How to deny all except a particular country using pfblockerNG 3.2.0.6 in pfsense 2.7.0?
-
Dear Users,
I would like to block all inbound traffic from all world countries except for a particular one.
How can I do it in pfSense 2.7.0 using pfBlockerNG 3.2.0.6 without having to block each country individually in the Firewall/pfBlockerNG/IP/GeoIP management page?
Thank you in advance.
Mauro
-
@mauro-tridici
From the GeoIP page of pfBlockerNG:
"pfSense by default implicitly blocks all unsolicited inbound traffic to the WAN interface. Therefore adding GeoIP based firewall rules to the WAN will not provide any benefit, unless there are open WAN ports."
I myself block outbound traffic by blocking my LAN segments and OpenVPN Server and WireGuard Server.
-
@mauro-tridici You’re two pfSense versions behind.
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
Answer: don't. Allow only the desired country. Create an IPv4 tab alias using "GeoIP" and it will autocomplete the country code. Of course, set up MaxMind first, and you may need to run a pfB update for the autocomplete to work.
-
Yup that's the most important thing to realise here: allow the traffic you want; block everything else by default.
Some users make the mistake of adding block rules for all other countries and that creates a huge number of rules using a lot of resources.
-
Hello everyone,
many thanks for your replies.
I just updated pfSense to the latest available stable version 2.7.2.
pfBlockerNG is up to date now (v3.2.0.8), but it is not clear to me how to create the alias you mentioned and how to use it. Could you please help me to complete this task?
Thanks again,
Mauro
-
@mauro-tridici Create an alias with your country or countries you want to allow, and/or any other IPs.
This is the alias that is allowed to talk to my Plex server. See, I allow US IPs, and also Morocco because I have a family member currently living there. Then some other IPs that are used to check if my Plex server is up and, if not, warn me.
The reason for the other lists is that some of those IPs are not always from the US. Many monitoring services use IPs from all over the planet to make sure your service is up.
The one labeled PlexRemoteCheck is a list Plex puts out for the IPs that validate your server is available remotely, and it can include IPs outside the US as well.
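What the advice in this thread (allow the one country, let the default deny handle the rest, and add any extra monitoring IPs to the same allow list) reduces to at the packet-filter level, as an added example: this is a hand-written pf.conf fragment, not text from the thread and not pfSense's generated ruleset. The interface name em0, the internal host 192.0.2.10, the alias/table names pfB_Allow_IT and PlexRemoteCheck, the table file paths, and the 198.51.100.0/24 monitoring range are all assumptions chosen for illustration.

```pf
# Added example: default-deny inbound on WAN plus a single allow rule
# sourced from a GeoIP alias table. Names, addresses and paths below are
# hypothetical; pfBlockerNG writes alias tables to files, and the file
# path here is assumed for illustration.
wan      = "em0"          # assumed WAN interface
plex_srv = "192.0.2.10"   # assumed internal host (TEST-NET-1 address)

# Country allow list: the GeoIP alias pfBlockerNG maintains for the
# chosen country. 'persist' keeps the table defined even when the file
# is temporarily empty, so the pass rule never silently vanishes.
table <pfB_Allow_IT>   persist file "/var/db/aliastables/pfB_Allow_IT.txt"

# Extra sources that are NOT in that country: an uptime-monitoring range
# (constructed, 198.51.100.0/24) and the vendor's remote-check list.
table <PlexRemoteCheck> persist file "/var/db/aliastables/PlexRemoteCheck.txt"
table <Monitoring>      persist { 198.51.100.0/24 }

# Default deny. Everything inbound on WAN that no later rule passes is
# dropped and logged; this single rule is what makes per-country block
# rules unnecessary.
block in log on $wan all

# The only inbound hole: the published port, reachable from the allowed
# country and the two extra lists. 'quick' stops evaluation on match.
pass in quick on $wan inet proto tcp \
    from { <pfB_Allow_IT>, <PlexRemoteCheck>, <Monitoring> } \
    to $plex_srv port 32400 \
    flags S/SA keep state

# What the thread warns against (kept commented out): one block rule and
# table per other country. Every one of these is redundant with the
# default deny above and only costs rules, tables and reload time.
# block in quick on $wan from <pfB_Block_US> to any
# block in quick on $wan from <pfB_Block_FR> to any
# ... one line per remaining country
```

The check a practitioner wants after the rules load is whether a given source address actually lands in the allow table; on a pf host that is `pfctl -t pfB_Allow_IT -T test 203.0.113.5`, which reports whether the address matches an entry, and `pfctl -t pfB_Allow_IT -T show | wc -l` confirms the GeoIP file was populated at all, since an empty table makes the pass rule match nothing and the default deny then blocks the country you meant to allow.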