Netgate Discussion Forum

    Filtering 'unconventional' IPs

      linuxha

      New to this level of pfSense but I was reading a story called:
      https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html

      Basically the criminals are using unconventional IP formats (the caret thing is a new one for me) to get around filters. Do we need to do anything with our rules to stop this?

        NogBadTheBad @linuxha

        @linuxha IP addresses as hex and octal have always been a thing.

        Nothing to worry about firewall wise.

        andyk@mac-pro ~ % ping 0xac10020a
        PING 0xac10020a (172.16.2.10): 56 data bytes
        64 bytes from 172.16.2.10: icmp_seq=0 ttl=64 time=5.888 ms
        64 bytes from 172.16.2.10: icmp_seq=1 ttl=64 time=2.099 ms
        64 bytes from 172.16.2.10: icmp_seq=2 ttl=64 time=2.524 ms
        ^C
        --- 0xac10020a ping statistics ---
        3 packets transmitted, 3 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 2.099/3.504/5.888/1.695 ms
        andyk@mac-pro ~ %

        It's still partly in some operating systems.

        andyk@mac-pro ~ % ifconfig en0
        en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
        ether 00:3e:e1:c1:af:07
        inet6 fe80::1035:7c19:92f3:40e4%en0 prefixlen 64 secured scopeid 0x4
        inet 172.16.2.20 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 xxxx:xxxx:xxxx:xxxx::14 prefixlen 64 dynamic
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
        status: active
        andyk@mac-pro ~ %

        People just need to be aware of the other formats an IP address can take.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          johnpoz LAYER 8 Global Moderator @linuxha

          @linuxha said in Filtering 'unconventional' IPs:

          to get around filters.

          That doesn't really get around a firewall rule that is IP based; it's still an IP no matter how it's presented to the application or OS. When it goes over the network it would be in the typical 1.2.3.4 etc.

          That might confuse a user in seeing what the IP is, or from some software that limits based on some sort of rule that would trigger off your typical URL sort of thing. Obscuring or trying to obscure a URL or URI from user knowing what it really is nothing new ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
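
Added example, not part of any poster's reply and not pfSense code: a sketch of why a URL or string based rule can miss a hex or octal host while the address on the wire stays the same, and how normalizing the host first closes that gap. `BLOCKED` and all function names are hypothetical; the sample address is the one from the ping output earlier in the thread.

```python
from urllib.parse import urlsplit

# Constructed blocklist; the address is the one from the ping output in the thread.
BLOCKED = {"172.16.2.10"}

def parse_part(text):
    """One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        digits, base, valid = t[2:], 16, "0123456789abcdef"
    elif len(t) > 1 and t.startswith("0"):
        digits, base, valid = t[1:], 8, "01234567"
    else:
        digits, base, valid = t, 10, "0123456789"
    if not digits or any(c not in valid for c in digits):
        return None
    return int(digits, base)

def canonical_ipv4(host):
    """Dotted-decimal form of a 1- to 4-part numeric IPv4 host, or None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading parts are one byte each; the last part fills all remaining bytes.
    *head, tail = values
    if any(v > 0xFF for v in head) or tail >= 256 ** (4 - len(head)):
        return None
    addr = tail
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def naive_match(url):
    """String comparison of the URL host against the blocklist."""
    return (urlsplit(url).hostname or "") in BLOCKED

def normalized_match(url):
    """Same comparison after rewriting numeric hosts to dotted-decimal."""
    host = urlsplit(url).hostname or ""
    return (canonical_ipv4(host) or host) in BLOCKED

if __name__ == "__main__":
    for url in ("http://172.16.2.10/", "http://0xac10020a/", "http://0254.020.02.012/"):
        print(url, naive_match(url), normalized_match(url))
```

The same normalization applies to proxy or log review: canonicalize the host field before comparing it with an address list.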

            linuxha @johnpoz

            @johnpoz, correct, IP based is not a problem. But URL based might break. I'm not sure if there is a URL based filter on the base pfSense (still learning).

              johnpoz LAYER 8 Global Moderator @linuxha

              @linuxha said in Filtering 'unconventional' IPs:

              I'm not sure if there is a URL based filter on the base pfSense (still learning).

              There is no URL filtering; unless you have set up a proxy it wouldn't come into play.

                linuxha @johnpoz

                @johnpoz Thanks, no proxy yet. :-) Eventually I'll get there.

                  johnpoz LAYER 8 Global Moderator @linuxha

                  @linuxha said in Filtering 'unconventional' IPs:

                  Eventually I'll get there.

                  I wouldn't be in any rush - there is little use for it in how modern web works, etc. ;) Unless you have some teenage boys or something you're trying to filter with a proxy from p0rn ;)

                    linuxha @johnpoz

                    @johnpoz hehe, only my friends and my home systems (Home Automation). My friends know better than to go looking for Pron on my systems, they've been redirected to some of the more 'interesting' sites. ;-) They still can't unsee that.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.