Floating Rules (Match vs Block/Reject)

BBcan177 · Jun 1, 2014, 2:49 AM

If there is a Floating Rule with a "Match" Rule and a WAN Interface Rule as follows, which rule would take priority?

I would like to have the WAN rules fire first when the IP is listed specifically and for the Floating Rule only to fire if the Exact IP is not in the WAN Rules but still within the /24 range.

Is this possible?

Floating Rules

"Match" WAN 74.82.47.0/24

WAN Rules

"Block" WAN 74.82.47.2

BBcan177 · Jun 3, 2014, 1:24 PM

Would anyone have any comments?

divsys · Jun 3, 2014, 1:57 PM

From: https://doc.pfsense.org/index.php/What_are_Floating_Rules

Floating rules are parsed before rules on other interfaces.

You might be able to get what you want by inverting your logic. Create an alias for the IP (or IP list) and match the floating rule on NOT(alias).

If you can give a little more detail about the scenario you're trying to handle, maybe we can come up with a better solution.

BBcan177 · Jun 3, 2014, 2:18 PM

Thanks for the reply Divsys,

I have a script that downloads about 50 different Blocklists. I then look at how many IPs are in a /24 range and if it's over a defined variable, it can remove the individual IPS and add a single /24 block.

I recently added a Maxmind geoip lookup to whitelist certain countries from that process. So now i'm trying to see if I can "match" these ranges in particular while still blocking the individual ones that are known to be malicious.

divsys · Jun 3, 2014, 5:08 PM

So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

That should get passed before they drop into the more inclusive /24 block.

BBcan177 · Jun 3, 2014, 5:17 PM

@divsys:

So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

That should get passed before they drop into the more inclusive /24 block.

Other way around… Few bad ips and want to monitor the others in the /24 range.

Don't really want to create an inverse alias with all the other IPs in those /24 ranges.

Trel · Jun 10, 2014, 6:06 PM

@BBcan177:

@divsys:

So if I understand correctly, your blocklist might be a /24 net, but then you subsequently find 3 addresses that are actually "Good" in that range?

Couldn't you just put the Good addresses in an alias list that you pass using a floating rule?

That should get passed before they drop into the more inclusive /24 block.

Other way around… Few bad ips and want to monitor the others in the /24 range.

Don't really want to create an inverse alias with all the other IPs in those /24 ranges.

Why not create these two rules in this order

1. Block the known bad (block/reject)
2. Match the /24

It should stop on the blocked ones and then match any of the others.

BBcan177 · Jun 10, 2014, 6:10 PM

@Trel:

Why not create these two rules in this order

1. Block the known bad (block/reject)
2. Match the /24

It should stop on the blocked ones and then match any of the others.

The Match rule has to be on the Floating Rules. So it will always 'Match" and not process a "Block" on the Interface Rules Side.

And you can't enter a "Match" rule on the Interface Rules only allows "Pass/Block/reject"

https://forum.pfsense.org/index.php?topic=77772.msg424216#msg424216