pfBlockerNG "broke" the firewall . . .
-
This is going to sound nuts but please bear with me. I've been running pfSense for years. Yesterday I built a new box (2.7.2) and migrated my aliases, NAT, rules (not extensive), DHCP, and a couple other things. This was to have a bigger disk so I could start doing pfBlockerNG. I host a mail server, personal cloud, media library, etc. at home. I turned it up using primarily this link. I've been an IT professional for over 2 decades, using FWs from Novell to Sidewinder to PIX to ASA to Check Point. I'm not a noob . . . :-)
All that said, I started seeing pfB IPv4 blocks for all kinds of ports so I created a network alias of my inbound ports (25, 587, 465, 143, 443, etc.) and applied that as a custom DST for TCP/UDP (try to cut the noise for ports that aren't even allowed). I still saw the blocks on all kinds of other ports. At the same time, one of the main goals was to cut down on the crap hitting my SMTP server but I'm still seeing that. As an example, I blocked Malaysia yet still see a Malaysian address keep hitting me. I also had a basic rule I had created previously to block a few annoying networks. I added the specific address to that rule and STILL the traffic got through. Finally I shut down pfB and now that address is getting blocked by my rule. It appears that even though the rule was above the auto-created pfB rules it had no effect. I'm completely stumped. pfB completely upset my apple cart and I don't know why. I tried in both "floating" and "non-floating" rules but no diff.
I'm sorry to ask such a broad question but I don't know where to start. Does any of this ring a bell with anyone? Enabling pfB stops some rules from working (even if they are higher in non-floating mode) and it seems to ignore the custom DST ports? pfB shut off and the FW starts acting "normal." Again, this is a fresh build with only the bare minimum brought over, on VMware, 3 NICs (WAN, LAN, DMZ), and a 60GB hard drive.
Any help is sincerely appreciated. If I can share more helpful info please let me know.
-
@willyd Generally you should just avoid using autogenerated rules in pfBlocker - it gets very “noisy” and very difficult to predict what will actually happen.
You should instead set all your custom lists, geo list, and feed based lists to ALIAS mode instead. That way pfBlocker will create the ALIAS lists with the proper content for you, but to actually use them, you have to create rules yourself. That way you get to use them as you best see fit in your rules, in the rule order you prefer.
-
I'll look into alias mode. That may be a better plan.
Update on my testing. I re-enabled pfB but disabled the GeoIP stuff, only leaving the IPv4 blocklists. That seemed to work (saw some log entries) but then my custom "blacklist" rule stopped working. When I went and watched the firewall rules reload it died with an entry of "cannot define table bogonsv6: Cannot allocate memory." A quick search led me to question the table limit (was at 400K) so I upped it to 1mil and reloaded the rules. Seems to be working now. I'll keep plugging along with smaller unit testing.
Thanks!
-
@willyd Old advice I'd seen was, if using pfBlocker, set that to 2m and increase if necessary. It has to hold all the lists.
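An added example, not part of the thread and not code from pfSense or pfBlockerNG: a POSIX shell script that sizes the Firewall Maximum Table Entries setting (System > Advanced > Firewall & NAT) the way the two posts above describe, by comparing the hard limit reported by `pfctl -s memory` against the summed entry counts of every table, and that pulls the "cannot define table" failure out of a filter-reload log. The point worth checking is that pf loads a ruleset as a unit: when one table cannot be allocated the whole reload fails and the previous ruleset stays active, which is why a freshly added custom rule appears to do nothing. All `pfctl` output, table counts and log lines below are constructed samples; the headroom fraction of 25% is an assumption, not a pfSense value.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfBlockerNG/pfSense.
# Estimates whether the Firewall Maximum Table Entries limit can hold every
# pf table, and scans a filter-reload log for the "cannot define table"
# failure seen in the thread. All sample input below is constructed; on a
# real firewall you would feed it `pfctl -s memory`, per-table counts from
# `pfctl -t NAME -T show | wc -l`, and the system log.

# Constructed sample of `pfctl -s memory`; "table-entries" is the hard limit
# that the Firewall Maximum Table Entries setting controls.
SAMPLE_PFCTL_MEMORY='states        hard limit   394000
src-nodes     hard limit   394000
frags         hard limit     5000
table-entries hard limit   400000'

# Constructed per-table entry counts, one "name count" pair per line.
SAMPLE_TABLE_COUNTS='bogons 2500
bogonsv6 160000
pfB_Top_v4 210000
pfB_PRI1_v4 45000
my_blacklist 12'

# Constructed log lines in the shape of a failed and a successful reload.
SAMPLE_LOG='Jan  1 10:00:01 fw php-fpm[123]: /rc.filter_configure_sync: There were error(s) loading the rules: /tmp/rules.debug:42: cannot define table bogonsv6: Cannot allocate memory
Jan  1 10:05:00 fw php-fpm[123]: /rc.filter_configure_sync: Done'

# Hard limit on table entries, parsed from `pfctl -s memory` text.
table_limit() {
  printf '%s\n' "$1" | awk '$1 == "table-entries" { print $4 }'
}

# Sum of all table entry counts.
total_entries() {
  printf '%s\n' "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# "ok" when the limit leaves at least 25% headroom (assumed figure) above
# the current total, "over" when the tables cannot fit at all, and "tight"
# in between. Arguments: limit total.
check_capacity() {
  awk -v limit="$1" -v total="$2" 'BEGIN {
    if (total > limit) print "over";
    else if (total * 1.25 > limit) print "tight";
    else print "ok";
  }'
}

# Names of tables that failed to load, one per line (empty if none).
failed_tables() {
  printf '%s\n' "$1" | sed -n 's/.*cannot define table \([^:]*\):.*/\1/p'
}

# Number of failed-table lines in the log (prints 0 instead of failing like
# `grep -c` would when nothing matches).
reload_error_count() {
  printf '%s\n' "$1" | awk '/cannot define table/ { n++ } END { print n + 0 }'
}

limit=$(table_limit "$SAMPLE_PFCTL_MEMORY")
total=$(total_entries "$SAMPLE_TABLE_COUNTS")
printf 'limit=%s total=%s status=%s\n' "$limit" "$total" "$(check_capacity "$limit" "$total")"
printf 'with limit 2000000: %s\n' "$(check_capacity 2000000 "$total")"
failed_tables "$SAMPLE_LOG" | sed 's/^/failed table: /'
```

With the constructed numbers the 400K limit reports `over` (417,512 entries will not fit, matching the bogonsv6 failure in the log), while a 2,000,000 limit reports `ok`; on a real box the same functions can be run after every feed update so the limit is raised before a reload fails rather than after a rule is noticed to be missing.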
-
Yeah, I'm thinking it was the table limit. Ever since bumping that, things have stayed stable. I've added back in a couple of the GeoIP categories and it has kept working. Thanks for the advice.
-
Is there such a thing as "closing" a topic on this forum?
-
@willyd said in pfBlockerNG "broke" the firewall . . .:
Is there such a thing as "closing" a topic on this forum?
No. You may be able to edit the title.