
Author Topic: Firewall Rules Order  (Read 1298 times)


Offline Stewart

  • Full Member
  • ***
  • Posts: 281
  • Karma: +16/-2
Firewall Rules Order
« on: January 03, 2018, 12:02:53 pm »
Whenever I apply changes to pfBlockerNG it rearranges the firewall rules order and places the blocks above the pass on both the WAN and LAN configured ports.  Is there a way to change that?  It effectively makes the whitelist useless for me and I have to go rearrange the rules each time.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10570
  • Karma: +1209/-324
Re: Firewall Rules Order
« Reply #1 on: January 03, 2018, 12:06:10 pm »
Yeah use GeoIP type Alias Native. That will create the aliases but will not place any rules. You can then make the rules yourself and they will stay where you put them.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline RonpfS

  • Hero Member
  • *****
  • Posts: 752
  • Karma: +99/-2
Re: Firewall Rules Order
« Reply #2 on: January 03, 2018, 12:28:41 pm »
You can adjust the FW Rules ordering in Firewall / pfBlockerNG / IP ; IP Interface/Rules Configuration ; Firewall 'Auto' Rule Order
2.3.5-RELEASE-p2 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_3/Dev, suricata 4.0.4_1

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10570
  • Karma: +1209/-324
Re: Firewall Rules Order
« Reply #3 on: January 03, 2018, 12:32:08 pm »
Right. If one of those options works for you on all interfaces.

Offline Stewart

  • Full Member
  • ***
  • Posts: 281
  • Karma: +16/-2
Re: Firewall Rules Order
« Reply #4 on: January 03, 2018, 02:29:40 pm »
Quote
You can adjust the FW Rules ordering in Firewall / pfBlockerNG / IP ; IP Interface/Rules Configuration ; Firewall 'Auto' Rule Order

Thanks.  I'll give it a shot.  Why isn't the default to allow the Pass above Block?  Does it just choose the first alphabetically from the list?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10570
  • Karma: +1209/-324
Re: Firewall Rules Order
« Reply #5 on: January 03, 2018, 02:47:43 pm »
Because if you Pass access from any to your web servers then block with pfBlocker, the block rules will not be hit.

Everyone's requirements are different.

I personally don't like the thought of a package manipulating my firewall rules.

Offline BBcan177

  • Moderator
  • Hero Member
  • *****
  • Posts: 2619
  • Karma: +829/-5
Re: Firewall Rules Order
« Reply #6 on: January 03, 2018, 03:53:11 pm »
Quote
Because if you Pass access from any to your web servers then block with pfBlocker, the block rules will not be hit.

Everyone's requirements are different.

I personally don't like the thought of a package manipulating my firewall rules.

Yes It's not a fit for all users. But most users tend to have simpler rules and the ordering options listed may work for them. Other options include adding the Permit rules to pfBNG so that some scenarios can work.

Otherwise, users can opt for "Alias type" rules, which will just create the Aliastable of IPs, and the user can make all of the rules as required... There is also a trick to use Auto Type rules which will create the Rules on all of the required interfaces. Then the user can manually edit each one and only change the Description to start with "pfb_" (Lowercase).  Then edit each Alias to use "Alias type" ... So it saves the user from having to manually create all the rules the first time...

Other options include using the Adv. In/Out rule settings to further customize the rules....

YMMV...
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10570
  • Karma: +1209/-324
Re: Firewall Rules Order
« Reply #7 on: January 03, 2018, 04:05:17 pm »
Excellent. Thank you.

I was hoping for a way to get them all set up automatically then convert them to manual.


Offline Stewart

  • Full Member
  • ***
  • Posts: 281
  • Karma: +16/-2
Re: Firewall Rules Order
« Reply #8 on: January 03, 2018, 04:43:26 pm »
Quote
Because if you Pass access from any to your web servers then block with pfBlocker, the block rules will not be hit.

Everyone's requirements are different.

I can see that everyone's requirements are different.  It just seems odd that by default the package can create whitelists but doesn't apply them in a way that works.  Once you know it's an easy change but it seems inconsistent.

Quote
I personally don't like the thought of a package manipulating my firewall rules.

If you don't like packages manipulating your firewall rules then I would assume you don't use pfBlocker since that is how it functions?  Is there anything that you do instead that would mimic the features?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10570
  • Karma: +1209/-324
Re: Firewall Rules Order
« Reply #9 on: January 03, 2018, 07:40:54 pm »
The package does do something meaningful for users. Just because it is not right for YOU doesn't mean it is broken.

Use type Alias Native, let pfBlocker manage the aliases and use them in rules as you see fit.

Read all of the above again, particularly the part about changing the rule description so pfBlocker stops messing about with them.

Offline Stewart

  • Full Member
  • ***
  • Posts: 281
  • Karma: +16/-2
Re: Firewall Rules Order
« Reply #10 on: January 04, 2018, 04:55:16 pm »
Quote
The package does do something meaningful for users. Just because it is not right for YOU doesn't mean it is broken.

Use type Alias Native, let pfBlocker manage the aliases and use them in rules as you see fit.

Read all of the above again, particularly the part about changing the rule description so pfBlocker stops messing about with them.

You misunderstand.  It's working after changing the rule order.  I'm just wondering why the default rule order is the one chosen as default.  I realize it isn't broken.  It just seems odd to me that the default order makes the white listing ineffective.  It seems to me that a different rule order would be better suited to be default.  I was just asking what the reason was for this particular order to be default.  I wasn't stating it was broken.  I was merely speculating a question.

Offline BBcan177

  • Moderator
  • Hero Member
  • *****
  • Posts: 2619
  • Karma: +829/-5
Re: Firewall Rules Order
« Reply #11 on: January 05, 2018, 09:19:58 am »
Quote
The package does do something meaningful for users. Just because it is not right for YOU doesn't mean it is broken.

Use type Alias Native, let pfBlocker manage the aliases and use them in rules as you see fit.

Read all of the above again, particularly the part about changing the rule description so pfBlocker stops messing about with them.

You misunderstand.  It's working after changing the rule order.  I'm just wondering why the default rule order is the one chosen as default.  I realize it isn't broken.  It just seems odd to me that the default order makes the white listing ineffective.  It seems to me that a different rule order would be better suited to be default.  I was just asking what the reason was for this particular order to be default.  I wasn't stating it was broken.  I was merely speculating a question.

YMMV... The default is what was the original setting from v1 of pfBlocker... so it's never been changed...  I'll consider some changes to the code to possibly add a notice message when a Permit rule is added to check the rule order settings....  No matter what is selected it will work in your case, but possibly affect other scenarios.... There are too many options to make an "easy button"....

Offline BBcan177

  • Moderator
  • Hero Member
  • *****
  • Posts: 2619
  • Karma: +829/-5
Re: Firewall Rules Order
« Reply #12 on: January 05, 2018, 09:21:04 am »
Quote
The package does do something meaningful for users. Just because it is not right for YOU doesn't mean it is broken.

Use type Alias Native, let pfBlocker manage the aliases and use them in rules as you see fit.

Read all of the above again, particularly the part about changing the rule description so pfBlocker stops messing about with them.

Also keep in mind that users can use other "Alias type" options, like "Alias Deny" which will do the same thing, but utilize deduplication/suppression etc...

Offline chudak

  • Full Member
  • ***
  • Posts: 135
  • Karma: +2/-3
Re: Firewall Rules Order
« Reply #13 on: January 15, 2018, 02:46:58 pm »
Quote
You can adjust the FW Rules ordering in Firewall / pfBlockerNG / IP ; IP Interface/Rules Configuration ; Firewall 'Auto' Rule Order

The only problem is that there is no order option which would place pfSense pass and block rules above pfBlockerNG rules.
pfBlockerNG always pushes the pfSense "block" rules to the bottom and this seems like a problem.

Offline BBcan177

  • Moderator
  • Hero Member
  • *****
  • Posts: 2619
  • Karma: +829/-5
Re: Firewall Rules Order
« Reply #14 on: January 15, 2018, 09:37:45 pm »
You can always add the pfSense Blocked IPs to a pfBlockerNG customlist instead.... Then no need for a different Rule order option.... Plus these IPs will be deduplicated with the other IP Feeds in use...

Offline chudak

  • Full Member
  • ***
  • Posts: 135
  • Karma: +2/-3
Re: Firewall Rules Order
« Reply #15 on: January 16, 2018, 02:53:33 pm »
Quote
You can always add the pfSense Blocked IPs to a pfBlockerNG customlist instead.... Then no need for a different Rule order option.... Plus these IPs will be deduplicated with the other IP Feeds in use...

I guess I don't know how to make it happen; could you elaborate a bit?
I have rules like this =>  https://snag.gy/HceE21.jpg
(One rule allows DNS to pfSense only and the other blocks all non-pfSense DNS queries)

When pfBlockerNG updates or reloads and re-sorts the rules, it actually inserts pfBlockerNG rules before the pfSense block DNS rule.

I tried all options, including using Floating Rules in pfBlockerNG and so far found no remedy (logged a feature request that I believe would help https://redmine.pfsense.org/issues/8279).

So @BBcan177 pls elaborate.
« Last Edit: January 22, 2018, 07:28:31 pm by chudak »

Offline BBcan177

  • Moderator
  • Hero Member
  • *****
  • Posts: 2619
  • Karma: +829/-5
Re: Firewall Rules Order
« Reply #16 on: January 23, 2018, 05:25:42 pm »
You can create a new alias in pfBlockerNG and add "0.0.0.0" which is equivalent to "any" IP, into the custom list...

Then edit either the Advanced Inbound or Outbound Firewall rule settings to configure the balance of the rules options...

You can then define this Alias Action setting to Permit or Block...

You can drag the Aliases from the IP tab to re-order as you wish.

Also as stated above, you can use "Alias Type" rules and create all the rules manually.

Offline chudak

  • Full Member
  • ***
  • Posts: 135
  • Karma: +2/-3
Re: Firewall Rules Order
« Reply #17 on: January 24, 2018, 08:06:29 am »
Quote
You can create a new alias in pfBlockerNG and add "0.0.0.0" which is equivalent to "any" IP, into the custom list...

Then edit either the Advanced Inbound or Outbound Firewall rule settings to configure the balance of the rules options...

You can then define this Alias Action setting to Permit or Block...

You can drag the Aliases from the IP tab to re-order as you wish.

Also as stated above, you can use "Alias Type" rules and create all the rules manually.

Thank you!  But I have more questions than answers to those steps, need more info.

It seems overall the rules order in combination with pfB has room for improvement  :D

Offline chudak

  • Full Member
  • ***
  • Posts: 135
  • Karma: +2/-3
Re: Firewall Rules Order
« Reply #18 on: April 15, 2018, 12:09:37 pm »
Quote
You can create a new alias in pfBlockerNG and add "0.0.0.0" which is equivalent to "any" IP, into the custom list...

Then edit either the Advanced Inbound or Outbound Firewall rule settings to configure the balance of the rules options...

You can then define this Alias Action setting to Permit or Block...

You can drag the Aliases from the IP tab to re-order as you wish.

Also as stated above, you can use "Alias Type" rules and create all the rules manually.


I don't know but all those changes seem too much and too complicated.

Here is my example, I want to keep untouched rules order to make all network clients to use pfSense router as DNS server like:

pass - Allow DNS to pfSense only
block - Block all DNS not to pfSense

And every time pfBlockerNG updates, my "block" rule gets pushed to the end of the list.

It seems wrong to me regardless of workarounds.  As I described in this https://redmine.pfsense.org/issues/8279

Why won't we either

1 - in pfBlockerNG, Rule Order add option - "Do not change (preserve) existing order"

or

2 - in Firewall Rules <IF> add say a check box "Preserve existing order", which will not allow the order to be changed.

???
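The ordering effects argued over in this thread (Stewart's whitelist sitting below the block list, Derelict's "pass any to the web server means the block is never hit", chudak's DNS block rule ending up below the LAN allow rule, and BBcan177's custom-list / 0.0.0.0 alias workaround) can be reproduced with a small first-match rule evaluator. This is an added example, not code from the original posts, from pfSense or from the pfBlockerNG package. It assumes pfSense evaluates interface rules top-down with first match winning, that the package regroups an interface's rules into four blocks (pfB pass, pfB block, pfSense pass, pfSense block) whose order is the 'Firewall Auto Rule Order' setting, and that the package default puts its own block rules first, as the thread describes; the group names, ordering lists, rule descriptions and all addresses are constructed for the example.

```python
"""Added example (not pfBlockerNG or pfSense code): a tiny first-match rule
evaluator that reproduces the ordering effects discussed in this thread.
Assumptions: interface rules are evaluated top-down, first match wins, and
the package stable-sorts an interface's rules into four groups whose order is
the 'Firewall Auto Rule Order' option.  Addresses are constructed test data."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    group: str            # pfB_pass | pfB_block | pfsense_pass | pfsense_block
    action: str           # "pass" or "block"
    src: str              # CIDR / host or "any"
    dst: str              # CIDR / host or "any"
    dport: Optional[int]  # destination port, None = any port
    desc: str


# Orderings modelled on the thread: the package default puts its own block
# rules above its pass rules (Stewart's complaint); every variant keeps the
# pfSense block rules last (chudak's complaint).  Names are assumptions.
DEFAULT_ORDER = ["pfB_block", "pfB_pass", "pfsense_pass", "pfsense_block"]
PFB_PASS_FIRST = ["pfB_pass", "pfB_block", "pfsense_pass", "pfsense_block"]
PFSENSE_PASS_FIRST = ["pfsense_pass", "pfB_pass", "pfB_block", "pfsense_block"]


def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def order_rules(rules: List[Rule], order: List[str]) -> List[Rule]:
    """Regroup like the package does: a stable sort by group, so the order the
    user wrote inside one group survives, but rules of different groups move."""
    rank = {g: i for i, g in enumerate(order)}
    return sorted(rules, key=lambda r: rank[r.group])


def regroup(rules: List[Rule], desc: str, group: str) -> List[Rule]:
    """Hand a rule over to the package, e.g. by putting its IPs in a pfB custom
    list (block) or a 0.0.0.0 'any' alias with Adv. In/Out settings (permit)."""
    return [replace(r, group=group) if r.desc == desc else r for r in rules]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """The first matching rule decides; nothing matched means default deny."""
    for r in rules:
        if _in(r.src, src) and _in(r.dst, dst) and r.dport in (None, dport):
            return r.action, r.desc
    return "block", "default deny"


def stewart_rules() -> List[Rule]:
    """WAN: a GeoIP block list, a whitelist alias and a pass to a web server."""
    return [
        Rule("pfsense_pass", "pass", "any", "192.0.2.80", 443, "web server"),
        Rule("pfB_pass", "pass", "203.0.113.10", "192.0.2.80", 443, "whitelist"),
        Rule("pfB_block", "block", "203.0.113.0/24", "any", None, "GeoIP block"),
    ]


def chudak_rules() -> List[Rule]:
    """LAN, as written: pass DNS to pfSense, block other DNS, allow the rest."""
    return [
        Rule("pfsense_pass", "pass", "10.0.0.0/24", "10.0.0.1", 53, "DNS to pfSense"),
        Rule("pfsense_block", "block", "10.0.0.0/24", "any", 53, "block other DNS"),
        Rule("pfsense_pass", "pass", "10.0.0.0/24", "any", None, "LAN default allow"),
    ]


def chudak_fixed() -> List[Rule]:
    """The workaround from the thread: hand both DNS rules to the package and
    pick a pass-first order.  Moving only the block rule is not enough: under
    the block-first default it would also land above 'DNS to pfSense' and
    break resolution for the LAN."""
    r = regroup(chudak_rules(), "block other DNS", "pfB_block")
    r = regroup(r, "DNS to pfSense", "pfB_pass")
    return order_rules(r, PFB_PASS_FIRST)


if __name__ == "__main__":
    for name, order in [("default", DEFAULT_ORDER), ("pfB pass first", PFB_PASS_FIRST)]:
        print(name, evaluate(order_rules(stewart_rules(), order), "203.0.113.10", "192.0.2.80", 443))
    print("chudak, any order:", evaluate(order_rules(chudak_rules(), DEFAULT_ORDER), "10.0.0.25", "8.8.8.8", 53))
    print("chudak, fixed:    ", evaluate(chudak_fixed(), "10.0.0.25", "8.8.8.8", 53))
```

Run as-is it prints the whitelisted host being blocked under the default order and passed under a pass-first order, and chudak's off-box DNS query passing under every order until both DNS rules are owned by the package. The half-fix caveat is worth checking on a real box before relying on it: put only the block list into pfBlockerNG under the default order and DNS to the firewall itself is blocked too.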