Block IP
-
FYI, I have read the following:
https://forum.pfsense.org/index.php?topic=53790.0
http://superuser.com/questions/819492/how-to-block-an-ip-address-from-sending-or-receiving-traffic
https://forum.pfsense.org/index.php?topic=111420.0
https://forum.pfsense.org/index.php?topic=33218.0I am trying to stop an IP from sending UDP packets from a Synology NAS. For the likes of me I cannot determine exactly what service on the NAS side, however I just want this IP blocked which pfSense does not seem to be doing.
I have created a new rule:
-
Action: Block
-
Interface: WAN
-
Address: IPv4
-
Protocol: Any
-
Source: Single Host (27.93.201.229)
-
Destination: any
I have also done another rule with same except applied the Destination as the IP instead of the Source and both moved to top of list.
I have also tried the same for FLOATING rules and the result was the same - so I removed these and re-tried the above rule in WAN interface.
However when I am in the Traffic graph, my NAS is still sending UDP:443 out to that address.
EDIT: If I disconnect/reboot the NAS, or reset the "States" traffic also stops but just resumes about 1-2 minutes later
-
-
If you want to stop your NAS (which is in your LAN) to Talk to "some" IP on the "internet" you must create the "Block" Rule on your LAN. ;)
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Thank you for your reply - I have tried the LAN for the exact same rule and the IP continues to stream at >1mbps to that IP unfortunately.
I have tried several times by deleting all and trying one by one for FLOATING, WAN and LAN and have setup the rules simultaneously and still the same
Here are some packet captures:
10:05:21.307004 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.308478 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.314158 IP 192.168.10.9.50300 > 27.93.201.229.443: UDP, length 66
10:05:21.322877 IP 192.168.10.9.50300 > 27.93.201.229.443: UDP, length 66
10:05:21.327687 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.327910 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.328135 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.330638 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.339616 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.342092 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.348320 IP 27.93.201.229.443 > 192.168.10.9.50300: UDP, length 1280
10:05:21.348704 IP 192.168.10.9.50300 > 27.93.201.229.443: UDP, length 66I have tried the following and no output was given:
pfctl -f /tmp/rules.debugAs for the logs, Im still learning how it works given I have only started using pfSense for about 5hours, of which 3 was trying to stop that IP. I cannot seem to find the IP in the logs despite me enabling logging for the filter within the rule. There is only 50 at a time, however in a summary I still cannot see the IP/UDP communications. What I mean is that Source/Destination ports 50300 or 443 or the IP are getting any counts. I will have to learn the logs more and how it interacts further.
-
You just need 1 Rule on LAN (no Floating / WAN rules required) to Block Traffic from 192.168.10.9 (LAN Host) to 27.93.201.229
Create The Rule
Clear States related to That IP
Thats All, traffic should be blocked….
-
Im such a NUB!!! Why didnt I think ti match it on a 1:1 basis with the source/destination!!!
It "seems" to be working so far – will see in the next 30 minutes
Thanks heaps mate.
EDIT: Mate you saved me heaps of head scratching... Thank you heaps and yes it has worked correctly, I thought by placing a global block on an IP with any source would work. Can't thank you again!