pfBlockerNG rules are moving down the firewall rule list every day
-
@dougc420:
I wish this was an easy fix really i do.
It would be extremely easy to do if you designed things in a SANE way. Why the HECK are you blocking the ENTIRE WORLD via pfBNG?! Allow what you need; the rest is blocked by default. This has been said a zillion times. Here we go again. Hundreds of thousands of CIDRs in firewall rules, totally useless. Absurd. Please get some basic understanding of default deny before deploying similar WTF setups.
-
I actually do have the countries unblocked that I require and have taken the time to work out our desired flow of traffic. I do wish to globally block all traffic in the world to our Exchange on port 25 and ONLY allow it to talk to our hosted mail providers. It is peace of mind to know that I do not need to worry about that.
This is the preferred configuration for us; however, we would like to be able to manage our rules accordingly and not have to log in every day and re-sort them.
The odd thing is that the behavior on a like firewall is different. Firewall two, with the same config, keeps the rules where they are, but on this firewall the rules re-sort after cron runs.
What am I missing here? -
Hi Doug,
The "Rule Order" that you selected ordered the rules as per the order you selected. I think you want to use the second option, as the manual pass rules that you created are 'pfSense Pass' rules, not 'pfBNG pass' rules.
Please see the following links for what Dok has mentioned:
https://forum.pfsense.org/index.php?topic=86212.msg548324#msg548324
https://forum.pfsense.org/index.php?topic=86212.msg553921#msg553921
https://forum.pfsense.org/index.php?topic=102071.0 -
OK, a clever friend of mine found the solution.
When I set up pfB, it auto-created rules.
The list action was set to "Deny"; by changing that to "Alias Deny" and deleting and recreating the rules manually,
this fixed the sorting-order issue where the rules would move in priority. I also see the logic doktornotor shared.
Rather than blocking 4,225,000,000 port combinations and 3,706,452,992 public IP addresses, causing much computational overhead,
it is better to make selective entries in pfB for specific openings and let pfSense do that inherently, and not globally block everything using pfB, because pf already does all that. Thank you everyone for your help; I really appreciate your support.
Now I do not have an absurd WTF setup. (: -
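The design this thread converges on, written out as an added pf ruleset that is not part of any post above: a default-deny policy in which the Exchange host is passed to the hosted mail providers on TCP/25 and nothing else has to be enumerated. The interface name and all addresses are constructed placeholders; adjust them to the environment (on pfSense itself the equivalent is a pair of pass rules referencing an alias, with the default deny supplied by the system).

```pf
# Constructed placeholders, not real infrastructure.
ext_if   = "em0"
exchange = "192.0.2.25"                                   # on-premises Exchange server
table <mail_providers> { 198.51.100.10, 198.51.100.11 }   # hosted mail provider relays

# Default deny: anything not explicitly passed below is dropped and logged.
block in  log all
block out log all

# Exchange may speak SMTP only with the hosted providers, in either direction.
# pf keeps state by default, so the reply packets of each session are allowed
# without a separate rule.
pass out quick on $ext_if proto tcp from $exchange to <mail_providers> port 25
pass in  quick on $ext_if proto tcp from <mail_providers> to $exchange port 25

# The approach the thread warns against, shown commented out for contrast:
# loading every other public prefix into a table and blocking it explicitly.
# The table is huge, has to be refreshed by cron, and buys nothing that the
# "block all" default above does not already provide.
#table <rest_of_world> persist file "/var/db/pfb_all_countries.txt"
#block in quick on $ext_if from <rest_of_world> to $exchange port 25
```

The two pass rules are the only place the policy lives; adding a new provider means adding one address to the table, and a later geo-block list loaded for other purposes cannot reorder or shadow them, because no block rule for port 25 exists to be reordered.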
@dougc420:
OK, a clever friend of mine found the solution.
When I set up pfB, it auto-created rules.
The list action was set to "Deny"; by changing that to "Alias Deny" and deleting and recreating the rules manually,
this fixed the sorting-order issue where the rules would move in priority. I also see the logic doktornotor shared.
Rather than blocking 4,225,000,000 port combinations and 3,706,452,992 public IP addresses, causing much computational overhead,
it is better to make selective entries in pfB for specific openings and let pfSense do that inherently, and not globally block everything using pfB, because pf already does all that. Thank you everyone for your help; I really appreciate your support.
Now I do not have an absurd WTF setup. (:

+1, this solved it for me as well. My issue was that I wanted to block the same IPs on LAN and WAN, but I needed the order to be different on the interfaces, as I needed passthrough rules on the LAN, which obviously didn't work. The only drawback I seem to be getting from this approach is that Alerts in pfBlockerNG is now empty, so it is challenging to know which block list actually initiated a block.
Edit: Duh, forgot to mark "log this".