No internet on LAN after changing rules
-
Thanks Derelict,
When I first switched to pfsense my network was compromised shortly after an update was released. The attacker then used the router as a platform for attacking all networked machines, which unfortunately had NetBIOS and/or other services running. The router's webGUI was on its own empty interface and networked devices had no access to it.
Later I did some simple testing and discovered pfsense can be identified as the router OS by remote portscan. In 2.2.3 (at least), by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head, rather than dropping them. This was fixed by simply adding rules to block drop everything ipv4 and ipv6 in the WAN.
I was worried the attack may have come from an infected machine on the network, thus I want to better isolate the router itself (block GUI, drop all, etc.) and networked machines (isolate each machine on its own interface). The network needs internet access of course.
Is it more prudent to delete all automatically generated interfaces and start from scratch?
-
by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head
I believe that to be false. There are no rules on WAN by default.
I am not specifically blocking ssh on WAN and it's ~~rejecting~~ blocking.
I suggest you post some evidence for your wild accusations.
-
by default pfsense's WAN interface rejects two ports, SSH (TCP 22) and another I forget off the top of my head
I believe that to be false. There are no rules on WAN by default.
I am not specifically blocking ssh on WAN and it's rejecting.
I suggest you post some evidence for your wild accusations.
I misphrased that. I meant one must specifically block drop 22 or it will reject for some reason.
-
Doesn't do it here. I don't specifically block 22 and it's blocked, not rejected. Sounds like you had something hosed.
-
Damn..
I'm curious Derelict, what procedure do you use to restore a compromised router?
My use is residential and I lack any training in that area. I deleted all partitions and formatted the primary storage fresh, then reinstalled the OS. I use SD cards with USB adapters to install from.
Maybe I should open a thread.
-
Doubt your router was compromised but if you really want to be sure, DBAN or otherwise wipe the disk or use a new SD, download fresh, check the signatures, and reinstall. Don't reload a backup - reconfigure the whole thing.
-
Thanks for the advice.
It's hard to miss when a router is port scanning a machine from 1-65535 from the dhcp address. That's what happened before, that and the firewall log/syslog stopped running and wouldn't start. I imagine routers are a much bigger target today than normal computers are. For hackers it's like going for the money train instead of the bank teller. Except in this case the train has no passengers or guards, just locks on the doors.
-
Post some evidence that was what was happening. Considering you say it was answering on tcp/22 when it doesn't makes me think you were not quite sure about what you were doing when you installed it and had it configured to do so without knowing it, or were forwarding port 22 inside and that device was rejecting the connection.
-
Windows doesn't use SSH, and each machine was configured to drop all. There were no other machines online.
SSH was off by default and no forwarding was configured in pfsense.
Long port scans were detected in the Windows firewall log and by antivirus-firewall logs. The router has since ceased that behavior after reinstall (with 2.2.4).
I think pfsense is a reasonably secure platform, and the web-interface is great, but I'm tempted to switch to openbsd because the documentation is far better. What it comes down to for me is being able to see all the rules on an interface vs ease of use.
-
Whatever floats your boat. You can always look at the raw pf rules outside the GUI.
Still say you're all wet saying pfSense by default responded NAK on TCP/22.
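The disagreement in this thread is whether the WAN side answers probes (block return, which sends a TCP RST or ICMP unreachable) or stays silent (block drop), and the reply above points out that the raw pf rules can be read outside the GUI. The script below is an added example, not code from the thread or from the pfSense project: it parses `pfctl -sr` style output and lists the block rules on the WAN interface that would answer instead of drop. The interface names em0 (WAN) and em1 (LAN) and the rule dump itself are constructed for the example; on a real box you would feed it the output of `pfctl -sr` and your own WAN interface name.

```python
import re

# Constructed sample of `pfctl -sr` output; not a dump from any machine in this thread.
# Rules 1-2 are what a "drop everything on WAN" policy looks like; rule 3 is the
# kind that answers a probe with a TCP RST instead of staying silent; rule 4 is a
# plain block whose behaviour depends on the global block-policy; rule 5 is a LAN
# pass rule included so the audit can be seen ignoring other interfaces.
SAMPLE_RULES = """\
block drop in log quick on em0 inet all label "Default deny rule IPv4"
block drop in log quick on em0 inet6 all label "Default deny rule IPv6"
block return in quick on em0 proto tcp from any to (em0) port = ssh
block in quick on em0 inet6 proto tcp from any to any port = 23
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state
"""

# Matches the leading action, optional disposition, direction and interface of
# one pf rule as printed by `pfctl -sr`. Rules with no "on <iface>" get iface None.
RULE_RE = re.compile(
    r"^(?P<action>pass|block|match)"
    r"(?:\s+(?P<disposition>drop|return(?:-rst|-icmp)?))?"
    r"(?:\s+(?P<direction>in|out))?"
    r"(?:.*?\bon\s+(?P<iface>\S+))?"
)


def parse_rules(text):
    """Turn pfctl -sr text into a list of dicts, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # anchors, table lines etc. are not rules we grade
        rules.append({**m.groupdict(), "raw": line})
    return rules


def audit_wan_rules(text, wan_if):
    """Flag block rules on wan_if that would answer a probe instead of dropping it.

    'return': explicit block return / return-rst / return-icmp rules.
    'policy_dependent': plain 'block' with no disposition; whether pf drops or
    returns for these is decided by the global 'set block-policy' option, so
    check `pfctl -so` as well before calling these silent.
    """
    findings = {"return": [], "policy_dependent": []}
    for r in parse_rules(text):
        if r["action"] != "block" or r["iface"] != wan_if:
            continue
        if r["disposition"] is None:
            findings["policy_dependent"].append(r)
        elif r["disposition"].startswith("return"):
            findings["return"].append(r)
    return findings


if __name__ == "__main__":
    for kind, hits in audit_wan_rules(SAMPLE_RULES, "em0").items():
        for r in hits:
            print(f"[{kind}] {r['raw']}")
```

Run it on the sample and the ssh rule is reported under `return` and the telnet rule under `policy_dependent`; the two `block drop` rules and the LAN pass rule are not reported. Whether a "WAN blocks everything" ruleset actually stays silent therefore depends on both the per-rule disposition and `set block-policy`, which is why the audit separates the two cases.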