I’m currently moving from a whitebox pfsense installation to a Netgate 1537 firewall. Part of this upgrade includes bringing pfsense and it’s applications up to date, which means that I’m moving from pfblockerNG 2.1.4_26 to 3.2.0_6.
This has broken the way the IP whitelist implementation (Not set up by me, hasn’t been updated in years). The current implementation has a pfblocker alias at the top of my WAN interface rules:
Any time I needed to add an address I’d simply add it to the custom address list, run an update and everything was good. Apparently this no longer allowed in V3:
Due to the lack of documentation for pfblockerNG it’s unclear what the advanced inbound firewall rule settings do:
It seems like it’s wanting me to define a list of ports or destination IP addresses that the IP’s in my custom list will have access to. It seems silly to create an alias that includes all IP addresses, as I want any traffic coming from whitelisted IP’s to be able to access any destination IP and port. I get the feeling like I’ve strayed off the ‘best practice’ path. What are you guys doing for whitelisting IP addresses on your WAN interface? My firewall rule order is:
“| pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match | pfSense Block/Reject |”