Netgate Discussion Forum

Properly whitelisting IP addresses

Category: pfBlockerNG (4 Posts, 2 Posters, 1.6k Views)
    KKIT (last edited Mar 1, 2023, 9:39 AM)

    Hi,

    When trying to whitelist IP addresses, I can add them via the reports page and create a custom IPv4 list.

    So far so good, but unfortunately it is unclear to me whether or not I need to set the rule to "Permit Both". If I do that, I get the error that I need to specify a port and that it poses a security risk.

    What's the best approach to whitelisting IP addresses (not talking about DNSBL)?

    Thanks

    Tzvia @KKIT (last edited Mar 12, 2023, 4:41 PM)

      @kkit The point of a firewall is to allow internal devices to get to the internet but NOT allow unsolicited requests IN. If you wish to get to this website, for example, forum.netgate.com is replying to your computer's request for the data, so it is allowed in. But forum.netgate.com can't just barge into your computer unless your computer asks for it first. So allow rules are typically on INTERNAL interfaces. If someone outside your network needs to get IN, unsolicited (an employee at your company, for example), set up a VPN and grant access that way. Don't go opening IPs on the WAN side without a special use case.

      Tzvia

      Current build:
      Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
      16 gigs ram
      500gig WD Blue nvme
      Using modded BIOS (enabled CSTATES)
      PFSense 2.72-RELEASE
      Enabled Intel SpeedShift
      Snort
      PFBlockerNG
      LAN and 5 VLANS

      KKIT @Tzvia (last edited Mar 12, 2023, 7:06 PM)

        @tzvia My question was regarding the proper IP whitelisting process in pfBlocker.

        Tzvia @KKIT (last edited Mar 13, 2023, 1:53 AM)

          @kkit I initially thought that, but as you mentioned opening both ways and it asking about incoming ports, I rethought it.

          What pfSense is essentially doing is providing an easy way to see a list of commonly used lists of advertising, trackers, coinblockers and malicious sites, and automating a way to download and update them, with an easy to navigate interface.

          If you have an allow outgoing list set up (for example, I have the InterNIC root DNS servers in an allow-out list to make sure they aren't blocked), you can just jump into pfBlockerNG/IP/IPv4, select that IPv4 list, scroll down to IPv4 Custom_List and add them there, quick and dirty...

          You could also just create a firewall ALIAS, manually add what you want to that, and use it in an allow outbound rule. I did this for my work's ASNs, 11 IPv4 ranges and 1 IPv6, so that I don't run into issues as I work from home 3 days a week.

          Another way: if the IP that is being blocked is normally reached by a domain name, like your typical website, you can add the domain to the DNSBL/DNSBL Whitelist as the domain name. Maybe 90% of the time I just add the domain that corresponds with the IP to the DNSBL whitelist and that takes care of it.

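The whitelisting routes described in the reply above (pasting entries into a permit list's IPv4 Custom_List, or building a firewall alias for an allow rule) are only as good as the entries you type. A practitioner would want to check, before pasting, that each entry is a valid IPv4 address or CIDR, that it is actually covered by something in the block lists (otherwise the permit is a no-op and the real cause of the block lies elsewhere), that it is not so broad that it punches a hole in the whole feed, and that it is not RFC 1918 or loopback space. The script below is an added example written for this thread; it is not code from the original post or from the pfBlockerNG package. The block list and permit list it reviews are constructed samples embedded inline (documentation-range addresses, made up for illustration), and the status names and the `/24` "too broad" threshold are this example's own choices.

```python
"""Review a candidate pfBlockerNG IPv4 permit (whitelist) list before pasting it
into IPv4 Custom_List or a firewall alias. Added example; not pfBlockerNG code."""
import ipaddress
from typing import Dict, List, Tuple

# Ranges that should never appear in a permit list aimed at Internet hosts.
# Listed explicitly instead of using IPv4Network.is_private, because is_private
# also flags the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24)
# that the constructed samples below use.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample feed in pfBlockerNG's one-entry-per-line text format
# ('#' comments, bare IPs or CIDRs). Values are made up for illustration.
SAMPLE_BLOCKLIST = """
# made-up feed "example_feed"
198.51.100.0/24
203.0.113.17
192.0.2.0/25
"""

# Constructed candidate permit list, deliberately containing mistakes.
SAMPLE_PERMIT = """
198.51.100.42      # host we need to reach; sits inside a blocked /24
203.0.113.17       # exact match of a blocked host
192.0.2.200        # not actually blocked (outside 192.0.2.0/25)
10.0.0.0/8         # RFC 1918 space, does not belong here
0.0.0.0/0          # would permit everything
2001:db8::1        # IPv6, belongs in the IPv6 list instead
not-an-ip          # typo
"""


def parse_list(text: str) -> Tuple[list, List[str]]:
    """Parse a pfBlockerNG-style list into (networks, unparseable_entries)."""
    nets, bad = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return nets, bad


def review_permit_list(permit_text: str, block_text: str,
                       max_prefix: int = 24) -> Dict[str, dict]:
    """Classify every permit entry. Status values (this example's own names):
    ok           - IPv4, specific enough, and actually covered by a block entry
    not-blocked  - nothing in the block list covers it, so the permit is a no-op
    too-broad    - prefix shorter than max_prefix; a whitelist should be surgical
    local        - lies entirely inside RFC 1918 / loopback / link-local space
    wrong-family - not IPv4 (pfBlockerNG keeps IPv6 in a separate list)
    unparseable  - not an IP address or CIDR at all
    """
    blocked, _ = parse_list(block_text)
    blocked_v4 = [b for b in blocked if b.version == 4]
    permits, bad = parse_list(permit_text)
    report: Dict[str, dict] = {}
    for entry in bad:
        report[entry] = {"status": "unparseable", "covered_by": []}
    for net in permits:
        key = str(net)
        if net.version != 4:
            report[key] = {"status": "wrong-family", "covered_by": []}
            continue
        covered = [str(b) for b in blocked_v4 if net.subnet_of(b)]
        if any(net.subnet_of(local) for local in LOCAL_NETS):
            status = "local"
        elif net.prefixlen < max_prefix:
            status = "too-broad"
        elif not covered:
            status = "not-blocked"
        else:
            status = "ok"
        report[key] = {"status": status, "covered_by": covered}
    return report


def to_custom_list(report: Dict[str, dict]) -> str:
    """Render only the 'ok' entries, one per line, ready to paste into
    pfBlockerNG/IP/IPv4 -> IPv4 Custom_List (bare address for single hosts)."""
    lines = []
    for key, info in report.items():
        if info["status"] != "ok":
            continue
        net = ipaddress.ip_network(key)
        lines.append(str(net.network_address)
                     if net.prefixlen == net.max_prefixlen else key)
    return "\n".join(lines)


if __name__ == "__main__":
    result = review_permit_list(SAMPLE_PERMIT, SAMPLE_BLOCKLIST)
    for entry, info in result.items():
        print(f"{entry:20} {info['status']:13} {' '.join(info['covered_by'])}")
    print("--- paste into Custom_List ---")
    print(to_custom_list(result))
```

Two caveats once the list is in place. A permit entry only helps if the pass rule it feeds sits above the pfBlockerNG deny rules on the interface, so check the rule order on the pfBlockerNG IP tab and the resulting rule set on the firewall rules page. And whichever route you take (Custom_List or alias), confirm the running firewall actually has the address by listing the pf table behind the alias on the pfSense shell with `pfctl -t <table name> -T show` (the table name is the alias name as pfSense created it).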

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.