Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense not blocking attacker (FIXED)

    Scheduled Pinned Locked Moved General pfSense Questions
    35 Posts 10 Posters 5.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      staroflaw
      last edited by

      Hi

      I am running v2.1.5
      I have had some problems with an attacker. They keep running a Denial-of-service attack against my web server.
      I installed pfBlocker and configured it like the documents say. Added the IP address in the List CIDR 80.82.XX.XXX but still the attack continues.

      I have had a look under Rules/WAN > BLOCK ANY from WAN alias. All setup fine.

      I have blocked him at the web server for the moment. but it is filling my web server logs up.
      Would love some help to stop this attacker.

      Thanks

      Star.

      1 Reply Last reply Reply Quote 0
      • J
        jasonlitka
        last edited by

        We're going to need some pictures.

        I can break anything.

        1 Reply Last reply Reply Quote 0
        • KOMK
          KOM
          last edited by

          You have no control over traffic hitting your WAN interface, and a firewall will not stop a DDoS.  It's not a magic bullet.  If it could stop DDoS, then DDoS wouldn't be a problem for anyone anymore.  Just have your firewall drop their packets as you've already done.  If your interface is overwhelmed by the traffic then there isn't much you can do about it.  As for your web server logs, that's a question for an Apache/nginx forum.

          1 Reply Last reply Reply Quote 0
          • S
            staroflaw
            last edited by

            Just have your firewall drop their packets as you've already done.

            That's the problem, it is not dropping the packets! There traffic is still entering the WAN interface to the LAN > Webserver. despite adding the RULE.

            and a firewall will not stop a DDoS

            That's why I am trying to block the IP address the traffic is coming from.

            Thanks

            Star.

            1 Reply Last reply Reply Quote 0
            • KOMK
              KOM
              last edited by

              I thought you were trying to block them from hitting the WAN, which isn't possible.  The problem with using a country list is that the list is not perfect, and if it is really a DDoS then it's very likely that you will be hit by IP addresses from all over the world.  You could stick with pfblocker and also add an alias for IP addresses not being blocked, and block that alias too.

              1 Reply Last reply Reply Quote 0
              • S
                staroflaw
                last edited by

                Ok, As a test I have blocked my friends IP address.

                This is my settings. Under Rules > WAN I added this.

                But he can still access the web/FTP/Comms server's. What am I doing wrong?

                1 Reply Last reply Reply Quote 0
                • C
                  cmb
                  last edited by

                  Probably wrong rule order, block must come above any pass rules that'd match.

                  1 Reply Last reply Reply Quote 0
                  • S
                    staroflaw
                    last edited by

                    Should it not work here?  its Block Test

                    Thanks

                    star.

                    1 Reply Last reply Reply Quote 0
                    • C
                      cmb
                      last edited by

                      Assuming traffic is coming in on WAN, and you have no interface groups or floating rules, yes. There is no rule allowing web access on WAN, so guessing that must be coming in via a VPN or some other Internet connection.

                      1 Reply Last reply Reply Quote 0
                      • S
                        staroflaw
                        last edited by

                        Yes traffic is coming in on WAN

                        Floating > No floating rules are currently defined.
                        WAN >

                        Torguard / PPTP VPN / OpenVPN > are all now disabled.

                        Still its not blocking my mates IP. I just don't get it.

                        If you wanted to block a IP from entering what would you do?

                        Star.

                        1 Reply Last reply Reply Quote 0
                        • K
                          kejianshi
                          last edited by

                          If the traffic is coming in through the WAN:

                          1.  You are allowing it, perhaps inadvertently

                          or

                          2.  The connection was established before you made the rule to block it and you never rebooted pfsense.

                          Or perhaps you are running uPNP on something on your lan that is forwarding ports?

                          1 Reply Last reply Reply Quote 0
                          • S
                            staroflaw
                            last edited by

                            If the traffic is coming in through the WAN:

                            1.  You are allowing it, perhaps inadvertently

                            Not sure were else to look.

                            2.  The connection was established before you made the rule to block it and you never rebooted pfsense.

                            I have rebooted after every change made.

                            Or perhaps you are running uPNP on something on your lan that is forwarding ports?

                            I have removed all other devices from the network, so I only have.
                            Modem -> pfsense box -> Server box. Nothing else is on the network.

                            Still able to gain access through firewall to server.

                            Your avatar says it all! lol

                            Star.

                            1 Reply Last reply Reply Quote 0
                            • K
                              kejianshi
                              last edited by

                              1.  Are you accessing the "WAN" from inside or outside your network to test blocking?  (I have to ask)

                              2.  Have you put a "pass" rule on the WAN as if its a LAN?  floating rule?  (Gotta ask)

                              I see you answered that before…  Sigh.

                              Makes me wonder if the IP accessing your WAN and the IP you put on your firewall block rule are in fact the same IP.

                              1 Reply Last reply Reply Quote 0
                              • S
                                staroflaw
                                last edited by

                                This is what I have in my webserver logs.

                                80.82.78.166 - - [08/Oct/2014:12:02:52 +0100] "POST /xmlrpc.php HTTP/1.0" 403 1122 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
                                This IP is making 6 requests a second.

                                Here is the Rule I added on the WAN

                                Is this correct? Am I missing something?

                                Thanks

                                Star.

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kejianshi
                                  last edited by

                                  This should make no difference, however, under "destination" put WAN address, then try.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    staroflaw
                                    last edited by

                                    No it made no difference at all.
                                    I even added a Rule to Block everything coming in >

                                    Still able to access my services from outside of my network.

                                    Star.

                                    1 Reply Last reply Reply Quote 0
                                    • K
                                      kejianshi
                                      last edited by

                                      Do you have multiple WANs?

                                      See, you don't have to add "Block all" rules on the WAN.  Dropping inbound unsolicited packets is the default unless you allow them.

                                      So, is there another way into your network?

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        staroflaw
                                        last edited by

                                        No. only 1 WAN.
                                        The Block ALL was just a test.

                                        The only other way in was openVPN and PPTP. But I disabled them both.

                                        Thanks for your help btw. I do appreciate it.

                                        Star.

                                        1 Reply Last reply Reply Quote 0
                                        • K
                                          kejianshi
                                          last edited by

                                          I don't know.

                                          My feeling is that pfsense isn't the problem because simple allow/block rules work fine usually.

                                          In situations like this, I normally go with a wipe and reinstall.

                                          Also.  Has anyone added firewalls directly to packet filter in the command line of pfsense?

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            charliem
                                            last edited by

                                            Can you check that your rules are showing up in /tmp/rules.debug, especially that Torguard / OpenVPN / PPTP VPN really are disabled?

                                            Anything look strange in that file?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.