How to configure Netgate Pfsense Firewall Appliance to send Notification or Alert for Denied Port Access

Tom Lee

Hi:

How to configure Netgate Pfsense Firewall Appliance to send Notification or Alert when there unknown traffic to access forbidden ports in Firewall Rules ?

akuma1x

Pfsense doesn’t work like that. You don’t program it with “forbidden ports”, you program it for only the stuff (traffic) you want to pass. If pfsense alerted you to the stuff you don’t want, it would be sqwaking at you all day long.

Jeff

Tom Lee

I know default deny and pass action rules. But If do not want default port for SSH and Telnet and more importantly, I want to be alerted when some one is trying to do SSH and Telnet. Then what is the best practice should I configure ? (Please note, SSH and Telnet are just used as examples).

netblues

You could try a deny rule with logging. This would log what you are interested in.
Then you could configure external logging to a sysog server and run custom scripts there.
If there are a few it could be fired via cron.
And there are various syslog apps that allow mailing specific alerts.

of course, you could also use snort/suricata for more advanced signature detection and then syslog..

bmeeks

There are ways to do this by sending logs to a remote syslog server and using third-party tools to scan the firewall log entries. However, be forewarned this will get very old to you very fast (getting alerts/emails for every unwanted firewall access attempt). A normal firewall will see dozens to maybe a few hundred connection attempts per day on the WAN side. Even if you limit the alerts to just a handful of ports, you will soon grow very tired of your email app "dinging" with new mail messages ... .

I say this in a nice way, "you must be new to firewall administration"... . This is usually the first thing a newly minted firewall administrator thinks he wants until he has it, then he quickly turns it off.