Netgate Discussion Forum
    Disable pfBlocker through SSH?

    pfBlockerNG
    furom (last edited by furom)

      Hi,

      I have stumbled into the rabbit hole several times now trying to get pfBlocker. I somehow always seem to configure something making me appreciate backups even more.

      For example under IP Interface/Rules Configuration, should I select all my interfaces? Last time I did this I lost access, so trying to be proactive this time.

      Where in SSH can I disable pfBlocker if I mess up again?

      I'd like to end up with at least DNS blocking and some sensible settings if possible :)

      Thanks

      SteveITS (Galactic Empire) @furom

        @furom Rules Configuration is for selecting where your auto generated Deny rules go. Generally all WANs and all LANs if you want to block inbound and outbound (though WAN defaults to block all).

        What I normally do is create the lists as Alias Native and then create my own rules.

        From shell/console there is https://docs.netgate.com/pfsense/en/latest/config/console-menu.html#restore-recent-configuration

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

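The reply above answers the "where in SSH" question with the console menu's restore option. As an added illustration (not from the post, not part of pfBlockerNG or pfSense), the shell functions below show what you can check from an SSH shell before and after enabling Rules Configuration: which interfaces already carry pfBlockerNG auto rules, which pf tables those rules reference, and whether the package's master switch is on in config.xml. Assumptions: pfBlockerNG tables and aliases carry the `pfB_` prefix, the enable flag is stored as `<enable_cb>on</enable_cb>` under `<pfblockerng>` in config.xml, and the `pfctl -sr` lines and config fragment embedded here are constructed samples, not output captured from a real box.

```sh
#!/bin/sh
# Added example, not from the forum post and not pfBlockerNG's own code.
# Inspect pfBlockerNG auto rules and the package's enable flag from a shell.

# Summarise pfBlockerNG rules found in `pfctl -sr` output read on stdin.
# Assumption: pfBlockerNG names its pf tables with a pfB_ prefix, so any rule
# referencing <pfB_...> is one of its auto-generated Deny rules.
# Prints one line per interface: "<iface> <rule count> <table1,table2,...>"
pfb_rules_by_iface() {
    awk '
        /<pfB_[A-Za-z0-9_]+/ {
            # e.g.: block drop in quick on igb0 inet from <pfB_PRI1_v4:1500> to any ...
            iface = "?"
            for (i = 1; i <= NF; i++) if ($i == "on") iface = $(i + 1)
            line = $0
            while (match(line, /<pfB_[A-Za-z0-9_]+/)) {
                t = substr(line, RSTART + 1, RLENGTH - 1)   # strip leading "<"
                if (!((iface, t) in seen)) {
                    seen[iface, t] = 1
                    tables[iface] = (tables[iface] == "" ? t : tables[iface] "," t)
                }
                line = substr(line, RSTART + RLENGTH)
            }
            count[iface]++
        }
        END { for (i in count) print i, count[i], tables[i] }
    ' | sort
}

# Report whether pfBlockerNG is enabled in the config.xml given as $1.
# Assumption: the master switch is <enable_cb>on</enable_cb> inside <pfblockerng>.
# Prints "enabled" or "disabled".
pfb_config_state() {
    if sed -n '/<pfblockerng>/,/<\/pfblockerng>/p' "$1" | grep -q '<enable_cb>on</enable_cb>'; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample of `pfctl -sr` output (not captured from a real firewall):
# WAN (igb0) has inbound+outbound deny rules for one list, LAN (igb1) has
# outbound deny rules for two lists plus an unrelated pass rule.
PFB_SAMPLE_RULES='block drop in quick on igb0 inet from <pfB_PRI1_v4:1500> to any label "USER_RULE: pfB_PRI1_v4 auto rule"
block drop out quick on igb0 inet from any to <pfB_PRI1_v4:1500> label "USER_RULE: pfB_PRI1_v4 auto rule"
block drop out quick on igb1 inet from any to <pfB_PRI1_v4:1500> label "USER_RULE: pfB_PRI1_v4 auto rule"
block drop out quick on igb1 inet from any to <pfB_Top_v4:2000> label "USER_RULE: pfB_Top_v4 auto rule"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN allow"'

# Constructed config.xml fragment with the package switched on.
PFB_SAMPLE_CONFIG='<pfsense>
  <installedpackages>
    <pfblockerng>
      <config>
        <enable_cb>on</enable_cb>
      </config>
    </pfblockerng>
  </installedpackages>
</pfsense>'

# Demo on the constructed samples; on a real box use:
#   pfctl -sr | pfb_rules_by_iface
#   pfb_config_state /cf/conf/config.xml
printf '%s\n' "$PFB_SAMPLE_RULES" | pfb_rules_by_iface
pfb_demo_cfg=$(mktemp)
printf '%s\n' "$PFB_SAMPLE_CONFIG" > "$pfb_demo_cfg"
pfb_config_state "$pfb_demo_cfg"
rm -f "$pfb_demo_cfg"
```

Run on the firewall, `pfctl -sr | pfb_rules_by_iface` tells you which interfaces pfBlockerNG has already put deny rules on and for which tables, which is the question to answer before ticking every interface in Rules Configuration. If access is lost anyway, the console menu's restore option linked above (or the backups under /cf/conf/backup/) is the supported way back, rather than hand-editing rules.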
        furom @SteveITS

          @steveits said in Disable pfBlocker through SSH?:

          @furom Rules Configuration is for selecting where your auto generated Deny rules go. Generally all WANs and all LANs if you want to block inbound and outbound (though WAN defaults to block all).

          What I normally do is create the lists as Alias Native and then create my own rules.

          From shell/console there is https://docs.netgate.com/pfsense/en/latest/config/console-menu.html#restore-recent-configuration

          Thank you! Will read more of what "Alias Native" means. I want to keep it simple until grasping it correctly (hopefully) this time. :)

          SteveITS (Galactic Empire) @furom

            @furom said in Disable pfBlocker through SSH?:

            Alias Native

            That choice only creates aliases and does not create any rules.


            furom @SteveITS

              @steveits said in Disable pfBlocker through SSH?:

              @furom said in Disable pfBlocker through SSH?:

              Alias Native

              That choice only creates aliases and does not create any rules.

              Ok, what would be the added value of not having pfBlocker create them, apart from more control?

              SteveITS (Galactic Empire) @furom

                @furom Two I know of:

                1. Control (easier to create exceptions/rules above the deny)
                2. Per other threads, if deduplication is on and deny rules are used, apparently dedupe happens across the deny lists. If they are being used for different ports, then only one port gets blocked for the duplicate IP.


                furom @SteveITS

                  @steveits said in Disable pfBlocker through SSH?:

                  @furom Two I know of:

                  1. Control (easier to create exceptions/rules above the deny)
                  2. Per other threads, if deduplication is on and deny rules are used, apparently dedupe happens across the deny lists. If they are being used for different ports, then only one port gets blocked for the duplicate IP.

                  Sounds like a good reason to. I'll keep that in mind, thank you!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.