Netgate Discussion Forum

Firewall rules question (pfBlockerNG)
    • telserv

      I'm just finishing recovering from a firewall hardware failure. That failure caused me to re-read the pfBlockerNG information, which is when I found that rather than block many countries, I should be allowing a few countries. Makes sense.

      My objective is to allow some ports from some countries. So how do I configure the rules? Allow countries rules (from pfBlockerNG) and then allow specific port rules below that? Or would that unblock every query from the allowed countries and never get down the rules list, to which ports I want to use?

      pfSense 2.7.2 and pfBlockerNG_devel 3.2.0_17

      • johnpoz (LAYER 8 Global Moderator), replying to telserv
        last edited by johnpoz

        @telserv here is how I do it. For example, for my Plex:

        [image: rule.jpg]

        I have some family living in Belgium currently, then some lists of stuff that checks if plex is online, and if not I get an alert. Then allowing US, where the rest of my users are located.

        I then use this alias I created in my port forward. So only the IPs in this alias are allowed to my plex.

        The Plex service that checks if your Plex is available remotely sometimes uses IPs that are not in the US. That s3-eu-west list is a list they put out. Same with the other check tools, HetrixTools, StatusCake and UptimeRobot: they check from IPs that are outside the US sometimes. So I need to allow those specific IPs that are outside my country of the US if I want them to work correctly.

        If all your different port forwards are going to allow the same list of IPs you could get away with just the 1 alias and just use the same alias in your port forwards for your different ports.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • ahking19, replying to johnpoz
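An added illustration (not from any poster in this thread) of the ordering question telserv raised: pfSense WAN rules are first-match, so a broad "allow these countries" rule placed above the port rules decides every packet from those countries before the port-specific rules are ever reached, while using the alias as the source of each port rule, as johnpoz describes, only opens the ports you intend. The alias networks are constructed stand-ins for pfBlockerNG tables, and 32400 is the Plex default port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample aliases standing in for pfBlockerNG "Alias Native" tables
# (real country tables contain thousands of networks).
ALIASES = {
    "pfB_US": ["203.0.113.0/24"],
    "pfB_BE": ["198.51.100.0/24"],
    "plex_checkers": ["192.0.2.10/32"],  # stand-in for s3-eu-west / uptime checkers
}
# One combined alias used as the source of the Plex port rule, as in the thread.
ALIASES["plex_allowed"] = ALIASES["pfB_US"] + ALIASES["pfB_BE"] + ALIASES["plex_checkers"]


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src_alias: Optional[str]    # None = any source
    port: Optional[int]         # None = any destination port


def matches(rule: Rule, src_ip: str, port: int) -> bool:
    if rule.port is not None and rule.port != port:
        return False
    if rule.src_alias is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[rule.src_alias])


def evaluate(rules, src_ip: str, port: int) -> str:
    """First-match evaluation: the first rule that matches decides the packet."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule.action
    return "block"  # pfSense default deny on WAN


# Ordering the poster asked about: country allow above the port rules.
BROAD_FIRST = [
    Rule("pass", "pfB_US", None),           # matches everything from the US
    Rule("pass", "plex_allowed", 32400),    # never reached for US sources
    Rule("block", None, None),
]

# What johnpoz describes: the alias is the source of the port-specific rule only.
SCOPED = [
    Rule("pass", "plex_allowed", 32400),
    Rule("block", None, None),
]
```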

          @johnpoz correct me if I'm wrong but you use "Alias Native" in pfBlocker to create your country alias lists right? Rather than allowing pfBlocker to automatically create the firewall rules.

          @telserv you will also need to create a MaxMind account to download the GeoIP data. There is a link on the pfBlocker GeoIP page.

          On the pfBlocker IP setup page you will need to input your MaxMind account info.

          • johnpoz (LAYER 8 Global Moderator), replying to ahking19

            @ahking19 correct, not a fan of auto rules.. I create my own aliases in pfblocker, and then use them in my rules how I want to use them.

            • telserv, replying to johnpoz

              @johnpoz Thank you for the detailed and quick reply! I'm still looking at it to ensure I understand.
              @ahking19 I did understand your message, and I created the firewall rules myself, as opposed to auto. Thank you.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.