Netgate Discussion Forum
    Understanding the egress traffic on my network

    General pfSense Questions
    8 Posts, 6 Posters
      NICKB

      Hi,

      I'm trying to understand the traffic leaving my network. I don't much care about 80 and 443. However I want to find out what else is leaving and whether any of it I should be blocking.

      Many many years ago I would just turn on logging for outbound connections and then filter to exclude the destination ports 80 and 443. But back then I was using ISA/TMG.

      How do I achieve insight into my traffic using pfsense?

      Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others.

      Thanks in advance,

      Nick

        tim.mcmanus

        Diagnostics->Packet Capture

        That's a great place to start. Otherwise, if you have a switch that can do port mirroring, you can use Wireshark to capture packets on your internal network or that interface.

          fsansfil

          @NICKB:

          Hi,

          I'm trying to understand the traffic leaving my network. I don't much care about 80 and 443. However I want to find out what else is leaving and whether any of it I should be blocking.

          Many many years ago I would just turn on logging for outbound connections and then filter to exclude the destination ports 80 and 443. But back then I was using ISA/TMG.

          How do I achieve insight into my traffic using pfsense?

          Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others.

          Thanks in advance,

          Nick

          Well, if you are looking for an option to be alerted when users use Telnet, SSH, DNS or other unusual ports/protocols, you might want to look at an IDS: Snort or Suricata. W/o having to manually dissect pcaps yourself, a few rules could alert you when unusual traffic goes out.

          F.

            NICKB

            Thanks, that is something of a firehose. I was hoping to 'pre-filter' it by source/ip/port and destination/ip/port and maybe the time/date.

            Capturing the raw feed would measure in 100's of Gigs per work day. I'm not particularly proficient at Wireshark, can it be configured to only write out a minimal data set? And what sort of grunt is required to do the necessary realtime analysis on a saturated 100MBit/sec pipe?

            Regards
            Nick

              NICKB

              @fsansfil:

              Well if you are looking for an option to be alerted when users use Telnet, SSH, DNS or other unusual ports/protocol, you might want to look at an IDS; Snort or Suricata. W/o having to manualy dissect pcap yourself, a few rules could alert you when unusual traffic goes out.

              It's more that I'm interested in parsing all non-HTTP/s traffic from non-servers and then taking a view on how to tighten things up. I'm not looking for something, I'm basically looking for everything!

                johnpoz (LAYER 8 Global Moderator)

                If you want a breakdown of protocols in use and from where to where, something like ntop, or flows sent to a flow collector, sounds more like what you're after.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  mer

                  "Examples of things I might be interested in: Telnet, SSH, DNS to odd places. Specific hosts doing things unusual compared to all the others."

                  "Compared to all the others" starts to imply you need to capture everything, else how do you know it's unusual? What about a rule that logs the first packet with proto !what you don't care about? If the LAN side is supposed to be configured to known DNS servers, you could log DNS to !my desired servers, couldn't you? That would be the equivalent of what you say in your second paragraph.

                  Or write deny rules for things you don't want and then when folks complain you can ask them.

                    phil.davis

                    Like @mer says, you should be able to achieve this with rules on your LAN(s).
                    To keep it simple and avoid having to think hard about !this and !that I would put some pass rules first for the traffic you already say you want to let through unchecked:

                    Pass no logging source * destination * port 80 and 443
                    Pass no logging source "internal DNS servers" destination * port 53
                    …

                    Then:
                    Pass with logging source * destination *

                    and of course include block rules for anything you know you actually want to block from day 1.

                    Then see what comes in the firewall log.
                    Then add "pass no logging" rules for stuff you understand and want to let out. Add block rules for stuff you now understand and want to stop.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

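With the rule ordering mer and phil.davis describe, the firewall log ends up holding only the egress that nobody has explained yet; what is left is reading that log per host, which is what Nick asked for. Below is an added example, not code from this thread or from pfSense, that parses filterlog lines into per-host, per-port counts, drops the traffic the unlogged pass rules already cover (TCP 80/443, DNS from the internal resolvers), reports what an explicit block rule caught, and flags hosts whose port spread is well above the others. The field positions follow the CSV layout pfSense documents for filterlog; the syslog lines, the interface name igb1, the internal DNS addresses, and the odd_hosts threshold are constructed assumptions for the example.

```python
"""Summarise logged egress traffic from pfSense filterlog lines.

Assumes the LAN rule set passes 80/443 and known-DNS traffic without
logging and passes everything else *with* logging, so each logged
"pass" line is a flow that still needs explaining. Field positions
follow the CSV layout pfSense documents for filterlog; the log lines,
interface name and address sets below are constructed for this example.
"""
import csv
import re
from collections import defaultdict

WEB_PORTS = {80, 443}                          # assumed: passed without logging
INTERNAL_DNS = {"192.168.1.2", "192.168.1.3"}  # assumed: the hosts allowed to resolve outside
LAN_IF = "igb1"                                # assumed LAN interface name

# Constructed sample: syslog prefix + filterlog CSV. Rule 7 is the logging
# catch-all pass rule, rule 9 an explicit block; igb0 is the WAN interface.
SAMPLE_LOG = """\
Mar 10 09:01:01 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51234,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,51000,443,0,S,1234567890,,65535,,mss
Mar 10 09:01:02 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51235,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51001,23,0,S,1234567891,,65535,,mss
Mar 10 09:01:03 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51236,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51002,21,0,S,1234567892,,65535,,mss
Mar 10 09:01:04 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51237,0,DF,6,tcp,60,192.168.1.50,203.0.113.12,51003,3389,0,S,1234567893,,65535,,mss
Mar 10 09:01:05 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51238,0,DF,6,tcp,60,192.168.1.50,203.0.113.12,51004,5900,0,S,1234567894,,65535,,mss
Mar 10 09:01:06 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51240,0,none,17,udp,73,192.168.1.77,198.51.100.53,40000,53,53
Mar 10 09:01:07 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51241,0,none,17,udp,73,192.168.1.2,198.51.100.53,40001,53,53
Mar 10 09:01:08 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,4,0x0,,64,51242,0,DF,6,tcp,60,192.168.1.77,203.0.113.10,51005,22,0,S,1234567895,,65535,,mss
Mar 10 09:01:09 fw filterlog[12345]: 7,,,1000000105,igb1,match,pass,in,6,0x00,0,64,tcp,6,40,2001:db8::50,2001:db8:ffff::1,51006,8443,0,S,1234567896,,65535,,mss
Mar 10 09:01:10 fw filterlog[12345]: 9,,,1000000107,igb1,match,block,in,4,0x0,,64,51243,0,DF,6,tcp,60,192.168.1.50,203.0.113.11,51007,445,0,S,1234567897,,65535,,mss
Mar 10 09:01:11 fw filterlog[12345]: 7,,,1000000105,igb0,match,pass,out,4,0x0,,64,51235,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51001,23,0,S,1234567891,,65535,,mss
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


def parse_line(line):
    """Return the fields we need from one filterlog line, or None if it is
    not an IPv4/IPv6 TCP or UDP entry (ICMP etc. carry no ports)."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = next(csv.reader([m.group("csv")]))
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4" and len(f) >= 22:    # tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,sport,dport,...
        proto, src, dst, ports = f[16], f[18], f[19], f[20:22]
    elif f[8] == "6" and len(f) >= 19:  # class,flow,hlim,proto,proto-id,len,src,dst,sport,dport,...
        proto, src, dst, ports = f[12], f[15], f[16], f[17:19]
    else:
        return None
    if proto not in ("tcp", "udp"):
        return None
    rec.update(proto=proto, src=src, dst=dst, sport=int(ports[0]), dport=int(ports[1]))
    return rec


def is_expected(rec):
    """Traffic the explicit 'pass, no log' rules cover; not worth reporting."""
    return ((rec["proto"] == "tcp" and rec["dport"] in WEB_PORTS)
            or (rec["dport"] == 53 and rec["src"] in INTERNAL_DNS))


def summarise(log_text):
    """Count flows per (source host, proto, dport). Only entries entering on the
    LAN interface are egress candidates; the WAN 'out' copy would double count."""
    flows = defaultdict(int)
    blocked = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != LAN_IF or rec["dir"] != "in":
            continue
        key = (rec["src"], rec["proto"], rec["dport"])
        if rec["action"] == "block":
            blocked[key] += 1
        elif rec["action"] == "pass" and not is_expected(rec):
            flows[key] += 1
    return dict(flows), dict(blocked)


def odd_hosts(flows, factor=1.5):
    """Hosts reaching more distinct (proto, port) pairs than `factor` times the
    mean across hosts: the 'unusual compared to all the others' heuristic."""
    ports = defaultdict(set)
    for src, proto, dport in flows:
        ports[src].add((proto, dport))
    if not ports:
        return []
    mean = sum(map(len, ports.values())) / len(ports)
    return sorted(h for h, p in ports.items() if len(p) > factor * mean)


if __name__ == "__main__":
    flows, blocked = summarise(SAMPLE_LOG)
    for (src, proto, dport), n in sorted(flows.items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{src:<18} {proto}/{dport:<5} {n} flow(s) logged")
    print("blocked by explicit rule:", {f"{s} {p}/{d}": n for (s, p, d), n in blocked.items()})
    print("hosts well above the mean port spread:", odd_hosts(flows))
```

Feed it the real log (for instance the output of clog or the exported firewall log) instead of SAMPLE_LOG, and adjust WEB_PORTS and INTERNAL_DNS to match whatever your unlogged pass rules actually cover, otherwise the report will show traffic the rules already account for. Each row that comes out is a candidate for one of phil.davis's follow-up rules: a "pass, no logging" rule once it is understood, or a block rule if it should not be leaving.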
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.