Creating a rule to bypass pfBlocker
-
Hello,
I've tried for days to make it work but it won't. I have a service trying to use an SSL server located in a region that is currently being blocked by pfBlocker. In order to allow connection to the server, I have created an alias under Firewall > Alias and then used "networks" in the drop down list, entered the network address (i.e. abc.network.com) and selected CIDR as 32.
Then I saved and created a rule by doing Firewall > Rules
Action : Pass
Disabled: Unchecked
Interface: WAN
Protocol TCP
Source type: Single host or alias : my alias
Then saved.
Then I moved the rule to the top of the list in pfSense and clicked apply changes.
The servers still get blocked.
If I disable pfblocker, everything works as expected. Somehow the way I created the alias and the rule doesn't allow access to the servers.
What am I doing wrong???
-
Move that rule to the top of the rule list before the pfblocker rules. If you resave pfblocker you will have to move your rule before them again, as the resave will move the pfblocker rules back to the top.
-
Just for curiosity:
When you create an alias with domain "abc.network.com" do you have to select "Network" or do you have to select "Host"?
I would think using "host" is the correct one but I am not sure.
But what chpalmer said is absolutely correct. The rule you created must be on the top of all other rules on the WAN interface.
Source IP must be your alias.
-
-
Hi again,
I am unsure if I understand your question in the first post correctly. You wrote:
(…) I have a service trying to use a SSL server located in a region that is currently being blocked by pfBlocker. In order to allow connection to the server, (…)
So the question is:
a) Does the server on the internet establish a connection to your pfsense/network?
or
b) Do you want to connect to the server on the internet?
If the case is b) then pfblocker has nothing to do with that and you need to check your LAN firewall rules.
If it's case a) then make sure you have entered the correct FQDNs in the alias. Remember: facebook.com does not automatically resolve to apps.facebook.com.
For every domain and subdomain you need an additional entry in the Alias list.
PS: Your ALLOW rule "peak times" allows every traffic from everywhere when this rule/schedule is active. Your pfblocker rules cannot do anything while the peak rule is active. Just for your information.
-
b) Do you want to connect to the server on the internet?
It's a usenet server. My local client needs to connect to the servers.
If the case is b) then pfblocker has nothing to do with that and you need to check your LAN firewall rules.
I will check this and move (or re-create) the rule in the LAN rules. In the meantime, the rules I created are going back to the bottom of the list for no reason. See screenshot.
So now the topic splits into 2 questions, the second being about the "peak times" rule. So if I understand correctly, if the peak rule is NOT active, the pfblocker rules are NOT active? If so, this is a major deal breaker and needs to be fixed in subsequent pfsense revisions…
-
You misunderstood me.
Firewall rules work if they are in the correct order. The first rule which matches will be used.
So if your PEAK rule, which allows traffic from "any to any", is on the very top of all other rules and is active, then no other rules will take action because the "any to any" PEAK rule matches the traffic. It matches all kinds of traffic. Then no pfblocker rule which is below the PEAK rule can take action.
On your last screenshot your PEAK rule is below the pfblocker rules. This means if someone from Africa wants to connect then he will be blocked. No matter if the PEAK rule is active or not. Traffic from Africa will always be blocked.
So my question would be:
What is your intention with the PEAK rule? What should it do?
-
Hey Nachtfalke,
sorry buddy, I didn't understand well…
In a nutshell, I want to:
-have pfblocker rules ALWAYS active. They CANNOT be scheduled based or time based and must be protecting my network continuously.
-the "peak" rule is meant to limit bandwidth during certain periods of the day. My ISP doesn't count data usage between 2AM & 8AM so during that time span, I want pfSense to use the WAN's D/L & U/L speeds at maximum capacity. Otherwise, restrict to let's say 1Mbps D/L & 800Kbps U/L. I already have a schedule implemented and it's using limiters. So the real question is: should the Peak rule be on TOP of the list or somewhere else?
-Finally, the allowedaliases rule is meant to allow connectivity to & from the usenet servers I am trying to use. Likewise to the pfblocker rule, it should be permanent and continuously active.
What modifications do you suggest?
-
@lpallard
Now it's clear I think :)
The "allowedaliases" must be on TOP of the pfblocker rules. So the order should be this:
allowedaliases
pfblocker
peak
other rules
I think now we got it 8)
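To make the first-match point concrete, here is a small added example (not pfSense or pfBlocker code) that models an ordered rule list the way pf evaluates it, where the first matching rule wins and nothing below it is consulted. It compares the order suggested above (allowedaliases, pfblocker, peak) with the "peak on top" order from earlier in the thread, and also lists rules that can never match because an earlier rule covers them. The server addresses, the alias contents and the "blocked region" prefix are constructed from RFC 5737 documentation space; only 192.168.0.101 and the rule names come from the thread.

```python
"""First-match rule evaluation: why rule order decides what pfBlocker can do.

Added example, not pfSense or pfBlocker code. Models an ordered rule list with
first-match semantics and compares two orderings of the thread's rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: Sequence[str] = (ANY,)      # source networks in CIDR
    dst: Sequence[str] = (ANY,)      # destination networks in CIDR
    dport: Optional[int] = None      # destination port, None = any

    def src_nets(self):
        return [ipaddress.ip_network(n) for n in self.src]

    def dst_nets(self):
        return [ipaddress.ip_network(n) for n in self.dst]

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (any(s in n for n in self.src_nets())
                and any(d in n for n in self.dst_nets())
                and (self.dport is None or self.dport == dport))


def evaluate(rules: Sequence[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action, rule.name
    return "block", "default deny"


def _covers(outer, inner) -> bool:
    # True when every inner network lies inside some outer network
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def shadowed(rules: Sequence[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src_nets(), rule.src_nets())
                    and _covers(earlier.dst_nets(), rule.dst_nets())
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                dead.append(rule.name)
                break
    return dead


# Constructed sample data (RFC 5737 documentation space), not from the thread.
USENET_SERVERS = ("198.51.100.10/32", "198.51.100.11/32")  # contents of "allowedaliases"
BLOCKED_REGION = ("198.51.100.0/24",)                       # a pfBlocker list that contains them
CLIENT = "192.168.0.101"                                    # the LAN client from the thread


def wan_rules(order: str) -> List[Rule]:
    """The thread's three WAN rules in either the suggested order or with peak on top."""
    allowed = Rule("allowedaliases", "pass", src=USENET_SERVERS)
    pfb = Rule("pfblocker", "block", src=BLOCKED_REGION)
    peak = Rule("peak", "pass")                              # any-to-any schedule rule
    orders = {"suggested": [allowed, pfb, peak], "peak_on_top": [peak, pfb, allowed]}
    return orders[order]


if __name__ == "__main__":
    for order in ("suggested", "peak_on_top"):
        rules = wan_rules(order)
        print(order, "from a usenet server:", evaluate(rules, "198.51.100.10", CLIENT, 60025))
        print(order, "from elsewhere in the region:", evaluate(rules, "198.51.100.77", CLIENT, 22))
        print(order, "rules that can never match:", shadowed(rules))
```

With the suggested order the alias hosts pass, the rest of the region is blocked, and `shadowed()` reports nothing; with peak on top the any-to-any pass rule matches first, so both the pfBlocker block and the alias rule are dead and everything from the region is passed, which is the "dangerous" situation described later in the thread.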
-
And remember: anytime you click "Save" on the pfblocker screen it will move its rules back to the top on the firewall page.
-
Hmmm.. doesn't work.
I double checked my schedule, it seems OK to me.
I double checked the Alias, it is set to "Host(s)" with the FQDN addresses such as news.supernews.com.
I double checked the Traffic shaper > Limiter, and I have 2 limiter rules: one for incoming traffic, one for outgoing. Both are enabled and their rates are specified.
Right now I did not create any custom rules in LAN. pfBlocker created its own stuff but that's it. Earlier you had mentioned:
If the case is b) then pfblocker has nothing to do with that and you need to check your LAN firewall rules.
But before I installed pfBlocker, all was fine with the usenet servers. As a matter of fact, if I disable pfblocker, I can connect to the servers. I have even created a duplicate of the allowedaliases rule in the LAN list of rules and put it at the top before pfblocker's rules. Not helping either.
In the firewall logs I see:
pf: 192.168.0.101.60025 > 178.22.82.40.5563: Flags [S], cksum 0x45cd (correct), seq 3250693445, win 5840, options [mss 1460,sackOK,TS val 793546639 ecr 0,nop,wscale 6], length 0
Is this log entry relevant?
-
Do you use pfblocker on LAN or on WAN or on both?
In general you only use this on WAN - but probably you can use it on LAN, too.
Can you post your actual WAN and LAN rules?
For your allowedalias - you should enable the firewall log and check all relevant IPs and their DNS name to make sure you really got all the IPs in your alias. I suppose that "news.supernews.com" is the only URL needed.
-
I am using pfBlocker on WAN only. I will confirm when I get back home tonight but I am 99.99999% sure..
WAN rules I already posted in one of my posts above. Hasn't changed. LAN rules are identical (with the newly created allowedaliases rule on top) but other than that, it's the pfblocker rules. Again I will post a screenshot tonight.
I have enabled the FW logs for allowedalias. There are 4 usenet servers to be able to connect to. In the alias for these servers, I added all 4.
All I see in the logs are similar messages as posted before, with the IP address changing all the time (resolving to a cloud of servers I guess…). That's it. I don't know how to interpret these messages. The IP in bold below is the usenet server I am trying to connect to. This IP changes from time to time.
pf: 192.168.0.101.60025 > 178.22.82.40.5563: Flags [S], cksum 0x45cd (correct), seq 3250693445, win 5840, options [mss 1460,sackOK,TS val 793546639 ecr 0,nop,wscale 6], length 0
-
Attached are screenshots of both LAN & WAN rulesets.
This is what I see in pfsense's logs (firewall) when I try to connect to either one of the 4 servers:
Server 1 (eunews.blocknews.net):
pf: 192.168.0.101.44670 > 178.22.82.42.5563: Flags [S], cksum 0x417f (correct), seq 2814321279, win 5840, options [mss 1460,sackOK,TS val 36477375 ecr 0,nop,wscale 6], length 0
Server 2 (news.eu.supernews.com):
pf: 192.168.0.101.53238 > 138.199.67.30.563: Flags [S], cksum 0x6809 (correct), seq 927555493, win 5840, options [mss 1460,sackOK,TS val 36359922 ecr 0,nop,wscale 6], length 0
Server 3 (news.supernews.com): WORKED. Nothing appeared in Firewall logs.
Server 4 (usnews.blocknews.net):
pf: 192.168.0.101.34235 > 198.186.190.126.563: Flags [S], cksum 0x439c (correct), seq 2491495109, win 5840, options [mss 1460,sackOK,TS val 36460013 ecr 0,nop,wscale 6], length 0
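The lines above are the tcpdump-style rendering of pflog packets that pfSense shows in the firewall log. As an added example (not pfSense code, and not something anyone in the thread posted), the following script parses that format and reports, for each line, the endpoints, the destination service and whether the packet is a connection attempt leaving a LAN host (a bare SYN from a local address) or something arriving from outside. The sample input is the three log lines quoted in the post, with the `[S]` flag restored; the LAN prefix 192.168.0.0/24 is assumed from the 192.168.0.101 client, and the 5563 port label is an assumption based on the servers in the thread (563 is the IANA-registered nntps port).

```python
"""Parse pfSense firewall-log packet lines of the kind quoted in the thread.

Added example, not pfSense code. Pulls endpoints and TCP flags out of the
tcpdump-style pflog lines and classifies each packet by where it came from.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

LAN_NETS = [ipaddress.ip_network("192.168.0.0/24")]   # assumed from the client in the thread

# 563 is IANA-registered nntps; 5563 is labelled as an assumption: an alternative
# NNTPS port used by the servers in the thread, not a registered service.
PORT_NAMES = {563: "nntps", 5563: "nntps (alt port, assumed)"}

LINE_RE = re.compile(
    r"^pf:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
    r"\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Sample input: the three lines quoted in the post above (flags restored).
SAMPLE_LINES = [
    "pf: 192.168.0.101.44670 > 178.22.82.42.5563: Flags [S], cksum 0x417f (correct), "
    "seq 2814321279, win 5840, options [mss 1460,sackOK,TS val 36477375 ecr 0,nop,wscale 6], length 0",
    "pf: 192.168.0.101.53238 > 138.199.67.30.563: Flags [S], cksum 0x6809 (correct), "
    "seq 927555493, win 5840, options [mss 1460,sackOK,TS val 36359922 ecr 0,nop,wscale 6], length 0",
    "pf: 192.168.0.101.34235 > 198.186.190.126.563: Flags [S], cksum 0x439c (correct), "
    "seq 2491495109, win 5840, options [mss 1460,sackOK,TS val 36460013 ecr 0,nop,wscale 6], length 0",
]


def parse_pf_line(line: str) -> Optional[Dict[str, object]]:
    """Return src/sport/dst/dport/flags for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def classify(entry: Dict[str, object]) -> str:
    """Say whether the packet left a LAN host or arrived from outside, and if it is a bare SYN."""
    src_local = any(ipaddress.ip_address(entry["src"]) in n for n in LAN_NETS)
    syn_only = entry["flags"] == "S"
    if src_local and syn_only:
        return "lan-originated SYN (outbound connection attempt)"
    if src_local:
        return "lan-originated packet"
    if syn_only:
        return "inbound SYN from outside"
    return "inbound packet from outside"


def summarize(lines: List[str]) -> List[Tuple[str, str, int, str, str]]:
    """One (src, dst, dport, service, classification) row per parseable line."""
    rows = []
    for line in lines:
        e = parse_pf_line(line)
        if e is None:
            continue   # skip anything that is not a packet line
        rows.append((e["src"], e["dst"], e["dport"],
                     PORT_NAMES.get(e["dport"], "unknown"), classify(e)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Every quoted line comes out as a SYN leaving 192.168.0.101, so whichever rule logged it was evaluated on the interface where that traffic enters pfSense, the LAN side; the packet line itself does not say whether the rule passed or blocked, which is in the action column of the log view rather than in this text.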
-
dangerous setup there.
-
dangerous setup there.
Any way you can explain why?? What I am doing wrong? The rules you see were either:
created by a normal pfsense installation
created by pfblocker (pfblocker…)
created by me (allowedaliases)
-
@lpallard:
dangerous setup there.
Any way you can explain why?? What I am doing wrong? The rules you see were either:
created by a normal pfsense installation
created by pfblocker (pfblocker…)
created by me (allowedaliases)
Your last rule is allowing everything in on your WAN that isn't blocked by pfBlocker above that rule, which is dangerous.
You should only pass in the exact ports/IPs that you need, never pass everything in on WAN if you can help it.
-
Your last rule is allowing everything in on your WAN that isn't blocked by pfBlocker above that rule, which is dangerous.
The last rule being peakperiod right?
Nachtfalke said:
PS: Your ALLOW rule "peak times" allows every traffic from everywhere when this rule/schedule is active. Your pfblocker rules cannot do anything while the peak rule is active. Just for your information.
I believe he was saying exactly the same thing. Then I misunderstood him at that time.
Then I don't understand how to have the dangerous rule (peakperiod) active 24/7. This rule has to control the bandwidth speeds on the WAN for whatever is going in/out. It's NOT meant to allow/block traffic (it's not a firewall rule in my mind, more a choking/traffic shaping rule).
-
@lpallard:
I have a service trying to use a SSL server located in a region that is currently being blocked by pfBlocker.
…
Action : Pass
Disabled: Unchecked
Interface: WAN
Protocol TCP
Source type: Single host or alias : my alias
You want to connect from LAN (or any other local subnet) to a server on WAN, right?
Move the rule to the local interface where your traffic originates from.
In your setup you would allow the server in to you. I doubt you wanna do that…
-
OK I am still having problems…
Basically the speed limiter is not working. On the good side, the allowedaliases rule is now working. Initially I didn't understand the way rules really worked but now I think I am better at it.
On LAN, I added my custom rule to allow connection to the outside servers. I added a destination to the rule so now this rule sits on top of the list and AFAIK allows connection from the local client to the alias. See screenshot for details. It is working, but is it safe now??
On WAN, the speed limiter rule doesn't work. I am not sure how to add a rule on the WAN side to limit the in/out speeds without allowing the entire world to get in as chpalmer said…