Plea for pfBlockerNG Tutorial

  • I am new to pfsense.  I have an SG-2440 in my home network.  I have pfBlockerNG going, but there are many settings and procedures about which I am confused.  I know there is at least one tutorial on Youtube, but it suggests blocking all incoming traffic, which isn't the intended purpose for the program, since as it has been pointed out, pfsense already blocks unwanted incoming traffic.  I would love to see a turtorial that covers the following (youtube or written out with pics):

    1.  The basic steps from beginning to end to get pfBlockerNG running at its highest potential.

    2.  How to set up aliases and the process used to block individual open ports.  I have one port open for my security cameras that runs through my home server to stunnel.  I also have a port used by OpenVPN.

    3.  How to set up the extra filter lists.  Being unfamiliar with the underlying architecture of pfsense, I have been trying to wrap my head around the way one is supposed to add the lists to the device via the code provided in other threads.

    I would do the tutorial if I understood pfBlockerNG, but it seems that this is one of the better packages for pfsense, and a comprehensive tutorial would help to clear up much confusion (such as blocking all incoming traffic).  Is there anything like this in the works, or does anyone know where I can find this information?

  • Moderator

  • @BBcan177:


    What to do ?
    Create some floating rules (as i read in the Wiki)
    create some alias as you replied ?

    In v1.10 I added some additional text to the TOP20 tab to help with this issue. (See Note:)

    Instead of blocking the world, you can change all of the "Deny" rule(s) to be a single "Permit Inbound" Rule…

    For example: It seems like you want to allow South America only to hit your Zimbra mail server, follow the instructions below:    (  BTW: Big fan of Zimbra!!  )

    • Remove all of your existing Country Blocking Rules.

    • Remove all of your existing "Pass" Firewall rules for Zimbra.
      You could also just disable these pass rules and keep them there as a backup, if pfBNG is disabled for any reason.

    • Goto "South America" Country Tab.

    • Select the IPv4/6 Countries that you want to allow access.

    • List Action: "Permit Inbound"

    • In "Advanced Inbound Firewall Rule Settings":

      • Enable the Custom Port checkbox

        Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_Ports" (Change the alias name to what ever you wish), and enter all of the Mail ports in the alias.

      • Enable Custom Destination checkbox

        Click the link "Click here to add/edit Aliases" and add a new pfSense Alias called "Mail_IPs"
        (Change the alias name to what ever you wish), and enter all of the Mail Destination IPs (ie: the 192.x.x.x address from your screenshot above)

      • Custom Protocol: Select "TCP/UDP" (Or as required)

    Hope that helps!

    This seems to be the pertinent post concerning setting up protection on my two open ports, but I am still not clear.  I was able to get the script to work, and it created 7 alias entries (IBlock, PRI1, PRI2, PRI3, SEC1, TOR, and MAIL).  In contrast to the above scenario where the firewall is already blocking unsolicited traffic to all ports, since my single port is open (via NAT under port forwarding) by default, would I set up the Advanced Inbound Firewall Rule to block everything except the US to that one port?  It seems that if I do the Permit Inbound as above, then I am already allowing traffic to the port in question, so I would need to deny all traffic except the US instead.

    Also, however I set it up, do I need to go in and do the same thing for each of the 7 alias/list entries created by the script?

    I'm going to assume that the port used by OpenVPN is inherently secure, since it is not treated as a regular open port.

    I apologize for my ignorance.  This is all very new to me, but I moved to pfsense after a fairly devastating hack into my server, and I want everything to be as secure as possible.

Log in to reply