Block incoming IP except for a few address ranges



  • I'm new, and the network admin at my local church with around 800 users of the wireless network.  We are considering switching from Untangle -> pfSense and have a couple questions:

    1. How do I block all incoming traffic except for a handful of IP address blocks?  I have this on Untangle with several allow rules followed by a single 'block all' rule and want to set up a similar thing here.

    2. This may require it's own post in another category, but here goes anyways.  Untangle allows me to capture web traffic info in a PostgreSQL database that I can then run my own queries against, and keep it all on the router itself.  How could I configure something like pflow/netflow or something similar to do the same.  I really want the netflow collector to use a PostgreSQL database and be installed on the router like I do with Untangle  (There are several reasons for this, but I don't want to go into them here).  The server is an HP DL360 G6 with 2 quad-core Xeon and 16GB RAM (a donation from my workplace), so I know it can handle this.



  • I'm no expert either, but when editing a rule you can select a source address along with a netmask, so it seems you can do the same thing in pfsense as with Untangle. Should be pretty easy to set it up and give it a try.

    I cannot answer your second question.


  • Banned

    Block all is already there. You allow what you need.



  • Block all is not already there.  I set up a port forward /NAT rule for ssh and I can ssh in from any IP address.  This is not what I want.  I take a rather paranoid view of security by allow from certain IPs and block incoming connections from the rest of the world.

    I am seeing these 'alias' things.  Is it possible to define an alias that is several different IP/mask block ranges and treat them as a single entity?  If I can do that, it should be really easy to accomplish what I want.


  • Netgate

    Yeah.  Your port forward said to allow anyone to connect.

    Create an alias containing the subnets you want to be allowed in and use that as the source address for your firewall rules.  Everything not passed will be blocked.



  • That helps.  I will try that.



  • I must say I really like the whole ALIAS thing ;D  This was so much easier to do here than in Untangle!