Netgate Discussion Forum

    Frequent pfBlockerNG GeoIP Alerts?

    8 Posts 2 Posters 1.1k Views
    • fernis

      I have a vanilla network at home using pfSense and pfBlockerNG with GeoIP turned on, blocking about 10 different countries. I have no open ports and a basic default install of pfSense.

      My concern/question is that in the alert section of pfBlockerNG I get a new alert about every 1-20 seconds denying an inbound connection, mostly from Russia, looking at a variety of ports. Is this normal or to be expected? Do I even need to be running the GeoIP blocks if I opened no ports and have a default install of pfSense?

      • BBcan177 Moderator @fernis

        @fernis
        Did you see the comments at the top of the GeoIP pages? :)

        No, it won't provide any benefit if there are no open WAN ports, unless of course you just want to see all the noise that is hitting the WAN... Everyone just keeps forgetting that pfSense is a stateful firewall, so even though you add rules to block those IPs on the WAN... it won't block your LAN from making an outbound connection to those IPs... So best to add Outbound Rules... GeoIP is a bit hit/miss, but it's one layer... would also suggest adding IP Feeds to block outbound also.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
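
        A simplified model of the stateful behaviour described in the reply above, as an added example that is not part of the original posts and is not pfSense or pfBlockerNG code. The class, the function names and the sample addresses are constructed for illustration, and the model ignores NAT and assumes no open WAN ports.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: a documentation range stands in for a GeoIP list.
GEOIP_BLOCKED = [ip_network("203.0.113.0/24")]

def listed(ip):
    return any(ip_address(ip) in net for net in GEOIP_BLOCKED)

class StatefulFirewall:
    """Simplified model (no NAT, no open WAN ports); not pf's actual code."""

    def __init__(self, deny_inbound=True, deny_outbound=False):
        self.deny_inbound = deny_inbound
        self.deny_outbound = deny_outbound
        self.states = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def from_lan(self, src, sport, dst, dport):
        # Connection initiated by a LAN host: only an outbound rule can stop it.
        if self.deny_outbound and listed(dst):
            return ("block", "outbound deny rule")
        self.states.add((src, sport, dst, dport))
        return ("pass", "LAN allow rule, state created")

    def from_wan(self, src, sport, dst, dport):
        # State lookup happens before rule evaluation, so replies skip the rules.
        if (dst, dport, src, sport) in self.states:
            return ("pass", "matches existing state")
        if self.deny_inbound and listed(src):
            return ("block", "GeoIP inbound rule")
        return ("block", "default deny on WAN")

def demo():
    lan, remote = "192.168.1.10", "203.0.113.5"
    inbound_only = StatefulFirewall(deny_inbound=True, deny_outbound=False)
    no_geoip = StatefulFirewall(deny_inbound=False)
    with_outbound = StatefulFirewall(deny_inbound=True, deny_outbound=True)
    return {
        "scan_with_geoip": inbound_only.from_wan(remote, 40000, lan, 22),
        "scan_without_geoip": no_geoip.from_wan(remote, 40000, lan, 22),
        "lan_out_inbound_only": inbound_only.from_lan(lan, 50000, remote, 443),
        "reply_inbound_only": inbound_only.from_wan(remote, 443, lan, 50000),
        "lan_out_with_outbound": with_outbound.from_lan(lan, 50000, remote, 443),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

        The unsolicited scan is dropped with or without the GeoIP rule; the only difference is which rule logs it. The LAN-initiated connection to a listed address succeeds until an outbound deny rule exists.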

        • fernis

          Is it normal to see hits every 10 seconds or so?

          • BBcan177 Moderator @fernis

            @fernis said in Frequent pfBlockerNG GeoIP Alerts?:

            Is it normal to see hits every 10 seconds or so?

            Ya there is a lot of scanning going around... Check the pfB Alerts Tab and it will show what ports were involved in those events.

            • fernis @BBcan177

              @bbcan177 said in Frequent pfBlockerNG GeoIP Alerts?:

              adding IP Feeds to block outbound

              What would you suggest as the best way for me to add IP feeds to block outbound also?

              • BBcan177 Moderator @fernis

                @fernis
                Install pfBlockerNG-devel, which has an integrated Feeds tab where you can review feeds that can be added. Then select the "action" setting for "Deny Outbound".

                • fernis @BBcan177

                  @bbcan177

                  I installed pfBlockerNG-devel and went through the wizard successfully. I see the Feeds tab, but don't see your second set of instructions: "Then select the 'action' setting for 'Deny Outbound'". Can you clarify, please?

                  • BBcan177 Moderator @fernis

                    @fernis

                    IP Tab
                    Edit the Alias name
                    Modify the "Action" setting.
                    Click on the blue infoblock icons for additional details.
