Netgate Discussion Forum
    WAN Permit Inbound All Traffic

    General pfSense Questions
    4 Posts 3 Posters 459 Views
    Ximulate:

      In the system general log, I just noticed a number of items such as:

      • sshguard 11213 Attack from "165.227.214.163" on service SSH with danger 10
      • sshd 68770 Connection closed by 198.108.66.18 port 32546 [preauth]
      • sshd 50027 Did not receive identification string from 162.243.141.005 port 33114
      • sshd 68710 Received disconnect from 208.113.167.128
      • sshd 25744 Unable to negotiate with 198.98.60.145 port 55671: no matching key exchange method found.

      Looking at the firewall, it appears I inadvertently set pfBlockerNG to create a Permit Inbound rule for my region. I've disabled pfBlockerNG (for now) and manually deleted its auto rules.

      I have ssh set up for public key, and my pfSense login passwords are very strong. I haven't found any evidence of my pfSense settings being changed. The only port forwards I have are configured with a Source Address, except for a Minecraft server. I don't see any indication that anyone accessed the Minecraft server.

      What else should I look for as an indication of a successful attack?
      How unprotected was my network? I'm hoping NAT kept hackers out of the network itself?

      stephenw10 (Netgate Administrator):

        It would only have opened access to services on the firewall itself. If anyone had been able to log in, very unlikely, you would see a successful login logged in the system log.

        Steve

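The log lines quoted in the question are all pre-authentication noise, and Steve's point is that the line to look for is a logged successful login. The script below is an added example for this thread (not pfSense, sshguard or Netgate code) that sorts system-log sshd/sshguard lines into scanner noise, sshguard blocks and accepted logins, and singles out any login that did not come from a trusted network. It assumes the standard OpenSSH "Accepted <method> for <user> from <ip>" success message and a trusted LAN of 192.168.1.0/24; the sample log is constructed, mirroring the lines quoted in the first post with two invented "Accepted" lines added so the success path is exercised.

```python
"""Triage pfSense system-log sshd/sshguard lines for evidence of a successful login.

Added example for the thread above, not pfSense, sshguard or Netgate code.
Assumes the standard OpenSSH "Accepted <method> for <user> from <ip>" message.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample: the five noise lines mirror the post; the two "Accepted"
# lines, the 192.168.1.x address and the 203.0.113.x address are invented.
SAMPLE_LOG = """\
sshguard 11213 Attack from "165.227.214.163" on service SSH with danger 10
sshd 68770 Connection closed by 198.108.66.18 port 32546 [preauth]
sshd 50027 Did not receive identification string from 162.243.141.005 port 33114
sshd 68710 Received disconnect from 208.113.167.128
sshd 25744 Unable to negotiate with 198.98.60.145 port 55671: no matching key exchange method found.
sshd 70012 Accepted publickey for admin from 192.168.1.10 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
sshd 70100 Accepted password for admin from 203.0.113.77 port 41000 ssh2
"""

# Networks from which an admin login is expected (assumption: LAN only).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    # The one line that matters: authentication succeeded.
    "accepted": re.compile(
        r"sshd \d+ Accepted (?P<method>\w+) for (?P<user>\S+) from " + IPV4),
    # sshguard already blocked this source.
    "sshguard_block": re.compile(r'sshguard \d+ Attack from "' + IPV4 + '"'),
    # Pre-authentication noise: probes that never got past the banner or key exchange.
    "preauth_noise": re.compile(
        r"sshd \d+ (?:Connection closed by|Did not receive identification string from"
        r"|Received disconnect from|Unable to negotiate with) " + IPV4),
}


def classify(line):
    """Return (category, ip, match_groups) for a recognised line, else None."""
    for category, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return category, m.group("ip"), m.groupdict()
    return None


def is_trusted(ip):
    """True if ip lies inside one of TRUSTED_NETWORKS; unparsable text is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. zero-padded octets as sometimes seen in logs
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text):
    """Summarise the log: noise per source, sshguard blocks, every accepted
    login, and the subset of logins that came from outside TRUSTED_NETWORKS."""
    summary = {
        "noise_by_ip": Counter(),
        "blocked_ips": set(),
        "logins": [],
        "suspicious_logins": [],
    }
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, ip, groups = hit
        if category == "preauth_noise":
            summary["noise_by_ip"][ip] += 1
        elif category == "sshguard_block":
            summary["blocked_ips"].add(ip)
        else:
            login = {"user": groups["user"], "method": groups["method"], "ip": ip}
            summary["logins"].append(login)
            if not is_trusted(ip):
                summary["suspicious_logins"].append(login)
    return summary


if __name__ == "__main__":
    # Usage: python3 triage.py < system.log   (with no stdin the sample is used)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(text)
    print(f"pre-auth noise from {len(result['noise_by_ip'])} sources, "
          f"{len(result['blocked_ips'])} blocked by sshguard")
    for login in result["logins"]:
        flag = "  <-- REVIEW" if login in result["suspicious_logins"] else ""
        print(f"login {login['user']} via {login['method']} from {login['ip']}{flag}")
```

On the sample, the four sshd lines quoted in the post are counted as noise, the sshguard line records one blocked source, and only the password login from 203.0.113.77 is flagged for review; the public-key login from the LAN is listed but not flagged. Adjust TRUSTED_NETWORKS to match your own LAN before running it over a real log.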
          bmeeks:

          There is a danger when you let pfBlockerNG create automatic inbound "allow" rules, especially on the WAN. There is a long thread from about a year ago about the issue posted here: https://forum.netgate.com/topic/143007/new-user-to-pfsense-some-doubts.

          I believe that as a result of that thread discussion and some offline back and forth among others, @BBcan177 made some changes to the pfBlockerNG package to address this issue. Not sure exactly what they were, though, as I don't use that package.

          The best way to use the package is to create your own aliases and let pfBlockerNG maintain the content of those aliases. Then you create your own firewall rules referencing those aliases.

            stephenw10 (Netgate Administrator):

            Yes, I completely agree with that. Having pfBlocker create aliases only and assigning them yourself allows you to see exactly what's happening. That's how I use it.

            Steve

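bmeeks and Steve both recommend letting pfBlockerNG maintain aliases only and writing the firewall rules yourself, because an auto-generated "pass" rule on WAN is easy to miss. The script below is an added example (not pfSense or pfBlockerNG code) that checks a pfSense config.xml backup for exactly that: WAN pass rules sourced from a pfBlockerNG auto alias, or WAN pass rules with an "any" destination, which, as Steve notes, reach services on the firewall itself. It assumes the `<filter><rule>` layout of a pfSense configuration backup (`<type>`, `<interface>`, `<source><address>`, `<destination><any/>`, `<descr>`) and that auto-generated aliases carry the `pfB_` prefix; the XML is a constructed excerpt, not a real backup.

```python
"""Find risky inbound "pass" rules on WAN in a pfSense config.xml backup.

Added example for the discussion above; not pfSense or pfBlockerNG code.
Assumptions: the <filter><rule> layout below and the "pfB_" alias prefix.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a pfSense backup. Rule 1 is the kind of
# auto rule the question describes; rule 2 is the recommended pattern (a manual
# block rule referencing a pfBlockerNG-maintained alias); rule 3 is a normal,
# destination-restricted pass rule; rule 4 is the default LAN rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><address>pfB_NAmerica_v4</address></source>
      <destination><any/></destination>
      <descr>pfB_NAmerica_v4 auto rule</descr>
    </rule>
    <rule>
      <type>block</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><address>MyBlocklist_v4</address></source>
      <destination><any/></destination>
      <descr>Manual rule: block pfBlockerNG-maintained alias</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><address>FriendsHomeIP</address></source>
      <destination><address>192.168.1.50</address><port>12345</port></destination>
      <descr>Game server from a known source (placeholder port)</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""


def audit_wan_pass_rules(config_xml, alias_prefix="pfB_"):
    """Return a finding for every WAN "pass" rule that is sourced from a
    pfBlockerNG auto alias and/or may reach any destination (which includes
    the firewall's own services)."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("filter/rule"):
        if rule.findtext("type", "").strip() != "pass":
            continue
        if rule.findtext("interface", "").strip() != "wan":
            continue
        src_el = rule.find("source")
        src = "any"
        if src_el is not None:
            src = (src_el.findtext("address") or src_el.findtext("network") or "any").strip()
        reasons = []
        if src.startswith(alias_prefix):
            reasons.append("source is a pfBlockerNG auto alias")
        if rule.find("destination/any") is not None:
            reasons.append("destination is any, so firewall services are reachable")
        if reasons:
            findings.append({
                "descr": rule.findtext("descr", "").strip(),
                "source": src,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_wan.py config-backup.xml   (no argument: use the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_wan_pass_rules(xml_text):
        print(f"{finding['descr']!r} from {finding['source']}: " + "; ".join(finding["reasons"]))
```

Only the first rule is reported, for both reasons; the manual block rule, the destination-restricted pass rule and the LAN rule are left alone. Running this over a backup taken before the auto rules were deleted shows what the WAN actually permitted at the time.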