pfBlockerNG and blocking the world

In your video on using pfBlockerNG with GeoIP to block countries from your firewall you block the world except the US. In the instructions on the GeoIP tab it says:
"It's also not recommended to block the “world”, instead consider rules to “Permit” traffic to/from selected Countries only.
Also consider protecting just the specific open WAN ports and it's just as important to protect the outbound LAN traffic."

Can you explain how this would be done and/or give an example of how to protect an open WAN port. Thanks, enjoy your videos.

I am blocking inbound, not outbound. Most of our work is inside the USA & Canada, so we allow inbound connections from those ranges. This is done to help reduce the attack surface from inbound connections to our self-hosted internal servers from those areas. We are not blocking outbound connections, as we visit sites that are in other countries.

So would it be better to just permit traffic from US and Canada and somehow protect the open ports?
"pfSense by default implicitly blocks all unsolicited inbound traffic to the WAN interface.
Therefore adding GeoIP based firewall rules to the WAN will not provide any benefit, unless there are open WAN ports."

Are you recommending for someone in the US with self-hosted servers behind a pfSense firewall to block all countries except US inbound to protect their servers on open ports? Sorry, I just find this confusing.

We have inbound ports open to servers we host, so we use it for inbound blocking. If you don't have any ports open, then it's not much of an enhancement.
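To make the two approaches discussed above concrete, here is an illustrative set of pf rules for a WAN interface. This is an added example written for this thread, not rules exported from pfSense or pfBlockerNG (pfSense generates its ruleset from the GUI, so the exact syntax differs). The interface name, the server address and the table name are assumptions.

```pf
# Illustrative pf rule logic for a WAN with one open port to a self-hosted server.
# Added example, not generated by pfSense or pfBlockerNG; names below are assumptions.
ext_if  = "em0"            # assumption: WAN interface name
web_srv = "192.0.2.10"     # assumption: internal server behind a port forward (documentation address)

# GeoIP allow list: hypothetical table name, imagined as populated by pfBlockerNG
# from the US and Canada country lists.
table <pfB_Permit_v4> persist

# Default deny: unsolicited inbound traffic on WAN is dropped whether or not any
# GeoIP list exists. A "block the world" list added here would block nothing extra.
block in log on $ext_if all

# "Permit" approach: only sources in the allow-listed countries may reach the
# single open WAN port. Everything else falls through to the default deny above.
pass in quick on $ext_if proto tcp from <pfB_Permit_v4> to $web_srv port 443 \
    flags S/SA keep state

# Outbound from the LAN is left open, matching the thread: users still browse
# sites hosted in any country.
pass out quick on $ext_if all keep state
```

The point the pfBlockerNG note is making shows up in the ordering: because the default action is already deny, a GeoIP rule only changes anything on the ports that have a `pass in` rule, and scoping that `pass` rule to an allow list of a few countries is a smaller, cheaper ruleset than a deny list that enumerates the rest of the world ahead of an unrestricted `pass`.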


Hi Tom, “coder-zero” from Belgium. First, “great roadmap”. My company has existed since 1997, and I want to give some inside advice on today's global BGP nodes. First, the firewall is useless, since the IP is not complete as the subnet (not mask but IANA) is not logged; also the so-called static IP runs outbound as well under a gateway, so what you see is useful only by doing a reverse lookup, then you get the ARP PTR. The domain inside is a DNS lookup record; the particular IP you talked about is a Comcast domain and was a DNS HTTPS attack, this is mostly due to a domain leak triggering a sniffer. What do you think of my setup: every inbound passes first a DNS who does an ARP resolving on the so-called IP knocking to connect; every false positive gets an automatic Postfix MX mail request to ack/nack on system level; if the IP is false then that IP creates a mail storm on his own system as it does a callback in a loop :) Since all those CA users forget the value as a CA, I set up in domains against themselves, so every domain runs a different CA that keeps the noise out of the system. (I coded my own TCP/IP library and webserver, so I have some low-level insight; yeah, and I'm Berkeley BSD :))) rgds, marc

I have a question similar to this in regards to the "It's also not recommended to block the “world”, instead consider rules to “Permit” traffic to/from selected Countries only." advice.

If I “Permit Both” and don’t select anything does it work as well/better/cleaner rule set than if I just did “Block Both” and selected all?