Can you force a rule to apply before floating rules and hold its position?
-
@SteveITS Wow. So it's working. I'll delete the pfb rules in the firewall and just leave the alias and ... finished. What a long haul. THANK YOU so much for your help Steve.
-
@cdsJerry Nice. So the "Unbound.conf file missing" error is gone? Or maybe doesn't matter?
-
@SteveITS I still see the "Unbound.conf file missing. Exiting" error when I look at the log during a CRON update but I guess it doesn't matter.
HOWEVER.... pfb is still putting its firewall rules on the rule set, at the top. I had deleted them but it put them back when it runs the CRON. There's still something wrong. I have both the alias and the pfb rules. I have to be close. Do I need to set the pfb update to Disabled and just let the Alias do the updates?
-
@cdsJerry In Firewall/pfBlockerNG/IP/IPv4 what is Action set to for your entries? If you only want the alias then it should be Alias Native there.
Disabled would not generate the alias or download the list.
-
@SteveITS it is set for Alias Native with a Frequency of 12 hours.
BTW, it appears that it's now blocking a lot of valid traffic that it wasn't blocking before. For example the notice from this page was blocked. I only saw it after some of my vendors said their emails were bouncing back to them and I turned off pfBlocker. Once I turned it off I got a flood of emails so it's blocking a lot of traffic it never blocked before. I've had to disable it... the emails are still rolling in. At this point I'm afraid to turn it back on. It was blocking emails from all over the place including the USA. I don't understand why.
-
@cdsJerry Looking back above, the Top Spammers rules as I recall are just a poorly named entire-country list? Remove that one.
Not sure why it would be creating rules if all are set Alias Native. Which rules are being created? There are ways to use the Geo tab I think and create deny rules on that page, for instance...
-
@SteveITS That's what I was saying yesterday. If I have pfb enabled it's created both the alias AND the rules each time it updates.
And... I don't know what's happening that those rules are now blocking a lot of traffic to the mail server which were never blocked before. If I turn off pfb the emails come rolling in. I hadn't changed any of the countries etc in pfb so why the change?
It all seems so random. It never does what I expect it to do.
-
@cdsJerry If it's set to create the rules, it will also create the alias.
However if it's set to Alias Native it should not create rules.
Can you double check all four pfB tabs under IP are Alias Native?
re: mail server, post your pfB and/or port 25 WAN rules?
-
@SteveITS Under firewall/pfblocking/ip/ I don't have all four in use.
IPV4 has only one item, it's set to Alias Native
IPV6 Nothing defined
GeoIP has a list but there are no aliases?
Reputation - nothing entered.
And under reputation
The mail port rule is pretty straight forward and hasn't been changed in ages.
-
@cdsJerry All those Deny Inbound lines on the Geo tab will create rules. And if you receive mail from a server there it would be blocked.
You can change those to Alias Native, or else on the IPv4 tab create them yourself using country codes:
and:
I can't find a post in a quick search but as I mentioned above I think I've read here that Top Spammers is just a list of entire countries and nothing to do with actual spam. Disable that and see if your mail flows better.
-
@SteveITS For the most part I'm OK with blocking entire countries. I've de-selected the countries where we get valid traffic. But... why is it now suddenly blocking valid mail from all over the place when it wasn't blocking that email just two days ago when I didn't change any of those countries? I changed IPv4 to Native Alias then inserted that alias as a rule... that's all. The rest of the settings were unchanged so why the big change in traffic?
Is it because of the source definitions in the pfb alias? What's a better way to do that?
-
@cdsJerry If you're logging the block you can try to match up the IP with an alias. It might be easier to look it up at a site like iplocation.net to get the country.
re: Top Spammer, here is a thread about that list being the entire country. I couldn't find the original discussion I read.
https://forum.netgate.com/topic/186355/geoip-top-spammer-italy-lists-is-the-same-of-all-ips-of-europe-italy-lists
-
@SteveITS I think the problem is the alias in pfblocker. pfSense blocks everything by default so you have to go and open things up to allow them to pass. The alias in pfBlocker has a source of US and US_rep. Effectively it's saying if the traffic isn't coming from the US, block it.
So none of the other GeoIP settings are making any difference because the traffic is blocked before it would even get evaluated by GeoIP. I don't think this alias is doing what we're wanting it to do, which is be a placeholder for all the GeoIP country settings instead of having each one generated and added to the top of the Rules set.
-
@cdsJerry The rules process in order. Are you using NAT for the mail server? If so can you post the NAT rules for it? The firewall rules posted above don't have a source.
Ultimately it sounds like you want to allow mail from only US mail servers? So then either the firewall rule or NAT rule would have a source of the US alias.
I would suggest using a third party spam filter, and then only allowing inbound from the spam filter IPs. But that isn't going to refuse mail coming from servers in other countries.
Also note Geo IP isn't necessarily 100% accurate. MaxMind updates once a month IIRC, and IPv4 space gets bought and sold a lot now.
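The first-match ordering Steve describes, as an added illustration (not code from this thread or from pfBlockerNG): a tiny pf-style evaluator showing why a Geo "Deny Inbound" auto-rule placed above the port 25 rule blocks mail the Alias Native setup lets through, and why a pass rule whose source is only the US alias drops everything else. Alias names and addresses are constructed.

```python
import ipaddress

# Constructed sample aliases standing in for pfBlockerNG-generated lists
# (hypothetical names; real lists hold thousands of networks).
ALIASES = {
    "pfB_US_v4": ["198.51.100.0/24"],
    "pfB_Europe_v4": ["203.0.113.0/24"],
}

def rule(action, src_alias=None, dst_port=None):
    """A simplified WAN rule: optional source alias, optional destination port."""
    return {"action": action, "src_alias": src_alias, "dst_port": dst_port}

def matches(r, src_ip, dst_port):
    if r["src_alias"] is not None:
        nets = (ipaddress.ip_network(n) for n in ALIASES[r["src_alias"]])
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            return False
    return r["dst_port"] is None or r["dst_port"] == dst_port

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; a packet matching nothing hits pfSense's default deny."""
    for r in rules:
        if matches(r, src_ip, dst_port):
            return r["action"]
    return "default-deny"

MAIL_RULE = rule("pass", dst_port=25)   # the long-standing port 25 rule, any source

# Case 1: a Geo tab "Deny Inbound" auto-rule re-inserted above the mail rule by the cron update.
AUTO_RULE_ON_TOP = [rule("block", src_alias="pfB_Europe_v4"), MAIL_RULE]

# Case 2: every tab set to Alias Native: no auto-rule, the alias only matters in rules you write.
ALIAS_NATIVE_ONLY = [MAIL_RULE]

# Case 3: the only port 25 pass rule has the US alias as its source.
US_SOURCE_ONLY = [rule("pass", src_alias="pfB_US_v4", dst_port=25)]

def us_mail(rules):   # constructed US sender
    return evaluate(rules, "198.51.100.7", 25)

def eu_mail(rules):   # constructed European sender
    return evaluate(rules, "203.0.113.9", 25)

if __name__ == "__main__":
    for name, rs in [("auto-rule on top", AUTO_RULE_ON_TOP),
                     ("alias native only", ALIAS_NATIVE_ONLY),
                     ("US-source pass only", US_SOURCE_ONLY)]:
        print(f"{name:20} US mail: {us_mail(rs):13} EU mail: {eu_mail(rs)}")
```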
-
@SteveITS My pfsense is running in pass through mode. It's not acting as a router. It's simply a firewall. Traffic passes through it (if allowed) to the servers behind it. I understand that's a bit of an unusual setup but that's the way the expert set it up originally. I no longer have access to him.
No, I'm not trying to restrict email to only the US. I get email from several countries around the world. What I do want to do is shut down most countries because mostly they just attack my servers. I have both email and web servers behind the firewall so all that traffic needs to pass. We do 99% of our business to US customers but we do have vendors in other countries and support often comes from other countries, as do our credit card clearing services.
We already run a 3rd party spam filter and it does a pretty decent job. But why allow all those countries where we don't have reason to connect to slam away on our servers? We'd rather just tell them to go away. But that doesn't mean everyone other than the USA. It's not that simple. Plus as you said, GeoIP isn't 100%.
So, I have always blocked a lot of countries while still allowing a few dozen in and it's worked pretty well until pfSense went nuts last week and then went insane and we had to start over. I'd be thrilled if I could just get back to where we were but restoring the configuration from the pre-mess doesn't seem to put us back to where we were. It seems not all the settings restore. And then of course there's the desire to put a couple rules stuck to the top of the rule set and that's what started all this mess in the first place.
I have a project I need to finish this week. I don't think I'll have time to circle back to this until Tuesday.