    Blocked ip not in logs

    Firewalling | 23 Posts, 7 Posters, 3.8k Views
    • atrocity

      Hi,

      I had the same problem today… I was outside the WAN testing a web server behind pfSense in its LAN.
      I was also unable to find how to unblock our IP.
      I used another internet connection to reboot pfSense, but we can't afford a reboot in production ...
      There must be something to find a blocked IP and unblock it.

      I'm also looking for a whitelist option, but this also seems not to be present in pfSense.
      Thanks for letting us know.
      Best regards

      • cmb

        There is no circumstance where you have to reboot to "unblock" something. The only circumstances where something gets blocked like that are Snort alerts and you can get locked out from the firewall itself from one particular source IP if you try to log in with a bad username/password 15 times. Either of those can be cleared out under Diagnostics>Tables, or for Snort, within its configuration.

        • atrocity

          I don't have Snort installed, but Suricata is installed.
          I didn't activate it. Is Suricata working and filtering even if it's not active?

          • lowprofile

            I am having the same issue. So strange. I know it may be the limits like maximum connections, states etc. per rule which trigger this blacklist, but I can't find any place to un-block. I thought it was possible in Diag -> Tables -> blacklist but just found out it wasn't there.

            Somehow it also unblocks after a certain time. Maybe in hours. Where to look?

            • knight-of-ni

              @webroy:

              After rebooting the firewall I saw that I had set up these in the WAN rules which could cause the block:
              Maximum number of established connections per host (TCP only)
              Maximum state entries per host
              Maximum new connections / per second(s) (TCP only)

              When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot.

              The firewall will not respond to the offending address for 1 hour.
              A reboot will empty the table.

              • lowprofile

                @abauer:

                @webroy:

                After rebooting the firewall I saw that I had set up these in the WAN rules which could cause the block:
                Maximum number of established connections per host (TCP only)
                Maximum state entries per host
                Maximum new connections / per second(s) (TCP only)

                When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot.

                The firewall will not respond to the offending address for 1 hour.
                A reboot will empty the table.

                That is damn good information! I will test if it appears on this list. Does anyone know where to adjust the time before it unblocks itself?

                • doktornotor

                  Not configurable.

                  • lowprofile

                    @doktornotor:

                    Not configurable.

                    Can we add this as a new feature? It must be possible somehow?

                    • cmb

                      It is configurable by editing the cron job for "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot", which can be done with the cron package. The 3600 is the timeout age in seconds.

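Putting knight-of-ni's virusprot table and cmb's expiretable timeout together: the following is an added example, not code from the thread or from pfSense itself, showing how an admin on the firewall can check whether a host is currently in the virusprot table and release it with pfctl instead of rebooting. pfctl is the standard pf utility on pfSense/FreeBSD; the table name comes from the thread, and SAMPLE_LISTING is a constructed copy of what "pfctl -t virusprot -T show" prints.

```shell
#!/bin/sh
# Added example: inspect and clear a host in pfSense's "virusprot" pf table.
# The live wrappers need root and pfctl on the firewall; the parsing helpers
# work on any captured listing, so they can be tested off-box.

TABLE=virusprot

# pfctl indents each table entry with leading whitespace; strip that and drop
# blank lines so every remaining line is exactly one address or network.
normalise_listing() {
    sed 's/^[[:space:]]*//' | grep -v '^$'
}

# is_blocked LISTING IP -> exit 0 if IP is an entry of LISTING.
# Whole-line fixed-string match, so 192.0.2.1 does not match 192.0.2.10.
is_blocked() {
    printf '%s\n' "$1" | normalise_listing | grep -qxF "$2"
}

# count_blocked LISTING -> prints the number of entries in LISTING.
count_blocked() {
    printf '%s\n' "$1" | normalise_listing | wc -l | tr -d ' '
}

# Live wrappers (run on the firewall as root).
show_blocked() {
    pfctl -t "$TABLE" -T show
}

# unblock_host IP -> remove IP from the table now, without waiting for the
# expiretable cron job (the thread's "-t 3600", i.e. one hour) to age it out.
unblock_host() {
    ip="$1"
    if is_blocked "$(show_blocked)" "$ip"; then
        pfctl -t "$TABLE" -T delete "$ip"
    else
        echo "$ip is not in table $TABLE" >&2
        return 1
    fi
}

# Constructed sample of "pfctl -t virusprot -T show" output (documentation
# addresses, not real hosts).
SAMPLE_LISTING='   192.0.2.10
   198.51.100.7
   203.0.113.42'
```

Run `show_blocked` first to confirm the address is really in virusprot (and not, say, a Snort/Suricata block or the 15-failed-logins lockout cmb mentions), then `unblock_host <ip>`.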
                      • lowprofile

                        @cmb:

                        It is configurable by editing the cron job for "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot", which can be done with the cron package. The 3600 is the timeout age in seconds.

                        Awesome! Thank you!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.