New User to pfSense - some doubts
-
Thanks for the reply.
Actually I don't want IP's outside the USA able to reach the server at all.
If they are allowed to make initial contact they could potentially have already sent over a malicious payload.I don't think it's enough to simply prevent a response. Shouldn't one be able to completely prevent connections if so desired? I could certainly do that with the WG Fireboxes.
What exactly in that set of rules is allowing Brazil connections to the WAN interface?
(unless it's a deficiency in the GeoIP database)I realize that there's a bit of "impossibility" to this scenario given spoofing and the use of proxies etc etc etc.
That's not really my concern. My concern is just having the firewall do what I ask of it and allowing IP addresses from Brazil and non US based IP address blocks is not it. -
No, you're not understanding the basic function of pfsense, no matter what it's installed on. Unless you SPECIFICALLY create a WAN pass rule for traffic from anywhere, doesn't matter where in the world the traffic comes from, the traffic doesn't get thru to the inside of your firewall. Period, end of story.
If you see addresses being denied on the firewall logs at the WAN connection, pfsense is doing exactly what it's programmed to do - block and deny traffic, letting none of that get through. You can look at the traffic logs all day, but basically it all boils down to just internet noise. Anything and everything out on the internet can touch your WAN interface. It's up to the firewall itself to keep all that out. It's doing the job just fine.
Reread @stephenw10 post, he said it all there already.
Jeff
-
@akuma1x said in New User to pfSense - some doubts:
No, you're not understanding the basic function of pfsense, no matter what it's installed on. Unless you SPECIFICALLY create a WAN pass rule for traffic from anywhere, doesn't matter where in the world the traffic comes from, the traffic doesn't get thru to the inside of your firewall. Period, end of story.
If you see addresses being denied on the firewall logs at the WAN connection, pfsense is doing exactly what it's programmed to do - block and deny traffic, letting none of that get through. You can look at the traffic logs all day, but basically it all boils down to just internet noise. Anything and everything out on the internet can touch your WAN interface. It's up to the firewall itself to keep all that out. It's doing the job just fine.
Reread @stephenw10 post, he said it all there already.
Jeff
I wish that was true. However, I have Modsecurity running behind pfSense on a server and I can not only tell they "touched" the server (going right past pfSense), I can see exactly what they did and what they sent.
As you may know, Modsecurity keeps a highly detailed record. So yes, even though there's absolutely no rule allowing it, I get "blocked" connections to my server.and this is why I started this thread. To find out why, because it should not be happening.
Keep in mind as mentioned, i've used WatchGuard and Cisco appliances for a long time and they do not allow ANY "touching" the server once blocks are in place.
So maybe, as I mentioned, it's a problem with the GeoIP database. Giving pfsense the benefit of the doubt, I'd bet a nickel that the foreign IP addresses making it through are in the USA database because those block do occasionally change the countries they are allocated to. ONE of the IP's that whistled right past pfsense is this one....45.65.128.250
Now, if I could actually check the USA IP list to see if THAT IP address actually exists in the GeoIP file.
That said, I posted the rules set for the WAN interface. What in that rule set could be allowing blocked connections past pfsense?
Finally, there is always the possibility I'm having a total breakdown of comprehension. So if you (or someone) could be so kind as to explain (given the rule set I posted) how Brazil and other foreign IP's are still reaching the server itself and going right past pfsense?
Thanks
-
Since that's your WAN interface, if I'm not mistaken and reading it correctly, you've opened up and allowed (with the green check marks) whatever is in the "pfB_NAmerica_v4" and "pfB_NAmerica_v6" alias sources to contact any internal network you've got configured on your pfsense box. That's most likely VERY BAD. And is probably why you're seeing traffic hitting an internal machine/host.
A general rule of thumb is you put absolutely NO pass rules on your WAN interface, unless you know exactly what you're doing.
Disable those 2 rules for now, reboot your pfsense box, and see what happens. Again, if nothing is set to pass or allow traffic on your WAN interface, nothing gets through.
@stephenw10 suggested to move these 2 rules to your LAN interface. Let's try that after you disable them on WAN and do some testing.
Jeff
-
@akuma1x said in New User to pfSense - some doubts:
Since that's your WAN interface, if I'm not mistaken and reading it correctly, you've opened up and allowed (with the green check marks) whatever is in the "pfB_NAmerica_v4" and "pfB_NAmerica_v6" alias sources to contact any internal network you've got configured on your pfsense box. That's most likely VERY BAD. And is probably why you're seeing traffic hitting an internal machine/host.
A general rule of thumb is you put absolutely NO pass rules on your WAN interface, unless you know exactly what you're doing.
Disable those 2 rules for now, reboot your pfsense box, and see what happens. Again, if nothing is set to pass or allow traffic on your WAN interface, nothing gets through.
@stephenw10 suggested to move these 2 rules to your LAN interface. Let's try that after you disable them on WAN and do some testing.
Jeff
Well Jeff,
There is a server behind the pfsense firewall. If I allow nothing through the WAN interface, how do you propose anyone reaches the server?And nothing in the configuration will allow traffic to "ANY" internal network, I have a NAT rule that ONLY allows traffic that passes the WAN interface to go to a specific IP address ONLY and ONLY on ports 80 or 443.
The first three rules you see are automatically configured by pfSenseBlockerNG.
I did not configure those and as I said, I'm new to pfsense so I figured that the rules were configured to proxy the connections back to the filter. As you see, the destination is not an interface but the pfSenseBlockerNG system itself.
What it does internally I'm not sure of but I was not able to connect to any Interfaces other than the correct one when I tested this with my cellphone from an external network.I'm more than willing to learn here. Anyone here familiar with pfSenseBlockerNG that can tell if those rules look kosher?
There really is no way to edit those rules to change the ports and if you change anything actually, it breaks.Please tell me how to have a public server behind a firewall without allowing traffic to pass through?
I may be new to pfsense, but certainly not new to networking and running a server. That said, I certainly don't consider myself any kind of expert either. -
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
-
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Actually I found his first post very specific.
I'm having a very difficult time getting pfsense to filter inbound connections properly.
Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)
But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.
pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.
Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng
If they are allowed to make initial contact they could potentially have already sent over a malicious payload.
Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.
-
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Good point. I guess sometimes we see things based on "our own" perspective....forgetting that there are other perspectives. Yes, web server for websites.
-
@chpalmer said in New User to pfSense - some doubts:
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Actually I found his first post very specific.
I'm having a very difficult time getting pfsense to filter inbound connections properly.
Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)
But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.
pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.
Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng
If they are allowed to make initial contact they could potentially have already sent over a malicious payload.
Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.
Awesome that you installed pfSense on a Firebox. I read about that but my boxes are the older x700 / x1000 boxes and I think I read it's harder to install on those? So I just installed pfSense on a 2005 model, AMD 64 X2 4200 HP PC. Once I finally figured out the partitioning process in pfSense install all went smoothly.
As far as the country blocking, do you find that countries that are supposed to be blocked sometimes slip through?
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Do you know a way to examine the pfSenseBlockerNG files to see if a specific IP address is in it? I'd like to confirm just a few times that foreign IPs that are supposed to be blocked are NOT in the files just so I know why they're getting through because if they ARE in the file and still getting through, that's a whole different story.Did you block by blocking all countries you don't want....or by only allowing those you DO want? I tried both and still the unwanted IPs are slipping past pfsense somehow.
My thoughts on pfSense were that it's got to be too polished and refined at this point for this to be happening so my suspicion has turned towards a failure in the country IP files (or my configurations).
Another oddity....when I see that a foreign IP has hit the server, I usually cannot find it in the pfSense logs?
That's baffling me at the moment but is probably part of the answer to this situation.Hoping for the "light bulb" moment any time now.
-
@HansSolo said in New User to pfSense - some doubts:
Here are the WAN rules
From the image above I find it strangle that you have no activate states and there have only been 241B on the first pass rule, that is very little traffic.
Just something to bear in mind, when i first came to pfSense I didn't understand how pf treats a packet. I would add a rule trying to block an active TCP connection and nothing would happen, that was because Apply Rules doesn't clear the state table. When pf receives a packet it will create a state for it if it is passed. Then subsequent packets are first checked against the state table and if a state exists they continue through, the ruleset isn't re checked.
I find the best way to check a packet is to use the CLI and the command: pfctl -vvv -s states, this will give you the states with the ruleset number that the packet got passed on etc.
If your server is getting packets from other countries run that command and find the entry for that IP.
I hope this helps.
-
@HansSolo said in New User to pfSense - some doubts:
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..
We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.
Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.
But if pfsense allowed it, and you have set it to log - then it would log.
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..
We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.
Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.
But if pfsense allowed it, and you have set it to log - then it would log.
Thanks. Agreed. As mentioned several times above, I realize it's more likely a short-coming with the lists rather than the firewall.
I think your point about sending the logs to a logging server is a good one. I need to see all the logs sometimes, not just the last 50 entries.
Not wanting to invest in any more WG (or other) firewall appliances and so REALLY hoping I can adapt to pfSense. (My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise., and the price will be up there. (Happens all the time)
Thanks again
-
@HansSolo said in New User to pfSense - some doubts:
(My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise
Dude if your here to troll this FUD... This has be asked an answered many many times all over the freaking internet... Free version of pfsense isn't going anywhere..
-
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
-
@stephenw10 said in New User to pfSense - some doubts:
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
Steve,
I didn't create those rules.
They were AutoGenerated BY pfSenseBlockerNGThis rule does not give you the option to change the ports.
I do sincerely hope they are not creating rules that compromise security.
Like I said above, isn't there some kind of proxying going on here?If you look at the rules, they do not point to an IP address, alias or any location for that matter.
They simply point to the blocking file configuration itself.Can you let me know if you STILL believe these rules are in error?
Thanks -
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
-
For anyone who comes to this thread later......
At least in pfsense 2.4.4, here is how you can look at your pfSenseBlockerNG files and see ALL the IP addresses in any given file....
In the WebConfiguration console, go to --> DIAGNOSTICS --> EDIT FILES
There you get a graphical Directory listing of the entire PfSense system (it's a Linux system)
The pfb_NAmerica file for example is located here.....(click on it and it will open in a text editor)
/var/db/pfblockerng/original/pfB_NAmerica_v4.orig
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
I agree....
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
Because once again, what you see in the diagram above is created during the install of pfsenseblockNG and I did not configure those rules.
-
Yes, you should change those rules.
As I said, if I were doing it I would set pfBlocker to create aliases only, not add rules. Then add the rules I need separately using those aliases.
pfBlocker only does what you configure it to do and looks like you configured it so add inbound pass rules. That is almost certainly not what you wanted. At least not without a destination/port.
Steve
-
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03
