WAN Rules - Firewall log - vlan security - be invisible
-
Hey, recently I checked my firewall log and I noticed that there are many people interested in my WAN connection. So I decided to try a block all rule, not sure if it is useful but at least the logfile doesn't show any new attempts. I'm using a PPPoE connection on a switch with VLANs to a single port SBC device. Ah yeah, I have a question, is it safe to untag the LAN on a VLAN trunk port? It's just because if my switch fails I want to be able to access the router without needing to set up a VLAN, just by plugging in the cable. However, I would like to be invisible on the WAN side in order to avoid all these scans. Not sure what to do.
Thanks -
If you put a block rule you are just hiding stuff from yourself. The noise from the WAN is arriving and silently discarded anyway.
-
So the rule just doesn't fill the logs or is there any difference?
-
@o51 said in WAN Rules - Firewall log - vlan security - be invisible:
However, I would like to be invisible on the WAN side in order to avoid all these scans.
This is only possible when you unplug the Ethernet cable from your WAN ... Think about it, how can your public IP be "invisible"? If it were, no traffic from outside could ever find its way to your system, even traffic that you want.
The default configuration of pfSense out of the box is for all unsolicited traffic on the WAN to be dropped. There is nothing "open". No open ports and no rules to allow unsolicited inbound traffic. Your box will not even respond to pings (ICMP echo-requests). So from that point of view you could call it "invisible" if you wanted to.
What you are seeing in your firewall logs is the normal result of Internet noise. Various folks for varying reasons (some for research and some for malicious reasons) continually scan large segments of the IPv4 address space. Your firewall will see that traffic and drop it and log it. If you don't want to see that noise in your logs (and few of us really do), then you create a block all rule with logging turned off. If I recall correctly, the default for new rules is for logging to be "off". Thus the rule will catch the traffic and prevent it from being logged. It was, and is still being blocked, though. It's just your new rule is preventing the logging of the dropped traffic, so now your log is cleaner.
What a lot of folks do is put a drop rule on their WAN to intercept and log TCP SYN attempts as those are actual connection attempts. Other stuff like ping requests are ignored. You can configure which TCP flags to trigger on under the Advanced section when creating or editing a rule.
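As an added illustration (not from this thread, and not pfSense's generated ruleset), here is what the two rules described above look like in plain pf syntax, the packet filter underneath pfSense. The WAN interface name `em0` and the rule labels are assumptions; on a real pfSense box you would create these in the GUI (Firewall > Rules > WAN) with the TCP flags set under Advanced, and pfSense adds `quick` itself, which is why the order matters: the logging SYN rule has to sit above the silent block-all rule, otherwise the block-all matches first and nothing is ever logged.

```pf
# Added example: pf.conf equivalent of "log only TCP SYN, drop everything else quietly" on WAN.
# Assumption: the WAN interface is em0 and rules are evaluated first-match ("quick"),
# as pfSense does for GUI-created rules.
wan_if = "em0"

# Rule 1: log genuine connection attempts only.
# flags S/SA = of the SYN and ACK bits, SYN must be set and ACK clear, i.e. the first
# packet of a TCP handshake. ICMP echo, UDP probes, and stray RST/ACK packets do not match.
block in log quick on $wan_if inet proto tcp from any to ($wan_if) flags S/SA \
    label "WAN: log new TCP connection attempts"

# Rule 2: everything else unsolicited on WAN is still dropped, but without the "log"
# keyword, so Internet background noise no longer fills the firewall log.
block in quick on $wan_if inet all \
    label "WAN: drop remaining noise unlogged"
```

Both rules drop the packet; the only difference between them is whether a log entry is written. Check the result with `pfctl -sr` (rules load in the order shown) and watch `pflog0` with tcpdump: after this change you should only see SYN packets on WAN being logged, while pings from outside are still dropped but no longer appear.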
-
@bmeeks said in WAN Rules - Firewall log - vlan security - be invisible:
What you are seeing in your firewall logs is the normal result of Internet noise. Various folks for varying reasons (some for research and some for malicious reasons) continually scan large segments of the IPv4 address space. Your firewall will see that traffic and drop it and log it. If you don't want to see that noise in your logs (and few of us really do), then you create a block all rule with logging turned off. If I recall correctly, the default for new rules is for logging to be "off". Thus the rule will catch the traffic and prevent it from being logged. It was, and is still being blocked, though. It's just your new rule is preventing the logging of the dropped traffic, so now your log is cleaner.
Good to know, I want to make sure that all incoming connections are dropped and that only important things are logged. I probably need to review the documentation a bit better.