    Blocked a Host but it still gets out??

pinoyboy

      Can someone clarify why this host is still able to connect outbound?

I have rules below that have LANNet outbound, but this host being blocked is at the top of those RULES.  This still occurs even after I rebooted pfSense.

Rezin

        Shouldn't the BlockedInternal alias be listed for the destination?

pinoyboy

No, because the origination is from the LAN as the screenshot shows.  Anything on the LAN that is within the BlockedInternal ALIAS, its traffic should be blocked.

doktornotor

            Huh, what? cds109.sat9.msecn.net and the bunch of IP addresses from totally different public network ranges is your LAN? I guess not. As said above, it's completely wrong, you got it the other way round.

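Added example (not part of the thread and not pfSense's own code): a small Python model of how pfSense evaluates the rules on an interface tab, to make the source/destination point above concrete. Rules on the LAN tab match traffic entering the LAN interface from LAN hosts, so the LAN host is the source and the outside address is the destination; rules are evaluated top to bottom and the first match wins (GUI rules are "quick"); disabled rules are skipped; traffic that matches no rule hits the implicit default deny. The alias contents, rule sets and addresses below are constructed assumptions, not the poster's configuration.

```python
import ipaddress

# Constructed aliases for illustration only (assumptions, not the thread's real config).
ALIASES = {
    "BlockedInternal": ["104.16.20.0/24", "93.184.216.34"],  # public ranges
    "LANnet": ["192.168.1.0/24"],
}


def expand(spec, aliases):
    """Turn a rule field ('any', an alias name, a CIDR or a bare IP) into networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    entries = aliases.get(spec, [spec])
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def contains(spec, addr, aliases):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in expand(spec, aliases))


def matches(rule, pkt, aliases):
    return (rule["enabled"]
            and rule["iface"] == pkt["iface"]
            and rule["proto"] in ("any", pkt["proto"])
            and contains(rule["src"], pkt["src"], aliases)
            and contains(rule["dst"], pkt["dst"], aliases))


def evaluate(rules, pkt, aliases=ALIASES):
    """Interface rules: top to bottom, first match wins (pfSense GUI rules are
    'quick'); disabled rules are skipped; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt, aliases):
            return rule["action"], rule["descr"]
    return "block", "default deny"


def rule(action, src, dst, enabled=True, descr="", iface="LAN", proto="any"):
    return dict(action=action, src=src, dst=dst, enabled=enabled,
                descr=descr, iface=iface, proto=proto)


# Traffic arriving on the LAN interface from the isolated host (constructed).
PKT = {"iface": "LAN", "proto": "tcp", "src": "192.168.1.151", "dst": "104.16.20.35"}

# Alias of public addresses placed in the SOURCE field: the LAN host is not in
# the alias, so the block never matches and the allow rule below passes the traffic.
ALIAS_AS_SOURCE = [
    rule("block", "BlockedInternal", "any", descr="block alias (source)"),
    rule("pass", "LANnet", "any", descr="Default allow LAN to any"),
]

# Same alias in the DESTINATION field: the first rule matches and the traffic is blocked.
ALIAS_AS_DEST = [
    rule("block", "LANnet", "BlockedInternal", descr="block alias (dest)"),
    rule("pass", "LANnet", "any", descr="Default allow LAN to any"),
]

# Explicit host IP at the top with the allow rule disabled: the block matches
# first, and anything else on the LAN falls through to the default deny.
EXPLICIT_IP = [
    rule("block", "192.168.1.151", "any", descr="block host"),
    rule("pass", "LANnet", "any", enabled=False, descr="Default allow LAN to any (disabled)"),
]

if __name__ == "__main__":
    for name, rules in [("alias as source", ALIAS_AS_SOURCE),
                        ("alias as dest", ALIAS_AS_DEST),
                        ("explicit ip", EXPLICIT_IP)]:
        print(f"{name:16} -> {evaluate(rules, PKT)}")
```

The model ignores floating rules, which pfSense evaluates before interface rules, and state: once a pass rule has created a state, later packets of that connection are matched by the state table, not by the rules, which is why a state reset (or a reboot, as the poster tried) is part of testing a new block rule.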
pinoyboy

Do you understand what I am asking?  I have isolated a single host on the network and no other PC or hosts are on this test subnet in this example.  In the RULES for the LAN, I said no outbound connection, period; however, as you can see traffic still gets out.  This particular PC had other connections to BR, AE, SG, and other domains.  What you see there is right after a reboot so it didn't show all of what I was initially seeing.  Try again with a helpful response instead of nonsense.  As you said above?  What, do you have multiple ALIASes DOK or are you schitzo - doktornotor-Rezin?

              Here are the other addresses I was seeing, and what I was referring to.

podilarius

                Do you have any rules in the floating that might allow the traffic? Also, check to see if you have state handling set to none.

pinoyboy

Podilarius, here are the rules I have currently for this network.  I am thinking it is completely ignoring the rules at times because of the rules below it.  On this network I am on 1.2.3, thus floating rules are not applicable.

                  Here's the blocked ALIAS

kejianshi

                    I'd have to see a few things to know why this is getting by.
                    For instance, If you have created an alias for it, I'd have to see the alias.
                    I'd have to then see the rule.

                    I'd be happier if you blocked it explicitly by IP vs alias for simplicity during testing.

doktornotor

                      @pinoyboy:

                      In the RULES for the LAN, I said no outbound connection period; however, as you can see traffic still gets out.

OMG, where did you say that? Outgoing LAN is permitted by default. You are trying to block outbound traffic FROM hosts that totally are NOT on your LAN to anywhere on your LAN interface, and are wondering why it does not work???  ::)

pinoyboy

Look at the first screenshot and post, that ALLOW ALL Outbound Rule - it is disabled… look at the screenshot again.  Stay off the topic if you can't follow or are slow.  Look at the very first post, it's grayed out... meaning it's not enabled.... ::) - I must repeat that for you dok or rez...

kejianshi

                          I'd be happier if you test first with the actual IP (check the IP on the machine you are trying to block with either ifconfig or ipconfig) to make sure you are trying to block the correct IP.  Yes - I'm sure you know all this, but I want to check all the little things.  Also, just to make everyone happy, move the rule right to the top, which is where it belongs anyway eventually.  Also, probably no need to get worked up.  No one profits.

pinoyboy

                            Thanks kejianshi, but in this test, it is the only host on this test subnet I created; pfSense and this one host.  No other host - just so I can isolate it.

JUST FYI:  When there are machines on the network we feel have malware, we completely remove them from the LAN and move them immediately to an isolated subnet / test network.  This is where we are now for this machine; by itself, isolated.  The pfSense in that subnet has the exact rules from production.

doktornotor

                              @pinoyboy:

                              Stay off the topic if you can't follow or are slow.

                              No, I'm not as much slow as slightly colorblind. Now, maybe you could post something useful other than the "established" screenshot which does NOT show the originating IP at all… Have a nice day, I'm out of this thread anyway.

kejianshi

Just because it's the only host doesn't mean the IP in your alias is correct.  That's what I'm asking you to check.  And in case there is some bug I'm unaware of in the "deactivate rule" function, that's why I asked to move it to the top…  And wanting the IP in the rule vs alias.

Trying to get as simple as possible in case of a bug I'm not aware of...  Not because I don't think your logic is sound.

And, as doktornotor says, it would be nice to see the originating IP also, just to be absolutely clear.

pinoyboy

                                  Ok, I removed ALIAS and just using straight IP and moved above the disabled ALLOW ALL OUT rule - above any and all rules.  Let's see what happens.

I should repeat that it is the only host with that IP of 192.168.1.151, and the only host on that test subnet… also shown in the above screenshot.

                                  UPDATE:  pfSense was rebooted and the results are the same with the changes I just mentioned.  I am looking at NTOP to see what connections are established.

kejianshi

                                    OK - Cool.

Try this.  Go to the machine that you say is making all those connections and ping all those IPs it's apparently connecting to.
                                    Then also ping some other IPs that should normally be contactable, like 8.8.8.8 and others like that.

                                    I'm interested to see if it actually connects to any of them.

kejianshi

                                      I have this theory that what you are seeing isn't actual connections, but connection attempts and that they are not getting through your firewall.  Is this the machine that is infected from earlier?

pinoyboy

Yes, the infected machine.   Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was nearly 1 GB of traffic.  It is initiating outside contact; I use COUNTRY BLOCK filters.  There are a lot of files (not important) on this PC, but it could also be something masquerading through HTTPS but HTOP doesn't see it or count it.  I know the quick fix which we do apply every time, re-image; however, I was just interested in how this particular malware issue is functioning.

doktornotor

                                          @pinoyboy:

Yes, the infected machine.   Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was nearly 1 GB of traffic.

Traffic where? On LAN? On WAN? Where are you detecting these connections? You are running something on the compromised machine's OS and trusting the output? Wow, that's a useless exercise.

kejianshi

If you have blocked this machine's IP explicitly and it has somehow cut through anyway, it's beyond me how that could happen.  That would be "BAD".  Is it possible that this machine is generating these files, "empty files" or perhaps big files full of screen grabs and keyboard hook grabs, and not actually downloading them but generating them itself?  I wouldn't worry too much about traffic on the LAN between that computer and pfSense.  I'd be really worried if I saw this traffic on the WAN.

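Added example (not from the thread, not pfSense's code): the check the last two posts point at, made concrete. Rather than trusting a tool running on the compromised OS, read the state table on the firewall itself with `pfctl -ss`. pf prints one line per state in the form `<iface> <proto> <src[:port]> [(<pre-NAT src>)] -> <dst[:port]> <state>`; a TCP state that is only `SYN_SENT:CLOSED` is an attempt the far side never answered, while a state on the WAN interface whose pre-NAT source (shown in parentheses) is the host and which reads `ESTABLISHED:ESTABLISHED` is evidence the traffic actually left. The sample output, the interface names (em1 as LAN, em0 as WAN), addresses and ports are constructed assumptions; pipe real output in to use it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `pfctl -ss` output in the FreeBSD/pfSense layout.
# Interface names (em1 = LAN, em0 = WAN), addresses and ports are assumptions.
SAMPLE_STATES = """\
em1 tcp 192.168.1.151:49201 -> 104.16.20.35:443       SYN_SENT:CLOSED
em1 tcp 192.168.1.151:49202 -> 104.16.20.35:443       SYN_SENT:CLOSED
em1 tcp 192.168.1.151:49210 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:49210 (192.168.1.151:49210) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.151:53791 -> 192.168.1.1:53       MULTIPLE:MULTIPLE
"""

# <iface> <proto> <src> [(<pre-NAT src>)] -> <dst> <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Parse outbound ('->') state lines; lines in other layouts are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        st = m.groupdict()
        # The address in parentheses is the pre-NAT (internal) source; without
        # NAT the source itself is the host.  IPv4 only: strip the ":port".
        st["host"] = (st["orig"] or st["src"]).rsplit(":", 1)[0]
        # TCP ESTABLISHED:ESTABLISHED or UDP MULTIPLE:MULTIPLE means both ends
        # have exchanged packets; SYN_SENT:CLOSED is an unanswered attempt.
        st["established"] = all(half in ("ESTABLISHED", "MULTIPLE")
                                for half in st["state"].split(":"))
        states.append(st)
    return states


def states_for_host(states, host):
    return [s for s in states if s["host"] == host]


def summarize(states, host):
    """Count attempts vs established states per interface for one source host."""
    counts = defaultdict(lambda: {"attempt": 0, "established": 0})
    for s in states_for_host(states, host):
        counts[s["iface"]]["established" if s["established"] else "attempt"] += 1
    return dict(counts)


def left_via_wan(states, host, wan_if):
    """Destinations with an established state on the WAN interface whose pre-NAT
    source is the host: the traffic went out, not just to the firewall itself."""
    return sorted({s["dst"] for s in states_for_host(states, host)
                   if s["iface"] == wan_if and s["established"]})


if __name__ == "__main__":
    # Usage on the firewall:  pfctl -ss | python3 states.py 192.168.1.151 em0
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.151"
    wan_if = sys.argv[2] if len(sys.argv) > 2 else "em0"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    states = parse_states(text)
    print("per interface:", summarize(states, host))
    print("reached via WAN:", left_via_wan(states, host, wan_if))
```

Note that the LAN-side UDP state to 192.168.1.1 in the sample is the host talking to the firewall (DNS), which is the kind of LAN traffic the post above says not to worry about; only the em0 entry shows the connection leaving. Running this on the firewall, or on `pfctl -ss` output copied from it, avoids the objection that the numbers come from the compromised machine.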
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.