pfBlockerNG granular inbound and outbound rules
-
I am running pfSense as a multi-tenant solution, with each tenant having its own isolated VLAN.
Each tenant is assigned a public IP address for inbound rules going to its app server.
I am trying to figure out how to set up separate inbound and outbound rules for each client via GeoIP.
The pfBlockerNG rule set is global and not per rule/network. I want to set up each client that requires different GeoIP locations. For example, US inbound only, Canada inbound only, same for outbound.
The advanced inbound settings let you make aliases, but they are limited to adding rules only for that destination.
Example inbound rules I am trying to create:
- inbound rule from UK only to tenant 1
- inbound rule from US only to tenant 2
- inbound rule from CA only to tenant 3
-
@durwinius You need to disable pfBlocker's automatic rules, and instead have it create Alias allow/deny lists. Once Force Update has been run, those aliases will be visible under Aliases on your firewall, and you can create the needed rules on each interface at your own leisure and priority.
-
One note on the difference between Alias Deny and Alias Native: IIRC, if deduplication is enabled, pfB will dedupe across lists, which may give unexpected results if there are overlaps.
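An added example (not from any post in this thread, and not pfBlockerNG's own code) that models what the two replies above describe: per-country aliases feeding per-interface, per-tenant rules, and the effect of cross-list deduplication on such rules. The country prefixes, tenant addresses, interface names and alias names (pfB_UK_v4 and so on) are constructed for illustration, and the dedup behaviour modelled (a prefix already emitted by an earlier list is dropped from later lists) is an assumption based on the reply, not verified pfBlockerNG behaviour.

```python
"""Model of per-tenant GeoIP rules built from pfBlockerNG-style aliases.

Constructed example. Country lists use documentation/benchmark ranges, not
real GeoIP data. Dedup semantics (first list wins) are an assumption.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed per-country lists, in the order pfBlockerNG would process them.
# 198.51.100.0/24 deliberately appears in both the UK and US lists (overlap).
COUNTRY_LISTS: Dict[str, List[str]] = {
    "pfB_UK_v4": ["198.18.0.0/24", "198.51.100.0/24"],
    "pfB_US_v4": ["198.19.0.0/24", "198.51.100.0/24"],
    "pfB_CA_v4": ["100.64.0.0/24"],
}


def build_aliases(lists: Dict[str, List[str]], dedup: bool):
    """Return alias name -> list of networks.

    With dedup=True a prefix that was already emitted by an earlier list is
    dropped from later lists (assumed first-list-wins behaviour)."""
    seen = set()
    aliases = {}
    for name, cidrs in lists.items():
        nets = []
        for cidr in cidrs:
            net = ip_network(cidr)
            if dedup and net in seen:
                continue
            seen.add(net)
            nets.append(net)
        aliases[name] = nets
    return aliases


# Per-interface rules written by hand once the aliases exist (constructed).
# pfSense evaluates rules on the interface where traffic enters, so a tenant's
# outbound policy is a rule on its VLAN interface keyed on the destination
# alias. Destinations are the tenant app servers; NAT is out of scope here.
RULES = [
    {"iface": "WAN", "dst": "203.0.113.10", "src_alias": "pfB_UK_v4"},    # tenant 1 in: UK only
    {"iface": "WAN", "dst": "203.0.113.20", "src_alias": "pfB_US_v4"},    # tenant 2 in: US only
    {"iface": "WAN", "dst": "203.0.113.30", "src_alias": "pfB_CA_v4"},    # tenant 3 in: CA only
    {"iface": "VLAN10", "src": "10.10.0.0/24", "dst_alias": "pfB_UK_v4"},  # tenant 1 out: UK only
]


def evaluate(aliases, rules, iface: str, src: str, dst: str) -> str:
    """First-match evaluation of the rules bound to `iface`; default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r["iface"] != iface:
            continue
        if "src_alias" in r and not any(s in n for n in aliases[r["src_alias"]]):
            continue
        if "dst_alias" in r and not any(d in n for n in aliases[r["dst_alias"]]):
            continue
        if "src" in r and s not in ip_network(r["src"]):
            continue
        if "dst" in r and d != ip_address(r["dst"]):
            continue
        return "pass"
    return "block"


def dedup_effect():
    """Verdict for a source in the overlapping prefix reaching tenant 2,
    with dedup off and then on. The prefix survives only in the UK alias
    after dedup, so tenant 2's US-only rule no longer matches it."""
    off = evaluate(build_aliases(COUNTRY_LISTS, False), RULES, "WAN", "198.51.100.7", "203.0.113.20")
    on = evaluate(build_aliases(COUNTRY_LISTS, True), RULES, "WAN", "198.51.100.7", "203.0.113.20")
    return off, on


if __name__ == "__main__":
    print("dedup off/on for overlapping prefix -> tenant 2:", dedup_effect())
```

The practical check this suggests: after a Force Update, compare the alias tables for any prefix you expect in more than one country list; if dedup is on, it will be present in only the first list that carried it, and a per-tenant rule referencing a later alias will silently miss that range.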