LAN ip blocked but seems to be passing traffic
-
@Derelict Every time I try to post, the forum errors now:
ErrorPost content was flagged as spam by Akismet.com
how do I get around this?
-
Post things that don't look like spam. Sorry that's the best I can do. Maybe some others will click your thumbs up to get your reputation higher which should relax the rules.
-
@Derelict hahah wow. so how does code look like spam? kinda stupid.
Thanks anyway, @Derelict I appreciate the attempt!Sadly, I'm losing this dumb pasting game. It's not worth fighting this if it won't even tell me what characters it doesn't like. Not to mention, restricting chars is stupid in a place where people paste code, but I know you didn't design it. Then it tells me I can only post every 120 seconds... geeeeeeesh.
Have yerself a great day! -
@h1pp13p373 said in LAN ip blocked but seems to be passing traffic:
@Derelict hahah wow. so how does code look like spam? kinda stupid.
Thanks anyway, @Derelict I appreciate the attempt!Why code looks like spam? Just have a look at your log:
11:43:46.534771 IP DirecTV.lucky.org.44339 > underdog.lucky.org.domain: 39142+ A? bbvds.dtvbb.tv. (32)
11:43:46.718625 IP underdog.lucky.org.domain > DirecTV.lucky.org.44339: 39142 1/0/0 A 99.193.64.55 (48)There are already SO many links in there (as you didn't do a PCAP with -n / numeric only) that every spam-plugin and detection tool will run wild in having that posted ;) Bots LOVE to post a bunch of links, so it's no wonder, the plugin the forum uses is running hot while processing that.
How about (to test it) post a tcpdump with -n? When analyzing TCPdumps, domain names tend to get in your way anyways. :)
-
OK, so when the forum failed, I had used the -n flag. You don't see it becsuse the forum won't let me paste it. See http://hippiepete.org/netgate.forum.fail.txt
Why is that spam? And if that triggers the filter, what wouldn't?
-
OK, so when the forum failed, I had used the -n flag. You don't see it becsuse the forum won't let me paste it.
My bad, sorry. Just wanted to point it out, that the Spam detection doesn't like large amounts of links (or things that look like it).
@h1pp13p373 said in LAN ip blocked but seems to be passing traffic:
Why is that spam? And if that triggers the filter, what wouldn't?
Unfortunately I've no insight into the workings of the Akismet Plugin and it doesn't have some sort of whitelist :(
Besides that, just having a quick look at your text file, it still shows links from your rule descriptions (like voip.ms) that could perhaps (just guessing here) trigger the bot threshold.But besides that after a few posts and thumbs up I thought the plugin should take it a little lighter. But something seems to still trigger it hard. I also had a problem with a user and his post in the german subforums that could post it initially but couldn't edit it afterwards. Very strange :/
-
@JeGr I worked with an admin in another thread and it lets him post the exact same text, but not me. Time for gist/etherpad/something else. It'll be much easier in the long run.
-
Just found hastebin... pretty slick. Even a cli client so you can pipe stuff to it.
https://hastebin.com/about.mdSo, back to my original issue, here's my dump and rules:
https://hastebin.com/elamojuvaw.coffeescriptI'd found an old pfsense thread that suggested I place a specific allow for that alias before the block but that didn't work either. I still could see traffic being passed.
-
Please paste /tmp/rules.debug
Establish a connection that should be blocked. While connected or immediately thereafter get the output of this:
pfctl -vvss | grep -A 3 192.168.42.89 -
@Derelict Got it:
https://hastebin.com/pocurolagi.coffeescript -
Great. Now:
pfctl -vvsr | grep -A3 '^@24(' -
@Derelict Newest at the top:
https://hastebin.com/umedifopej.coffeescript
-
Great. Do you have a captive portal on that interface?
What are the various IP address and MAC address pass throughs there?
-
@Derelict Good thinking! I do have a captive portal active, but I only have a few ip's allowed and 192.168.42.89 is not on the allowed list. I don't have any allowed MAC addresses set.
https://hastebin.com/ifabayekin.coffeescript -
Well that's probably why you're seeing what you're seeing. I am not sure why yet but those sloppy rules are likely the culprit. Note that there is no state shown that passes traffic into LAN from 192.168.42.89:39163 -> 99.193.64.55:80. Only the reply traffic passed by sloppy rule 24.
Turn off the captive portal. Is the traffic blocked?
Move the specific block rule to the top of the rule set. Is the traffic blocked?
Most people would not stack a bunch of stuff on an interface with a portal on it. They'd create two different security zones (interfaces) and put the captive portal on one and the hosts that should be able to pass through on the other.
What is the output of
ipfw show -
@Derelict said in LAN ip blocked but seems to be passing traffic:
ipfw show
https://hastebin.com/isadazabew.coffeescript
Looks like that was the culprit! After turning the portal off, I didn't see any return traffic from the remote ip. I guess the portal returning the login page looked like a return from the remote ip in the dump...? Strange though. I sure appreciate your help, @Derelict !!
I'm also going to look into security zones like you suggested. Is the purpose of using the zones to have an abstract layer of trusted and untrusted hosts sort of like aliases for fw rules, or is it a performance thing?
I was a linux guy for years and know just enough networking to be dangerous. :) -
The purpose is to segment secure portions of your network from each other, each with the capabilities necessary for that segment (like captive portal).
Yes, the captive portal page being returned would look like that if you were capturing on LAN. I (and everyone else probably) assumed you were looking at a web browser when you were testing and seeing the portal page instead of the outside site would have seemed like an obvious clue to me.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
Thanks again, and that makes sense about segmenting.
This all started when I saw traffic to that LAN ip on ntopng (installed on the pfsense box) and did a pcap download. That's where I saw the traffic from the remote ip to the LAN address and I got concerned. The 302 should have also gave me a clue about the portal.
The portal was only set up to rick roll guests and I guess I deserve it for that. lol
Have a great day! -
@Derelict I'm having trouble finding documentation on using interfaces to segment. Is it like creating virtual interfaces and assigning ip lists to one or both? Would you mind linking me an article?
-
This discusses network segmentation:
https://www.youtube.com/watch?v=QFk5jX-oeSo
