How to block ingress public static IP addresses?

I want to set a WAN firewall rule in pfSense to block ingress static public IP addresses. Is there a way to distinguish static from dynamic public IP addresses? I looked at pbl.spamhaus.org, but this is more for SMTP servers and not usable in a pfSense firewall rule, I think. Maybe there is an actively maintained (block)list with all dynamic or static IP address space that I can use for this?

I don’t know of any actively maintained list of them but if there was one it would probably be very large.

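Whatever list one eventually settles on (the thread does not name one), pfSense consumes it as a URL Table alias: a plain text file with one address or CIDR per line, which a block rule on WAN then references. As an added example, not code from pfSense or from anyone in this thread, the script below shows the preparation step such a feed needs before it is usable: dropping comments and malformed lines, collapsing overlapping and adjacent networks (which also addresses the size concern raised above), writing the alias file, and checking whether a given ingress source address would match. The address ranges are constructed documentation prefixes, not a real list of static or hosting space.

```python
"""Build a pfSense URL Table alias file from a raw CIDR/IP list.

Added example for this thread, not pfSense code and not a real feed: the
entries below are constructed to show the mechanics (parsing, de-duplication,
collapsing adjacent networks, and checking an ingress source address).
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample list: the kind of text a URL Table alias would fetch.
# Comments, blank lines, bare hosts and overlapping ranges are all typical.
RAW_LIST = """
# hosting-provider ranges (constructed for illustration)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.42          ; bare host, already inside the /24 above
2001:db8:abcd::/48
not-an-address
192.0.2.0/24
"""


def parse_entries(text: str) -> List[Network]:
    """Return valid networks from a list file, skipping comments and junk.

    Bare hosts become /32 or /128. Invalid lines are dropped rather than
    aborting the run: a single bad line in a fetched list must not empty
    the whole alias and silently un-block everything.
    """
    nets: List[Network] = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def collapse(nets: Iterable[Network]) -> List[Network]:
    """Merge overlapping and adjacent networks, separately per address family
    (ipaddress.collapse_addresses refuses mixed IPv4/IPv6 input)."""
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_alias(nets: Iterable[Network]) -> str:
    """One CIDR per line: the format a pfSense URL Table alias consumes."""
    return "\n".join(str(n) for n in nets) + "\n"


def is_listed(addr: str, nets: Iterable[Network]) -> bool:
    """Would this ingress source address hit a WAN block rule using the alias?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def build(text: str = RAW_LIST) -> List[Network]:
    """Parse and collapse a list in one step."""
    return collapse(parse_entries(text))


if __name__ == "__main__":
    parsed = parse_entries(RAW_LIST)
    merged = collapse(parsed)
    print(f"{len(parsed)} valid entries -> {len(merged)} after collapsing")
    print(render_alias(merged), end="")
    for src in ("203.0.113.200", "198.51.100.42", "192.0.2.9", "8.8.8.8"):
        print(src, "blocked" if is_listed(src, merged) else "allowed")
```

The output of `render_alias` is what you would serve over HTTP for the alias to fetch (or drop into a file alias); the block rule on WAN then uses the alias as its source. Collapsing matters for exactly the reason given above: a large, uncollapsed list costs pfSense table entries for every redundant row, while the collapsed form is the smallest equivalent set.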

Hmm, yes, that might be true. Didn't think of that, duh.
Thank you Tom!

Why do you want to allow connections from dynamic public IPs but block them from static IPs? I'm trying to understand the goal.

I have a few ports open on WAN (80, 443, etc.). I am not interested in ingress connections from static IP addresses, which are mostly hosting companies who want to advertise, or systems that want to practice their hacking knowledge on my network. It was just an experiment I wanted to test to see if it works for me. But just like Tom wrote, the list would probably be very large and eat away a lot of pfSense resources. It was just a wild idea, and I was also interested in whether it could be done.

I get your general logic: you are interested in connections from regular users, mostly at home. I'll just put out there that such an approach, even if the list were automatically updated and generally correct, would block things you probably do want (guests at hotels, other enthusiasts who have static IPs at home, anyone who uses a WISP or satellite provider that can't even give out public IPv4 addresses at all) and not block things you want blocked (hackers who intentionally use DHCP connections, botnets made of compromised home devices, IP-spoofing (D)DoS attacks).

All very true, and important to realize if the services I run were for production/public purposes; they are not. I have now blocked all countries except my own (NL) on my local Apache web server with the mod_geoip module. Everything is just experimental. I mostly personally know the visitors of my servers; I have them in a whitelist, but with dynamic IPs that doesn't work too well, and sometimes I want to open it up more for people I meet so they can connect to my Icecast server, for instance. And I was curious whether it could be done. So just playing and learning :wink: Still lots of useful information in your reply to think about, thank you for that!

The best way to protect your server would be to implement a remote-access VPN solution in front of it. This way your server isn't just sitting out there on the internet, available for people to play with. You could use certificate auth and MFA, which would guarantee they are allowed to access it.

I have an OpenVPN server running on my pfSense for private use. Giving visitors of my servers VPN access is not workable for me. Thank you for the suggestion.

I'm not very clear on what, exactly, you are trying to prevent, but we simply block all ports below 49152 and above 65535 on the WAN (any reply to an outgoing query will return on a "dynamic" port, which will always be between 49152 and 65535). We tell our "favored" clients that they need to use {a specific port, which is above 65535} to access our servers, and then they must have a username (which we assign), a password (which they can choose and change), and a timecode from Google Authenticator or a FIDO2 key, which we will happily provide.

We get hit numerous times every day with connection attempts from Russia on all the usual ports, and our Netgate firewall dutifully notes the attempts and rejects them. In our particular business we neither want nor accept connections to our corporate web site, largely because we only accept new clients by referral from an existing client. If we wanted a public web site, we would never host it on our servers.

All of that sounds good, except... there are no ports above 65535. At best it's getting mapped to some lower port number, via a method that may not work the same across various client systems (Windows vs. OSX, Firefox vs. Chrome).

Yup. My bad. That's what I get for trying to do too many tasks at the same time. Actually, we use two ports just below 65535: one for the corporate VPN and one for client HTTPS connections to a web server. Both of those are port forwarded to an appropriate address.