Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense not blocking attacker (FIXED)

    Scheduled Pinned Locked Moved General pfSense Questions
    35 Posts 10 Posters 5.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kejianshi
      last edited by

      I don't know.

      My feeling is that pfsense isn't the problem because simple allow/block rules work fine usually.

      In situations like this, I normally go with a wipe and reinstall.

      Also.  Has anyone added firewalls directly to packet filter in the command line of pfsense?

      1 Reply Last reply Reply Quote 0
      • C
        charliem
        last edited by

        Can you check that your rules are showing up in /tmp/rules.debug, especially that Torguard / OpenVPN / PPTP VPN really are disabled?

        Anything look strange in that file?

        1 Reply Last reply Reply Quote 0
        • M
          MilesDeep
          last edited by

          Mine is doing the same thing in an attempt to block 1452.  It simply will not.

          1 Reply Last reply Reply Quote 0
          • S
            sect
            last edited by

            I'm interested in this problem and will look into this setup myself as soon as I get the time to experiment in my test environment.
            @staroflaw Will you post when you find a solution to your problem? Often after solving the problem, nothing is heard thereafter ;-)

            1 Reply Last reply Reply Quote 0
            • S
              staroflaw
              last edited by

              Hi charliem

              Can you check that your rules are showing up in /tmp/rules.debug, especially that Torguard / OpenVPN / PPTP VPN really are disabled? 
              Anything look strange in that file?

              After looking in the rules.debug file I don't see anything relating to Torguard or PPTP VPN. I do see some reference to OpenVPN

              #System aliases
              loopback = "{ lo0 }"
              WAN = "{ re1 }"
              LAN = "{ re0 }"
              WIFI = "{ em0 }"
              OpenVPN = "{ openvpn }"
              
              anchor "relayd/*"
              anchor "openvpn/*"
              anchor "ipsec/*"
              

              I do see the blocked rule.

              # User-defined rules follow
              
              anchor "userrules/*"
              block  in  quick  on $WAN reply-to ( re1 XX.XX.XXX.1 ) inet from 80.82.78.166 to any  label "USER_RULE: Block Attack"
              

              The IP re1 XX.XX.XXX.1 is not my IP. All the X are correct but mine ends in 204 not 1?

              This is all the Rules I have set.

              I also have my 4G mobile IP and my mates IP blocked but both can still access my services.

              Thank you

              Star.

              1 Reply Last reply Reply Quote 0
              • K
                kejianshi
                last edited by

                Whatever you do, don't wipe it and reinstall it…

                If you did that, it might fix it without ever satisfying the curiosity of the masses.

                1 Reply Last reply Reply Quote 0
                • S
                  staroflaw
                  last edited by

                  staroflaw Will you post when you find a solution to your problem? Often after solving the problem, nothing is heard thereafter ;-)

                  I know what you mean, I will deferential post if I fix it.

                  Whatever you do, don't wipe it and reinstall it…
                  If you did that, it might fix it without ever satisfying the curiosity of the masses.

                  I also want to understand why its not working correctly, just in case I see the happen again.

                  This attack has now been going for 5 days, they have made over 1,728000 requests.
                  I have reported it to my ISP and Ecatel LTD the owner of that IP.

                  My ISP says they cannot do anything about it unless they have a large amount of complaints relating to that IP. I totally understand that.
                  Ecatel LTD say….... "Nothing" I have had no response from them at all. I have contacted them two times now with LOG's and nothing.

                  Star.

                  1 Reply Last reply Reply Quote 0
                  • chpalmerC
                    chpalmer
                    last edited by

                    Star:

                    On your WAN rule to block this guy-

                    Make sure that Logging is checked…

                    On the pass/block/recject option at the top of the rule- set to reject (just to test) and see what the firewall logs show...

                    Set "Destination" to your server LAN IP address.

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      so how exactly is he getting in and hitting your webserver.  I don't see any rules that would be there from a port forward - your wan rules don't show any allows other than icmp from one IP.

                      So only inbound traffic would be from a state that client on lan created the connection.

                      look at your state table and filter for his IP and what do you see for states?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • S
                        staroflaw
                        last edited by

                        I don't see any rules that would be there from a port forward

                        johnpoz you are absolutely correct. I assumed the wan rule was created automatically for you but as it is clearly not there, obviously not. The answer was in front of me all along. My HTTP Filter rule association was set to PASS. That’s why it just ignored my Block WAN rule.
                        I don’t know how I missed this!

                        I can now confirm it is blocking.
                        A BIG thank you to all who participated in the discussion and for all help offered.

                        Star.

                        1 Reply Last reply Reply Quote 0
                        • S
                          staroflaw
                          last edited by

                          Here is how I setup my HTTP NAT correctly.

                          Filter rule association > Create new associated filter rule.

                          Apply changes.

                          Then under Rules add your block rule.

                          Make sure the block rule is above everything else.

                          You can also see the new rule added NAT HTTP_Server

                          Star.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            jimp?  I don't see anywhere where jimp pointed out anything ;)

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 0
                            • S
                              staroflaw
                              last edited by

                              lol. typo.  ;D

                              1 Reply Last reply Reply Quote 0
                              • K
                                kejianshi
                                last edited by

                                I don't remember any mention of a HTTP pass rule…  (-:
                                Which gets me back to my original theory of there must be a pass rule somewhere.

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  he had has port forward set to pass vs creating a rule… I never understand why people change it from the default of create new rule if you they don't fully understand what they are doing ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kejianshi
                                    last edited by

                                    Simple mistake, I'm sure.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      staroflaw
                                      last edited by

                                      Simple mistake, I'm sure.

                                      Yes it was.  :)

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.