New User to pfSense - some doubts
-
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
-
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Actually I found his first post very specific.
I'm having a very difficult time getting pfsense to filter inbound connections properly.
Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)
But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.
pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.
Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng
If they are allowed to make initial contact they could potentially have already sent over a malicious payload.
Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.
-
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Good point. I guess sometimes we see things based on "our own" perspective....forgetting that there are other perspectives. Yes, web server for websites.
-
@chpalmer said in New User to pfSense - some doubts:
@akuma1x said in New User to pfSense - some doubts:
Alright, now we’re getting somewhere. You didn’t mention, until a post or so ago, that you were running a server inside your network. What kind of server is this, web server for websites or something? You say ports 80 and 443, that’s typically that kind of traffic.
Jeff
Actually I found his first post very specific.
I'm having a very difficult time getting pfsense to filter inbound connections properly.
Im actually running pfsense on retired Watchguard equipment. Works better than the original Watchguard software ever did. (And its not artificially speed limited based on how much money I paid for it.)
But your mixing a few things up. pfsense is the (I call it firmware) and works spectacular when configured correctly.
pfblocker is a package that can be added on to pfsense and also works spectacularly when configured correctly. I have only a couple of countries allowed to access my servers here and it works as advertised. I check regularly.. My guess is your lists are not updating correctly or you have something configured wrong.
Since this appears to be a package question this thread should probably be moved to the "packages" part of this forum.. https://forum.netgate.com/category/62/pfblockerng
If they are allowed to make initial contact they could potentially have already sent over a malicious payload.
Your comment here made me laugh.. You will get those kinds of attempts from every country including the USA.. Some more than others obviously.. :) Its up to you to be on top of the security of your servers and don't assume.
Awesome that you installed pfSense on a Firebox. I read about that but my boxes are the older x700 / x1000 boxes and I think I read it's harder to install on those? So I just installed pfSense on a 2005 model, AMD 64 X2 4200 HP PC. Once I finally figured out the partitioning process in pfSense install all went smoothly.
As far as the country blocking, do you find that countries that are supposed to be blocked sometimes slip through?
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Do you know a way to examine the pfSenseBlockerNG files to see if a specific IP address is in it? I'd like to confirm just a few times that foreign IPs that are supposed to be blocked are NOT in the files just so I know why they're getting through because if they ARE in the file and still getting through, that's a whole different story.Did you block by blocking all countries you don't want....or by only allowing those you DO want? I tried both and still the unwanted IPs are slipping past pfsense somehow.
My thoughts on pfSense were that it's got to be too polished and refined at this point for this to be happening so my suspicion has turned towards a failure in the country IP files (or my configurations).
Another oddity....when I see that a foreign IP has hit the server, I usually cannot find it in the pfSense logs?
That's baffling me at the moment but is probably part of the answer to this situation.Hoping for the "light bulb" moment any time now.
-
@HansSolo said in New User to pfSense - some doubts:
Here are the WAN rules
From the image above I find it strangle that you have no activate states and there have only been 241B on the first pass rule, that is very little traffic.
Just something to bear in mind, when i first came to pfSense I didn't understand how pf treats a packet. I would add a rule trying to block an active TCP connection and nothing would happen, that was because Apply Rules doesn't clear the state table. When pf receives a packet it will create a state for it if it is passed. Then subsequent packets are first checked against the state table and if a state exists they continue through, the ruleset isn't re checked.
I find the best way to check a packet is to use the CLI and the command: pfctl -vvv -s states, this will give you the states with the ruleset number that the packet got passed on etc.
If your server is getting packets from other countries run that command and find the entry for that IP.
I hope this helps.
-
@HansSolo said in New User to pfSense - some doubts:
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..
We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.
Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.
But if pfsense allowed it, and you have set it to log - then it would log.
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So far in my experiments with pfsense, too many are "slipping" through and being so new to pfSense, I'm not sure why.
Connections do not "slip" through a firewall, they are either allowed or not allowed.. If traffic was allowed, then your rules allowed it.. While the countries listing are pretty good - if you think the pfblocker list of countries is 100% accurate then your kidding yourself. There is no list that is going to be 100%... IP ranges get transferred all the time for starters. A netblock might be registered to company X in country Y, but being used in country Z etc..
We are in the process of transferring some IPs to another company in the EU, ie moving from arin to ripe.. How long do you think it will take for these "lists" to get updated, if they ever do? And when the listings do get updated - this new company we transferred to might be using the IPs in APAC, and not the EU, etc.
Are you logging all traffic that is allowed via your rules? Had your logged rolled over in pfsense, it only shows in the gui last X number of entries, you can adjust.. But again not going to be complete logs and depending on how much your logging can roll over.. You would have to look in the actual logs vs the gui.. Better yet your logs should be sent to your logging server.
But if pfsense allowed it, and you have set it to log - then it would log.
Thanks. Agreed. As mentioned several times above, I realize it's more likely a short-coming with the lists rather than the firewall.
I think your point about sending the logs to a logging server is a good one. I need to see all the logs sometimes, not just the last 50 entries.
Not wanting to invest in any more WG (or other) firewall appliances and so REALLY hoping I can adapt to pfSense. (My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise., and the price will be up there. (Happens all the time)
Thanks again
-
@HansSolo said in New User to pfSense - some doubts:
(My only concern is that they will eventually end the "freebie" program once they get where they want to be market-wise
Dude if your here to troll this FUD... This has be asked an answered many many times all over the freaking internet... Free version of pfsense isn't going anywhere..
-
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
-
@stephenw10 said in New User to pfSense - some doubts:
If those WAN rules are allow traffic only to that one internal server you really should change them to have that destination IP and ports. Right now you are allowing access from any IP in the list to the pfSense GUI. And any other services running on pfSense....
I prefer to set pfBlocker to create Native aliases only and add the rules using them myself.
Also the x700/x1000 was 32bit hardware so won't run current pfSense in case you were considering it.
Steve
Steve,
I didn't create those rules.
They were AutoGenerated BY pfSenseBlockerNGThis rule does not give you the option to change the ports.
I do sincerely hope they are not creating rules that compromise security.
Like I said above, isn't there some kind of proxying going on here?If you look at the rules, they do not point to an IP address, alias or any location for that matter.
They simply point to the blocking file configuration itself.Can you let me know if you STILL believe these rules are in error?
Thanks -
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
-
For anyone who comes to this thread later......
At least in pfsense 2.4.4, here is how you can look at your pfSenseBlockerNG files and see ALL the IP addresses in any given file....
In the WebConfiguration console, go to --> DIAGNOSTICS --> EDIT FILES
There you get a graphical Directory listing of the entire PfSense system (it's a Linux system)
The pfb_NAmerica file for example is located here.....(click on it and it will open in a text editor)
/var/db/pfblockerng/original/pfB_NAmerica_v4.orig
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
Can you let me know if you STILL believe these rules are in error?
An any any rule on your wan is NEVER going to be a good thing to be honest.. be it you lock down the source in some way or not..
I agree....
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
Because once again, what you see in the diagram above is created during the install of pfsenseblockNG and I did not configure those rules.
-
Yes, you should change those rules.
As I said, if I were doing it I would set pfBlocker to create aliases only, not add rules. Then add the rules I need separately using those aliases.
pfBlocker only does what you configure it to do and looks like you configured it so add inbound pass rules. That is almost certainly not what you wanted. At least not without a destination/port.
Steve
-
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
There seems to be some confusion floating here, so I'm posting a screen shot of the rule that everal keep saying I need to change.
Here is the configuration for the rule in question for pfSenseBlockerNG.
As you can see, it is not like a regular rule configuration screen and does not allow for the changes being suggested.....
There is nowhere to change PORTS....and the destination could be changed to the IP of the server but I get an error when I make that change.
-
There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.
-
@johnpoz said in New User to pfSense - some doubts:
@HansSolo said in New User to pfSense - some doubts:
So are you also agreeing that pfSenseBlockerNG has incorrectly configured their settings?
NO!!! I just ran through the wizard and it didn't create single rule on my WAN!!
Really ????
I didn't create those rules. Honest.
I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
What version pfsense are you running? -
@conor said in New User to pfSense - some doubts:
There is no ports option as you have Protocol set to Any, that needs to be set to TCP/UDP or one of them to see ports. For example ESP, ICMP and AH protocols do not have ports.
Ah!
ok.It's a mystery then why those rules were created like that?
I DID NOT create those rules and thought they were just part of the pfSenseBlockerNG setup.
Good thing my server is still behind my WG Firebox at the moment and not the pfSense firewall.
-
@HansSolo said in New User to pfSense - some doubts:
I wonder if it's because our configurations are different? Are you running a server behind your pfSense?
What version pfsense are you running?Yes I have ports forwarded, I run ntp server to the world via ntp pool.. I have friends and family access to my plex server.
As to what version of pfsense I run - its in my signature.. And yes I would be running current, as any sane person should be.
That you think an any any rule is ok on your wan - even IF some tool created it.. Is just beyond nuts...
