Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netgate shared root with ISP? ¯\_(❞⦈)_/¯

    Scheduled Pinned Locked Moved General pfSense Questions
    46 Posts 13 Posters 8.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      So the logs you are seeing are like, for example?:

      Aug 16 12:14:22 	syslogd 		kernel boot file is /boot/kernel/kernel
      Aug 16 12:14:22 	kernel 		done.
      Aug 16 12:14:23 	php-fpm 	343 	/rc.start_packages: Restarting/Starting all packages.
      Aug 16 12:14:24 	login 		login on ttyv0 as root
      Aug 16 12:15:34 	check_reload_status 		rc.newwanip starting igb0
      Aug 16 12:15:35 	php-fpm 	343 	/rc.newwanip: rc.newwanip: Info: starting on igb0. 
      

      That is expected and not an indication some bad actor is connected to your firewall as that link shows.

      Steve

      TheHowToT 2 Replies Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        I don't know - if your first thought after seeing some log entries you don't understand is that what is pretty much the most well known and used opensource firewall distro on the planet is that they have colluded with the man to allow back doors into their project.. And for that matter if doing such a thing, too stupid or lazy to even not log said entries..

        Hmmmm,

        I think maybe its time to lay off the paranoia inducing recreational drugs ;)

        But maybe that's just me ;) hehehehe

        I also don't think they faked the moon landing... Or believe that our Reptilian overlords pull the strings, etc. So maybe not really the best one to ask ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • A
          akuma1x @TheHowTo
          last edited by akuma1x

          @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

          After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).

          Well that's complete nonsense, and doesn't happen with a NORMAL install of pfsense. And when I say normal, I mean, you didn't turn off the top 2 deny rules for the WAN interface:

          • Block private networks
          • Block bogon networks

          Show us a screenshot of your WAN rules, and mask out any sensitive information.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            ttyv0 is the physical video console. Nobody can login to that remotely. It can only be accessed via keyboard and monitor. Similarly, ttyu0 is a serial (uart) console and cannot be logged into remotely, only via local serial connection.

            Seeing a login on ttyv0 just means the menu redrew itself. If you see it a lot, something is probably corrupted on your filesystem leading to a problem with the tty itself.

            Nobody has shared root access with your ISP or anyone else. There are no backdoors.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 2
            • TheHowToT
              TheHowTo @stephenw10
              last edited by

              @stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

              So the logs you are seeing are like, for example?:

              Aug 16 12:14:22 	syslogd 		kernel boot file is /boot/kernel/kernel
              Aug 16 12:14:22 	kernel 		done.
              Aug 16 12:14:23 	php-fpm 	343 	/rc.start_packages: Restarting/Starting all packages.
              Aug 16 12:14:24 	login 		login on ttyv0 as root
              Aug 16 12:15:34 	check_reload_status 		rc.newwanip starting igb0
              Aug 16 12:15:35 	php-fpm 	343 	/rc.newwanip: rc.newwanip: Info: starting on igb0. 
              

              That is expected and not an indication some bad actor is connected to your firewall as that link shows.

              Steve

              Thanks Steve, but that is not what I see. Your log indicated services restarting because wan dhcp lease renewal process.
              Ok, let just say there are no bad actors.

              Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?

              johnpozJ jimpJ 2 Replies Last reply Reply Quote 0
              • GertjanG
                Gertjan
                last edited by

                When logging in to the GUI, you'll see this :
                9aa20756-cf17-4627-9539-3c63e9d67da5-image.png

                Logging in using a ssh client :

                3d0c4934-56ed-4634-8b89-6a8df534f7e9-image.png

                The IP's "192.168.1.120" and "2001:470:1f13:5c0:2::84" are both the ones from my LAN network.
                Let's say : it's an inside job. It's me using a device on my LAN.

                Btw : great : your ISP is helping you administrating your pfSense ?!!
                What are your WAN firewall rules ? Or did you install a KVM module for them so they can remotely using a keyboard / VGA ? ( @jimp : people often omit to mention the most incredible details about their installation ) They have a OpenVPN access for remote administration ?

                For me, it just an inside job. Or the (one of) the other you(s).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @TheHowTo
                  last edited by

                  @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                  I see my floating firewall rules being changed, some were edited and some deleted

                  And what does your config history show.. example

                  log.png

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate @TheHowTo
                    last edited by

                    @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                    Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?

                    Maybe you have something like pfBlockerNG which is automatically managing your rules? It does exactly those kinds of things.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      I was thinking the same thing... While pfblocker is a great package, I am not a fan of anything that auto manipulates rules.. I use it really as just fancy aliases management - I have it create the aliases, and then I use those in my rules as I want.

                      But I would have to assume any changes to rules would be listed in the configuration history, but since I don't have pfblocker manipulating my rules, not sure how that would look in the log?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • TheHowToT
                        TheHowTo
                        last edited by

                        What I know and experienced, pfBlockerNG only prioritizes their rules in floating rules order, but it never deleted any custom rules.

                        If you do not believe me, try to install pfBlockerNG, make custom rules to block AmazonAWS (hackers virtual machines) and then do a cron update.
                        Here is AmazonAWS’s IP range: AWS IP address ranges

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          And did you bother to look in your config history... Anything that changes the config should be listed there..

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          TheHowToT 1 Reply Last reply Reply Quote 0
                          • TheHowToT
                            TheHowTo @johnpoz
                            last edited by

                            @johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                            And did you bother to look in your config history... Anything that changes the config should be listed there..

                            Config history says "Edited a firewall alias, made unkown change" However I did not login to SSH or GUI at that specific time.

                            It does not matter anymore because even after factory reset, everytime the hackers knew how to bypass the password protection.
                            I still give Netgate the benefit of doubt. Maybe there are some bugs or loopholes (e.g. superuser's backdoor) in PfSense version 2.4.5-p1.

                            I really wish that I can hardening PfSense with Firejail and Apparmor.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz

                              @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                              "Edited a firewall alias, made unkown change"

                              And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..

                              OMG - I've been hacker3d

                              beenhacked.png

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              TheHowToT 1 Reply Last reply Reply Quote 0
                              • TheHowToT
                                TheHowTo @johnpoz
                                last edited by

                                @johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..

                                OMG - I've been hacker3d

                                beenhacked.png

                                Gotcha!

                                1 Reply Last reply Reply Quote 0
                                • TheHowToT
                                  TheHowTo @stephenw10
                                  last edited by

                                  @stephenw10 Would you please tell Dev to fix these loophole (superuser's backdoor) and bug (openvpn over tcp) on the next PfSense version.
                                  Thank you.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    OMG dude - there is not a "superuser" backdoor.. And what bug in openvpn over tcp... It work it just fine. Where is the redmine link to this "bug"??

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    AKEGECA 1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      If you think you have found a bug (you almost certainly haven't) then you should open a redmine ticket with the details and how to replicate.

                                      You are going to have to present some evidence though. There is no reason you can't post screenshots of your config history or system log text with your public IPs removed. That gives away nothing that you should care about.
                                      Otherwise it just looks like you're trolling. We will have to lock the thread.

                                      Steve

                                      1 Reply Last reply Reply Quote 0
                                      • AKEGECA
                                        AKEGEC @johnpoz
                                        last edited by

                                        Hi all, I had similar problem with (2.4.5-p1) openvpn running over TCP specifically the client site. You need to edit your openvpn.inc file to fix this.

                                        @johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                        OMG dude - there is not a "superuser" backdoor.. And what bug in openvpn over tcp... It work it just fine. Where is the redmine link to this "bug"??

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz

                                          @C3G3K4 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                          You need to edit your openvpn.inc file to fix this.

                                          And where is the link to this bug report? Or even the thread discussing this issue, or what exactly did you change.

                                          And lets be specific.. Stating there is a "bug" in openvpn tcp, as a client to to some vpn service? With site 2 site? I run tcp client to pfsense from my phone, from my pc at work over tcp and have not seen any "bugs" or issues at all.

                                          Saying there is a "bug" doesn't help anyone nor is going to get anything fixed if there is an actual issue.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • kiokomanK
                                            kiokoman LAYER 8
                                            last edited by

                                            i don't intend to feed the troll, reported him for 3 post without any meaning, registered 27 minutes ago,I start collecting bets, 5$ .. he's a spammer

                                            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                            Please do not use chat/PM to ask for help
                                            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.