Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking constant attacks

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 5 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      @revengineer said in Blocking constant attacks:

      US I also use international sites quite a bit.

      Not blocking outbound... You never know were a site might be hosted.

      If I was going to travel to X, then I would open up my vpn from X... But I see little reason for some IP in xyz country to be talking to my plex or my vpn server.. There is zero point to it..

      But I don't block outbound other than ads via pihole.. and ublock in my browser..You never know where some site I want to go to is hosted..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • provelsP
        provels
        last edited by

        One way or the other, the FW has to make a call whether it's blocked by country or just blocked, so what's the point of country block? The FW still burns cycles. Curious. I just use pfB to block outbound.

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Inbound blocking only makes sense when you have port forwards in place or access to services on the firewall open like OpenVPN in this case. Then you can restrict by source IP using pfBlocker rather than just open it to everywhere.

          Steve

          provelsP 1 Reply Last reply Reply Quote 1
          • provelsP
            provels @stephenw10
            last edited by provels

            @stephenw10 I see. I guess that may give support to using some rando upper port for VPN rather than something common like 443?

            Peder

            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Yeah, you will always get way more hits on 443 than anything else. Port 1194 also gets probed as it's the default OpenVPN port. 11194 not so much. But really that only cleans your logs, security through obscurity is not real security. 😉

              provelsP R 2 Replies Last reply Reply Quote 0
              • provelsP
                provels @stephenw10
                last edited by

                @stephenw10 Yeah, the only real security is an air gap... But with 128K+ ports to choose from, I can be pretty obscure!

                Peder

                MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  I really need to use 443 to be able to get to the vpn from work... I would normally just lock it down to my work IPs for this use.. But you do run into issues where only thing out is 443 tcp, etc. So in that case I can still access my vpn.. So I do the best I can and restrict it to US.. But my vpn and ha proxy doesn't need to spin cycles dealing with nonsense - much easier to just not let them any farther up the stack then the firewall.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  provelsP 1 Reply Last reply Reply Quote 0
                  • provelsP
                    provels @johnpoz
                    last edited by provels

                    @johnpoz said in Blocking constant attacks:

                    I would normally just lock it down to my work IPs for this use.

                    That's what I did. And I managed the FW. Nowadays (retired) I just enable VPN when I'm out of town (or Lazyboy).

                    Peder

                    MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                    BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                    1 Reply Last reply Reply Quote 0
                    • R
                      revengineer @stephenw10
                      last edited by

                      @stephenw10 @provels I travel a lot and find that half the hotels block ports other than those used for web browsing, i.e., 80 and 443. While I have a UDP instance of OpenVPN running on port 1194, I frequently need to revert to the secondary instance on port 443 using TCP. So for usability, there is really no way around this.

                      1 Reply Last reply Reply Quote 1
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        @revengineer said in Blocking constant attacks:

                        hotels block ports other than those used for web browsing

                        Yup unless you pay for their "premium" wifi ;) quite common for them to do that - which is why running on 443 to get around those restrictions. But it can also see a lot of traffic that is not your vpn.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        provelsP 1 Reply Last reply Reply Quote 0
                        • provelsP
                          provels @johnpoz
                          last edited by

                          @revengineer @johnpoz Good to know, thanks.

                          Peder

                          MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                          BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.