Hacker got into my network? Strange access to my Google account?
-
According to the LAN rules image you posted clients can…
Access pfSense (LAN Address) on ports 468 and 80.
Access pfSense (LAN Address) on port 53 (DNS).
Access anything on ports 80 (HTTP), 443 (HTTPS), and 993 (IMAP/S).
Of course you already know all of that.
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
For egress floating rules are used.
Also, once a rule is matched and the connection established and placed in the state table, the rules are bypassed for that connection.
Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
-
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
I know, like I said in my last post, I put it only for logging purposes.
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
For egress floating rules are used.
We never spoke about floating rules so far, except for pfBlocker's rules where someone suggested to make them floating for uncluttering the LAN and SEG interfaces… Are you suggesting I use a floating rule to allow traffic between the LAN & SEG? I'm asking because I screwed up enough so far, before I do something stupid (or stupider...)
Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
So if I understand what you're saying, no need for a rule on a specific interface when communication is between 2 clients on the same interface? Analogous to 2 computers connected to a single switch? In that case, should I add a rule to allow traffic between LAN and SEG?
-
Wasn't suggesting that you do anything particular. Just wanted to be sure you had the understanding.
-
Another tip for the logging, I know it is available in 2.3 but looks like you're on 2.2.6, so you can check around the
Status/System Logs/ Settings and allow another column to show which rule fired the block log.
Anyway I posted a screenshot of my untrusted network rule set over here if it helps.
https://forum.pfsense.org/index.php?topic=109512.0
-
Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?
-
Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?
Pretty sure ;)
I think I'm getting somewhere with the firewall config, but just out of curiosity, I noticed a LOT of traffic to port 8081 when browsing the web. Pages are timing out, etc. Do I need to add a rule to allow traffic on 8081 on top of the existing rule for port 80 (http)?
What's the difference between 80 and 8081?
-
@lpallard:
What's the difference between 80 and 8081?
The difference is 8001, according to the Microsoft Windows 8 calculator.
-
Oh man you beat me to it ;) I was going to say the same thing, 8001…
8081 is a common proxy port, you talk to a lot of proxies? You do understand there is nothing in your firewall rules that stops someone from accessing your wifi and logging into your google account, right ;)
-
What's the difference between 80 and 8081?
Good list here.
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Some unwanted uses of port 8081
http://www.speedguide.net/port.php?port=8081
If you are serious about finding infections get more comfortable with Wireshark and try not to open ports willy nilly.
Who wants out and why? pfSense can capture very easily.
You will gain a more rounded knowledge by doing your own research over the web than asking here. Web search is great for just this purpose.
-
Thanks webtyro,
I agree with you, sometimes I should search on google…
For port 8081, I see a lot being blocked on forums (not this one), and on some other websites I visit. FYI, no I don't explicitly connect to proxies. If this happens, it's by design, not my intention. For example, apt-get (ubuntu) uses 8081 as well to communicate with its mirrors.
Did you poke a hole in your FW to explicitly allow traffic to go to port 8081? I read the speedguide page you referred me to, and that makes me wonder even more about trust. If you don't have a rule allowing 8081, then it is getting blocked, and most likely it is interfering with your browsing experience.
The other thing I noticed, package managers are using all kinds of ports. For example, trying to update a Linux Mint machine failed because the package mgr was trying to connect to 134.153.48.2:37053. This morning, I saw a similar attempt being blocked but on a different port (48761). This is all over the place! Seems to be random ports every time. Will I need to manually add a rule (or an alias) to allow services as I go? If so this is gonna be a major PITA and I would understand why people would simply use a default allow all on LAN! Any better way to deal with this?
I'm NOT searching for specific instructions or on what exactly to do. I am more looking forward to a "this is what I'd do" or better "this is what I've done". Nobody's setup is identical and it's nearly impossible for someone in Texas to guess precisely what someone else's setup is like. General direction is more rewarding to me than specific instructions.
-
Did you poke a hole in your FW to explicitly allow traffic to go to port 8081?
8081 is used by pfblockerng DNSBL only. I allow that port for only inner networks to the firewall itself. (screenshot I mentioned) that is all. Not for outbound traffic use.
I also try to select mirrors closer to home in my sources.list file. The first hit of a log file being blocked is usually the server IP address I will look into and do a lookup to see if it seems legit for updates. Any later log hits are usually just the machine trying different ports or servers to access its update service.
If you allow comms to one it will stop trying others and stick to what is working.
If it seems too random look at your sources.list. That screenshot is all the rules I have for that Debian machine including updates and for others to get their Netflix fix. I do a lot of researching about many things lately and find port 80 and 443 more than enough. No browsing issues.
Mind you the "from" port of my machine is randomized by pfSense but the destination ports are all 80 or 443.
I also run "ufw" on my machines that allows only 443 and 80 (4/5 others too) out at each machine but they show random at the logs as from xxpc port xxxxx, knowing full well their own firewall rejects all but allowed ports.
I know there are maybe 3 servers my machines go to for updates: 1 security, 2 main stable, 3 google browser stable. They are all in my sources.list
I do have all the machines at times trying to get to a cedia.mirror.ec in Ecuador (except TV PC) but that is a blocked country so until I find out why, the blocks are of no concern. I think it may be triggered by browsing to a certain site but it is still a puzzle.
If you decide to go back to default LAN settings you may want to start captures with the firewall or just have Wireshark listen on your network and see what you find interesting.
-
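One way to do the log triage the two posts above describe (show which rule fired each block, and look up only the first blocked destination per internal host, since later hits are usually the same client retrying other ports) over firewall log lines. This is an added Python example, not code from this thread or from pfSense; the log lines are constructed and are assumed to follow the pfSense 2.2+ filterlog CSV layout.

```python
import csv
from collections import Counter

# Constructed sample lines, not captured from a real network. Assumed layout
# (pfSense 2.2+ filterlog): rulenr,subrulenr,anchor,tracker,iface,reason,
# action,dir,ipver, then for IPv4 tos,ecn,ttl,id,offset,flags,proto-id,
# proto-text, then length,src,dst and for TCP/UDP srcport,dstport,...
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.10.5,203.0.113.40,49215,37053,0,S,1:1,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.10.5,203.0.113.40,49216,48761,0,S,1:1,,65535,,mss
9,,,1000000112,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.10.5,203.0.113.40,49217,443,0,S,1:1,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.10.7,198.51.100.9,51002,8081,0,S,1:1,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,10.0.10.7,198.51.100.9,51003,8081,50
"""

def parse_filterlog(text):
    """Parse filterlog CSV lines into dicts; malformed lines are skipped."""
    entries = []
    for f in csv.reader(text.splitlines()):
        if len(f) < 9:
            continue
        # IPv4 has 8 header fields after ipver, IPv6 has 5; base = index of length
        base = 9 + (8 if f[8] == "4" else 5)
        if len(f) < base + 3:
            continue
        e = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
             "dir": f[7], "proto": f[base - 1], "src": f[base + 1],
             "dst": f[base + 2], "sport": None, "dport": None}
        if e["proto"] in ("tcp", "udp") and len(f) >= base + 5:
            e["sport"], e["dport"] = int(f[base + 3]), int(f[base + 4])
        entries.append(e)
    return entries

def first_block_per_host(entries):
    """First blocked destination per source host: the one worth looking up."""
    first = {}
    for e in entries:
        if e["action"] == "block" and e["src"] not in first:
            first[e["src"]] = (e["dst"], e["proto"], e["dport"])
    return first

def blocks_by_rule(entries):
    """Block count per rule tracker id, i.e. the 'which rule fired' column."""
    return Counter(e["tracker"] for e in entries if e["action"] == "block")

if __name__ == "__main__":
    ents = parse_filterlog(SAMPLE_LOG)
    for src, (dst, proto, dport) in first_block_per_host(ents).items():
        print(f"{src} first blocked -> {dst} {proto}/{dport}")
    print(blocks_by_rule(ents))
```

On a live box the same functions can be fed the output of `clog /var/log/filter.log` (pfSense 2.2) with the syslog prefix up to "filterlog:" stripped from each line.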
If someone got on your network and found out your admin password and put a keylogger on you this can be plausible. That's a lot of work, who did you piss off???
I don't even set up the wifi password wirelessly these days, I plug into the AP and set it up over the wire.
However, 2 factor auth has made a lot of this stuff irrelevant. Unless you rooted your phone and got spyware installed on that too.
If this stuff happened, you may not want to be running "highspeed" stuff that is "beyond your reasoning".
Format and reflash the firmware of everything you've got and try again. Or better yet, throw everything away and buy new stuff, someone may have put a chip in your computer board.
Pull out your wires too, someone may have bugged your ethernets.
See where this goes? Crazyville - pop. IT folks.