    Properly whitelisting IP addresses

    pfBlockerNG
    KKIT:

      Hi,

      when trying to whitelist IP addresses, I can add them via the reports page and create a custom IPv4 list.

      So far so good, but unfortunately it is unclear to me whether or not I need to set the rule to "Permit Both". If I do that, I get the error that I need to specify a port and that it poses a security risk.

      What's the best approach to whitelisting IP addresses (not talking about DNSBL)?

      Thanks

      Tzvia (replying to KKIT):

        @kkit The point of a firewall is to allow internal devices to get to the internet but NOT allow unsolicited requests IN. If you wish to get to this website, for example, forum.netgate.com is replying to your computer's request for the data, so it is allowed in. But forum.netgate.com can't just barge into your computer unless your computer asks for it first. So allow rules are typically on INTERNAL interfaces. If someone outside your network needs to get IN, unsolicited (an employee at your company, for example), set up a VPN and grant access that way. Don't go opening IPs on the WAN side without a special use case.

        Tzvia

        Current build:
        Qotom-Q555G6 Core i5 7200
        8 gigs ram
        64gig MSATA
        PFSense 2.60-RELEASE
        Snort
        PFBlockerNG-Devel

        KKIT (replying to Tzvia):

          @tzvia My question was regarding the proper IP whitelisting process in pfBlocker.

          Tzvia (replying to KKIT):

            @kkit I initially thought that, but as you mentioned opening both ways and it asking about ports incoming, I re-thought it.

            What pfSense is essentially doing is providing an easy way to see a list of commonly used lists of advertising, trackers, coinblockers and malicious sites, and automating a way to download and update them, with an easy-to-navigate interface.

            If you have an allow-outgoing list set up (for example, I have the InterNIC root DNS servers in an allow-out rule to make sure they aren't blocked), you can just jump into pfBlockerNG/IP/IPv4, select that IPv4 list, scroll down to IPv4 Custom_List and add them there, quick and dirty... You could also just create a firewall ALIAS, manually add what you want to that, and use it in an allow outbound rule. I did this for my work's ASNs, 11 IPv4 ranges and 1 IPv6, so that I don't run into issues as I work from home 3 days a week.

            Another way, if the IP that is being blocked is normally reached by a domain name, like your typical website, is to add the domain to the DNSBL/DNSBL Whitelist as the domain name. Maybe 90% of the time I just add the domain that corresponds with the IP to the DNSBL whitelist and that takes care of it.

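The two answers above come down to rule order: a pfBlockerNG permit list is evaluated before the block lists, so an entry in a custom whitelist punches a hole in a feed that contains it, and "Permit Outbound" is enough because the replies to LAN-initiated connections ride on firewall state. The script below is an added illustration, not pfSense or pfBlockerNG code: it models pf's first-match ("quick") evaluation in pfBlockerNG's default rule order (pfB_Pass/Match ahead of pfB_Block/Reject, then the interface rules), parses two constructed Custom_List-style lists, and shows which rule decides a few probe packets in "outbound" versus "both" mode. The rule names, list entries and probe addresses are all made up for the example; only the ordering mirrors the package's defaults.

```python
"""Simulate how a pfBlockerNG IP whitelist interacts with a blocklist.

Added example, not pfSense or pfBlockerNG code. It models pf first-match ("quick")
evaluation in pfBlockerNG's default rule order (pfB_Pass/Match rules ahead of
pfB_Block/Reject rules, then the pfSense interface rules) to show why a custom
whitelist only needs "Permit Outbound": replies to LAN-initiated connections are
matched by state, and "Permit Both" adds a pass rule on the WAN side instead.
Rule names, list contents and probe addresses are all constructed.
"""
import ipaddress
from collections import namedtuple

# direction "out": LAN host -> internet, the destination address is checked.
# direction "in":  unsolicited packet arriving on WAN, the source is checked.
Rule = namedtuple("Rule", "name action direction nets")

ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

# Constructed sample lists in Custom_List style: one IP or CIDR per line, '#' comments.
WHITELIST = """
198.51.100.0/24   # constructed 'work' range, like the ASN ranges in the thread
203.0.113.10      # constructed single host that a feed lists by mistake
192.0.2.0/24      # constructed range that is on no blocklist
10.0.0.0/8        # constructed, deliberately too wide so the lint flags it
"""
BLOCKLIST = """
203.0.113.0/24    # constructed feed entry that contains 203.0.113.10
198.51.100.0/22   # constructed feed entry that contains the whole work range
"""


def parse_list(text):
    """Parse a custom list: one IP or CIDR per line; a bare IP becomes a /32 or /128."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def lint_whitelist(nets, widest_v4=24, widest_v6=48):
    """Warn about whitelist entries wider than a /24 (IPv4) or /48 (IPv6)."""
    warnings = []
    for n in nets:
        limit = widest_v4 if n.version == 4 else widest_v6
        if n.prefixlen < limit:
            warnings.append(f"{n.with_prefixlen} is wider than /{limit}")
    return warnings


def build_rules(permit_nets, deny_nets, permit_mode):
    """permit_mode is 'outbound' (what the thread recommends) or 'both'."""
    rules = [Rule("pfB_Whitelist_v4_out", "pass", "out", permit_nets)]
    if permit_mode == "both":
        # The extra rule "Permit Both" creates: a pass rule on WAN for unsolicited
        # traffic from the whitelisted sources. Without a port restriction it
        # accepts any connection those hosts open to the WAN interface, which is
        # why the GUI insists on a port and warns about the risk.
        rules.append(Rule("pfB_Whitelist_v4_in", "pass", "in", permit_nets))
    rules += [
        Rule("pfB_Blocklist_v4_out", "block", "out", deny_nets),
        Rule("pfB_Blocklist_v4_in", "block", "in", deny_nets),
        Rule("pfSense_LAN_default_allow", "pass", "out", ANY),  # stock LAN rule
        Rule("pfSense_WAN_default_deny", "block", "in", ANY),   # no WAN pass rules
    ]
    return rules


def evaluate(ip, direction, rules):
    """Return the first rule matching the packet, as pf does with 'quick' rules."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.direction == direction and any(addr in net for net in rule.nets):
            return rule
    raise LookupError("no rule matched; the defaults should cover every address")


def demo(permit_mode="outbound"):
    """Map a few constructed probes to the name of the rule that decides them."""
    rules = build_rules(parse_list(WHITELIST), parse_list(BLOCKLIST), permit_mode)
    probes = {
        "out to 203.0.113.10": ("203.0.113.10", "out"),  # whitelisted host in a blocked /24
        "out to 203.0.113.11": ("203.0.113.11", "out"),  # its neighbour stays blocked
        "out to 198.51.100.7": ("198.51.100.7", "out"),  # work range inside a blocked /22
        "in from 192.0.2.77": ("192.0.2.77", "in"),      # unsolicited, from a whitelisted range
    }
    return {label: evaluate(ip, d, rules).name for label, (ip, d) in probes.items()}


if __name__ == "__main__":
    for mode in ("outbound", "both"):
        print(f"--- permit mode: {mode}")
        for label, rule in demo(mode).items():
            print(f"{label:22} -> {rule}")
    for warning in lint_whitelist(parse_list(WHITELIST)):
        print("lint:", warning)
```

Run it and the "outbound" mode shows the whitelisted host and the work range passing while the neighbouring address is still blocked by the feed, and the unsolicited packet from a whitelisted range hitting the WAN default deny; in "both" mode that same inbound packet is accepted by the extra WAN rule, which is the exposure the permit-both warning is about. The lint is a reminder to whitelist the exact ranges you need rather than a wide prefix. On a live box the equivalent check is `pfctl -t <table> -T test <address>` against the pfB_ tables, but that needs the firewall itself.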