I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)

What it does is that it logs and blocks the third attempt and  it just blocks the 4.+  to avoid my logs are flodded.

iptables -A INPUT -p tcp –dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

That'd be okay.  I'd use them only for 1 or 2 OPT subnets.  And so far, no need for traffic shaping, since it's just for home.

But I continue leaning further toward the EPIA CL6000 with two LANs, even as we "speak".

Ok the squid works fine, Tranparent Mode and the portforwarding. But wenn I configure an other pfsense box, wich is the defaulf gateway in my lan, to forward every port 80 traffic (with the same portforwarding rule) to the squid pfsense box with an other PPPOE connection to the net it does not work. Something wrong in my mind?

@bushtor:

Will do ;-)

.. especially if you tell me where I can find the dhcp mac config file from the ipcop box shell.

Sorry, a typo :-(  Of course I meant 'the pfsense box shell'…

However I have located it ans solved the problem ;-)

Tor

Other solution:

enable remote syslog server at the pfsense and create a block rule with "log" enabled disable logging of default deny rule install syslog deamon at your client that sends you a mail on receiving this alert or plays a beep or a popup or whatever (depends on the tool you use) create a rule in the webgui for this connection to pass above the logging rule and disable it (you can quickenable/disable this rule by clicking the small pass icon in front of the rule and hitting apply)

It's not like a popup and only clicking an allow or deny button but might work depending on how often you need it.

i'm happy to hear that  :D

thanks a lot !

@rexster:

@sullrich:

DNSForwarder and friend already uses that.  This is at a different level.

(oot)
but there at least few thousands hosts in the list.
how can i make the update automatic?

Please un-hijack this thread and start a new one.  I really have no idea how we are now talking abotu DNS Forwarder in the ALIAS thread!

So it looks like by default, the ftp helper is enabled on all interfaces.  In order for LAN and WAN to access my ftp server in the DMZ, I had to disable the ftp helper on all interfaces, LAN, WAN, and DMZ.  As soon as I turned that off, all is well.

Download the config.xml and copy/paste your macs to the right part keeping the formatting of the xml intact. Then reupload it.

"Is dual wan compatible with FTP?
Short answer: no.

If you are trying to use the FTP proxy and DUAL wan or Load Balancing this will not work due to the fact that we have to redirect traffic to a userland proxy when the helpers are enabled.

However, the long answer is that you can utilize dual wan ftp if you use a 1:1 or port-forward the large port ranges required by the server which in most cases of newer ftp daemons is configurable."

ok  ;)… and how about the long answer?  ??? ???

I already use NAT 1:1, Passive FTP (port 55000-60000) and disable userland FTP-Proxy.
Download is slow, but upload is fine.

http://www.experts-exchange.com/Security/Q_20968914.html

Found the problem!!! It was were azureus was changing the upnp on the modem to go stright to the pc nic instead of through pfsense and then pfsense was loosing track of the ports and traffic as all out going traffice was going throug pfsense but incoming wasn't

Take a look at http://www.net-security.org/article.php?id=876

I fix the prob - Dummy mistake.
I forgot to make NAT -Outbound Rules on lan and opt1 for 192.168.1.0/24
X Advanced flag

the error was that the other machine was told on public net,  but route the packets  back on 192.168.1.0/24 iface directly to client and
not over the gw-adress.

Thanks.

Yeah, those are wrong.

at LAN:
block, proto any, source any, destination OPT1 subnet
block, proto any, source any, destination OPT2 subnet
pass, proto any, source lan subnet, destination any (default LAN to any)

at OPT1:
block, proto any, source any, destination LAN subnet
block, proto any, source any, destination OPT2 subnet
pass, proto any, source OPT1 subnet, destination any

at OPT2:
block, proto any, source any, destination LAN subnet
block, proto any, source any, destination OPT1 subnet
pass, proto any, source OPT2 subnet, destination any

You always block incoming traffic at an interface.

whatever works best for you  ;)

in youre rule you have
! mailserver
or do you have
!mailserver
???

!mailserver is correct
picture is not clear in this

no tried and same problem.

@althornin:

You are allowing "prod net rule allow any to any" - your firewall is doing exactly that!
change the rule to "allow any to !mgmt"….

Yes i know this, but id like to know can i map rules to interfaces. Eg. Packet flow
is something like this:

Packet in Int1 -> Check against int1 rules -> Packet routed to Int2 -> Check against Int2 rules.

If this is not posible i think i try to modify that Firewall: Rules page so that i cab see all my rules
in one page (like checkpoint). I think this way i can get more cleaner picture how my fw rules are checked.

Br,

Ville

Can't say that I have ever seen the need for this.  Can you explain why that option is only needed in you're case?