Hacker got into my network? Strange access to my Google account?
-
"I added a default deny type rule but deactivated it for now since"
You do understand that every interface has a not shown default deny… As to your lan and seg interface being isolated.. Yeah from broadcast traffic that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your home and plug into your network and then get on your wifi network??
What is your wifi segment rules?
-
"You do understand that every interface has a not shown default deny"
I think he mentioned that above and the rule is to be able to show and hide the log traffic as needed from that webpage. Helps to separate the wheat from the chaff when hunting down infections.
"They both had any any rules on them.."
In the screenshot they were disabled but not yet removed, he is getting there eventually. Another good practice is a Default Deny to the LAN Address just "BELOW" your inner network rules before you start the rules for Outbound traffic to the web.
So you eventually have your inner network rules above and separated from the Outbound rules with that Default Deny to Lan Address and at the bottom below the Outbound you have the Default Deny to ALL.
You still need to figure out your Segregation of machines from trusted and untrusted and wireless access and Guests if any.
-
"I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely)."
He is not talking about logging.. This makes no mention of creating a rule to log and turning off default logging..
His any any rules from before when he was talking about his wifi being isolated - not with those original rules it wasn't, with any any all he had going was 2 different broadcast domains nothing more..
Who is taking book that his is all just BS plain and simple.. Some windows machine got on his wifi, somehow sniff/gleaned his gmail password… And then did what logged in a couple of times? Who is taking action that it was just one of his own devices?? He then changed it to 60+ character psk, and still happened? Come on really???
There is locking down your networks because it's the right thing to do, and there is just plain I smoked too much dope paranoia ;)
-
Ahhh the good old days, never mind. I hear you, just trying to lead this horse to the water. We both know it is not up to us if they drink.
-
"The important thing is you will be able to Log everything it blocks"
I had a good feeling this was the case. I guess for housekeeping I will keep them on both LAN interfaces so I have logs should something happen..
You do understand that every interface has a not shown default deny..
I was not sure about this one. I figured there was a default block rule by observing the FW logs, but the rule not being shown, I was not sure…
"Yeah from broadcast traffic that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your home and plug into your network and then get on your wifi network??"
The point of LAN is for my well known machines and smart TV, appliances, etc. I have a ruleset and snort rules for those machines. For the other machines (wifi, cells, laptops) that are not totally under my control, I'd rather have them segregated on a different interface so troubleshooting can be done, and more granular control is achieved. I am not sure why this is so complicated. If I could, I'd just copy LAN and rename it SEG and be done with it!!!!
Attached are screenshots of my CURRENT setup. I observe major problems with this config and I am not sure why….
1. I cannot access one of the clients on SEG. I cannot ping it and I cannot SSH to it. It's completely isolated from LAN it seems... Strange thing though, I can finally access my idiotic AP on SEG (webpage and all)... So why the AP and not the client? (BTW to have the AP work on SEG, I had to configure it for static IP in its firmware)....
2. With the rulesets posted in attachment, clients on SEG have no internet connectivity although the rulesets are identical between LAN and SEG. Of course LAN clients have internet connectivity because I couldn't write this... ;) The only way to allow internet connectivity for clients on SEG, is to add a "Allow all" rule at the top of SEG's ruleset (it is disabled on the screenshot). So why do I need such a rule on SEG and not on LAN??? Is there something obscure on how pfsense treats non LAN interfaces? Kinda the deny all rule being there but hidden?
-
According to the LAN rules image you posted clients can…
Access pfSense (LAN Address) on ports 468 and 80.
Access pfSense (LAN Address) on port 53 (DNS).
Access anything on ports 80 (HTTP), 443 (HTTPS), and 993 (IMAP/S). Of course you already know all of that.
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
For egress floating rules are used.
Also once a rule is matched and the connection established and placed in the state table then the rules are bypassed for that connection. Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
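As an added illustration of the first-match ordering the two posts above describe (this is example code, not code from the thread or from pfSense itself), a small Python evaluator models the LAN ruleset the way it was laid out: inner-network rules first, a logged default deny to the LAN address below them, then the outbound rules, with the hidden implicit deny last. The firewall address, the external test address, the use of 443 where the post says 468, and the "allow all at the top of SEG" variant are assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")   # constructed firewall LAN IP

@dataclass
class Rule:
    action: str     # "pass" or "block"
    dst: str        # "lan_address" or "any"
    ports: tuple    # destination ports; () means any port
    label: str

# Order modelled on the thread: inner-network rules, a default deny to the
# LAN address, then outbound rules. pfSense appends an implicit default deny
# that the UI never shows; it is kept separate here to make that explicit.
LAN_RULES = [
    Rule("pass", "lan_address", (80, 443), "webGUI (443 assumed)"),
    Rule("pass", "lan_address", (53,), "DNS to firewall"),
    Rule("block", "lan_address", (), "default deny to LAN address (logged)"),
    Rule("pass", "any", (80, 443, 993), "outbound HTTP/HTTPS/IMAPS"),
]
IMPLICIT_DENY = Rule("block", "any", (), "implicit default deny (hidden)")

# The SEG variant from the thread: an "allow all" rule placed at the top.
ALLOW_ALL_FIRST = [Rule("pass", "any", (), "allow all (top of SEG)")] + LAN_RULES

def _dst_matches(rule, dst_ip):
    if rule.dst == "lan_address":
        return ipaddress.ip_address(dst_ip) == LAN_ADDRESS
    return True  # "any"

def evaluate(dst_ip, dst_port, rules=LAN_RULES):
    """First-match evaluation of ingress rules on one interface.
    Returns (action, label) of the rule that decided the packet."""
    for rule in rules + [IMPLICIT_DENY]:
        if _dst_matches(rule, dst_ip) and (not rule.ports or dst_port in rule.ports):
            return rule.action, rule.label
    raise AssertionError("unreachable: the implicit deny matches everything")

if __name__ == "__main__":
    # Traffic mentioned in the thread: SSH to the firewall hits the logged
    # deny; proxy port 8081 and a mirror on a random high port fall through
    # to the hidden default deny. 203.0.113.10 is a constructed external IP.
    for pkt in [("192.168.1.1", 443), ("192.168.1.1", 22),
                ("203.0.113.10", 8081), ("134.153.48.2", 37053)]:
        print(pkt, "->", evaluate(*pkt), "| allow-all first:", evaluate(*pkt, ALLOW_ALL_FIRST))
```

Because evaluation stops at the first match, the same 8081 packet that the LAN ruleset silently drops is passed by the SEG ruleset with "allow all" on top, which is exactly why that rule was the only thing that restored SEG's connectivity.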
-
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
I know, like I said in my last post, I put it only for logging purposes.
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
"For egress floating rules are used."
We never spoke about floating rules so far, except for pfblocker's rules where someone suggested to make them floating for uncluttering the LAN and SEG interfaces… Are you suggesting I use a floating rule to allow traffic between the LAN & SEG? I'm asking because I screwed up enough so far, before I do something stupid (or stupider...)
Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
So if I understand what you're saying, no need for a rule on a specific interface when communication is between 2 clients on the same interface? Analogous to 2 computers connected to a single switch? In that case, should I add a rule to allow traffic between LAN and SEG?
-
Wasn't suggesting that you do anything particular. Just wanted to be sure you had the understanding.
-
Another tip for the logging, I know it is available in 2.3 but looks like you're on 2.2.6 so you can check around the
Status/System Logs/ Settings and allow another column to show which rule fired the block log.
Anyway I posted a screenshot of my untrusted network rule set over here if it helps.
https://forum.pfsense.org/index.php?topic=109512.0
-
Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?
-
Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?
Pretty sure ;)
I think I'm getting somewhere with the firewall config, but just out of curiosity, I noticed a LOT of traffic to port 8081 when browsing the web. Pages are timing out, etc…. Do I need to add a rule to allow traffic on 8081 on top of the existing rule for port 80 (http)?
What's the difference between 80 and 8081?
-
@lpallard:
What's the difference between 80 and 8081?
The difference is 8001, according to the Microsoft Windows 8 calculator.
-
Oh man you beat me to it ;) I was going to say same thing 8001…
8081 is a common proxy port, you talk to a lot of proxies? You do understand there is nothing in your firewall rules that stops someone from accessing your wifi and logging into your google account right ;)
-
What's the difference between 80 and 8081?
Good list here: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Some unwanted uses of port 8081
http://www.speedguide.net/port.php?port=8081
If you are serious about finding infections get more comfortable with Wireshark and try not to open ports willy nilly.
Who wants out and Why? pfSense can capture very easily.
You will gain a more rounded knowledge by doing your own research over the web than asking here. Web search is great for just this purpose.
-
Thanks webtyro,
I agree with you, sometimes I should search on google…
For port 8081, I see a lot being blocked on forums (not this one), and on some other websites I visit. FYI, no I don't explicitly connect to proxies. If this happens, it's by design, not my intention. For example, apt-get (ubuntu) uses 8081 as well to communicate with its mirrors.
Did you poke a hole in your FW to explicitly allow traffic to go to port 8081? I read the speedguide page you referred me to, and that makes me wonder even more about trust. If you don't have a rule allowing 8081, then it is getting blocked, and most likely it is interfering with your browsing experience.
The other thing I noticed, package managers are using all kind of ports. For example, trying to update a Linux mint machine failed because the package mgr was trying to connect to 134.153.48.2:37053. This morning, I saw a similar attempt being blocked but on a different port (48761). This is all over the place! Seems to be random ports every time.. Will I need to manually add a rule (or an alias) to allow services as I go? If so this is gonna be a major PITA and I would understand why people would simply use a default allow all on LAN! Any better way to deal with this?
I'm NOT searching for specific instructions or on what exactly to do.. I am more looking forward to a "this is what I'd do" or better "this is what I've done". Nobody's setup is identical and it's nearly impossible for someone in Texas to guess precisely what someone else's setup is like. General direction is more rewarding to me than specific instructions.
-
Did you poke a hole in your FW to explicitly allow traffic to go to port 8081?
8081 is used by pfblockerng DNSBL only. I allow that port for only inner networks to the firewall itself. (screenshot I mentioned) that is all. Not for outbound traffic use.
I also try to select mirrors closer to home in my sources.list file. The first hit of a log file being blocked is usually the server IP address I will look into and do a lookup to see if it seems legit for updates. Any later log hits are usually just the machine trying different ports or servers to access its update service.
If you allow comms to one it will stop trying others and stick to what is working.
If it seems too random look at your sources.list. That screenshot is all the rules I have for that Debian machine including updates and for others to get their netflix fix. I do a lot of researching about many things lately and find port 80 and 443 more than enough. no browsing issues.
Mind you the "from" port of my machine is randomized by PFSense but the destination ports are all 80 or 443.
I also run "ufw" on my machines that allow only 443 and 80 (4/5 others too) out at each machine but they show random at the logs as from xxpc port xxxxx knowing full well their own firewall reject all but allowed ports.
I know there is maybe 3 servers my machines go for updates: 1 security, 2 main stable, 3 google browser stable. They are all in my sources.list
I do have all the machines at times trying to get to a cedia.mirror.ec in ecuador (except TV PC)but that is a blocked country so until I find out why, the blocks are of no concern. I think it may be triggered by browsing to a certain site but it is still a puzzle.
If you decide to go back to Default LAN settings you may want to start captures with firewall or just have wireshark listen on your network and see what you find interesting.
-
If someone got on ur network and found out your admin pw and put a keylogger on you this can be plausible. That's a lot of work, who did you piss off???
I don't even set up the wifi password wirelessly these days, I plug into the AP and set it up over the wire.
However, 2 factor auth has made a lot of this stuff irrelevant. Unless you rooted your phone and got spyware installed on that too.
If this stuff happened, you may not want to be running "highspeed" stuff that is "beyond your reasoning".
Format and reflash the firmware of everything you got and try again. Or better yet, throw everything away and buy new stuff someone may have put a chip in your computer board.
Pull out your wires too, someone may have bugged your ethernets.
See where this goes? Crazyville - pop. IT folks.