Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Had my pfSense been compromised?

    Scheduled Pinned Locked Moved Firewalling
    79 Posts 11 Posters 13.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NogBadTheBadN
      NogBadTheBad
      last edited by

      Just thought I'd check as some people think Hong Kong is China ☺

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      1 Reply Last reply Reply Quote 0
      • H
        hulleyrob
        last edited by

        Its also interesting that we all saw clear DDOS technologies as passed in our logs and no-one else.

        Ive not seen any other IP addresses associated with this problem.

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          I've looked through the pf source code and any place I see where PFRES_SHORT (short) reason gets set is only associated with the PF_DROP (block) action. So I'm not quite sure why it is being logged as a pass. The only difference is that when scrub is enabled, the code path that does packet normalization sets things slightly differently, so maybe that affects how the log entry is interpreted, but the packet is still dropped on that code path.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 1
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Is there anyway to make sure they are logged as blocked vs pass?

            Yeah everything I was reading is short should be blocked, so not sure why they are logged as pass either.. Odd.. While I do have some hits in the counter for short via the info command.. I can not find anything in the logs on my syslog showing them... But then again those might of been before sending to syslog, and the counter has not gone up in the week since last did, still showing only 2.

            If someone is seeing a lot of them, possible they could turn off scrub for testing to see if they are now logged blocked.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            H 1 Reply Last reply Reply Quote 0
            • H
              hulleyrob @johnpoz
              last edited by

              @johnpoz ive not seen anymore since the day three of us all saw them.

              B 1 Reply Last reply Reply Quote 0
              • B
                bchan @hulleyrob
                last edited by

                @hulleyrob said in Had my pfSense been compromised?:

                @johnpoz ive not seen anymore since the day three of us all saw them.

                I saw them on 11 & 14Oct and then not anymore.

                H 1 Reply Last reply Reply Quote 0
                • kiokomanK
                  kiokoman LAYER 8
                  last edited by kiokoman

                  maybe there is an explanation here @johnpoz
                  http://openbsd-archive.7691.n7.nabble.com/pf-logs-def-short-pass-in-but-should-say-block-td192809.html

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  johnpozJ provelsP 2 Replies Last reply Reply Quote 0
                  • H
                    hulleyrob @bchan
                    last edited by

                    @bchan was only on the 13th for me. But reading the link below from 2012 it looks like it is just a issue that it is being displayed as a pass and was actually blocked which is the best scenario for what we are seeing.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @kiokoman
                      last edited by

                      @kiokoman

                      That clearly seems some how related for sure, but no responses and its quite old from 2012.. But yeah good find..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • provelsP
                        provels @kiokoman
                        last edited by

                        @kiokoman Poor Leonardo. Unappreciated in his own time.

                        Peder

                        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ johnpoz referenced this topic on
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.