Netgate Discussion Forum

pfblocker IP list bypass

General pfSense Questions
  • M
    michmoor LAYER 8 Rebel Alliance @SteveITS
    last edited by Jun 15, 2023, 8:13 PM

    @SteveITS I did an update and a reload.
    My expectation is that I see it in the Floating Rules list. If I create a custom IPv4 list, do I have to use it as an Alias?

    M S 2 Replies Last reply Jun 15, 2023, 8:23 PM Reply Quote 0
    • M
      michmoor LAYER 8 Rebel Alliance @michmoor
      last edited by Jun 15, 2023, 8:23 PM

      I guess the question is how do you create an IP bypass list in pfblocker?

      P 1 Reply Last reply Jun 15, 2023, 8:46 PM Reply Quote 0
      • P
        provels @michmoor
        last edited by Jun 15, 2023, 8:46 PM

        @michmoor
        Try this

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        M 1 Reply Last reply Jun 15, 2023, 8:48 PM Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @provels
          last edited by Jun 15, 2023, 8:48 PM

          @provels I'm not using DNSBL. This is for IP.

          1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @michmoor
            last edited by Jun 15, 2023, 8:57 PM

            @michmoor said in pfblocker IP list bypass:

            My expectation is that I see it in the Floating Rules list. If I create a custom IPv4 list, do I have to use it as an Alias?

            I've not actually tried that so don't know the answer. If you create your own rules using aliases you can order them as needed and create a rule above it to bypass the blocks, and not try to have pfB generate that allow rule. It's at least one way to do it.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 0
            • S
              stephenw10 Netgate Administrator
              last edited by Jun 15, 2023, 9:07 PM

              I assume you do see rules for the other 4 lists?

              M 1 Reply Last reply Jun 15, 2023, 9:25 PM Reply Quote 0
              • M
                michmoor LAYER 8 Rebel Alliance @stephenw10
                last edited by Jun 15, 2023, 9:25 PM

                @stephenw10 Yep. Those are there. Screen cap of that.
                This is starting to look like a bug. The custom group just isn't being processed.

                Logs

                ===[  DNSBL Process  ]================================================
                
                 Loading DNSBL Statistics... completed
                 Loading DNSBL SafeSearch... disabled
                 Loading DNSBL Whitelist... completed
                
                [ MPatrol ]			 exists. [ 06/15/23 17:23:25 ]
                [ PhishingArmy ]		 exists.
                [ OISD ]			 exists.
                [ URLhaus_Mal ]			 exists.
                [ CoinBlocker_All ]		 exists.
                [ Abuse_ThreatFox ]		 exists. [ 06/15/23 17:23:26 ]
                [ CustomBlockList_custom ]	 exists.
                
                ===[  GeoIP Process  ]============================================
                
                [ pfB_NAmerica_v4 ]		 exists. [ 06/15/23 17:23:28 ]
                
                ===[  IPv4 Process  ]=================================================
                
                [ Abuse_Feodo_C2_Agr_v4 ]	 exists.
                [ Abuse_SSLBL_Agr_v4 ]		 exists.
                [ CINS_army_v4 ]		 exists.
                [ ET_Block_v4 ]			 exists.
                [ ET_Comp_v4 ]			 exists.
                [ ISC_Block_v4 ]		 exists.
                [ Spamhaus_Drop_v4 ]		 exists.
                [ Spamhaus_eDrop_v4 ]		 exists.
                [ Talos_BL_v4 ]			 exists.
                [ BDS_TOR_v4 ]			 exists.
                [ DMe_TOR_All_v4 ]		 exists.
                [ ET_TOR_All_v4 ]		 exists.
                [ PROJECT_TOR_EN_v4 ]		 exists.
                [ Alienvault_v4 ]		 exists.
                [ AS714_v4 ]			 exists.
                [ AS15169_v4 ]			 exists.
                
                ===[  Aliastables / Rules  ]==========================================
                
                No changes to Firewall rules, skipping Filter Reload
                No Changes to Aliases, Skipping pfctl Update
                
                ===[  Kill States  ]==================================================
                
                No matching states found
                
                ======================================================================
                
                 UPDATE PROCESS ENDED [ 06/15/23 17:23:30 ]
                
                M 1 Reply Last reply Jun 15, 2023, 9:38 PM Reply Quote 0
                • M
                  michmoor LAYER 8 Rebel Alliance @michmoor
                  last edited by Jun 15, 2023, 9:38 PM

                  As a workaround for now I created a floating rule and set it to the top. Then changed the rules processing order in pfblocker.
                  Maybe it's the better way to do it, but pfblockerNG is my preferred way of handling it, and IPv4 custom rules set up like this don't work.

                  Can anyone reproduce this on their end?

                  1 Reply Last reply Reply Quote 0
                  • S
                    stephenw10 Netgate Administrator
                    last edited by Jun 15, 2023, 9:49 PM

                    If you set it as block in pfBlocker does the rule get created?

                    I don't see that custom list in the update logs...

                    M 1 Reply Last reply Jun 15, 2023, 10:15 PM Reply Quote 0
                    • M
                      michmoor LAYER 8 Rebel Alliance @stephenw10
                      last edited by Jun 15, 2023, 10:15 PM

                      @stephenw10 It does not.

                      1 Reply Last reply Reply Quote 0
                      • S
                        stephenw10 Netgate Administrator
                        last edited by Jun 15, 2023, 10:23 PM

                        Ok, so it's probably not populating the list. Or it's not enabled or similar.

                        M 1 Reply Last reply Jun 15, 2023, 10:41 PM Reply Quote 0
                        • M
                          michmoor LAYER 8 Rebel Alliance @stephenw10
                          last edited by Jun 15, 2023, 10:41 PM

                          @stephenw10 Yeah, for some reason it just doesn't see the custom group. I'll open a redmine.

                          Also I do have a Ports Alias that I use in an Inbound Firewall rule in conjunction with GeoIP that's processed without issue.

                          1 Reply Last reply Reply Quote 0
                          • S
                            stephenw10 Netgate Administrator
                            last edited by Jun 15, 2023, 11:20 PM

                            This seems like it might just be the list isn't configured correctly. What is in that list apart from the custom firewall source?

                            M 1 Reply Last reply Jun 15, 2023, 11:23 PM Reply Quote 0
                            • S
                              stephenw10 Netgate Administrator
                              last edited by Jun 15, 2023, 11:23 PM

                              Yes, in fact re-reading this it looks like you might have created an empty list and just added the alias in the firewall rules section as a source to use?
                              That won't create any rules since nothing is actually listed.

                              You probably want to add the IPs directly in the 'IPv4 Custom_List' section.

                              M 1 Reply Last reply Jun 15, 2023, 11:44 PM Reply Quote 1
                                • M
                                  michmoor LAYER 8 Rebel Alliance @stephenw10
                                  last edited by michmoor Jun 16, 2023, 12:02 AM Jun 15, 2023, 11:44 PM

                                  @stephenw10 Ok I see what you mean now. My logic was faulty.
                                  But when I add it to the custom IPv4 list those IPs show up as Destinations. I suppose setting it to Alias Native would work, but is there any way to have the IPs listed in my field set to source?

                                  EDIT: Figured it all out...
                                  Going out for a drink. haha.
                                  @stephenw10 @SteveITS Appreciate y'all

                                  EDIT2: For future me or anyone else who looks back at this.

                                  1. Create the custom group with the IPv4 Custom_List IPs.
                                  2. Set to Alias Permit
                                  3. Under Floating Rules, create a Pass rule.
                                  4. Set the Firewall Auto Rule Order to pfSense Pass...
                                  5. Adjust accordingly.

                                  My rule is at the top exactly where I needed it to be.

                                  1 Reply Last reply Reply Quote 1
                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by Jun 16, 2023, 11:37 AM

                                    Yup, that's probably how you'd have to do it.

                                    My only concern there is that the pfBlocker auto-rules might get moved above that when they are reloaded. You should check that.

                                    M 1 Reply Last reply Jun 16, 2023, 1:33 PM Reply Quote 0
                                    • M
                                      michmoor LAYER 8 Rebel Alliance @stephenw10
                                      last edited by Jun 16, 2023, 1:33 PM

                                      @stephenw10 Still at the top of the rule set.

                                      I made sure to make the following change overnight.

                                      1 Reply Last reply Reply Quote 1
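Two things in this thread are worth verifying from the pfSense shell rather than trusting the GUI: that the custom IPv4 list actually has entries (an empty list generates no rule, which was the root cause here), and that the floating Pass rule for the bypass alias is still evaluated before pfBlockerNG's auto block rules after each reload (stephenw10's concern above). The script below is an added example written for this page; it is not code from the thread, from pfSense or from pfBlockerNG. It embeds constructed samples of `pfctl -t TABLE -T show` and `pfctl -sr` output so it runs offline; on a live box you would pipe the real command output into the same functions. The table name `pfB_Bypass_v4` is an assumed placeholder (pfBlockerNG names its tables `pfB_<AliasName>_v4`), so substitute your own alias name.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or pfBlockerNG.
# Two post-reload checks driven by constructed sample output:
#   1. is the custom-list table populated?        (live: pfctl -t TABLE -T show)
#   2. does the floating pass rule for the bypass table still sit above
#      every pfBlockerNG block rule?              (live: pfctl -sr)
# pfB_Bypass_v4 is an assumed placeholder table name (pattern: pfB_<AliasName>_v4).

BYPASS_TABLE="${BYPASS_TABLE:-pfB_Bypass_v4}"

# Constructed sample of `pfctl -t pfB_Bypass_v4 -T show` for a populated list.
SAMPLE_TABLE='   192.0.2.10
   198.51.100.0/24'

# Constructed sample of `pfctl -sr`: bypass pass rule loaded above the
# pfBlockerNG auto block rules (the desired state after "pfSense Pass" ordering).
SAMPLE_RULES_GOOD='pass in quick on em0 inet from <pfB_Bypass_v4> to any flags S/SA keep state label "USER_RULE: pfB_Bypass_v4 permit"
block drop in quick on em0 inet from <pfB_Spamhaus_Drop_v4> to any label "USER_RULE: pfB_Spamhaus_Drop_v4 auto rule"
block drop in quick on em0 inet from <pfB_Talos_BL_v4> to any label "USER_RULE: pfB_Talos_BL_v4 auto rule"
pass in quick on em0 inet from any to any flags S/SA keep state label "USER_RULE: lan to any"'

# Constructed sample where a reload put an auto block rule back on top.
SAMPLE_RULES_BAD='block drop in quick on em0 inet from <pfB_Spamhaus_Drop_v4> to any label "USER_RULE: pfB_Spamhaus_Drop_v4 auto rule"
pass in quick on em0 inet from <pfB_Bypass_v4> to any flags S/SA keep state label "USER_RULE: pfB_Bypass_v4 permit"'

# Count non-empty entries in `pfctl -t TABLE -T show` output passed as $1.
# An empty list yields 0, and pfBlockerNG generates no rule for it.
table_entry_count() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Inspect `pfctl -sr` output passed as $1 (pf evaluates "quick" rules top-down).
# Exit status: 0 = bypass pass rule precedes every pfB_ block rule
#              1 = no pass rule references the bypass table at all
#              2 = a pfB_ block rule is evaluated before the bypass pass rule
check_bypass_order() {
    printf '%s\n' "$1" | awk -v tbl="<${BYPASS_TABLE}>" '
        /^pass/  && index($0, tbl)     && !pass_line  { pass_line  = NR }
        /^block/ && index($0, "<pfB_") && !block_line { block_line = NR }
        END {
            if (!pass_line) exit 1
            if (block_line && block_line < pass_line) exit 2
            exit 0
        }'
}

# Stand-alone run over the constructed samples.
main() {
    echo "entries in ${BYPASS_TABLE}: $(table_entry_count "$SAMPLE_TABLE")"
    rc=0; check_bypass_order "$SAMPLE_RULES_GOOD" || rc=$?
    echo "good ruleset: exit code $rc (0 = bypass rule is on top)"
    rc=0; check_bypass_order "$SAMPLE_RULES_BAD" || rc=$?
    echo "bad ruleset: exit code $rc (2 = a pfB_ block rule comes first)"
}

main
```

On a live firewall the same checks are `pfctl -t pfB_Bypass_v4 -T show | awk 'NF{n++} END{print n+0}'` and `check_bypass_order "$(pfctl -sr)"`; running the second one from a cron job after pfBlockerNG's scheduled update is a cheap way to catch the rule order silently changing.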