[Guide] How to allow/block multi pfBlockerNG GeoIP lists in Pfsense


binhex


I didn't see many guides on this so thought I would write it up and post it on here, just in case anybody wants to do the same thing. Any questions, let me know!

 

How to use multi list pfBlockerNG GeoIP block/allow aliases for Pfsense
 

Description

So by default you cannot select multiple GeoIP blocklist aliases, such as 'pfB_NAmerica_v4' and 'pfB_Top_v4', in the Firewall/Rules section, thus it becomes tricky to allow access to, say, IP addresses from countries in the 'North America' GeoIP list and the 'Top 20' GeoIP list.
 

In order to get around this limitation we need to create a custom GeoIP list which combines multiple GeoIP lists into a single list. This is how you do it:-
 

1. Install pfBlockerNG
2. Go to 'Firewall/pfBlockerNG/GeoIP'
3. Select the countries from all the available lists, e.g. 'Top 20', 'North America' etc. NOTE: do NOT select countries to block; instead select the countries to allow.
4. Once selected go to 'Firewall/Aliases/All' to show a list of all available aliases, in there you should now see your newly selected lists with their alias names e.g.:-
 

pfB_NAmerica_v4        https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_NAmerica_v4        pfBlockerNG _v4 Country Alias
pfB_Top_v4            https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Top_v4            pfBlockerNG _v4 Country Alias

Make a note of the names of the lists and the URLs; we will need these later on to construct our merged list.
 

5. Go to 'Firewall/pfBlockerNG/IPV4' (or IPV6 if you are blocking/allowing IPv6 addresses)
6. Click on 'Add' and define an alias name, NOTE do NOT prefix the alias name with 'pfB' as this will be done for you.
7. Under the IPv4 list enter the URL from step 4 and set a header/label of the name of the list, e.g. 'pfB_NAmerica_v4'
8. Click 'Add' and repeat step 7 for the other list(s).
9. Select your list action to be 'alias permit' and define 'Frequency' for updating the list.
10. Click on save.
11. Go back to 'Firewall/Aliases/All' to show a list of all available aliases, in there you should now see your newly created custom ipv4 alias, e.g.:-

pfB_Multi_USUK        https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Multi_USUK        pfBlockerNG List Alias

12. Go to 'Firewall/Rules' and click on the rule you want to GeoIP block/allow. Under 'Source' set it to single host or alias and enter the name of the alias for the merged list, e.g. 'pfB_Multi_USUK'
13. Click on save and repeat for each rule that you want to GeoIP block/allow.
 

Troubleshooting
---------------

Q1. I am getting the following error message, what does it mean and how do I fix it?

There were error(s) loading the rules: /tmp/rules.debug:27: cannot define table pfB_Multi_USUK: Cannot allocate memory - The line in question reads [27]: table <pfB_Multi_USUK> persist file "/var/db/aliastables/pfB_Multi_USUK.txt"
 

A1. This is due to memory constraints on the system; you need to increase 'Firewall Maximum Table Entries' to allow for larger IP lists.

This is done by going to 'System/Advanced/Firewall & NAT' and then increasing the number of 'Firewall Maximum Table Entries' to something larger. Play around with this number until you stop receiving error messages (value depends on number of selected countries in the GeoIP lists).
 

Q2. I think I have created my new merged GeoIP alias, but I am still not blocked/allowed, what could be the cause?
 

A2. You may need to 'Force' the lists to be regenerated once you have created the new merged alias.

This is done by going to 'Firewall/pfBlockerNG/Update' and clicking on 'run'; monitor the output and check for A1 issues.
 

Edited by binhex
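The steps above are all done in the pfSense GUI. As an added example that is not from binhex's post or from pfBlockerNG itself, the following Python script mirrors offline what step 7 asks pfBlockerNG to do: it reads several list files, drops comments and malformed lines, collapses duplicate and overlapping networks into one merged table, and checks the resulting entry count against a 'Firewall Maximum Table Entries' value, which is the limit behind the 'Cannot allocate memory' error in A1. It assumes the list files are plain text with one IPv4 address or CIDR per line and '#' comments (an assumption; check the files under /var/db/aliastables on your own box); the two sample lists are constructed.

```python
"""Merge several GeoIP list files into one allow list and size the pf table.

Added example; not part of the forum post and not pfBlockerNG code.
Assumption: each list is plain text, one IPv4 address or CIDR per line,
'#' starts a comment.
"""
import ipaddress

# Constructed sample lists standing in for the pfB_NAmerica_v4 and
# pfB_Top_v4 exports named in step 4 (documentation ranges only).
SAMPLE_LISTS = {
    "pfB_NAmerica_v4": """# pfB_NAmerica_v4 (constructed sample)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
""",
    "pfB_Top_v4": """# pfB_Top_v4 (constructed sample)
198.51.100.0/24
192.0.2.0/24
192.0.2.77
not an address
""",
}


def parse_networks(text):
    """Parse one list; skip blank lines, comments and malformed entries."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts a bare host such as 192.0.2.77 as a /32.
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            # One bad line makes pf reject the whole table, so drop it here.
            continue
    return nets


def merge_lists(lists):
    """Union of all lists with duplicates and overlapping ranges collapsed."""
    all_nets = []
    for text in lists:
        all_nets.extend(parse_networks(text))
    # collapse_addresses merges adjacent /25s into a /24 and removes
    # networks already covered by a larger one; output is sorted.
    return list(ipaddress.collapse_addresses(all_nets))


def exceeds_table_limit(nets, max_table_entries):
    """True if this table alone would not fit in the configured limit.

    pf needs one table entry per network. Every other alias and pfBlockerNG
    table shares the same limit, so in practice the limit must be larger
    than this table's count.
    """
    return len(nets) > max_table_entries


def render_alias(nets):
    """Text in the one-entry-per-line form the alias file uses."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    merged = merge_lists(SAMPLE_LISTS.values())
    print(render_alias(merged), end="")
    print("entries:", len(merged))
    # Placeholder limit; read yours from System/Advanced/Firewall & NAT.
    print("fits in 400000 entries:", not exceeds_table_limit(merged, 400000))
```

Run it against the real files by replacing SAMPLE_LISTS with the contents of each exported alias; the entry count it prints is the number to compare against 'Firewall Maximum Table Entries' before pf has to tell you it cannot allocate the table.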

Hello Binhex,

 

Thanks for posting this and all the other work you do.

 

I'm having a problem getting it working so wanted to check I am doing it correctly. What I am trying to do is block all inbound traffic (I have some open ports) apart from the UK and a few specific IP addresses (Let's Encrypt renewal etc).

 

This is how I set it up using pfBlockerNG-devel and your post.

  • I created the GeoIP alias list for the UK with List Action Alias Native.
  • I then created a second alias with List Action Alias Native that has the first list plus whois settings for the other IPs I want to allow access.
  • I then created a firewall rule to block all IPs unless they are in the combined alias list.

The problem is that if I use the combined list it does not allow UK IPs to access the firewall. If I just use the UK IP alias then it works. I have tried a few things but cannot get it working so I'm using the rule with the UK only list for now.

 

Any tips you have would be very useful as I am not sure what to try next.

 

Regards,

 

Chris

 

 


Hello,

@binhex

Here is how I create an alias combining several GeoIP lists.

I simply use the already existing aliases. Like that:

[screenshot: alias built from the existing GeoIP aliases]

 

There is an auto-complete menu to add any country:

[screenshot: auto-complete menu for adding a country]

 

 

Then I update the feeds

 Updating: pfB_Authorized_Countries_v4
1 table created.21803 addresses added.

 

After that, I can use this alias in any rules.

 

Am I doing something wrong? Or maybe I misunderstood something. I'm pretty new to pfSense.

 

 

Edited by pee_bear