Netgate Discussion Forum
    Floating Rules (Match vs Block/Reject)

    Firewalling
    8 Posts 3 Posters 2.6k Views
    BBcan177 (Moderator)

      If there is a Floating Rule with a "Match" Rule and a WAN Interface Rule as follows, which rule would take priority?

      I would like to have the WAN rules fire first when the IP is listed specifically and for the Floating Rule only to fire if the Exact IP is not in the WAN Rules but still within the /24 range.

      Is this possible?

      Floating Rules

      "Match" WAN 74.82.47.0/24

      WAN Rules

      "Block" WAN 74.82.47.2

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      BBcan177 (Moderator)

        Would anyone have any comments?


        divsys

          From: https://doc.pfsense.org/index.php/What_are_Floating_Rules

          Floating rules are parsed before rules on other interfaces.

          You might be able to get what you want by inverting your logic.  Create an alias for the IP (or IP list) and match the floating rule on NOT(alias).

          If you can give a little more detail about the scenario you're trying to handle, maybe we can come up with a better solution.

          -jfp

          BBcan177 (Moderator)

            Thanks for the reply, divsys.

            I have a script that downloads about 50 different blocklists. I then look at how many IPs are in a /24 range and if it's over a defined variable, it can remove the individual IPs and add a single /24 block.

            I recently added a MaxMind GeoIP lookup to whitelist certain countries from that process. So now I'm trying to see if I can "match" these ranges in particular while still blocking the individual ones that are known to be malicious.


            divsys
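As an added illustration of the aggregation step described above (example code, not BBcan177's script): hits are grouped by /24, a /24 with at least a threshold of hits replaces its individual entries, and a /24 in a whitelisted country is instead set aside as a candidate for a floating "match" rule while its known-bad hosts stay individually blocked. The blocklist and the GeoIP map are constructed sample data; the MaxMind lookup is replaced by a dictionary.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample blocklist: the thread's 74.82.47.0/24 plus RFC 5737
# documentation ranges.  None of these are real indicators.
SAMPLE_BLOCKLIST = [
    "74.82.47.2", "74.82.47.9", "74.82.47.17", "74.82.47.33",        # 4 hits
    "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8", "192.0.2.9",  # 5 hits
    "198.51.100.44",                                                  # 1 hit
]

# Stand-in for the MaxMind GeoIP lookup (constructed data, not a real database).
FAKE_GEOIP = {"74.82.47.0/24": "US", "192.0.2.0/24": "XX", "198.51.100.0/24": "XX"}


def lookup_country(addr):
    """Return the constructed country code for addr, or None if unknown."""
    for net, country in FAKE_GEOIP.items():
        if ip_address(addr) in ip_network(net):
            return country
    return None


def aggregate_blocklist(addresses, threshold, whitelist_countries):
    """Group hits by /24 and decide what each group becomes.

    block_nets:  /24s with >= threshold hits outside whitelisted countries;
                 they replace their individual entries in the block list
    match_nets:  /24s that reached the threshold but sit in a whitelisted
                 country; candidates for a floating "match" rule to monitor
    block_hosts: every remaining individual address, including the known-bad
                 hosts inside match_nets, which stay blocked
    """
    buckets = defaultdict(set)
    for a in addresses:
        buckets[ip_network(f"{a}/24", strict=False)].add(ip_address(a))

    result = {"block_nets": [], "match_nets": [], "block_hosts": []}
    for net, hits in buckets.items():
        if len(hits) < threshold:
            result["block_hosts"].extend(hits)
        elif lookup_country(str(net.network_address)) in whitelist_countries:
            result["match_nets"].append(net)
            result["block_hosts"].extend(hits)
        else:
            result["block_nets"].append(net)
    return {key: sorted(val) for key, val in result.items()}
```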

              So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

              Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

              That should get passed before they drop into the more inclusive /24 block.

              -jfp

              BBcan177 (Moderator)

                @divsys:

                So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

                Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

                That should get passed before they drop into the more inclusive /24 block.

                Other way around… Few bad IPs and want to monitor the others in the /24 range.

                Don't really want to create an inverse alias with all the other IPs in those /24 ranges.


                Trel

                  @BBcan177:

                  @divsys:

                  So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

                  Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

                  That should get passed before they drop into the more inclusive /24 block.

                  Other way around… Few bad IPs and want to monitor the others in the /24 range.

                  Don't really want to create an inverse alias with all the other IPs in those /24 ranges.

                  Why not create these two rules in this order:

                  1. Block the known bad (block/reject)
                  2. Match the /24

                  It should stop on the blocked ones and then match any of the others.

                  BBcan177 (Moderator)

                    @Trel:

                    Why not create these two rules in this order:

                    1. Block the known bad (block/reject)
                    2. Match the /24

                    It should stop on the blocked ones and then match any of the others.

                    The Match rule has to be on the Floating Rules. So it will always "Match" and not process a "Block" on the Interface Rules side.

                    And you can't enter a "Match" rule on the Interface Rules; they only allow "Pass/Block/Reject".

                    https://forum.pfsense.org/index.php?topic=77772.msg424216#msg424216


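An added model (not from the thread or from pfSense's own code) of how the thread's two rules interact under pf's documented evaluation: floating rules are walked first, a "match" rule only applies its options (here a tag) and never decides the packet's fate, and the first "pass"/"block" rule marked quick ends evaluation. The WAN pass rule for the /24 and the default-deny fallback are assumptions added so the three outcomes are visible.

```python
from ipaddress import ip_address, ip_network


class Rule:
    """One firewall rule: where it lives, its action, source net, quick flag, tag."""
    def __init__(self, where, action, src, quick=False, tag=None):
        self.where, self.action, self.quick, self.tag = where, action, quick, tag
        self.src = ip_network(src)


def pfsense_order(floating, interface):
    # Floating rules are parsed before rules on other interfaces.
    return list(floating) + list(interface)


def evaluate(rules, src_ip):
    """Return (verdict, tags, deciding_rule) for a packet from src_ip.

    Assumed pf semantics: "match" applies options and keeps going; "pass"/
    "block" set the verdict, and the first quick one stops the walk.  The
    starting verdict models pfSense's default deny when nothing else decides.
    """
    addr = ip_address(src_ip)
    verdict, decider, tags = "block", "default deny", []
    for rule in rules:
        if addr not in rule.src:
            continue
        if rule.action == "match":
            tags.append(rule.tag)       # options applied, evaluation continues
            continue
        verdict, decider = rule.action, rule.where
        if rule.quick:
            break                       # first quick pass/block is final
    return verdict, tags, decider


# The thread's rules: a floating "match" on the /24 and a WAN block on one host,
# plus an assumed WAN pass for the rest of the /24 placed after the block.
FLOATING = [Rule("floating", "match", "74.82.47.0/24", tag="monitor")]
WAN = [
    Rule("wan", "block", "74.82.47.2/32", quick=True),
    Rule("wan", "pass", "74.82.47.0/24", quick=True),
]
RULESET = pfsense_order(FLOATING, WAN)

if __name__ == "__main__":
    for ip in ("74.82.47.2", "74.82.47.5", "192.0.2.1"):
        print(ip, evaluate(RULESET, ip))
```

The known-bad host is still blocked by the WAN rule even though the floating match fired first; the match only tags it.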
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.