Pfblocker on one computer



  • I'm trying to use pfblocker for just one computer. By that I mean I want one computer that is only allowed to access ip addresses in the united states.

    Is this possible? I checked if pfblocker left some rules in the firewall rules so I could specify which computer for it to act on, but I didn't see anything.


  • Moderator

    pfBNG sorts the Maxmind Country files into a folder which you can use to create manual firewall rules.

    The specific folder/file is /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt

    So you can create a pfBNG Alias using "Alias Permit" with the above localfile in the URL field.

    Create a manual "Pass" firewall rule on the LAN Interface for this particular LAN IP that you want to allow outbound to US addresses only, using the created Alias above.

    Create a manual "Reject" firewall rule on the LAN to reject "any" ips, below the "pass" rule for this particular LAN IP.



  • @BBcan177:

    pfBNG sorts the Maxmind Country files into a folder which you can use to create manual firewall rules.

    The specific folder/file is /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt

    So you can create a pfBNG Alias using "Alias Permit" with the above localfile in the URL field.

    Create a manual "Pass" firewall rule on the LAN Interface for this particular LAN IP that you want to allow outbound to US addresses only, using the created Alias above.

    Create a manual "Reject" firewall rule on the LAN to reject "any" ips, below the "pass" rule for this particular LAN IP.

    Under the ipv4 tab in pfblocker ng I created an alias called 'America' with these settings

    Then under the firewall rules under LAN I picked the source ip for my computer.

    Under destination I selected single host or alias

    I put America there, but it says it "America is not a valid destination IP address or alias."


  • Banned

    I think you are doing it all wrong? You should NOT use "Permit both" but rather create an alias and use that alias in your own firewall rule(s) - with source and/or destination being that one computer, depending on inbound/outbound…



  • @doktornotor:

    I think you are doing it all wrong? You should NOT use "Permit both" but rather create an alias and use that alias in your own firewall rule(s) - with source and/or destination being that one computer, depending on inbound/outbound…

    What do you mean exactly by create an alias and use that in firewall rules? I just made an alias there in pfng, or do you mean another one under firewall aliases? I could set the pfng alias to permit outbound instead, but I don't think it would really matter. If you could explain a bit more in depth, I think I'd be able to follow better.


  • Banned

    Dude. The "List Action" in pfBNG.



  • I set it to Alias Permit

    Then under the firewall rules it still doesn't know what pfb_America or America is

    If anything looks wrong here, let me know https://dl.dropboxusercontent.com/u/46294175/pfsense/screencapture-192-168-8-1-pkg_edit-php-1438996251086.png


  • Banned

    Because that'd be pfBAmerica… Dunno, the damned alias box has autocomplete, and there are lengthy explanations in the pfBNG GUI... The pfb is for rule description.

    When using 'Alias' rules, change (pfB_) to ( pfb_ ) in the beginning of rule description

    Sigh.

    Example of using this on WAN (with NAT):

    Will only allow access via the NAT if the source does NOT match the pfBNG alias.



  • It's not doing any sort of autocomplete for me on chrome.

    Which alias box are you even referring to? Also where are rule descriptions? Is that the same as list description?

    Seriously just point it out, and there's no need to be an ass about this. I've never used pfng, there's a lot of options.

    https://dl.dropboxusercontent.com/u/46294175/pfsense/screencapture-192-168-8-1-pkg_edit-php-1438996793149.png

    https://dl.dropboxusercontent.com/u/46294175/pfsense/screencapture-192-168-8-1-firewall_rules_edit-php-1438997003402.png


  • Moderator

    After saving the Alias, did you go to the Update Tab and select "Force Update"? This will create the alias; you would then set this alias to update Once per week to keep the IPs in the alias in sync with Maxmind.



  • @BBcan177:

    After saving the Alias, did you go to the Update Tab and select "Force Update"? This will create the alias; you would then set this alias to update Once per week to keep the IPs in the alias in sync with Maxmind.

    Thanks a lot that worked

    EDIT: I'm having issues using the not sign.

    pfB_America works, but ! pfB_America is not recognized in the destination field.

    I could just use two rules, so it's not that big of a deal.

    EDIT: It works, thanks guys. I just used two separate rules instead of using '!'


  • Banned

    You do NOT put ! mark there. You tick the NOT checkbox.
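The thread ends up with two working layouts for the same policy: the moderator's "Pass to pfB_America, then Reject any" pair of rules for the one LAN host, and a single Reject rule whose destination is the alias with the NOT checkbox ticked. The Python below is an added illustration, not code from pfSense or pfBlockerNG: it parses a country file in the one-network-per-line shape of US_v4.txt (the prefixes here are constructed stand-ins, not MaxMind data), models pfSense's first-match rule evaluation on the LAN interface, and shows that both layouts give the restricted host (a constructed 192.168.8.50) the same answers while leaving other LAN hosts on the default allow rule. It also shows what goes wrong when the Reject rule is placed above the Pass rule. Only IPv4 is modelled, matching the US_v4 file; IPv6 would need its own alias and rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for /usr/pbi/pfblockerng-amd64/share/GeoIP/US_v4.txt.
# Real MaxMind files are far longer; these prefixes are illustrative only.
US_V4_TXT = """\
# GeoIP country list (constructed sample)
3.0.0.0/8
8.8.8.0/24

198.51.100.0/24
"""

RESTRICTED_HOST = "192.168.8.50"   # constructed LAN IP of the one computer


def load_alias(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one network per line, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_alias(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class Rule:
    action: str                                   # "pass" or "reject"
    src: str                                      # single host or "any"
    dst_alias: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dst_invert: bool = False                      # the NOT checkbox on destination
    descr: str = ""


def rule_matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    if rule.src != "any" and ipaddress.ip_address(src_ip) != ipaddress.ip_address(rule.src):
        return False
    if rule.dst_alias is None:
        return True
    hit = in_alias(dst_ip, rule.dst_alias)
    return (not hit) if rule.dst_invert else hit


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """pfSense interface rules are first-match: the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule.action
    return "block"   # implicit default deny when nothing matches


PFB_AMERICA = load_alias(US_V4_TXT)
DEFAULT_LAN_ALLOW = Rule("pass", "any", None, descr="Default allow LAN to any")

# Layout 1 (moderator's recipe): Pass to the alias, then Reject any, for the one host.
TWO_RULE_LAYOUT = [
    Rule("pass", RESTRICTED_HOST, PFB_AMERICA, descr="pfb_America pass"),
    Rule("reject", RESTRICTED_HOST, None, descr="reject everything else for this host"),
    DEFAULT_LAN_ALLOW,
]

# Layout 2 (last reply): one Reject rule with destination = alias and NOT ticked.
NOT_CHECKBOX_LAYOUT = [
    Rule("reject", RESTRICTED_HOST, PFB_AMERICA, dst_invert=True,
         descr="reject non-US destinations for this host"),
    DEFAULT_LAN_ALLOW,
]

# Mis-ordered: the Reject any sits above the Pass, so the Pass never fires.
WRONG_ORDER_LAYOUT = [
    Rule("reject", RESTRICTED_HOST, None),
    Rule("pass", RESTRICTED_HOST, PFB_AMERICA),
    DEFAULT_LAN_ALLOW,
]


def layouts_agree(dst_ips: List[str]) -> bool:
    """True when the two working layouts give identical verdicts for every host/destination."""
    for src in (RESTRICTED_HOST, "192.168.8.51"):
        for dst in dst_ips:
            if evaluate(TWO_RULE_LAYOUT, src, dst) != evaluate(NOT_CHECKBOX_LAYOUT, src, dst):
                return False
    return True


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5"):
        print(dst, evaluate(TWO_RULE_LAYOUT, RESTRICTED_HOST, dst),
             evaluate(NOT_CHECKBOX_LAYOUT, RESTRICTED_HOST, dst),
             evaluate(WRONG_ORDER_LAYOUT, RESTRICTED_HOST, dst))
```

The alias is populated only after the "Force Update" step the moderator describes, so an empty or stale list file is worth checking first when the restricted host can reach nothing; in this model an empty alias makes every destination fall through to the Reject rule.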