Netgate Discussion Forum
    Blocking Incoming Requests

    Firewalling
    • jvelez88

      Hi, I have been searching all night for how to block incoming requests from certain IPs/networks/domains from outside my network and can't find anything that can help me!!

      There are a lot of bots, spammers, hackers or whatever trying to guess VNC, SSH and other auths on my servers, some of them coming from Finland, China, Brazil, Africa and others… I created a floating rule, a WAN rule and a LAN rule BLOCKING traffic from alias MALICIUS containing different IPs like 114.4.68.177, domains like delta.ip-colo.net and others, from ANY PROTOCOL, ANY PORT, ANY, and none of them seems to work... If I disable the NAT rule related to X service I can see on my server the immediate end of requests, so I know it's not being redirected from inside my network (e.g. an infected computer). I even installed pfBlockerNG to block entire countries and the service won't start.

      I'm running a freshly upgraded:

      2.3.3-RELEASE-p1 (i386)
      built on Thu Mar 09 07:17:43 CST 2017
      FreeBSD 10.3-RELEASE-p9

      Can someone show me the right way to do this?

      ![Captura de pantalla de 2017-04-30 03-26-40.png](/public/imported_attachments/1/Captura de pantalla de 2017-04-30 03-26-40.png)

      • johnpoz (LAYER 8 Global Moderator)

        You do understand out of the box all inbound is blocked?  So you forwarded these ports to something inside.. VNC??  Really - that is not very secure..

        If you want to block specific countries from using your port forwards, then block them via pfBlocker.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • jvelez88

          Yes man, that's not the issue here, I need these forwards, and I'm not a bank server or some spy agency that holds universe secrets, but those bots that keep testing passwords on internal servers are a pain in the… So, when I want to block an internal user's outgoing requests (e.g. the whole internet) I just create a rule in the LAN tab that rejects or blocks any any any any from source "my problematic client" destination any.

          My logic is that if I want to block the bot from "91.100.59.211.generic-hostname.arrownet.dk" I should be able to create the same rule in the WAN tab blocking 91.100.59.211 (or 211.59.100.91) or maybe the entire arrownet.dk domain or the entire 211.59.100.0/24 or whatever I can throw in an ALIAS to just drop or reject those IPs, networks or whatever from reaching the forwards inside my network. But this doesn't happen!

          And the other issue is that effectively I installed pfBlockerNG but it can't start the system process and the only log I get is something like this:

          "There were error(s) loading the rules: /tmp/rules.debug:34: cannot load "/var/db/aliastables/pfB_Africa_v4.txt": Invalid argument - The line in question reads [34]: table <pfB_Africa_v4> persist file "/var/db/aliastables/pfB_Africa_v4.txt"
          @ 2017-04-30 03:04:33"

          I didn't create any weird rule, only selected ALMOST ALL countries in ALL continents, but the service is still down. There wouldn't be a need for pfBlocker but it was easier to just block entire countries like RUSSIA or BRAZIL, or the whole of AFRICA, that may have tons of infected computers and I just really don't have any need to receive requests from those countries, or maybe any other country rather than Mex and EUA, and maybe those that I or my "clients" visit.

          So, the problem is not having forwarded VNC, SSH, HTTPS or even Age of Empires net play (haha), those are intentional; the only thing I need is to drop requests that I KNOW I don't need. And why is this not happening in the more logical way? Is my config wrong or is my pf box being a rebel that does whatever it wants?

          • ptt (Rebel Alliance)
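          An added example (not from the thread) of checking an alias table file the way pf will, before pointing pf at it, then testing candidate source addresses against the parsed networks; the table contents are constructed here using the addresses quoted above. Note that pf loads a rules file as a unit: if pfctl cannot load one table file, none of the rules in that file take effect, the WAN block rule included.

```python
"""Validate a pf alias table file and test source addresses against it.
Added example, not from the thread; SAMPLE_TABLE is constructed.

pf loads a rules file as a unit: when one table file fails to load (the
"cannot load ... Invalid argument" error quoted above), none of the rules
in that file are applied, so the WAN block rule in it is not active."""
import ipaddress

# Constructed sample of /var/db/aliastables/<alias>.txt contents:
# line 3 is an IPv6 prefix in a _v4 table, line 4 has an invalid prefix.
SAMPLE_TABLE = """\
114.4.68.177
211.59.100.0/24
2001:db8::/32
211.59.100.0/33
# comment lines and blanks are ignored
"""

def parse_table(text, version=4):
    """Return (networks, bad_lines) for a table file in pf's one-entry-
    per-line format; bad_lines holds (line number, raw text) pairs."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:          # not an address or a CIDR prefix
            bad.append((lineno, raw))
            continue
        if net.version != version:  # wrong address family for this table
            bad.append((lineno, raw))
            continue
        networks.append(net)
    return networks, bad

def matches(networks, addr):
    """True when a 'block from <table>' rule would match this source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets, bad = parse_table(SAMPLE_TABLE)
    for lineno, raw in bad:
        print(f"line {lineno}: rejected: {raw!r}")
    # Octet order matters: 211.59.100.91 and 91.100.59.211 are different hosts.
    for src in ("211.59.100.91", "91.100.59.211", "114.4.68.177"):
        print(src, "blocked" if matches(nets, src) else "passes")
```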

            @jvelez88:

            So, the problem is not having forwarded VNC, SSH, HTTPS or even Age of Empires net play (haha), those are intentional; the only thing I need is to drop requests that I KNOW I don't need. And why is this not happening in the more logical way? Is my config wrong or is my pf box being a rebel that does whatever it wants?

            Post a screenshot of your WAN FW rules.

            • jvelez88

              Here they are…

              Thanx...

              ![Captura de pantalla de 2017-04-30 12-31-19.png](/public/imported_attachments/1/Captura de pantalla de 2017-04-30 12-31-19.png)
              ![Captura de pantalla de 2017-04-30 12-33-42.png](/public/imported_attachments/1/Captura de pantalla de 2017-04-30 12-33-42.png)

              • ptt (Rebel Alliance)

                Try this:

                • Use "IPv4" instead of "v4+v6"

                • Use "server / gateway / cctv" as destination (instead of *)

                • Use "server ports / gateway ports / cctv ports" as port (instead of *)

                Also make sure that your "Aliases" are correct.

                "captura de pantalla" sounds "Spanish" to me…. You know there is a Spanish section of the forum ;)

                • johnpoz (LAYER 8 Global Moderator)

                  Well, your rules on your WAN would block any access from stuff in your malicious alias before it hits your forward.  So if you're using pfBlocker to include all the countries you do not like in that alias then they would be blocked.

                  Keep in mind there is a shitton of noise on the net; if you open ports, especially standard ports to common stuff, they will see traffic.  And yes they will try to login with stuff like VNC, SSH, telnet, FTP, RDP, etc.  To be honest if you want to access this stuff remotely you should VPN into your network.

                  What is funny is I don't see any hits on your first block, so maybe there is something wrong with your alias?

                  • jvelez88

                    @ptt:

                    Try this:

                    • Use "IPv4" instead of "v4+v6"

                    • Use "server / gateway / cctv" as destination (instead of *)

                    • Use "server ports / gateway ports / cctv ports" as port (instead of *)

                    Also make sure that your "Aliases" are correct.

                    "captura de pantalla" sounds "Spanish" to me…. You know there is a Spanish section of the forum ;)

                    Thanks, I've just tested it this way aaaaand… Nothing changed... I actually thought everything was ready because I hadn't seen weird traffic, but then it came to me that it was too good to be true, so I blocked the IP of another network I control, went to that network and tried to connect to mine, and... well, there it was, everything available... So, maybe the suggestion about the aliases? I'll attach a screen cap.

                    And about the Spanish thing, "here in my town it's pretty much the same"; being the southern neighbor forces you to use both languages as one... It's just globalization...  :-\

                    ![Captura de pantalla de 2017-05-01 10-33-19.png](/public/imported_attachments/1/Captura de pantalla de 2017-05-01 10-33-19.png)

                    • nelioromao

                      @johnpoz:

                      You do understand out of the box all inbound is blocked?  So you forwarded these ports to something inside.. VNC??  Really - that is not very secure..

                      If you want to block specific countries from using your port forwards, then block them via pfBlocker.

                      Simple way: Redirect all requests from outside to the default VNC port "5900" to a black hole.
                      Change the default port of VNC to something else.

                      And tested...

                      • rpotter28

                        johnpoz gave you the answer in comment #6. Use a VPN. The real bad guys won't resolve to a domain, IP lists can't possibly be up to date by the minute, so you will always be left with a hole. I know you are not the CIA, but use a VPN and then you can forget all this other nonsense keeping you busy but still leaving a hole :-)

                        Richard

                        • johnpoz (LAYER 8 Global Moderator)

                          The only services open to the public are those that you want open to the public.. If you do not like the noise, and sure it's not secure.. VNC for example.. Do not open it to the public - VPN in..

                          Security through obscurity is NOT security!!!  Changing the port to something other than its standard might remove some log noise, but it does not in the least change the security issue of it being open to the public in the first place.

                          • kpa

                            Absolutely seconded. Forget the idea of blocking half of the world just because there might be some bad guys out there somewhere; you'll end up in an infinite rat race that is completely pointless. Use a VPN instead, which offers you a trusted channel that you can yourself control to a very fine degree. VPNs are a bread-and-butter solution of this modern day and they should always be used where possible.

                            • jvelez88

                              Well, after reading all your generous comments, yep, I DO have a VPN for personal use and all the important things; I've actually disabled VNC and all non-critical services, so I can only use them via VPN, but the thing is, is this actually impossible? It should be like a standard feature.

                              • johnpoz (LAYER 8 Global Moderator)

                                "is this actually impossible? It should be like a standard feature."

                                What is impossible?
