Netgate Discussion Forum
Block scanners / Custom list
pfBlockerNG
9 Posts 2 Posters 508 Views

A Former User

Hi, I'm wondering if there is a feature that adds the scanners on WAN to a block list automatically? Or is there another way to do it? Thanks

NogBadTheBad

        Try something like this:-

        Screenshot 2020-11-08 at 10.17.02.png

        Screenshot 2020-11-08 at 10.17.12.png

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

A Former User

          Nice, looks good.
          Is there a way to record the scanners knocking on the wan and create my own list/contribute to a list?
          Thanks

NogBadTheBad

            Nope unless you were to also install snort on the wan interface.

            The idea is to use block lists that are updated from elsewhere.

            Do you do any port forwards on the wan to the lan?

            Andy


A Former User
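On the custom-list side of the question above (recording what the WAN block rule drops and turning it into a list), here is an added example that is not code from this thread, from pfBlockerNG or from Netgate. It is a small Python script that parses pfSense filterlog syslog lines (the CSV field layout is an assumption and is noted in the code), keeps only inbound blocks on the WAN interface, flags sources that probed several distinct destination ports, and prints them in the one-address-per-line form a pfBlockerNG IPv4 custom list takes. The log lines, the interface name igb0, the addresses and the threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of pfSense filterlog syslog records (an
# assumed layout: CSV fields after "filterlog[pid]:"). Not taken from the thread.
SAMPLE_LOG = """\
Nov  8 10:17:02 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54321,22,0,S,,,,
Nov  8 10:17:03 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,2,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54322,23,0,S,,,,
Nov  8 10:17:04 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,3,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54323,3389,0,S,,,,
Nov  8 10:17:05 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,4,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54324,445,0,S,,,,
Nov  8 10:17:06 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,5,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54325,8080,0,S,,,,
Nov  8 10:17:07 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,6,0,DF,6,tcp,60,198.51.100.77,198.51.100.2,40000,443,0,S,,,,
Nov  8 10:17:08 pfSense filterlog[4321]: 9,,,1000000105,igb1,match,pass,out,4,0x0,,64,7,0,DF,6,tcp,60,192.168.1.10,203.0.113.5,50000,80,0,S,,,,
Nov  8 10:17:09 pfSense filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,8,0,DF,17,udp,80,192.168.1.50,198.51.100.2,5353,5353,60,,,,,
"""

# Assumed WAN interface name; use the real-interface value your box logs.
WAN_IF = "igb0"

# Source ranges that are never written to the list, so a mislabelled internal
# host cannot end up blocked by accident (RFC 1918, loopback, link-local).
NEVER_LIST = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

LOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.+)$")


def parse_filterlog(line):
    """Return (iface, action, direction, src_ip, dst_port) for an IPv4
    TCP/UDP record, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Assumed field positions: 4=real-interface, 6=action, 7=direction,
    # 8=ip-version, 16=protocol-text, 18=source, 21=destination port.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return f[4], f[6], f[7], f[18], int(f[21])


def find_scanners(log_text, wan_if=WAN_IF, min_ports=3):
    """Sources blocked inbound on the WAN that probed at least min_ports
    distinct destination ports. Returns {src_ip: sorted list of ports}."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        iface, action, direction, src, dport = rec
        if iface != wan_if or action != "block" or direction != "in":
            continue
        if any(ipaddress.ip_address(src) in net for net in NEVER_LIST):
            continue
        ports[src].add(dport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def to_custom_list(scanners):
    """One address per line, the plain-text form a pfBlockerNG IPv4 custom
    list accepts (assumed from its custom-list field)."""
    return "\n".join(sorted(scanners, key=ipaddress.ip_address))


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for ip, probed in hits.items():
        print(f"{ip}: {len(probed)} distinct blocked ports {probed}")
    print(to_custom_list(hits))
```

With the sample above only 203.0.113.5 crosses the three-port threshold; 198.51.100.77 hit a single port and 192.168.1.50 is skipped by the never-list. Two things to keep in mind before pasting the output into a custom list: the default WAN block rule logs whatever reaches the interface, so a source address in a single SYN can be spoofed, which is why the script insists on several distinct ports rather than one hit; and a list built from your own logs is a supplement to, not a replacement for, the externally maintained feeds the reply above recommends.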

I'm not having anything open yet. It's just a precaution. My idea was to block all outbound traffic to scanners. I'm new to this, how does Snort work?

NogBadTheBad

You need to block inbound to the WAN interface, which is the default out of the box.

Snort does a pattern match and then blocks even if you have a pass rule.

The screenshots I posted are to create an alias that I use on a WAN interface block rule; the next set of rules are allow rules for an IPsec VPN.

                Rules are read from the top down.

                Andy


A Former User

OK, I have it running on the WAN now. I wanted to set it up on all interfaces but 2 GB of memory seems not to be enough. I'm wondering if Snort drops outbound connections when there is a compromised host on the LAN side, if it is running on the WAN side?

NogBadTheBad @A Former User

                    @o51

                    It depends on the rules if it drops outbound or inbound connections.

If I had 2 GB of RAM I wouldn't run Snort & pfBlocker, especially if I didn't have any port forwards.

                    Andy


A Former User

Yeah, probably not the best idea but it works. I'm thinking of running a hotspot and don't want to find myself feeding bots.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.