[solved] pfBlockerNG blocks outgoing connections despite rule is Deny Inbound



  • pfBlockerNG v1.08 on pfSense 2.2.2 blocks outgoing connections to selected countries, despite the rule being set to 'Deny Inbound'.

    What should I check in order to sort the issue out?

    Thank you in advance,

    Luigi


  • Moderator

    Hi, Luigi,

    Are there any pfBNG firewall rules listed in the LAN Firewall tab?  Did you mix the In/out interfaces in the 'General' tab?

    If the rule was previously set to 'Deny outbound' or 'Deny Both', it could have states which can be cleared.

    On another note, keep in mind that pfSense is a stateful firewall by design and is implicitly blocking all unsolicited traffic on the WAN. So with no open ports on the WAN, a 'Deny inbound' will just show alerts for packets that are already blocked by pfSense. Users should be more concerned with open ports and the Outbound traffic.



  • Hello BBcan177,

    many thanks for your prompt reply.

    Are there any pfBNG firewall rules listed in the LAN Firewall tab?

    Nope, pfBNG firewall rules are listed in the Floating Fw tab only (and just when pfBNG gets enabled).

    Did you mix the In/out interfaces in the 'General' tab?

    Checked: both are set on WAN IF.

    If the rule was previously set to 'Deny outbound' or 'Deny Both', it could have states which can be cleared.

    That was not the case, however I rebooted the machine(s) twice so previous states should not be the problem here.

    Users should be more concerned with open ports and the Outbound traffic.

    That's correct, but please consider we're protecting a critical web application which shall be accessed from Italian endpoints only. Moreover, it adds a layer of security against bot scans.

    Is there anything else I could check? Might uninstalling and re-installing the package be worth a try?

    Best regards,

    Luigi


  • Banned

    @Luigi:

    Did you mix the In/out interfaces in the 'General' tab?

    Checked: both are set on WAN IF.

    Yeah. Which is completely wrong. Stop selecting WAN interface under "Outbound Firewall Rules".



  • Hello doktornotor,

    thanks for your hint.

    Unfortunately, unchecking WAN from Outbound Interfaces list did not help.

    I also tried disabling/re-enabling pfBNG, and triggering a Force Reload filters but, as soon as I enable pfBNG again, I get several error messages like:

    [ An error occurred while uploading your pfSense configuration to portal.pfsense.org]
    Unable to retrieve package info from https://packages.pfsense.org. Cached data will be used.

    which tell me that Outgoing connections are still being blocked.

    Regards,

    Luigi


  • Moderator

    @Luigi:

    Unfortunately, unchecking WAN from Outbound Interfaces list did not help.

    [ An error occurred while uploading your pfSense configuration to portal.pfsense.org]
    Unable to retrieve package info from https://packages.pfsense.org. Cached data will be

    The first issue is that the WAN interface was selected for the Outbound Rules.

    Second issue is that the error above shows that it didn't apply the changes to the rule due to some error so it reverted back to its previous config state.

    You have to see why it's failing to apply the new rule changes.


  • Moderator

    @Luigi:

    That's correct, but please consider we're protecting a critical web application which shall be accessed from Italian endpoints only. Moreover, it adds a layer of security against bot scans.

    You should also consider using a pfBNG "Alias Permit" Rule.

    Then manually create the Floating rule with the Alias created with "Alias Permit" and choose the Port and Destination LAN addresses for the Rule. More details on "Alias Rules" are listed in all of the IPv4/6 and continent tabs.

    This will allow only the "selected country - Italy" to access the Web App.

    This is a better approach than trying to block the world and only allow a few access.



  • I tried to uninstall, reboot and re-install the package while keeping the option 'Keep Settings/Lists After Disable/Re-Install/De-Install' unticked, but previous settings are still there… Simply, I cannot get rid of the previous configuration.

    I'm going to try the Alias method suggested by you.


  • Moderator

    Something is stopping the saving of the configuration so this is why it never clears.

    Manually delete all pfBNG rules in the Firewall tab … and Save... After a page refresh, do you see any remaining pfBNG Rules? After that, check the system.log and see if there are any errors. Maybe there are other rule issues with NAT or something else that is preventing the save of the config changes?



  • Hello BBcan177,

    ultimately I did succeed in making a clean install and, after a further reboot, all reverted back to normal.

    Then I picked 'Europe-Italy' and 'Alias Permit', getting a URLs Alias as expected.

    I created a Floating rule but connections outside Italy are still allowed. It doesn't work.

    I tried with both 'Match' and 'Pass' as actions, and with DMZ and WAN as destinations.

    What am I missing in the Floating rule configuration (besides the basic understanding)?

    Thank you in advance,

    Luigi




  • … I assume I missed a second rule, in order, aimed at blocking any other connection attempt. But, honestly, I'm afraid I could be locked out by setting such a rule...



  • @BBcan177:

    You should also consider using a pfBNG "Alias Permit" Rule. Then manually create the Floating rule with the Alias created with "Alias Permit" and choose the Port and Destination LAN addresses for the Rule. More details on "Alias Rules" are listed in all of the IPv4/6 and continent tabs. This will allow only the "selected country - Italy" to access the Web App. This is a better approach than trying to block the world and only allow a few access.

    Damn, it was so easy… I don't know why it didn't work earlier, I assume package installation was somewhat messed up, or my mind was, yesterday...

    I simply did:
    1. Achieve a clean package install (no previous settings retained);
    2. Select just WAN in Incoming interface list, and just Italy in the countries list;
    3. Create an Alias Permit URL alias as per your suggestion;
    4. Use the alias for a basic Pass rule on WAN interface (no Floating rules here, now I do prefer to KISS);

    ... and... wha-ah! It worked straightforward. As expected, you would say (and you would be right).

    Thank you very much for your support and your patience.

    Have a nice Sunday,

    Luigi
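
The allow-list setup the thread ends on, sketched as pf rules. This is an added example, not taken from the thread and not the ruleset pfSense generates; the interface name, addresses, table names and port are constructed placeholders.

```pf
# Added illustration: every name, address and port below is a constructed placeholder.
wan_if  = "em0"            # assumed WAN interface
web_app = "192.0.2.10"     # assumed address of the protected web application

# Stand-in for the alias produced by "Alias Permit" (the real one holds Italy's networks).
table <italy_permit> const { 198.51.100.0/24, 203.0.113.0/24 }

# Default deny on WAN. pfSense applies this implicitly, so the "second rule" that
# blocks every other source does not have to be added by hand.
block in log on $wan_if all

# Allow-list: the only pass rule for the application names the alias as its source.
# The restriction holds only while no other rule passes the same port from "any".
pass in quick on $wan_if proto tcp from <italy_permit> to $web_app port 443 keep state

# Deny-list shape, for contrast (commented out): the pass rule is open to any source,
# so every network missing from the deny table still reaches the application.
# block in quick on $wan_if from <countries_deny> to any
# pass  in quick on $wan_if proto tcp from any to $web_app port 443 keep state
```

With the allow-list form, a source outside the table never matches a pass rule and falls through to the default block, which is why no explicit block rule, and no lockout risk from one, is involved.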