Netgate Discussion Forum
    PfBlocker with Nested Aliases

    pfSense Packages
    jonesr:

      Good afternoon,

      I have been using pfBlocker for some time with several blocklists, set to "Deny Both", quite happily. After cleaning up some rules I tried setting most of the lists to "Alias Only" and then nesting aliases for firewall rules. Now the traffic does not appear to be getting blocked, so I was hoping for some help and clarification:

      The pfBlocker blocklists appear under Aliases as URL types, but I can only add the alias if I save it as a Network type. Otherwise I get the following errors (the Hosts and Ports errors are expected, but are included to show the difference from the URL types):
      Hosts - …cannot be nested because they are not of the same type
      Ports - ...cannot be nested because they are not of the same type
      URL - ...is not valid
      URL Table - ...You must provide a valid URL

      What I was hoping to achieve was something like this:

      Add pfBlocker's "Threat_Blocklist_1", "Threat_Blocklist_2" etc to "Alias_Threat_Blocklists"
      Add pfBlocker's "Spam_Blocklist_1", "Spam_Blocklist_2" etc to "Alias_Spam_Blocklists"

      Add pfBlocker's "Advertisers_Blocklist_1", "Advertisers_Blocklist_2" etc to "Alias_Advertisers_Blocklists"

      Add "Alias_Threat_Blocklists" to "Rule_Always_Block"
      Add "Alias_Spam_Blocklists" to "Rule_Always_Block"

      Add "Alias_Advertisers_Blocklists" to "Rule_Mostly_Block"

      Add firewall rule BLOCK any traffic TO "Rule_Always_Block" as order 1

      Add firewall rule ALLOW any traffic FROM "Bypass_Advertisers_Blocklist_PCs" as order 2 (assume I have created this)

      Add firewall rule BLOCK any traffic TO "Rule_Mostly_Block" as order 3

      Is this possible? In fact, as I type this I seem to be having more issues with these nested rules blocking all traffic if enabled, but I have learned today to allow time for changes to "settle" once applied; some of these lists are large and testing immediately after applying a change proves nothing. I will run more tests, but in the meantime if anyone could confirm whether the theory of the above is possible I would be most grateful.

      Kind regards.

      pfSense AMD64 VGA - Assume latest version.
      Suricata, pfBlockerNG, SquidGuard, squid3.

      ashes00:

        jonesr - Did you ever figure this out? I too want to nest URL aliases under a single WAN side blocking rule ALIAS, in order to clean up my FW rules. I know it's almost 12 months later, but thought I would check. Thx
        Ash

        firewalluser:

          I don't think I ever got nested aliases to work, so at the time I just set up an internal webserver which serves the pages/files the firewall wants. Works OK as a workaround/one way to skin the cat.

          jonesr:

            I'm very sorry I haven't responded, I didn't get alerted to the thread being updated.

            I am embarrassed to be reminded of this, as I did realise I was being less than observant when I first looked into it: pfBlocker itself can use multiple lists per alias. To achieve what I described I now do the following. Please note I am describing this from memory and I have just started using pfBlockerNG instead, so please don't... assume I am correct (!)

            In pfBlocker:

            Create a new item "Alias_Always_Block"
            Add the IP blocklists as required to this - I had missed the fact I could simply click "+" to add multiple lists.
            Set as an Alias rather than a permit/deny.

            My "Always Block" contains only a Pe**phile list.

            Create a new item "Alias_Mostly_Block"
            Add the IP blocklists as required to this.
            Set as an Alias rather than a permit/deny.

            My "Mostly Block" contains for example malware and ad lists.

            In the pfSense Aliases (Firewall > Aliases > URLs) create an Alias "URLs_pfBlocker_Override" and add the URLs you wish to whitelist.

            Now create your firewall rules using aliases in this order, relative to your other rules (I use floating rules).

            • Block "Alias_Always_Block"

            • Allow "URLs_pfBlocker_Override"

            • Block "Alias_Mostly_Block"

            Whenever something breaks, add "www.example.com" to the "URLs_pfBlocker_Override" Alias - remember to refresh your rules and wait.

            You should now find you never see traffic to Pe**philes, and you may find certain websites get blocked because they are hosted by providers whose entire range has been added to a malware or ad list for some bad apples spoiling the bunch. Manually add them to your override URLs to allow for this.

            The above is overly simplified, as my actual rules block everything, the URLs override rule only allows the HTTP/HTTPS ports, and other allow rules I haven't described get the rest of my legitimate traffic working. I highly recommend reading this thread; I am only halfway through it myself, but it will explain in detail what I have glossed over here: https://forum.pfsense.org/index.php?topic=78062.0

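As an added worked example (not code from this thread, from pfSense or from pfBlockerNG), the Python script below models the three-rule layout that both of jonesr's posts describe (block "Always", allow the override alias, block "Mostly") and evaluates destination addresses against it with pf's first-match semantics. It also shows the failure mode of putting the allow rule first: a host that appears in both the override alias and the Always list would then be let through. The networks, the hostname www.example.com, its resolved address, the extra "oops.example.net" entry and the function names are all assumptions constructed for the example; the alias names are taken from the posts.

```python
"""Added example, not code from this thread or from pfSense/pfBlockerNG:
a stand-alone model of the three-rule layout (block Always, allow Override,
block Mostly) evaluated with pf's first-match semantics, to show why the
order matters. All networks, hostnames and resolved addresses are constructed."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, str, List[Net]]  # (action, rule name, destination networks)


def nets(cidrs: List[str]) -> List[Net]:
    """Parse CIDR strings (or bare addresses) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed sample data standing in for what pfBlocker loads into pf tables.
ALIAS_ALWAYS_BLOCK = nets(["203.0.113.0/24"])
ALIAS_MOSTLY_BLOCK = nets(["198.51.100.0/24", "192.0.2.0/24"])  # e.g. a hoster's whole range
# The override alias holds hostnames; the firewall resolves them to addresses.
# Constructed resolution results (hostname -> addresses).
OVERRIDE_HOSTS: Dict[str, List[str]] = {"www.example.com": ["192.0.2.10"]}


def override_nets(hosts: Dict[str, List[str]]) -> List[Net]:
    """Flatten resolved hostnames into /32 entries, as a host alias ends up in pf."""
    return nets([ip for ips in hosts.values() for ip in ips])


def build_rules(always: List[Net], override: List[Net], mostly: List[Net]) -> List[Rule]:
    """The order from the posts: block Always, allow Override, block Mostly."""
    return [
        ("block", "Rule_Always_Block", always),
        ("pass", "URLs_pfBlocker_Override", override),
        ("block", "Rule_Mostly_Block", mostly),
    ]


def evaluate(dst: str, rules: List[Rule], default: str = "pass") -> Tuple[str, str]:
    """First-match evaluation: the first rule whose destination set contains
    dst decides (pf 'quick' behaviour); otherwise the implicit default applies."""
    ip = ipaddress.ip_address(dst)
    for action, name, networks in rules:
        if any(ip in n for n in networks):
            return action, name
    return default, "default"


def override_conflicts(always: List[Net], override: List[Net]) -> List[str]:
    """Override entries that fall inside an Always-block network. With the
    order above they stay blocked; if the allow rule were moved ahead of the
    Always block they would be let through, so they are worth flagging."""
    return [str(o) for o in override if any(o.subnet_of(a) for a in always)]


if __name__ == "__main__":
    rules = build_rules(ALIAS_ALWAYS_BLOCK, override_nets(OVERRIDE_HOSTS), ALIAS_MOSTLY_BLOCK)
    for dst in ["203.0.113.5", "192.0.2.10", "192.0.2.20", "8.8.8.8"]:
        print(f"{dst:>14} -> {evaluate(dst, rules)}")

    # Misordering demo: an override entry inside the Always list, allow rule first.
    leaky = override_nets({**OVERRIDE_HOSTS, "oops.example.net": ["203.0.113.5"]})
    print("conflicts:", override_conflicts(ALIAS_ALWAYS_BLOCK, leaky))
    good = build_rules(ALIAS_ALWAYS_BLOCK, leaky, ALIAS_MOSTLY_BLOCK)
    swapped = [good[1], good[0], good[2]]
    print("correct order:", evaluate("203.0.113.5", good))
    print("allow first:  ", evaluate("203.0.113.5", swapped))
```

Two points worth keeping in mind when carrying this over to a real pfSense box. Rules on the interface tabs are first-match, but a floating rule only behaves that way when its Quick option is ticked, so the three-rule order above is only meaningful as floating rules with Quick set. Hostnames in an alias are resolved periodically rather than at save time, so a freshly added override entry takes effect only after the alias has been re-resolved and the ruleset reloaded, which is the "wait" the post mentions.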
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.