Had my pfSense been compromised?
-
Just thought I'd check as some people think Hong Kong is China
-
It's also interesting that we all saw clear DDOS technologies as passed in our logs and no-one else.
I've not seen any other IP addresses associated with this problem.
-
I've looked through the pf source code and any place I see where PFRES_SHORT (short) reason gets set is only associated with the PF_DROP (block) action. So I'm not quite sure why it is being logged as a pass. The only difference is that when scrub is enabled, the code path that does packet normalization sets things slightly differently, so maybe that affects how the log entry is interpreted, but the packet is still dropped on that code path.
-
Is there any way to make sure they are logged as blocked vs pass?
Yeah, everything I was reading is short should be blocked, so not sure why they are logged as pass either.. Odd.. While I do have some hits in the counter for short via the info command, I can not find anything in the logs on my syslog showing them... But then again those might have been before sending to syslog, and the counter has not gone up in the week since it last did, still showing only 2.
If someone is seeing a lot of them, possible they could turn off scrub for testing to see if they are now logged blocked.
-
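As an added illustration of the point above (not code from the thread, from pfSense or from pf itself): a small Python parser for pfSense filterlog syslog lines that pulls out the reason and action fields and treats a "short" entry as a dropped packet even when the log line says "pass". It assumes pfSense's documented filterlog CSV field order; the sample log lines, rule numbers, tracker ids and addresses are constructed.

```python
# Added example, not code from the thread: parse pfSense "filterlog" syslog lines
# and flag packets pf rejected with reason "short", regardless of the action
# the log line shows.  Field layout is pfSense's documented filterlog CSV order:
#   rule,subrule,anchor,tracker,interface,reason,action,direction,ipver,...
# The sample lines, rule numbers and addresses below are constructed.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class PfLogEntry:
    rule: str
    interface: str
    reason: str
    action: str
    direction: str
    ip_version: str
    src: Optional[str]
    dst: Optional[str]

    @property
    def effectively_dropped(self) -> bool:
        # pf only sets PFRES_SHORT on the PF_DROP path (see the post above),
        # so a "short" entry is a dropped packet even if it is logged as "pass".
        return self.action == "block" or self.reason == "short"


# In syslog the CSV payload follows a "filterlog[pid]:" tag.
_FILTERLOG_TAG = re.compile(r"filterlog(?:\[\d+\])?:\s*")


def parse_filterlog_line(line: str) -> Optional[PfLogEntry]:
    """Return a PfLogEntry for one syslog line, or None if it is not filterlog."""
    m = _FILTERLOG_TAG.search(line)
    if m is None:
        return None
    fields = line[m.end():].strip().split(",")
    if len(fields) < 9:
        return None
    ipver = fields[8]
    src = dst = None
    if ipver == "4" and len(fields) >= 20:
        # IPv4 tail: tos,ecn,ttl,id,offset,flags,proto_id,proto,length,src,dst
        src, dst = fields[18], fields[19]
    elif ipver == "6" and len(fields) >= 17:
        # IPv6 tail: class,flowlabel,hoplimit,proto,proto_id,length,src,dst
        src, dst = fields[15], fields[16]
    return PfLogEntry(
        rule=fields[0], interface=fields[4], reason=fields[5],
        action=fields[6], direction=fields[7], ip_version=ipver,
        src=src, dst=dst,
    )


def find_short_entries(lines: Iterable[str]) -> List[PfLogEntry]:
    """Entries pf rejected as too short, which syslog may show as 'pass'."""
    out = []
    for line in lines:
        e = parse_filterlog_line(line)
        if e is not None and e.reason == "short":
            out.append(e)
    return out


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count entries by (reason, action) to compare against the pf info counters."""
    c: Counter = Counter()
    for line in lines:
        e = parse_filterlog_line(line)
        if e is not None:
            c[(e.reason, e.action)] += 1
    return dict(c)


# Constructed sample lines (documentation address ranges, made-up rule ids).
SAMPLE_LOG = [
    "Oct 13 09:12:44 fw filterlog[21404]: 5,,,1000000103,igb0,short,pass,in,4,"
    "0x0,,52,0,0,none,6,tcp,20,203.0.113.5,192.0.2.10",
    "Oct 13 09:12:45 fw filterlog[21404]: 73,,,1590000000,igb0,match,block,in,4,"
    "0x0,,64,54321,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51234,22,0,S,,,,",
    "Oct 13 09:12:46 fw filterlog[21404]: 9,,,1000000105,igb1,match,pass,out,6,"
    "0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::2,443,61000,0,S,,,,",
    "Oct 13 09:12:47 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20",
]

if __name__ == "__main__":
    for e in find_short_entries(SAMPLE_LOG):
        print(f"rule={e.rule} if={e.interface} {e.src}->{e.dst} "
              f"logged as {e.action!r}, effectively_dropped={e.effectively_dropped}")
    print(summarize(SAMPLE_LOG))
```

Run against exported syslog, this shows whether the "short" hits in the pf info counters correspond to any logged entries at all, which was the open question here: the counter only says how many packets were rejected, not which ones or whether a log line was written for them.
-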
@johnpoz I've not seen any more since the day three of us all saw them.
-
@hulleyrob said in Had my pfSense been compromised?:
@johnpoz I've not seen any more since the day three of us all saw them.
I saw them on 11 & 14Oct and then not anymore.
-
maybe there is an explanation here @johnpoz
http://openbsd-archive.7691.n7.nabble.com/pf-logs-def-short-pass-in-but-should-say-block-td192809.html
-
@bchan was only on the 13th for me. But reading the link below from 2012 it looks like it is just an issue that it is being displayed as a pass and was actually blocked, which is the best scenario for what we are seeing.
-
That clearly seems somehow related for sure, but no responses and it's quite old, from 2012.. But yeah, good find..
-
@kiokoman Poor Leonardo. Unappreciated in his own time.
-