Netgate Discussion Forum

    Geo block takes precedence over all other rules?

    Category: pfBlockerNG
    belze:

      I'm not new to pfSense, so I don't believe I'm doing anything wrong but maybe I am...or maybe I just couldn't find the pertinent information regarding Geo block rule order.

      It seems to me that these lists are processed first no matter what. I have Geo block rules for a few countries set as a floating rule, blocking in/out. Above these rules I have some floating rules to permit access to port 80 and 443 for certain domain names and IPs. They are set as "quick". I also changed the pfBlocker rule order to put all permits first.

      Even though my rule order would suggest the permit is applied first, the IP of where I'm trying to go is always caught by the Geo block rule.

      [image: pfborder.jpg]

      [image: rulesfloat.jpg]

      From the pics above you can see IP 185.230.63.171 as an example. If I try to go to that IP the permit rule never sees it, as the states/bytes never increase, but the Asia outbound block rule sees it and blocks the traffic.

      I've reset states and the FW but it still happens. I've gotten around this issue by disabling the outbound block and only blocking inbound, but it seems to me that something is wrong or not documented fully.

      johnpoz (LAYER 8, Global Moderator) @belze:

        @belze yes floating are evaluated before interface rules.

        https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#rule-processing-order

        Floating Rules
        Interface Group Rules
        Interface Rules
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
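        As an added illustration of the linked processing order (not code from the thread or from pfSense itself): a small model of how pf walks a pfSense ruleset, floating tab first, then interface group, then interface rules, where a matching rule marked quick ends evaluation and a non-quick match is overridden by a later match. The rule names, the contents of the "Asia" alias and the sample packet are constructed; pfSense applies quick implicitly to interface and group rules.

        ```python
        from dataclasses import dataclass


        @dataclass
        class Rule:
            name: str
            action: str                    # "pass" or "block"
            tab: str                       # "floating", "group" or "interface"
            dst: frozenset | None = None   # destination IPs (an alias); None means any
            dport: int | None = None       # destination port; None means any
            quick: bool = False            # only meaningful on the floating tab


        TAB_ORDER = {"floating": 0, "group": 1, "interface": 2}


        def matches(rule: Rule, pkt: dict) -> bool:
            return (rule.dst is None or pkt["dst"] in rule.dst) and \
                   (rule.dport is None or rule.dport == pkt["dport"])


        def evaluate(rules: list[Rule], pkt: dict) -> tuple[str, str]:
            """Floating rules first, then group, then interface rules (stable sort keeps
            the in-tab order).  A quick match returns immediately; otherwise the last
            matching rule wins.  No match at all is the default deny."""
            winner = None
            for rule in sorted(rules, key=lambda r: TAB_ORDER[r.tab]):
                if not matches(rule, pkt):
                    continue
                winner = rule
                if rule.quick or rule.tab != "floating":   # non-floating rules are always quick
                    return rule.action, rule.name
            return ("block", "default deny") if winner is None else (winner.action, winner.name)


        # Constructed sample: an "Asia" alias holding the IP from the thread, a floating
        # pass rule for 443 placed above the floating geo block, and a LAN pass-any rule.
        ASIA = frozenset({"185.230.63.171"})
        PKT = {"dst": "185.230.63.171", "dport": 443}


        def scenario(pass_quick: bool) -> tuple[str, str]:
            rules = [
                Rule("permit 443 to allowed hosts", "pass", "floating", ASIA, 443, quick=pass_quick),
                Rule("Asia outbound block", "block", "floating", ASIA, None, quick=True),
                Rule("LAN default allow", "pass", "interface"),
            ]
            return evaluate(rules, PKT)


        if __name__ == "__main__":
            print(scenario(pass_quick=True))    # ('pass', 'permit 443 to allowed hosts')
            print(scenario(pass_quick=False))   # ('block', 'Asia outbound block')
        ```

        With quick set on the pass rule it wins because it sits above the block; without quick, the later block rule in the same tab overrides it.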

        belze @johnpoz:

          @johnpoz Thanks for the response. I should have elaborated more.
          I know floating rules are evaluated before interface rules, but are the rules ALWAYS evaluated top down per rule tab (LAN, WAN, Floating, etc)?

          If so, this seems to be unintended behavior since I set the "quick" option on the pass rules.

          I can always get around it by say putting the Geo block on the interfaces and the permits on the floating tab, but if what I'm seeing is a bug I wanted to get it out here so it could be fixed.

          Bob.Dig (LAYER 8) @belze:

            @belze said in Geo block takes precedence over all other rules?:

            but if what I'm seeing is a bug I wanted to get it out here so it could be fixed.

            No bug, your rules are just messy as hell, some basics are missing.

            SteveITS (Galactic Empire) @belze:

              @belze Set the Geo entry up as Alias Native and then it just creates an alias. You can then create your own rules in the order you wish.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              johnpoz (LAYER 8, Global Moderator) @SteveITS:

                ^ Exactly, this is what I would do. And what I do do for my use of geoip based rules. But I don't block with them, I allow with them. Only allow the countries my users are in for plex, etc.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.