duplicating pfblockerng features

Started by chrcoluk, January 11, 2018, 08:33:40 PM

Hi guys.

My friends have already migrated to opnsense from pfsense, and I agree with the reasons they migrated, so am looking to migrate myself also, but the showstopper for me at the moment is pfblockerng.

I use it for 2 purposes.

1 - To load up DNSBL lists in my firewall to reroute traffic to a blackhole http server that hosts an empty image.  I know I could probably get this working manually like I used to on asuswrt, but I would much prefer a simpler solution provided within opnsense somehow.
2 - To load up ASN lists for the purpose of classifying traffic.

Has anyone got a solution to these problems? thanks.
OPNsense 25.1


PFBlocker is definitely much better than OPNSense's GEOIP functionality.   The OPNSense solution is a machete while PFBlocker provides you with a full suite of knives from machete to scalpel.

Some features that I wish were included in the OPNSense GEOIP include:
(1) Being able to permit or deny from countries/regions on a protocol and port basis.  For example, with PFBlocker, I can rely on the "deny all" rule to block traffic but open up access to ports 22, 80, and 443 for TCP and port 1194 for UDP from IPs only originating in $MY_COUNTRY.  In contrast, OPNSense only allows me to deny all traffic or permit all traffic from $COUNTRY.
(2) Have separate GEOIP rules for inbound and outbound traffic.  It's a little bit easier to conceptualize and fine-tune your rules, especially if you have different sets of countries you want to include in your inbound and outbound lists (like I do).
(3) DNS Blacklisting and Blocking - PFBlocker does a pretty good job of filtering ads and other unwanted content at the network level.  However, there are ways to incorporate this into UnBound using blacklists.

Huh? Are you talking about Geo IP Filter as Alias table or in IPS? With Alias table you can achieve everything like in pfBlocker Geo IP

I guess there have been quite some misunderstandings of what's possible in OPNsense with regard to GEO support:

(1) Easy to do, create an alias for your selected countries and add a firewall rule using that alias.
(2) Same as (1) with floating rules if you want to select "direction"
(3) Likely also possible with an "url table" alias (for example using http://www.spamhaus.org/drop/drop.txt)

The "rerouting" functionality is probably a port forward to a local host and address, which should also be possible with aliases (and portforward rules).

We chose to incorporate the most important alias features in our core product instead of adding another plugin overlapping quite some functionality of what's already in there. Our 18.1 version will also incorporate a rewrite of the code behind the aliases (and support more frequent updates), but all described above has been in OPNsense for quite some time already (at least more than a year).


For custom aliases you can use an external type alias, which won't be touched by OPNsense and can be used in the firewall and nat rules. This is available as of 18.1.


What options are available to create aliases using ASNs?

In 18.1 you could add an "external" alias and fill the contents with a custom script (for example, use the one you already created).

Use the following command to load the table:

pfctl -t my_ext_alias -T replace -f list_of_aliases

Show the contents (also possible from the gui):

pfctl -t my_ext_alias -T show




For the DNSBL, you can try following this:

https://devinstechblog.com/block-ads-with-dns-in-opnsense/

I'm also researching the possibility of creating a version of the script in that post that will create external aliases as well.
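Since the thread's first use case is answering blocked names with the address of a local blackhole web server, here is an added example (not the script from the linked post, and not OPNsense's own DNSBL code) of turning a hosts-format blocklist into Unbound local data. It assumes the list has lines like "0.0.0.0 ads.example" and that the blackhole server that hosts the empty image is reachable at 192.0.2.1; both the list and the address are constructed for the example. The generated lines belong in a file included from Unbound's server: section.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist into Unbound local-zone/local-data
# lines that redirect each listed name (and its subdomains) to a local sink address.
# Assumptions (not from the thread): input lines "0.0.0.0 hostname", sink at 192.0.2.1.

# "redirect" answers the zone and everything below it from the local data, so
# a single entry also covers cdn1.ads.example, cdn2.ads.example and so on.
# "static" would return NXDOMAIN instead, which a blackhole image server cannot use.
hosts_to_unbound() {
    list_file="$1"; sink_ip="$2"
    sed -e 's/#.*$//' "$list_file" \
    | awk 'NF >= 2 { print tolower($2) }' \
    | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
    | grep -v -x 'localhost.localdomain' \
    | sort -u \
    | while read -r name; do
        printf 'local-zone: "%s" redirect\nlocal-data: "%s A %s"\n' "$name" "$name" "$sink_ip"
      done
}

# Number of names that survived validation; useful as a sanity check after a download
# (a sudden drop to zero usually means the upstream list format changed).
count_blocked_names() {
    hosts_to_unbound "$1" "$2" | grep -c '^local-zone:'
}

# Usage: hosts_to_unbound /path/to/hosts_blocklist.txt 192.0.2.1 > /path/to/unbound_dnsbl.conf
# then reference that file from the server: section and reload Unbound.
```

The hostname filter is deliberately strict: underscores, stray ports, and single-label names such as "localhost" are dropped rather than written into the Unbound configuration, because one malformed local-data line is enough to make Unbound refuse to reload.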

January 26, 2018, 07:34:46 AM #8 Last Edit: January 26, 2018, 07:36:54 AM by chrcoluk
Just a quick update, guys.

I am making a CLI system which will handle my needs in the short term. It will be shared here in the community when it's in a workable state; from that point I hope we can all progress it together and maybe add a GUI at some point as well.  I will post back when I have further news on this.

AdSchellevis yep my plan will be to utilise any existing opnsense features where they exist such as the alias tables.
OPNsense 25.1


Rather than go back and edit an earlier post, I will just post again and admit I was wrong.

It turns out that OPNsense does allow for pretty fine-grained control of ingress and egress GeoIP blocking using aliases.  The issue is the documentation and the fact that OPNsense provides two mechanisms for GeoIP filtering.  The documentation refers to the one built into the IDS/IPS system.  That one is rather underwhelming (and somewhat buggy for me).  The other is provided using PF aliases and is pretty feature-rich and flexible.  I like it a lot more than the one included in the IDS/IPS.  However, the system using aliases is discouraged in the documentation and its existence is not readily apparent from the table of contents.

I'm quite sure after the 18.1 release there will be a focus on updating the docs :) Thanks for your patience with GeoIP  8)

Ah, but if the docs are all correct then it spoils the voyage of discovery..  :P
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member


Here's the saying: if you need the docs you shouldn't be playing.

Read them, tell yourself they are all wrong and then ask someone.  8)
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member