Blocked a Host but it still gets out??

doktornotor · Jul 31, 2013, 2:40 PM

In the RULES for the LAN, I said no outbound connection period; however, as you can see traffic still gets out.

OMG, where did you say that? Outgoing LAN is permit by default. You are trying to block outbound traffic FROM hosts that totally are NOT on your LAN to anywhere on your LAN interface, and are wondering why it does not work??? ::)

pinoyboy · Jul 31, 2013, 2:46 PM

Look at first screenshot and post, that ALLOW ALL Outbound Rule - it is disabled…look at the screenshot again. Stay off the topic if you can't follow or are slow. Look at very first post, it's grayed out...meaning it's not enabled.... ::) - I must repeat that for you dok or rez...

kejianshi · Jul 31, 2013, 2:49 PM

I'd be happier if you test first with the actual IP (check the IP on the machine you are trying to block with either ifconfig or ipconfig) to make sure you are trying to block the correct IP. Yes - I'm sure you know all this, but I want to check all the little things. Also, just to make everyone happy, move the rule right to the top, which is where it belongs anyway eventually. Also, probably no need to get worked up. No one profits.

pinoyboy · Jul 31, 2013, 2:57 PM

Thanks kejianshi, but in this test, it is the only host on this test subnet I created; pfSense and this one host. No other host - just so I can isolate it.

JUST FYI: When there are machines on the network we feel has malware, we completely remove it from the LAN and move it immediately to isolated subnet / test network. this is where we are now for this machine; by itself isolated. The pfSense in that subnet has exact rules from production.

doktornotor · Jul 31, 2013, 2:57 PM

@pinoyboy:

Stay off the topic if you can't follow or are slow.

No, I'm not as much slow as slightly colorblind. Now, maybe you could post something useful other than the "established" screenshot which does NOT show the originating IP at all… Have a nice day, I'm out of this thread anyway.

kejianshi · Jul 31, 2013, 2:59 PM

Just because its the only host doesn't mean the IP in your alias is correct. Thats what I'm asking you to check. And in case there is some bug I'm unaware of in the "deactivate rule" function, thats why I asked to move to top… And wanting the IP in the rule vs alias.

Trying to get as simple as possible incase of bug I'm not aware of... Not because I don't think your logic is sound.

And, as doktornator says, it would be nice to see the originating IP also, just to be absolutely clear.

pinoyboy · Jul 31, 2013, 3:18 PM

Ok, I removed ALIAS and just using straight IP and moved above the disabled ALLOW ALL OUT rule - above any and all rules. Let's see what happens.

I should repeat that it is the only host with that IP of 192.168.1.151; and only host on that test subnet…also shown in above screenshot.

UPDATE: pfSense was rebooted and the results are the same with the changes I just mentioned. I am looking at NTOP to see what connections are established.

kejianshi · Jul 31, 2013, 3:20 PM

OK - Cool.

Try this. Go to the machine that you say is making all those connections and ping all those IPs its apparently connecting to.
Then also ping some other IPs that should normally be contactable, like 8.8.8.8 and others like that.

I'm interested to see if it actually connects to any of them.

kejianshi · Jul 31, 2013, 3:39 PM

I have this theory that what you are seeing isn't actual connections, but connection attempts and that they are not getting through your firewall. Is this the machine that is infected from earlier?

pinoyboy · Jul 31, 2013, 3:48 PM

Yes, the infected machine. Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was near 1 GB of traffic. It is initiating outside contact; I use COUNTRY BLOCK filters. There are a lot of files (not important) on this PC, but it could also be something masquerading through HTTPS but HTOP doesn't see it or count it. I know the quick fix which we do apply every time, re-image; however, I was just interested how this particular malware issue is functioning.

doktornotor · Jul 31, 2013, 3:50 PM

@pinoyboy:

Yes, the infected machine. Also thought that this would be the case, connection attempts; however, after leaving it on the other evening on the test network, the next day there was near 1 GB of traffic.

Traffic where? On LAN? On WAN? Where are you detecting these connections? You are running something on the compromised machine's OS and trusting the output? Wow, that's a piece of useless exercise.

kejianshi · Jul 31, 2013, 3:55 PM

If you have blocked this machine’s IP explicitly and it has somehow cut through anyway its beyond me how that could happen. That would be "BAD". Is it possible that this machine is generating these files "empty files" or perhaps big files full of screen grabs and keyboard hook grabs and not actually downloading them but generating them its self? I wouldn't worry too much about traffic on the LAN between that computer and pfsense. I'd be really worried if I saw this traffic on the WAN.

pinoyboy · Jul 31, 2013, 4:29 PM

dok / rez, I knew you couldn't keep off. Not only are you color blind, but you are schitzo with no sense of useful responses. Lay off thread since you provide no useful information. If you read the thread carefully, you would know the why for the test, and how error filled your comments were. You are useless to this thread and overall community.

kejianshi, thanks for trying to assist. Like I said, we always re-image anyow, but it was just an academic exercise.

kejianshi · Jul 31, 2013, 4:04 PM

Well - If I remember correctly this machine and perhaps others were ruining the reputation of your IP and using up your bandwidth, so I'd be analysing the hell out of also to make sure I didn't fall victim again. Did you ever figure out what exactly trojan/virus or intentional sabotage you were inflicted with?

pinoyboy · Jul 31, 2013, 4:29 PM

Running Symantec AV Enterprise did not see anything, offline/livecd of Dr. Web, AVG, and Avast did not turn anything up. Could be 0day that's not detectable yet by AV companies. As far as ruining IP, that's why we try and have proactive review of the network making sure there's no jump in traffic, or abnormal outbound/inbound traffic. Soon as we do, we isolate to review on test network.

kejianshi · Jul 31, 2013, 4:08 PM

Could be zero day - could be one of your employees trying to use your IP to make a little money on the side. Either is possible.

pinoyboy · Jul 31, 2013, 4:11 PM

Ha, this old lady doesn't even know where the Control Panel is in Windows.

kejianshi · Jul 31, 2013, 4:19 PM

So you think… But she is probably the notorious hacker "BlackWidow". (I totally made that up)
Yeah - I'd wipe it - I'm pretty sure pfsense is doing its job, but why take risks.

podilarius · Jul 31, 2013, 10:07 PM

I don't know if it was asked or if I missed it, but, did you check your state table to see if there are states being opened by this machine?

pinoyboy · Aug 1, 2013, 3:17 PM

Yes, it coincided with HTOP. At this point, it is closed issue since it has been reimaged. Thank you.