Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unresolvable source alias!

    Scheduled Pinned Locked Moved
    Firewalling
    5
    24
    11.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Antibiotic @Gertjan
      last edited by Antibiotic

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • G
        GPz1100 @SteveITS
        last edited by

        @SteveITS said in Unresolvable source alias!:

        @GPz1100 I think I’ve seen that occasionally on a restart but not all the time. I just run an update. You could set pfB to update more frequently…

        Steve, that's not really a viable solution either. Even if I set it update hourly, if the system should be restarted at the start of the hour, no emails would arrive for an hour.

        Generally the firewall is not restarted for weeks/months at a time, but the expectation is for it to be fully operational following a reboot.

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @GPz1100
          last edited by

          @GPz1100 Yeah I don't disagree with that. But it doesn't seem to be consistent for us, is it every restart for you?

          I always uninstall pfBlocker when upgrading, and even then the aliases sometimes survive the restart. So it just seems wildly inconsistent.

          Q: How are are you creating them? We use the IPv4 tab directly:
          fd237b68-ad42-4a06-a0d5-9685138c092d-image.png

          @Antibiotic said in Unresolvable source alias!:

          no reason to log which blocked already by default? to reduce spam log, is it?

          That is what we do. Logging of default block rules, RFC1918, etc. can be enabled if it is ever necessary, for debugging.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @SteveITS
            last edited by

            I meant to add, in our case we have an external spam filter we use for all our clients, so when we had a mail server on premises we could allow only those IPs to connect on port 25.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            G 1 Reply Last reply Reply Quote 0
            • G
              GPz1100 @SteveITS
              last edited by GPz1100

              @SteveITS

              It's happening on every single reboot (don't ask how many times i've rebooted to test). Pfblockerng is configured with the following (for now).

              97a96b76-0909-4579-adb5-a46c3aae10a1-image.png

              This is configured to apply under floating rules for wan (inbound) and lan interfaces (outbound). As I understand it, this is the first level of blocking.

              Assuming a sending mta passes the above filter, then under geoip, I only want to receive email domestic mta's. Geoip is configured to only permit US/CA mail servers. I understand geoip isn't 100% accurate. There is a 2nd mx for the domain where these other mx's can connect to.

              As for the issue at hand, I think I got it fixed. Using a cron @reboot job, a script containing the following is run.

              
sleep 120
/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update >> /var/log/pfblockerng/pfblockerng.log
sleep 2
/usr/local/bin/php -f /etc/rc.filter_configure

              I suppose this could also be a shellcmd, but that would pause the firewall bootup. This way the script waits til 2 min post reboot, then updates pfblockerng and does a forced filter reload. In typical operation, it's not likely a forced filter reload will be necessary as something in the pfblockerng update will likely be changed, causing it to request a filter reload any way. In testing, nothing changed, so filter reloads did not occur, thus not applying the updated alias.

              A 1 Reply Last reply Reply Quote 0
              • A
                Antibiotic @GPz1100
                last edited by

                @GPz1100 why action "deny both"! What the reason to block inbound, if its block by firewall itself?

                G S 2 Replies Last reply Reply Quote 0
                • G
                  GPz1100 @Antibiotic
                  last edited by

                  @Antibiotic I'm still finding my way around pfblocker and pfsense in general.

                  Good question. I still want to limit inbound port 25 to not only domestic mta's but also want to exclude harmful or those rated poorly.

                  How would I implement that?

                  1 Reply Last reply Reply Quote 0
                  • S
                    SteveITS Rebel Alliance @Antibiotic
                    last edited by

                    @Antibiotic said in Unresolvable source alias!:

                    why action "deny both"! What the reason to block inbound, if its block by firewall itself?

                    @GPz1100 is allowing port 25 inbound, but blocking the "bad people lists" is presumably above the rule allowing port 25.

                    If someone has no inbound NAT port forwards or firewall rules on WAN, then it is unnecessary to add more block rules.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    G 1 Reply Last reply Reply Quote 0
                    • G
                      GPz1100 @SteveITS
                      last edited by

                      @SteveITS

                      Exactly!

                      The question is, is it possible to create an alias containing nested aliases? For example, !PRI1 and pfB_NAmerica_v4? Meaning not in PRI1 list and in the NA list? Or would this still be two rules. I think the "quick" option would be applicable but that's available only for floating rules.

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        SteveITS Rebel Alliance @GPz1100
                        last edited by

                        @GPz1100 I don't know a direct answer to your question, but I would arrange the rules in order and not try to do that with aliases.

                        You can use Alias Native instead of Deny Both which only creates an alias, and does not create rules. Then you can create your own rules in whatever order you want.

                        Quick is on by default for all rules except floating rules. It just means, first match wins.
                        https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#quick

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post