Firewall 'Auto' Rule Order for pfBlockerNG

Hi there,
I am configuring the pfBlockerNG firewall. In Firewall => pfBlockerNG => IP I find the Firewall 'Auto' Rule Order, which Tom in his thorough video leaves in its default mode. If I do that, the pfBlockerNG rules precede my pfSense ones on the WAN, and in the end I don't seem to be able to use OpenVPN or connect to my machines via SSH. I really haven't understood why yet, as I am connecting either from a legitimate mobile provider or my work network (a research institution). In any case, what if I place my own rules before those of pfBlockerNG? That seems to solve the issue, but I am wondering if this should not be done for some reason that escapes me.
Thank you in advance for any help!

Rules are processed from the top down and need to be in the correct order for what you are trying to achieve. Because pfSense drops by default, this usually means the pfBlocker rules go at the top to block "bad" IP ranges or GeoIP regions before your rules allow traffic to open ports. It would be less helpful to block traffic with a pfBlocker rule right before it is going to be dropped by default anyway. It would be a good idea to figure out what is blocking your traffic first, though.

If you need more granular control, you can build aliases with pfBlocker and create your own rules wherever you like that reference those aliases. To do this you just change the action in pfBlocker from Deny to Alias Deny for that list, then create a firewall rule to reject traffic to/from that alias. Make sense?
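To make the top-down, first-match behaviour in the answer above concrete, here is an added example in Python. It is illustrative code written for this page, not pfSense or pfBlockerNG code and not the poster's configuration. The alias names, rule names and prefixes are constructed, and the CIDRs are RFC 5737 documentation ranges standing in for real GeoIP lists.

```python
"""Top-down, first-match rule evaluation with default deny, as in pfSense.

Added illustration only: this is not pfSense or pfBlockerNG code. Alias names,
rule names and prefixes are constructed for the example; the CIDRs are RFC 5737
documentation ranges standing in for real GeoIP lists.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases in pfBlockerNG's naming style. A country GeoIP list holds
# every prefix assigned to that country, not only abusive ones, so your own
# ISP or employer can easily be in it.
ALIASES = {
    "pfB_TopSpammers_v4": ["198.51.100.0/24", "203.0.113.0/24"],  # stand-ins for FR, UK
    "pfB_Europe_v4": ["198.51.100.0/24"],                        # stand-in for FR
}

@dataclass
class Rule:
    name: str
    action: str                   # "pass", "block" or "reject"
    proto: str = "any"            # "tcp", "udp" or "any"
    src: str = "any"              # alias name, CIDR, or "any"
    dport: Optional[int] = None   # None matches every destination port

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int

def _src_matches(rule_src, ip):
    """True if the packet source is 'any', the given CIDR, or inside the alias."""
    if rule_src == "any":
        return True
    nets = ALIASES.get(rule_src, [rule_src])
    return any(ip in ipaddress.ip_network(n) for n in nets)

def evaluate(rules, pkt):
    """Return (action, rule_name) for the first matching rule; default deny."""
    ip = ipaddress.ip_address(pkt.src)
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if not _src_matches(r.src, ip):
            continue
        return r.action, r.name
    return "block", "default deny"

def lists_containing(ip):
    """Which aliases contain this source address? Check this before reordering."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in ALIASES.items()
                  if any(addr in ipaddress.ip_network(n) for n in nets))

# Constructed rules. PFB_AUTO is the kind of rule the 'Auto' rule order puts at
# the top of WAN; ALLOW_* stand for the poster's own OpenVPN and SSH rules.
PFB_AUTO = Rule("pfB_TopSpammers_v4 auto rule", "block", src="pfB_TopSpammers_v4")
ALLOW_VPN = Rule("Allow OpenVPN", "pass", proto="udp", dport=1194)
ALLOW_SSH = Rule("Allow SSH", "pass", proto="tcp", dport=22)

DEFAULT_ORDER = [PFB_AUTO, ALLOW_VPN, ALLOW_SSH]   # pfBlocker rules first (default)
USER_FIRST = [ALLOW_VPN, ALLOW_SSH, PFB_AUTO]      # the workaround from the question

if __name__ == "__main__":
    work = Packet("198.51.100.7", "udp", 1194)   # constructed: a source inside the lists
    print("source is in:", lists_containing(work.src))
    print("default order:", evaluate(DEFAULT_ORDER, work))
    print("user rules first:", evaluate(USER_FIRST, work))
    print("user rules first, other port:", evaluate(USER_FIRST, Packet(work.src, "tcp", 3389)))
```

Running it shows both halves of the trade-off: with the pfBlocker rule on top, a source that sits inside a GeoIP list is blocked before the OpenVPN pass rule is ever reached; with the user's rules moved above it, OpenVPN and SSH work again but those two ports are now exempt from the list entirely, while every other port is still covered by the pfBlocker rule and the default deny. `lists_containing` is the "find out what is blocking you first" step: run it against the address you are connecting from before moving any rules.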

Thank you for the answer. Actually, after purging and reinstalling pfBlockerNG in default mode, I figured out that the GeoIP lists of Top Spammers and of Europe spammers blocked my connections from work, from my mobile provider and also from a Google Cloud VM I have located in the UK. The IPs I used in France and the UK seemed to be contained in those lists and are blocked. I just disabled the GeoIP block, but kept all the rest of the IP and DNS blocking. I am wondering if I am the only one to have that problem.

You can edit the Top Spammers list and not select all of them. If you block all of those countries you are going to have trouble. This is normal and what BBcan177 means when he says at the top of the list that "it's not recommended to block the 'world'".

Funny story... do you know which country sends the most spam and will break everything if you block it? USA. Some USA datacenters that link to other countries (Amazon on the east coast has a direct connection to Brazil, for example) will come up as both countries and as such be blocked if you block either of those countries. I figured that out the hard way.

Edit: UK and France are both on the Top Spammers list. This isn't bad IPs in those countries, it's all of them.

To build on my previous post, if you want some advice about GeoIP blocking I would start here: The Spamhaus Project - The Top 10 Most Abused TLDs

I block all of those top-level domains (TLDs) in DNSBL > TLD Blacklist/Whitelist, plus .cn and .ru. I check back monthly and update the list, and when I do I take a long look at the bot lists (because I don't host an email server, spam lists don't help me). I use that information to build my list of GeoIP regions to block, plus China so I can see devices trying to call home because everything is made there, and Russia because nothing should ever go there.

Next, look at your resource consumption on pfSense and do the whole GeoIP thing in reverse, blocking by default and allowing just the regions you need, and see which comes out better. I found that blocking a few bad places is less maintenance and good enough for home and SMB, but if I were paid to manage a big corporate firewall (a high-value target) I would certainly block by default. Have fun!

I will follow your advice. I will block only a few countries (such as China, Russia, etc.) and open the rest. I am already blocking TLDs in DNSBL, an action that seems effective and doesn't have any adverse effects.

All of them?? I totally misunderstood the scope of the pfBlockerNG lists! I thought only the bad ones were included! Now I understand why they block me. Thanks!