rules across all interfaces to change the descriptions from "pfB" to "pfb" and modify the logging as I wish, then change the lists in pfBlockerNG from Deny Both to Alias Native. Reload, and the modified rules are now retained.
-
Unless I'm missing something, I think you would only need to block outbound, since all inbound is blocked by default anyway. There is security on your VPN connection, right?
-
@provels Setting Deny Both blocks access to the VPN port from malicious sources. Without this I get a lot of pounding on the VPN port.
-
@mlines FWIW, I understand what you mean, but either way the FW burns CPU to make the call.
-
@mlines said in One way logging possible?:
I figured it out, for those who are interested, after reading other posts: modify the existing auto rules across all interfaces to change the descriptions from "pfB" to "pfb" and modify the logging as I wish, then change the lists in pfBlockerNG from Deny Both to Alias Native. Reload, and the modified rules are now retained.
Not exactly right. You are using pfB to generate an alias for the PRI1 lists, right?
So if you want to create your firewall rules yourself and don't want pfB to mess with them, switch it to "Alias Deny"; that way you can benefit from dedup and the other mechanisms for combining multiple lists. You can also use "Alias Native" if you want, but read up in the help on what the difference is.
Anyway, renaming anything in the description is not necessary! Just switch it to "Alias xy" and pfBlocker won't create rules itself, so you can design, modify and place your rules yourself without interference. That's my recommendation anyway: use pfB to manage and download those lists, GeoIPs or DNSBLs, but only let it create the aliases and use them in your own rules yourself.
As @provels states correctly, if you don't have inbound traffic, blocking PRI1 per se doesn't increase security a bit. If you have, say, a DMZ with multiple servers/services or are running a VPN, you can use it to filter traffic before the pass rules allow traffic to hit your services, that's right. If all you have is, e.g., a rule allowing OpenVPN inbound, you can easily modify that pass rule with a source of "NOT pfb_PRI1_v4" to block IPs from the PRI1 alias without needing a second block rule or anything. Explicitly blocking traffic for the PRI1 alias is only needed/wanted if you want to see how many hits/how much traffic that actually accounts for, or if you want to log it for any reason :)
Otherwise, having PRI1 blocked on the LAN side (or WAN outbound), or some other lists like malware or bot control nets, makes perfect sense. Just watch out that your alias doesn't include the RFC1918 (private nets) IP ranges, or you might be wondering why you can't access other LAN/VLAN subnets anymore ;)
Greets
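The two practical points above (use the pfB alias in your own rules, and make sure the alias does not swallow RFC1918 space) can be checked before a list goes live. The following is an added example, not code from this thread or from pfBlockerNG: it parses an alias table in the one-address-or-CIDR-per-line format pfBlockerNG writes, reports entries that overlap the private ranges, produces a cleaned list, and answers the question a "source NOT pfb_PRI1_v4" pass rule asks, namely whether a given source address is inside the alias. The sample table is constructed, and the path /var/db/aliastables/pfB_PRI1_v4.txt is an assumption about where pfBlockerNG keeps its generated tables on pfSense.

```python
"""Sanity-check a pfBlockerNG-style alias table for RFC1918 overlap.

Added example; not part of the forum thread or of pfBlockerNG itself.
Assumptions: the table is plain text with one IPv4 address or CIDR per
line and '#' comments (the format pfBlockerNG writes), and on pfSense the
PRI1 table lives at /var/db/aliastables/pfB_PRI1_v4.txt.
"""
import ipaddress
import sys
from typing import Iterable, List

# The three private ranges from RFC1918. Any alias entry overlapping these
# would make a "block from LAN to pfb_PRI1_v4" rule cut off inter-VLAN traffic.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample table (NOT a real PRI1 download): three routable
# entries plus two that spill into private space, as a sloppy upstream
# feed occasionally does.
SAMPLE_TABLE = """\
# pfB_PRI1_v4 (constructed sample for illustration)
198.51.100.0/24
203.0.113.7
192.0.2.0/25
10.0.0.0/8
192.168.50.0/24
"""

# Assumed location of the generated table on a pfSense box.
DEFAULT_TABLE_PATH = "/var/db/aliastables/pfB_PRI1_v4.txt"


def parse_table(text: str) -> List[ipaddress.IPv4Network]:
    """Turn table text into networks; a bare address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        # strict=False tolerates host bits set in a CIDR entry (e.g. 1.2.3.4/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def load_table(path: str = DEFAULT_TABLE_PATH) -> List[ipaddress.IPv4Network]:
    """Read and parse an alias table file from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_table(fh.read())


def private_overlaps(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Entries that overlap RFC1918 space: candidates for pfB's suppression list."""
    return [str(n) for n in nets if any(n.overlaps(p) for p in RFC1918)]


def drop_private(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """The same table with every RFC1918-overlapping entry removed."""
    return [n for n in nets if not any(n.overlaps(p) for p in RFC1918)]


def in_alias(src: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if src is inside the alias.

    This is the match a rule with source "pfb_PRI1_v4" makes; a pass rule
    with source "NOT pfb_PRI1_v4" (the OpenVPN trick from the thread)
    lets src through exactly when this returns False.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def main(argv: List[str]) -> int:
    nets = load_table(argv[1]) if len(argv) > 1 else parse_table(SAMPLE_TABLE)
    bad = private_overlaps(nets)
    print(f"{len(nets)} entries, {len(bad)} overlapping RFC1918: {bad}")
    for probe in ("203.0.113.7", "10.1.2.3"):
        print(f"source {probe} matched by alias: {in_alias(probe, nets)}")
    clean = drop_private(nets)
    print(f"after dropping private overlaps: {len(clean)} entries; "
          f"10.1.2.3 matched: {in_alias('10.1.2.3', clean)}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or point it at the real table file on the firewall. A non-zero exit when private space is present makes it usable as a pre-reload check; the offending entries are what you would put into pfBlockerNG's suppression list (or fix at the list source) rather than editing the generated table by hand, since the next update would overwrite it.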