Unstoppable mIRC

GruensFroeschli

You did clear the state-table between your tests, didn't you?

LiquiD_85

Yes :(

jimp

I've tried with no results!!!

Also with only "block all" rules (in attachment) mIRC still connect, i can't belive!

Please post the output of:

pfctl -vvsr

And maybe the contents of /tmp/rules.debug for good measure.

Something must be adding a pass rule dynamically for it to be getting through. pfSense is default-deny, so unless you (or a package, or service) have added a rule to allow certain traffic, it won't get through.

It would also help to know what packages you have installed, and what version of pfSense you are using. If it's a snapshot, the time/date on the snapshot will be needed.

jigpe

Restarting you pf could help too.
jigp
Davao City

LiquiD_85

This is the pfctl -vvsr output:

webConfigurator
karonte.local

*
System
o Advanced
o Firmware
o General Setup
o Packages
o Setup wizard
o Static routes
*
Interfaces
o (assign)
o WAN
o LAN
*
Firewall
o Aliases
o NAT
o Rules
o Schedules
o Traffic Shaper
o Virtual IPs
*
Services
o Captive portal
o DNS forwarder
o DHCP relay
o DHCP server
o Dynamic DNS
o Load Balancer
o OLSR
o PPPoE Server
o RIP
o SNMP
o UPnP
o OpenNTPD
o Wake on LAN
o IMSpector
*
VPN
o IPsec
o OpenVPN
o PPTP
*
Status
o CARP (failover)
o DHCP leases
o Filter Reload Status
o Interfaces
o IPsec
o Load Balancer
o Package logs
o Queues
o RRD Graphs
o Services
o System
o System logs
o Traffic graph
o UPnP
*
Diagnostics
o ARP Tables
o Backup/Restore
o Command Prompt
o Edit File
o Factory defaults
o Halt system
o Ping
o Reboot system
o Routes
o States
o Traceroute
o Packet Capture

Diagnostics: Execute command

$ pfctl -vvsr
@0 scrub all random-id fragment reassemble
[ Evaluations: 10494 Packets: 10494 Bytes: 3110565 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@0 anchor "ftpsesame/" all
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@1 anchor "firewallrules" all
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@2 block drop quick proto tcp from any port = 0 to any
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@3 block drop quick proto tcp from any to any port = 0
[ Evaluations: 187 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@4 block drop quick proto udp from any port = 0 to any
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@5 block drop quick proto udp from any to any port = 0
[ Evaluations: 65 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@6 block drop quick from snort2c:0to any label "Block snort2c hosts"
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@7 block drop quick from any to snort2c:0label "Block snort2c hosts"
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@8 anchor "loopback" all
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@9 pass in quick on lo0 all flags S/SA keep state label "pass loopback"
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@10 pass out quick on lo0 all flags S/SA keep state label "pass loopback"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@11 anchor "packageearly" all
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@12 anchor "carp" all
[ Evaluations: 254 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@13 pass quick inet proto icmp from 192.168.1.2 to any keep state
[ Evaluations: 254 Packets: 5 Bytes: 420 States: 1 ]
[ Inserted: uid 0 pid 48891 ]
@14 anchor "dhcpserverlan" all
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@15 pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@16 pass in quick on em0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server on LAN"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@17 pass out quick on em0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
[ Evaluations: 55 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@18 block drop in quick on fxp0 inet proto udp from any port = bootps to 192.168.0.0/24 port = bootpc label "block dhcp client out wan"
[ Evaluations: 162 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@19 block drop in on ! em0 inet from 192.168.0.0/24 to any
[ Evaluations: 154 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@20 block drop in inet from 192.168.0.1 to any
[ Evaluations: 154 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@21 block drop in on em0 inet6 from fe80::219:99ff:fe49:2a6e to any
[ Evaluations: 150 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@22 anchor "spoofing" all
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@23 anchor "limitingesr" all
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@24 block drop in quick from virusprot:0to any label "virusprot overload table"
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@25 pass out quick on em0 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 253 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@26 pass out quick on fxp0 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 111 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@27 pass out quick on fxp0 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
[ Evaluations: 103 Packets: 1329 Bytes: 637044 States: 36 ]
[ Inserted: uid 0 pid 48891 ]
@28 anchor "firewallout" all
[ Evaluations: 154 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@29 pass out quick on fxp0 all flags S/SA keep state label "let out anything from firewall host itself"
[ Evaluations: 154 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@30 pass out quick on em0 all flags S/SA keep state label "let out anything from firewall host itself"
[ Evaluations: 142 Packets: 96 Bytes: 36494 States: 4 ]
[ Inserted: uid 0 pid 48891 ]
@31 pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@32 anchor "anti-lockout" all
[ Evaluations: 150 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@33 pass in quick on em0 inet from any to 192.168.0.1 flags S/SA keep state label "anti-lockout web rule"
[ Evaluations: 150 Packets: 28 Bytes: 4234 States: 8 ]
[ Inserted: uid 0 pid 48891 ]
@34 block drop in log quick proto tcp from sshlockout:0to any port = ssh label "sshlockout"
[ Evaluations: 136 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@35 anchor "ftpproxy" all
[ Evaluations: 136 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@36 anchor "pftpx/" all
[ Evaluations: 136 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@37 pass in quick on fxp0 reply-to (fxp0 192.168.1.1) inet proto tcp from any to 192.168.0.120 port = http flags S/SA keep state label "USER_RULE: NAT 80"
[ Evaluations: 136 Packets: 96 Bytes: 36494 States: 4 ]
[ Inserted: uid 0 pid 48891 ]
@38 pass in quick on fxp0 reply-to (fxp0 192.168.1.1) inet proto udp from any to 192.168.0.120 port = http keep state label "USER_RULE: NAT 80"
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@39 pass in quick on fxp0 reply-to (fxp0 192.168.1.1) inet proto tcp from any to 192.168.0.120 port = https flags S/SA keep state label "USER_RULE: NAT 443"
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@40 pass in quick on fxp0 reply-to (fxp0 192.168.1.1) inet proto tcp from any to 192.168.0.1 port = creativepartnr flags S/SA keep state label "USER_RULE: WEBCONFIGURATOR"
[ Evaluations: 7 Packets: 168 Bytes: 58699 States: 7 ]
[ Inserted: uid 0 pid 48891 ]
@41 block drop in quick on fxp0 reply-to (fxp0 192.168.1.1) inet all label "USER_RULE: Blocca tutto"
[ Evaluations: 1 Packets: 1 Bytes: 28 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@42 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = http flags S/SA keep state label "USER_RULE: HTTP"
[ Evaluations: 124 Packets: 1301 Bytes: 632810 States: 85 ]
[ Inserted: uid 0 pid 48891 ]
@43 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = https flags S/SA keep state label "USER_RULE: HTTPS"
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@44 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = domain flags S/SA keep state label "USER_RULE: DNS"
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@45 pass in quick on em0 inet proto udp from 192.168.0.0/24 to any port = domain keep state label "USER_RULE: DNS"
[ Evaluations: 37 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@46 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state label "USER_RULE: SMTP"
[ Evaluations: 39 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@47 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state label "USER_RULE: POP3/S"
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@48 pass in quick on em0 inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state label "USER_RULE: POP"
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@49 block drop in quick on em0 all label "USER_RULE: Blocca tutto LAN"
[ Evaluations: 39 Packets: 39 Bytes: 6661 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@50 pass in quick on em0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@51 pass in quick on em0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@52 pass in quick on fxp0 inet proto tcp from any port = ftp-data to (fxp0:1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@53 anchor "imspector" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@54 anchor "miniupnpd" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@55 block drop in quick all label "Default deny rule"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]
@56 block drop out quick all label "Default deny rule"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 48891 ]

Execute Shell command
Command:

Download
File to download:

Upload
File to upload:

PHP Execute
Command:

Example: interfaces_carp_bring_up_final();
pfSense is 2004-2008 BSD Perimeter LLC. All Rights Reserved. [view license]
[Commercial Support Available]</sshlockout:0></virusprot:0></snort2c:0></snort2c:0>

LiquiD_85

And this is the /tmp/rules.debug, thanks a lot:

System Aliases

loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ fxp0 }"
enc0 = "{ enc0 }"

User Aliases

set loginterface fxp0
set loginterface em0
set optimization normal

scrub all random-id fragment reassemble

nat-anchor "pftpx/"
nat-anchor "natearly/"
nat-anchor "natrules/*"

FTP proxy

rdr-anchor "pftpx/*"

Outbound NAT rules

nat on $wan from 192.168.0.0/24 port 500 to any port 500 -> (fxp0) port 500
nat on $wan from 192.168.0.0/24 port 5060 to any port 5060 -> (fxp0) port 5060
nat on $wan from 192.168.0.0/24 to any -> (fxp0)

#SSH Lockout Table
table <sshlockout>persist

Load balancing anchor - slbd updates

rdr-anchor "slb"

FTP Proxy/helper

table <vpns>{ }
no rdr on em0 proto tcp from any to <vpns>port 21
rdr on em0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

NAT Inbound Redirects

rdr on fxp0 proto { tcp udp } from any to 192.168.1.2 port { 80 } -> 192.168.0.120
rdr on fxp0 proto tcp from any to 192.168.1.2 port { 443 } -> 192.168.0.120
rdr on fxp0 proto tcp from any to 192.168.1.2 port { 455 } -> 192.168.0.1

IMSpector rdr anchor

rdr-anchor "imspector"

UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "firewallrules"

We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

snort2c

table <snort2c>persist
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

loopback

anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

package manager early specific hook

anchor "packageearly"

carp

anchor "carp"

permit wan interface to ping out (ping_hosts.sh)

pass quick proto icmp from 192.168.1.2 to any keep state

NAT Reflection rules

allow access to DHCP server on LAN

anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in quick on $wan proto udp from any port = 67 to 192.168.0.0/24 port = 68 label "block dhcp client out wan"

LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

antispoof for em0

anchor "spoofing"

Support for allow limiting of TCP connections by establishment rate

anchor "limitingesr"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"

let out anything from the firewall host itself and decrypted IPsec traffic

pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"

tcp.closed 5 is a workaround for load balancing, squid and a few other issues.

ticket (FEN-857512) in centipede tracker.

pass out quick on fxp0 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"

pass traffic from firewall -> out

anchor "firewallout"
pass out quick on fxp0 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"

make sure the user cannot lock himself out of the webGUI or SSH

anchor "anti-lockout"
pass in quick on em0 from any to 192.168.0.1 keep state label "anti-lockout web rule"

SSH lockout

block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"

anchor "ftpproxy"
anchor "pftpx/*"

User-defined aliases follow

User-defined rules follow

pass in quick on $wan reply-to (fxp0 192.168.1.1) proto { tcp udp } from any to { 192.168.0.120 } port = 80 keep state label "USER_RULE: NAT 80"
pass in quick on $wan reply-to (fxp0 192.168.1.1) proto tcp from any to { 192.168.0.120 } port = 443 keep state label "USER_RULE: NAT 443"
pass in quick on $wan reply-to (fxp0 192.168.1.1) proto tcp from any to { 192.168.0.1 } port = 455 keep state label "USER_RULE: WEBCONFIGURATOR"
block in quick on $wan reply-to (fxp0 192.168.1.1) from any to any label "USER_RULE: Blocca tutto"
pass in quick on $lan proto tcp from 192.168.0.0/24 to any port = 80 keep state label "USER_RULE: HTTP"
pass in quick on $lan proto tcp from 192.168.0.0/24 to any port = 443 keep state label "USER_RULE: HTTPS"
pass in quick on $lan proto { tcp udp } from 192.168.0.0/24 to any port = 53 keep state label "USER_RULE: DNS"
pass in quick on $lan proto tcp from 192.168.0.0/24 to any port = 25 keep state label "USER_RULE: SMTP"
pass in quick on $lan proto tcp from 192.168.0.0/24 to any port = 995 keep state label "USER_RULE: POP3/S"
pass in quick on $lan proto tcp from 192.168.0.0/24 to any port = 110 keep state label "USER_RULE: POP"
block in quick on $lan from any to any label "USER_RULE: Blocca tutto LAN"

VPN Rules

pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on fxp0 inet proto tcp from port 20 to (fxp0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

enable ftp-proxy

IMSpector

anchor "imspector"

uPnPd

anchor "miniupnpd"

#–-------------------------------------------------------------------------

default deny rules

#---------------------------------------------------------------------------
block in quick all label "Default deny rule"
block out quick all label "Default deny rule"</sshlockout></virusprot></virusprot></snort2c></snort2c></snort2c></vpns></vpns></sshlockout>

jimp

A couple notes: Your "block all" rules on LAN and WAN are not needed, as pfSense is default deny. They don't hurt anything, they're just redundant.

It should be blocking the traffic, unless I'm misreading something.

I don't see anything in there that would allow it to bypass, unless it's connecting via some sort of proxy on a port you're allowing.

You could try temporarily turning on logging on every rule, and then connect, and see if it shows up in the log. When it does, click the green ">" next to the rule on the log view and it will tell you which rule passed it.

LiquiD_85

@jimp:

A couple notes: Your "block all" rules on LAN and WAN are not needed, as pfSense is default deny. They don't hurt anything, they're just redundant.

It should be blocking the traffic, unless I'm misreading something.

I don't see anything in there that would allow it to bypass, unless it's connecting via some sort of proxy on a port you're allowing.

You could try temporarily turning on logging on every rule, and then connect, and see if it shows up in the log. When it does, click the green ">" next to the rule on the log view and it will tell you which rule passed it.

Yes i know that the "black all rules" are useless but with the log option i can solve a lot of problems seeing what pfsense is blocking or not!
I'll try logging my all rules, thanks a lot!

LiquiD_85

No rules logs the computer with the ip address that execute mIRC and i think that this user download illegal material from mIRC (divx games etc.) and i can't stop him, it's absurd!

GruensFroeschli

Did you wireshark to see where the traffic is destined to?
Are you certain, that there is no other gateway than the pfSense?

LiquiD_85

Yes the net is:

MCLINK Router (zxell prestige 600 series)
|
V
PFSENSE
|
V
SWITCH
|
V
ALL USERS

The router redirect all the traffic to pfsense, any protocol any ports etc. and pfsense manage all the traffic!

jimp

What happens if you do a traceroute from that machine to the server that it is connecting to? Does it really go through your pfSense box?

And have you tried a packet capture yet as GruensFroeschli suggested?

If nothing logged – even a pass -- then the most likely scenario is that it is not, in fact, routing through the pfSense box but some other way.

LiquiD_85

I'will do theese tries as soon as possible, and update this thread, thanks a lot to all!

LiquiD_85

I think that all traffic is destinated to pfsense because IMSPECTOR can detect if anyone use IRC protocols!!!

jigpe

you but not the gtalk..gtalk wont log in imspector :( anyone?

jigp
Davao City
1.2.2