Max. src. conn. Rate not working

Cobrax2

@cobrax2
nobody has this issue or any idea?
thanks

heper

@cobrax2

step1: don't put a pass any/any on your WAN

Cobrax2

@heper
I dont, it was just for the test. I tried with all combinations, firewall, lan, anything
It doesnt limit.

heper

@cobrax2

so what is the problem then?
by default all ports are blocked on wan ...

Cobrax2

@heper i want the ip that does the scan to go in the banlist (overload)
and it doesnt. the rule just ignores the limit

heper

@cobrax2

as i said ... ALL ports are blocked by default ...
what is the point in adding an ip into a block-list when everything is already blocked?

viktor_g

@cobrax2 said in Max. src. conn. Rate not working:

Max. src. conn. Rate

it doesn't populate the virusprot table,
see pf.conf(5):

For stateful TCP connections, limits on established connections (connec-
     tions which have completed	the TCP	3-way handshake) can also be enforced
     per source	IP.

     max-src-conn <number>
	   Limits the maximum number of	simultaneous TCP connections which
	   have	completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number>	/ <seconds>
	   Limit the rate of new connections over a time interval.  The	con-
	   nection rate	is an approximation calculated as a moving average.

Cobrax2

@viktor_g said in Max. src. conn. Rate not working:

@cobrax2 said in Max. src. conn. Rate not working:

Max. src. conn. Rate

it doesn't populate the virusprot table,
see pf.conf(5):

For stateful TCP connections, limits on established connections (connec-
     tions which have completed	the TCP	3-way handshake) can also be enforced
     per source	IP.

     max-src-conn <number>
	   Limits the maximum number of	simultaneous TCP connections which
	   have	completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number>	/ <seconds>
	   Limit the rate of new connections over a time interval.  The	con-
	   nection rate	is an approximation calculated as a moving average.

Yes, why not?

Cobrax2

@heper
For example, i might have an open port for a legitimate service
If one scans me, i want him to be already blocked before he gets to the open port

heper

@cobrax2
but they are already blocked on all ports except the open port to begin with?

i honestly don't understand what you are trying to do ... blocking something that is already blocked doesn't make any sense

Cobrax2

@heper
Ok, sorry if i didnt explain right
So. Let's say i have a open port 14000 for example. Which is forwarded to an internal server.
If one scans multple ports on my firewall, he will be banned by the time he reaches port 14000. If he is not banned, he can scan away as long as he wants, gets to see that port 14000 is open and can try to exploit it.
Thanks for taking your time to understand my point and helping me

heper

@cobrax2
i see. i think you are trying to solve a problem that doesn't exist. who cares that someone finds an open port? who says that they'll start scanning from port 1 -> 65k ? they could start at port 14000
anyhow ...

you could probably do something complicated with snort or suricata on WAN to somehow catch this & add it to an alias. check the IDS subsections of the forum for insights

the "solution" above will allow you to waste a lot of time. enjoy

Cobrax2

@heper
You might be right, but the problem remains. Why doesnt it work as specified?

heper

@cobrax2
what doesn't work exactly ?
you'd need to provide your entire rule-set, explain how you are testing this.

That limit in your first post would set a limit to 10 states per 5 seconds on connections from the same host.... how can you be sure you are exceeding that ?

Cobrax2

@heper
I dont have access now to the computer to show you the rules, but please consider there are no other rules, as it is a new fw
I am testing as follows:
I go to a scan site, lets say grc.com. i set some ports to be scanned, lets say 20 of them, hit start
It works, in logs the rule shows as being hit, green for all of the tries, the src is the same ip, but the virusprot file doesnt get written to. And the attacker doesnt get banned. If i try as the last port an open port, the scanner shows it open, as he doesnt get blocked.
This method works perfectly with my previous fw , which was based on iptables

heper

@cobrax2

i took the time and effort to setup a test:

edited a firewall rule that passes to a working webserver on port 5080
settings:
Max. src. conn. Rate 5
Max. src. conn. Rates 60

nmap scan port 5080 on a remote pfsense public ip

PORT     STATE SERVICE
5080/tcp open  onscreen

redo this a couple of times within the same minute:

PORT     STATE    SERVICE
5080/tcp filtered onscreen

viewing the <virusprot> table on last scan contains the ip performing the scan.
so it does exactly what it is supposed to do -

however it is not what YOU want it to do:
the max src rates only apply when a connection gets established.
If i open a random port X, without any actual service running on that port, no connection gets established ==> max src rates does not get tripped

as said a couple of hours ago: enjoy your time with snort or suricata

Cobrax2

@heper
I understand now! Didnt know that the new connections need to be established. Thank you very much!
Is there a way (besides snort/suricata) to achieve what i did with iptables?
Thanks again!