pfBlockerNG and blocking the world

In your video on using pfBlockerNG with GeoIP to block countries from your firewall you block the world except the US. In the instruction on the GeoIP tab it says:
Its also not recommended to block the “world”, instead consider rules to “Permit” traffic to/from selected Countries only.
Also consider protecting just the specific open WAN ports and its just as important to protect the outbound LAN traffic.

Can you explain how this would be done and/or give an example of how to protect an open WAN port? Thanks, enjoy your videos.

I am blocking inbound, not outbound. Most of our work is inside the USA & Canada, so we allow inbound connections from those ranges. This is done to help reduce the attack surface from inbound connections to our self-hosted internal servers from those areas. We are not blocking outbound connections, as we visit sites that are in other countries.


So would it be better to just permit traffic from the US and Canada and somehow protect the open ports?

"pfSense by default implicitly blocks all unsolicited inbound traffic to the WAN interface. Therefore adding GeoIP based firewall rules to the WAN will not provide any benefit, unless there are open WAN ports."

Are you recommending that someone in the US with self-hosted servers behind a pfSense firewall block all countries except the US inbound to protect their servers on open ports? Sorry, I just find this confusing.

We have inbound ports open to servers we host, so we use it for inbound blocking. If you don't have any ports open, then it's not much of an enhancement.


Hi Tom, "coder-zero" from Belgium. First, "great roadmap"; my company has been around since 1997, and I wanna give some inside advice on today's Global BGB nodes. As a first point, the firewall is useless, since the IP is not complete as the subnet (not the mask but the IANA) is not logged; also the so-called static IP runs outbound as well under a gateway, so what you see is useful only by doing a reverse lookup, then you get the ARP PTR; the domain inside is a DNS lookup record. The particular IP you talked about is a Comcast domain and was a DNS HTTPS attack; this is mostly due to a domain leak triggering a sniffer. What do you think of my setup: every inbound passes first a DNS that does an ARP resolving on the so-called IP knocking to connect; every false positive gets an automatic Postfix MX mail request to acknack on system level; if the IP is false, then that IP creates a mail storm created on its own system, as it does a callback in a loop :) Since all those CA users forget the value of a CA, I set up in domains against themselves, so every domain runs a different CA that keeps the noise out of the system (I coded my own TCP/IP library and web server), so I have some low-level insight (yeah, and I'm Berkeley BSD :))). Rgds, Marc

I have a question similar to this in regards to the "It's also not recommended to block the 'world', instead consider rules to 'Permit' traffic to/from selected Countries only." advice.

If I "Permit Both" and don't select anything, does it work as well/better/as a cleaner rule set than if I just did "Block Both" and selected all?

I have the same doubts. I'm a little bit confused with the GeoIP config. For example: if I want to deny inbound connections from many countries but permit only 2 or 3, I think I need to set the rule to Deny Inbound and select on the list all the countries that I want to block, and leave the countries that I want to permit unselected? Am I right?

Yes, create a deny rule for the locations to deny, with those places selected. Worth noting pfSense denies all inbound traffic by default, so this is only useful if you have ports open; if you don't, then it's redundant.
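To make the difference between the two rule styles concrete, here is an added example that is not from this thread or from pfBlockerNG itself. It is a small first-match rule evaluator (pfSense processes interface rules top-down, first match wins, and anything unmatched on WAN hits the implicit default deny). The country-to-prefix table is a constructed, hypothetical mapping built from documentation address ranges, not real GeoIP data, and the rule names and the `Rule`/`evaluate` helpers are this example's own, not pfBlockerNG's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed stand-in GeoIP table (RFC 5737 documentation ranges).
# Hypothetical mapping for the demo only; these are not real country allocations.
GEOIP_TABLE: Dict[str, list] = {
    "US": [ip_network("203.0.113.0/24")],
    "CA": [ip_network("198.51.100.0/24")],
    "XX": [ip_network("192.0.2.0/24")],   # stands in for "everywhere else"
}


def country_of(src_ip: str) -> Optional[str]:
    """Map a source address to a country code, or None if no alias covers it."""
    addr = ip_address(src_ip)
    for cc, nets in GEOIP_TABLE.items():
        if any(addr in net for net in nets):
            return cc
    return None


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    countries: Optional[Set[str]]  # None = any source (no GeoIP alias attached)
    dport: Optional[int]           # None = any destination port


def evaluate(rules: List[Rule], src_ip: str, dport: int) -> str:
    """First-match evaluation of WAN rules, then the implicit default deny."""
    cc = country_of(src_ip)
    for rule in rules:
        if rule.countries is not None and cc not in rule.countries:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"  # nothing matched: the default deny on WAN drops it


OPEN_PORT = 443  # hypothetical self-hosted HTTPS service behind the firewall

# Style 1 (what the GeoIP tab text advises): permit selected countries only.
PERMIT_SELECTED = [Rule("pass", {"US", "CA"}, OPEN_PORT)]
# Style 2: block selected countries first, then open the port to everyone else.
DENY_SELECTED = [Rule("block", {"XX"}, None), Rule("pass", None, OPEN_PORT)]
# Style 3: a GeoIP block rule on WAN with no port opened at all.
GEOIP_NO_OPEN_PORTS = [Rule("block", {"XX"}, None)]


def compare(src_ip: str, dport: int = OPEN_PORT) -> Dict[str, str]:
    """Verdict of each rule style for one inbound packet on WAN."""
    return {
        "permit_selected": evaluate(PERMIT_SELECTED, src_ip, dport),
        "deny_selected": evaluate(DENY_SELECTED, src_ip, dport),
        "geoip_no_open_ports": evaluate(GEOIP_NO_OPEN_PORTS, src_ip, dport),
        "no_rules_at_all": evaluate([], src_ip, dport),
    }


if __name__ == "__main__":
    # 100.64.0.10 is deliberately absent from the table: an unmapped source.
    for ip in ("203.0.113.10", "198.51.100.10", "192.0.2.10", "100.64.0.10"):
        print(f"{ip:>14} ({country_of(ip) or 'unmapped'}): {compare(ip)}")
```

Two things fall out of running it. First, `geoip_no_open_ports` and `no_rules_at_all` give the same verdict for every source, which is the "redundant without open ports" point above. Second, a source that no country alias covers (the unmapped address) is dropped by the permit-selected style but reaches the open port under the deny-selected style, because the deny list never matched it; the permit style fails closed, which is why the permit wording is the cleaner rule set.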

Yep, I agree that using GeoIP for blocking is redundant if you don't have any ports opened. WireGuard and OpenVPN aren't affected, since they require certs for it to work and it gets ignored by port scanners.

I do have my self-hosted Nextcloud instance running, but at a very high port number in the 61000 range due to my ISP blocking port 443 for HTTPS. It gave me an advantage in that most port scanners don't scan past 2000 anyway. I rarely see anything get scanned at the open port I am using. I also use fail2ban inside Nextcloud, and it's going through HAProxy on pfSense.

I use Pi-hole and am starting to get the hang of pfBlocker, so I will be dropping Pi-hole soon.

Although it makes me wonder if I don't need Suricata, since pfBlocker blocks known malicious / virus websites anyway?