Netgate Discussion Forum
    PFBlockerng WAN Firewall Rules

Category: Firewalling
captaindarth:

PFSense noob here (but LOVING it after moving from Unifi), and I have PFBlockerng running and successfully blocking DNS blacklists. But I have a quick question - I have a port forward open, and judging from what I've seen from others' setups, there seems to typically be a block rule set up on the WAN to capture things like Geo IP blocks, etc. However, the wizard did not set up any type of WAN blocking rule for PFBlockerng. Am I missing something that is supposed to be set up on the WAN firewall rule for PFBlockerng to work?

netblues @captaindarth:

@captaindarth Are you using the floating rules way of pfblockerng or the per interface approach?

captaindarth @netblues:

          @netblues I'm using the per interface approach.

netblues @captaindarth:

@captaindarth You also said DNS blacklists.
DNS blacklists essentially don't need firewall rules by design.
IP blocking does. There is an option on the IP tab for which interfaces rules should be generated and applied on.

captaindarth @netblues:

@netblues here is a screenshot of the IP tab:
[image: Screen Shot 2021-01-18 at 9.51.36 PM.png]

As I understand it (which can be corrected if I am wrong), this tab above is the rule that is doing the DNS blacklisting. And because I only have one entry here to deny outbound, this is why I don't see any PFBlockerng firewall rules on the WAN interface, correct? Here is what I see on the WAN and LAN firewall rules:
[image: Screen Shot 2021-01-18 at 9.54.02 PM.png]
[image: Screen Shot 2021-01-18 at 9.54.07 PM.png]

netblues @captaindarth (last edited by netblues):

@captaindarth Yes, you are right.
Denying outbound what is blocked by DNS is an extra level of protection.
If you were using e.g. pihole, then you would hope the client does what pihole instructs (and doesn't try any hardcoded IPs directly).

My IP tab looks like this:
[image: 50c2e796-bda5-4715-9aed-65a9774e3206-image.png]
and a test scenario blocking inbound would be like this:
[image: 0ba34a82-159a-4f79-b66d-7d1ef0028ae7-image.png]

And I'm not using the automatic rule generation, which puts rules first, which isn't what is required most of the time.

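As an added illustration (not from the thread, and not pfBlockerNG's own generated ruleset), the two kinds of rule netblues describes are shown below in raw pf syntax as pfSense would evaluate them: an inbound IP block on the WAN that must be ordered before the pass rule the port forward relies on, and an outbound deny on the LAN for addresses the DNSBL already sinkholes. Interface names, table names, the server address and the table contents are constructed placeholders.

```pf
# Constructed example in pf.conf syntax. Interface names, table names and
# addresses are placeholders, not values from the thread.
ext_if  = "em0"             # WAN
int_if  = "em1"             # LAN
web_srv = "192.168.1.10"    # internal host behind the port forward

# Tables stand in for the pfBlockerNG IP aliases. pfBlockerNG fills its aliases
# from the configured feeds; here they hold RFC 5737 documentation ranges.
table <pfB_Inbound_Block> persist { 203.0.113.0/24, 198.51.100.0/24 }
table <pfB_DNSBL_IPs>     persist { 192.0.2.0/24 }

# The port forward (NAT) itself; filtering below sees the translated address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# --- WAN: inbound IP blocking (the "Deny Inbound" case) ---
# With "quick", the first matching rule wins, so the block must be evaluated
# before the pass rule that admits the forwarded port; otherwise a listed
# source still reaches the forward. This is the ordering the automatic
# "rules first" generation enforces; placing them manually gives the same
# effect where it is actually needed.
block in quick log on $ext_if inet from <pfB_Inbound_Block> to any
pass  in quick     on $ext_if inet proto tcp from any to $web_srv port 443

# --- LAN: deny outbound to sinkholed hosts (the "Deny Outbound" case) ---
# The DNSBL needs no firewall rule of its own: it answers lookups with a
# sinkhole address. This rule is the extra layer for a client that ignores
# DNS and connects to a hardcoded IP directly. pfSense filters LAN client
# traffic as it enters the LAN interface, so the rule is "in" on $int_if.
block in quick log on $int_if inet from $int_if:network to <pfB_DNSBL_IPs>
pass  in quick     on $int_if inet from $int_if:network to any
```

Logged hits on either block rule are what a pfBlockerNG report would count; the WAN rule alone explains why a DNSBL-only configuration shows no pfBlockerNG rules on the WAN tab.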
© 2021 Rubicon Communications, LLC