Netgate Discussion Forum

    Not able to whitelist a particular IP

    General pfSense Questions
    4 Posts 2 Posters 229 Views
    diehard_02

      hello,

      I need some help here. I have pfSense+ with pfBlockerNG + Snort installed. I do have some basic configurations and rules. But I do have an IP address that, it doesn't matter what I do (created rules, put on very top, whitelisted within pfBlocker) and nothing, I cannot get this website to open. The IP for this address is: 71.19.251.70. Could anybody help me, please?

    Gertjan @diehard_02

        @diehard_02

        You were able to visit that site with pfSense, and now you've added some tools and you can't visit the site?

        pfBlockerNG shows what IP it blocked.
        pfBlockerNG, by itself, when you install it, does nothing. When you start to add IP lists (that contain the IP of the site you want to visit) and you then set up that list to be used to block connections going outside, then yeah, then you get what you are looking for.

        If you use DNSBL, visit Firewall > pfBlockerNG > Alerts and look up the host name of the site.

        If you use IP lists, remove them all, and re-add them one after the other. As soon as pfBlocker starts to block, you've found the list where you have to place your whitelist.
        Or open every IP list, and look for the IP yourself.

        Snort: that's way over my pay grade, that's an expert filter tool; can't tell anything about that one.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

      diehard_02 @Gertjan

          @Gertjan Thanks for the reply. I was able to find this IP being blocked by the pfB_PRI1_v4. It doesn't matter adding that IP to the whitelist, it remains blocked.... Not sure what to do anymore.... I will keep trying.
          Appreciate it.

        Gertjan @diehard_02

            @diehard_02

            Normally, I don't use IP block lists, as I don't need a tool that forbids me to go somewhere, if I don't want to go there in the first place.

            But ok - let's install pfB_PRI1_v4 :

            ee4fdc0a-9804-4b9c-abf9-62c0f0d171b6-image.png

            and activate it so it blocks outbound connections :

            80c4f7c2-b068-4e3d-b0bb-a86e8f85d987-image.png

            After a Force reload :

            c95b3e02-c7e7-4a0d-a9ba-5c0a53d8cb64-image.png

            all is set up : I now have a floating rule that blocks all IPv4 addresses/networks that are in the list :

            f1edc018-bb9d-48bf-a73a-1d7f49945496-image.png

            Let's look at the list : https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

            0f44c70c-ca51-43e2-ac92-88649fce2947-image.png

            and take the very first IP (IP? not the network !) as an example :

            I take a browser, and go to :

            2e5e5021-d9de-41fb-9a5e-d17238d825ac-image.png

            and sure enough, after some time :

            44562a39-7245-4e82-ace1-76fc5d735744-image.png

            The pfBlockerng alert tells me the same thing :

            d45d24e7-30ac-41c5-b65b-702bf3f97a87-image.png

            and under IP Block stats I see the same thing : my PC, 192.168.1.6, was blocked when it tried to access 1.10.16.1 :

            53c6353f-7329-4e81-a73b-a7011738b82b-image.png

            Ok, I add this IP to the white list of this feed :

            Click on the black round + symbol :

            f1d49b39-94b8-4b63-b71a-1c40fb03b205-image.png

            You are probably asked if a whitelist should be created, and if you want to add a comment, etc.

            Now I wind up on this page :

            afcd7a72-afcf-4291-ad17-1021dc603c44-image.png

            and at the bottom I can see that "10.16.10.1" was added.
            Save this page.

            When force reloading, I can see that I have the original feed, and the whitelist :

            5a12009a-df70-4163-8d6c-3388f47584db-image.png

            Sure enough, 10.16.10.1 wasn't a web server, so my browser still can't connect to it, but this IP isn't blocked anymore.
            When I visit it again, the IP block counter doesn't rise = the IP wasn't blocked by pfSense.

            edit :

            Just to be sure, as this is not a click contest, but we're still managing a firewall the old classic way :

            bbb8e55d-8c3e-42e9-b44a-a1534e39b2bb-image.png

            Check that the new Whitelist or permit rule is above the block rule.
            My white list rule has taken 'hits' :

            ca77e322-0a9c-4ab9-b99e-4438cdec4368-image.png

            which means that the rule (with just one IP in it) matched outgoing traffic : that was me trying to contact 10.16.10.1 with my browser.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

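The reply above suggests two manual checks when a whitelisted IP stays blocked: open every IP list and look for the IP yourself, and mind the difference between a host entry and a network entry that happens to cover the IP. The following script is an added example, not code from the thread or from pfBlockerNG: it parses plain-text lists in the one-entry-per-line layout used by feeds such as emerging-Block-IPs.txt (IPs or CIDRs, `#` comments) and reports which feed entries cover a given IP, whether each is a host or a network entry, and whether the whitelist covers the IP as well. The feed and whitelist contents are constructed for the example. How pfBlockerNG itself resolves a whitelist entry against a covering network is not modelled here; for that, the Alerts and IP Block stats pages shown in the thread remain the place to look.

```python
import ipaddress

# Constructed sample feed in the layout of a plain IP block list
# (one IP or CIDR per line, '#' comments). Not entries from any real feed.
SAMPLE_FEED = """\
# constructed block list
1.10.16.1
10.16.10.0/24
71.19.251.70
203.0.113.0/24
"""

# Constructed whitelist in the same layout.
SAMPLE_WHITELIST = """\
# constructed whitelist
71.19.251.70
"""


def parse_list(text):
    """Return (network, original_line) pairs from a plain IP list.

    Bare IPs become /32 (or /128) networks so every entry is tested the
    same way; malformed lines are skipped instead of aborting the check.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        entries.append((net, line))
    return entries


def entry_kind(net):
    """'host' for a single-address entry, 'network' for anything wider."""
    return "host" if net.prefixlen == net.max_prefixlen else "network"


def matching_entries(ip, entries):
    """All list entries that cover `ip`, as (original_line, kind) pairs."""
    addr = ipaddress.ip_address(ip)
    return [
        (line, entry_kind(net))
        for net, line in entries
        if net.version == addr.version and addr in net
    ]


def check_ip(ip, feed_text, whitelist_text):
    """Summarise why `ip` would be matched by a feed and what the whitelist covers."""
    blocked_by = matching_entries(ip, parse_list(feed_text))
    whitelisted_by = matching_entries(ip, parse_list(whitelist_text))
    return {
        "ip": ip,
        "blocked_by": blocked_by,
        "whitelisted_by": whitelisted_by,
        # A host entry is what the '+' whitelist button in the thread adds;
        # a network entry covering the IP is the case worth a second look.
        "covered_by_network": any(kind == "network" for _, kind in blocked_by),
    }


if __name__ == "__main__":
    for candidate in ("71.19.251.70", "10.16.10.1", "8.8.8.8"):
        result = check_ip(candidate, SAMPLE_FEED, SAMPLE_WHITELIST)
        print(f"{candidate}: blocked_by={result['blocked_by']} "
              f"whitelisted_by={result['whitelisted_by']} "
              f"covered_by_network={result['covered_by_network']}")
```

Run it against the actual list files pulled from the pfBlockerNG feed directory instead of the constructed strings to see, per feed, whether the IP appears as its own entry or only inside a wider network.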
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.