Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Had my pfSense been compromised?

    Scheduled Pinned Locked Moved Firewalling
    79 Posts 11 Posters 15.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • KOMK
      KOM
      last edited by

      Post a pic of your WAN2 rules and your floating rules.

      B 1 Reply Last reply Reply Quote 0
      • B
        bchan @KOM
        last edited by bchan

        @KOM
        Screenshot_2019-10-11 asus kleaders - Firewall Rules WAN2.png
        Screenshot_2019-10-11 asus kleaders - Firewall Rules Floating.png

        Thanks in advance for your assistances.

        NogBadTheBadN 1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad @bchan
          last edited by

          @bchan

          You've posted the same screenshot twice

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          B 1 Reply Last reply Reply Quote 0
          • B
            bchan @NogBadTheBad
            last edited by

            @NogBadTheBad Thank u for pointing out. Pic corrected.

            1 Reply Last reply Reply Quote 0
            • A
              akuma1x
              last edited by akuma1x

              Nothing is coming in on WAN2, you have no pass rules there.

              What have you defined for that "Desktop" alias you've got in your Source column on the Floating Rules tab?

              Jeff

              B 1 Reply Last reply Reply Quote 0
              • B
                bchan @akuma1x
                last edited by

                @akuma1x
                Desktop contains list of desktop computers:
                Screenshot_2019-10-11 asus kleaders - Firewall Aliases Edit.png

                For sure it does not have the offending 103.240.140.10 in my first post.

                JeGrJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  And what is that rule - just look it up via
                  https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html

                  pfctl -vvsr

                  Will show you rule ID numbers so you can match up rules with what your seeing.. Unless the rule has been deleted.. You can look in your config change history.

                  changes.jpg

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  B 2 Replies Last reply Reply Quote 0
                  • B
                    bchan
                    last edited by

                    I have gathered additional info on the port numbers:
                    Ports.jpg

                    These ports seem to be related to hostname, nameserver, smtp.

                    1 Reply Last reply Reply Quote 0
                    • JeGrJ
                      JeGr LAYER 8 Moderator @bchan
                      last edited by

                      @bchan said in Had my pfSense been compromised?:

                      For sure it does not have the offending 103.240.140.10 in my first post.

                      Yes but it has your local FQDN. You sure that resolves correctly and not to some strange web IP? I'd never use local hostnames in Aliases.

                      Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      B 1 Reply Last reply Reply Quote 0
                      • B
                        bchan @johnpoz
                        last edited by

                        @johnpoz
                        Nothing logged around that time (05:29):
                        Screenshot_2019-10-11 asus kleaders - Diagnostics Backup Restore Config History.png

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          look in your full rule set for what that ID number matches up with.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • B
                            bchan @JeGr
                            last edited by

                            @JeGr

                            whois 103.240.140.10
                            inetnum: 103.240.140.1 - 103.240.142.255
                            netname: CTCL-HK
                            descr: ClearDDoS Technologies
                            country: HK

                            It sounds like a web security company.

                            1 Reply Last reply Reply Quote 0
                            • JeGrJ
                              JeGr LAYER 8 Moderator
                              last edited by

                              I'm talking about your alias. Not the IP.

                              Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                              B 1 Reply Last reply Reply Quote 0
                              • B
                                bchan @JeGr
                                last edited by

                                @JeGr

                                I have checked the table values for this alias and they all resolve correctly to 192.168.x.x

                                1 Reply Last reply Reply Quote 0
                                • JeGrJ
                                  JeGr LAYER 8 Moderator
                                  last edited by

                                  @bchan said in Had my pfSense been compromised?:

                                  all resolve correctly to 192.168.x.x

                                  LAPTOP-1CGD66U4 resolves to 192.168.x.x? Even on pfsense itself? Its resolvers?

                                  Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                  B 1 Reply Last reply Reply Quote 0
                                  • B
                                    bchan @JeGr
                                    last edited by

                                    @JeGr
                                    Screenshot_2019-10-11 asus kleaders - Diagnostics Tables.png

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      bchan @johnpoz
                                      last edited by

                                      @johnpoz said in Had my pfSense been compromised?:

                                      pfctl -vvsr

                                      pfctl -vvsr | grep 4294967295
                                      return nothing.

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

                                        Are you currently seeing logs for this?

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        B 1 Reply Last reply Reply Quote 0
                                        • B
                                          bchan @johnpoz
                                          last edited by

                                          @johnpoz said in Had my pfSense been compromised?:

                                          Then the rule was deleted, make sure your grep is working by using a ID in your command that you see when just looking at the output.

                                          Are you currently seeing logs for this?

                                          grep works for other id e.g. the teamviewer logger.
                                          I have 2 WANs for months. This incident was the first time I saw incoming traffic to WAN2 and were logged.
                                          As you can see from my rules, I don't have anything that will log incoming traffic for WAN2.

                                          1 Reply Last reply Reply Quote 0
                                          • jimpJ
                                            jimp Rebel Alliance Developer Netgate
                                            last edited by

                                            Do you have UPnP enabled? Do you have it set to use WAN2, and to log connections?

                                            That's the most likely explanation.

                                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                            Need help fast? Netgate Global Support!

                                            Do not Chat/PM for help!

                                            B 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.