
Author Topic: pfBlocker  (Read 182807 times)


Offline Cino

Re: pfBlocker
« Reply #330 on: January 15, 2012, 01:20:56 pm »
I tried that and it didn't work, but "pfBlocker-aliasname for Squid" does. The '-' made the difference. As always, thank you!!

Offline taryezveb

Re: pfBlocker
« Reply #331 on: January 15, 2012, 02:58:58 pm »
I'm using Squid to improve web performance and for logging. I have set up a couple of lists within pfBlocker to block inbound (WAN) and outbound (LAN). Since Squid uses localhost, I figured it would need to be a floating rule for it to catch. After reading a few posts, my hunch was right.

Can you please explain? Does this mean that if one is using Squid and pfBlocker, a floating rule for Squid is needed in order for Squid to use the lists used in pfBlocker?

Offline marcelloc

Re: pfBlocker
« Reply #332 on: January 15, 2012, 03:12:52 pm »
Can you please explain? Does this mean that if one is using Squid and pfBlocker, a floating rule for Squid is needed in order for Squid to use the lists used in pfBlocker?

Yes, read this topic.

http://forum.pfsense.org/index.php/topic,44479.0.html

Offline taryezveb

Re: pfBlocker
« Reply #333 on: January 15, 2012, 03:23:47 pm »

Yes, read this topic.

http://forum.pfsense.org/index.php/topic,44479.0.html

Thanks, just read it but do not fully understand. Maybe once I add the floating rule(s), I will.

Offline marcelloc

Re: pfBlocker
« Reply #334 on: January 15, 2012, 03:30:43 pm »
pfSense is a stateful firewall, so all rules are applied where connections begin.

Squid does not use LAN or WAN rules but localhost rules, as it starts communications to web servers locally.

The only way to apply rules on localhost is using floating rules.

This way Squid will not be able to connect to any China web site if the firewall is blocking access to China's IPs.

Offline taryezveb

Re: pfBlocker
« Reply #335 on: January 15, 2012, 03:39:44 pm »
Thanks for that explanation, I understand it better :) But I'm still not sure how the floating rule(s) should be properly created.

Like this?:

Action: Reject
Interface: WAN
Direction: any
Protocol: any
Source: any
Destination: pfBlockerAliasname
Description: pfBlockerAliasname-Squid

Sorry if these are obvious questions.
« Last Edit: January 15, 2012, 03:55:59 pm by taryezveb »

Offline marcelloc

Re: pfBlocker
« Reply #336 on: January 15, 2012, 03:56:13 pm »
Change interface to any and direction to out.
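
The difference between the interface rule and the floating rule that marcelloc describes, written out in pf syntax as an added illustration (this is not code from the thread or from pfBlocker). pfSense loads every alias as a pf table, so the alias name pfBlockerAliasname from the post above appears as a table; the interface name lan_if is an assumed placeholder for the real LAN device:

```pf
# Interface rule as pfSense writes a LAN-tab rule. pf is stateful and
# evaluates rules where a connection enters the firewall, so this only
# matches packets arriving on the LAN interface from LAN hosts. Squid's
# upstream connections originate on the firewall itself, so they never
# pass through this rule and are not blocked.
block return in quick on lan_if from any to <pfBlockerAliasname>

# Floating rule with Interface: any, Direction: out, Action: Reject.
# No "on" clause means it applies on every interface, and "out" matches
# connections the firewall itself initiates, so Squid's requests to
# listed addresses are rejected as well as forwarded traffic leaving
# through any interface.
block return out quick from any to <pfBlockerAliasname> label "pfBlockerAliasname-Squid"
```

To confirm the rule was loaded and the alias populated after applying, `pfctl -sr | grep pfBlockerAliasname` lists the active rules referencing the table and `pfctl -t pfBlockerAliasname -T show` prints the addresses currently in it; an empty table means the list was never downloaded, and a missing rule means the floating rule was not applied.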

Offline taryezveb

Re: pfBlocker
« Reply #337 on: January 15, 2012, 03:59:58 pm »
Ok, Thanks a lot for your help! :)

Offline fsavoir

pfBlocker doesn't add rules to the firewall?
« Reply #338 on: January 16, 2012, 02:31:11 am »
Hi,
I'm new to this list.... But great work on pfSense and all packages.
On my French install, pfBlocker never adds any rules to the firewall. Any tips to track this down?
pfSense 2.0.1 and pfBlocker 1.0.1

Thanks.

Fred

Offline marcelloc

Re: pfBlocker
« Reply #339 on: January 16, 2012, 04:01:28 am »
You need at least one firewall rule on the interface where you want to configure pfBlocker.

Offline fsavoir

Re: pfBlocker
« Reply #340 on: January 16, 2012, 04:17:11 am »
Hi,

Thanks for your reply... I did have the default rules. Isn't that enough?
"
*    RFC 1918 networks    *    *    *    *    *       Block private networks    
*    Reserved/not assigned by IANA    *    *    *    *    *    *    Block bogon networks
"

Thanks.

Fred
« Last Edit: January 16, 2012, 04:23:46 am by fsavoir »

Offline marcelloc

Re: pfBlocker
« Reply #341 on: January 16, 2012, 04:32:39 am »
Default rules are not saved in the interface rules config XML.

Create a rule and then apply pfBlocker config.

Offline fsavoir

Re: pfBlocker
« Reply #342 on: January 16, 2012, 05:20:21 am »
Thanks again for your reply,

Could you be more specific? I need to add a rule in Firewall -> Rules, then LAN or WAN?

Such as a dummy rule?

Thanks again.

Fred

Offline marcelloc

Re: pfBlocker
« Reply #343 on: January 16, 2012, 05:26:47 am »
LAN has a default rule; you will see pfBlocker rules there if you apply the deny outbound action on your lists.

If you have no WAN rules, you do not need the deny inbound action on pfBlocker lists, as you are already blocking everything.

Offline fsavoir

Re: pfBlocker
« Reply #344 on: January 16, 2012, 05:30:23 am »
OK, maybe I didn't explain well enough... But pfBlocker never adds any rules in any tab (LAN, WAN, floating) of the firewall.
So even if I had one in floating... then turn on pfBlocker and add top country spammers... always a red down arrow :( and no rules anywhere.

So I think I'm missing something here :(

I even added a rule myself in the LAN... Still a red arrow.

Again thanks.

Fred
« Last Edit: January 16, 2012, 05:48:00 am by fsavoir »