
pfBlockerNG and Whitelisting Internal Source Addresses – pfSense

This article explains a method of whitelisting one or more devices on your internal network so that pfBlockerNG doesn’t block those devices/servers due to any configured restrictions. For example, you might block a country using pfBlockerNG’s GeoIP filtering, but you may need one of your internal devices to be able to connect to services in that blocked country.

This article is focused on IP restrictions, not DNS. The pfBlockerNG DNS filtering is separate.

I’ve had no luck using the pfBlockerNG built-in whitelisting features, so my work-around is to use a “floating” firewall rule. I was not able to use a traditional interface rule because pfBlockerNG re-orders those when it runs its update process. pfBlockerNG does not alter the floating rules, however (unless you specifically configure it to do so).

The limitation of the whitelisting method that pfBlockerNG recommends is that the whitelisted IP addresses end up as the destination rather than the source. I’m happy to be corrected on this in the comments.

Here are the results of the pfBlockerNG rules on the LAN interface blocking outbound connections:

Here’s the floating rule that ensures “some” devices/servers can still reach resources in the blocked regions. In this case we’re using an “alias” for the whitelisted devices/servers, but that’s up to you.

The details of the above rule are below:

Tip: Be as specific as possible about the protocol, the direction and (where possible) the destination.
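To show why the floating rule works where an interface rule does not, here is a small Python model of pfSense's rule evaluation order. It is an added example, not code from the article or from pfSense/pfBlockerNG. It models what pfSense documents: floating rules are evaluated before interface rules, interface rules are first-match, and a floating rule only terminates evaluation when its "Quick" option is set, otherwise a later matching rule can override it. The alias names (`Whitelisted_Hosts`, `pfB_BlockedCountry_v4`), the addresses and the blocked range are constructed for the demo, and `pfblockerng_reorder` is a stand-in for pfBlockerNG's re-ordering of interface rules on update.

```python
"""Model of pfSense floating vs. interface rule evaluation (added example).

Constructed data only: alias contents and addresses are not real deployments.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed aliases: a stand-in for a pfBlockerNG GeoIP alias (TEST-NET-3)
# and the hypothetical whitelist alias of internal source hosts.
ALIASES = {
    "pfB_BlockedCountry_v4": ["203.0.113.0/24"],
    "Whitelisted_Hosts": ["192.168.1.10", "192.168.1.20"],
}


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    floating: bool = False
    quick: bool = False         # only meaningful for floating rules
    interface: str = "lan"
    direction: str = "in"       # "in", "out" or "any"; LAN hosts enter on "in"
    src: Optional[str] = None   # alias name, None means any
    dst: Optional[str] = None


def in_alias(ip: str, alias: Optional[str]) -> bool:
    """True if ip is covered by the alias (or the rule has no restriction)."""
    if alias is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.interface == pkt["iface"]
            and rule.direction in ("any", pkt["dir"])
            and in_alias(pkt["src"], rule.src)
            and in_alias(pkt["dst"], rule.dst))


def evaluate(floating: list, interface: list, pkt: dict) -> tuple:
    """Floating rules first, then interface rules.

    Interface rules are first-match. A floating rule ends evaluation only if
    it is quick; otherwise a later matching rule overrides it. Default deny.
    """
    verdict, decided_by = "block", "default deny"
    for rule in floating + interface:
        if not matches(rule, pkt):
            continue
        verdict, decided_by = rule.action, rule.name
        if rule.quick or not rule.floating:
            break
    return verdict, decided_by


def pfblockerng_reorder(rules: list) -> list:
    """Stand-in for pfBlockerNG moving its auto rules to the top of the
    interface tab on update. Floating rules are never passed through here."""
    pfb = [r for r in rules if r.name.startswith("pfB_")]
    return pfb + [r for r in rules if not r.name.startswith("pfB_")]


def build_rules(quick: bool = True) -> tuple:
    floating = [Rule("Whitelist hosts to blocked regions", "pass", floating=True,
                     quick=quick, interface="lan", direction="in",
                     src="Whitelisted_Hosts", dst="pfB_BlockedCountry_v4")]
    interface = [
        Rule("Default allow LAN to any", "pass"),
        Rule("pfB_BlockedCountry_v4 auto rule", "block", dst="pfB_BlockedCountry_v4"),
    ]
    return floating, pfblockerng_reorder(interface)


def verdict_for(src: str, dst: str = "203.0.113.5", quick: bool = True) -> tuple:
    """Verdict for a LAN host src talking to dst, with the floating rule
    configured quick or not."""
    floating, interface = build_rules(quick)
    pkt = {"iface": "lan", "dir": "in", "src": src, "dst": dst}
    return evaluate(floating, interface, pkt)


if __name__ == "__main__":
    for src, quick in (("192.168.1.10", True), ("192.168.1.50", True),
                       ("192.168.1.10", False)):
        print(src, "quick" if quick else "not quick", "->", verdict_for(src, quick=quick))
```

The third case is the caveat worth checking on your own firewall: with "Quick" left unchecked, the floating pass rule matches first but the pfBlockerNG block rule on the LAN tab still wins, so the whitelist silently does nothing.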
