Max. src. conn. Rate not working
-
Hi
I am new to pfsense, thanks for any help i might receive.
So, the situation:
Small lan with nat after the firewall which is connected to the net by pppoe
all works ok, but i want to limit the rate at which someone might want to scan me. for example 10 new connections in 5 seconds
So i created a new rule on wan interface, pass action, src any, dst any (or firewal, or lan, doesn't work with any of them) advanced:
Max. src. conn. Rate 10
Max. src. conn. Rates 5
And that's about it, or that's what i think it should be?
Then i go and get scanned online, and the rule gets hit, it appears in the logs, but all the packets go through, in table virusprot the "attacker" doesnt get listed :(
what am i doing wrong?
thank you! -
@cobrax2
nobody has this issue or any idea?
thanks -
step1: don't put a pass any/any on your WAN
-
@heper
I dont, it was just for the test. I tried with all combinations, firewall, lan, anything
It doesnt limit. -
so what is the problem then?
by default all ports are blocked on wan ... -
@heper i want the ip that does the scan to go in the banlist (overload)
and it doesnt. the rule just ignores the limit -
as i said ... ALL ports are blocked by default ...
what is the point in adding an ip into a block-list when everything is already blocked? -
@cobrax2 said in Max. src. conn. Rate not working:
Max. src. conn. Rate
it doesn't populate the virusprot table,
see pf.conf(5):For stateful TCP connections, limits on established connections (connec- tions which have completed the TCP 3-way handshake) can also be enforced per source IP. max-src-conn <number> Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make. max-src-conn-rate <number> / <seconds> Limit the rate of new connections over a time interval. The con- nection rate is an approximation calculated as a moving average.
-
@viktor_g said in Max. src. conn. Rate not working:
@cobrax2 said in Max. src. conn. Rate not working:
Max. src. conn. Rate
it doesn't populate the virusprot table,
see pf.conf(5):For stateful TCP connections, limits on established connections (connec- tions which have completed the TCP 3-way handshake) can also be enforced per source IP. max-src-conn <number> Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make. max-src-conn-rate <number> / <seconds> Limit the rate of new connections over a time interval. The con- nection rate is an approximation calculated as a moving average.
Yes, why not?
-
@heper
For example, i might have an open port for a legitimate service
If one scans me, i want him to be already blocked before he gets to the open port -
@cobrax2
but they are already blocked on all ports except the open port to begin with?i honestly don't understand what you are trying to do ... blocking something that is already blocked doesn't make any sense
-
@heper
Ok, sorry if i didnt explain right
So. Let's say i have a open port 14000 for example. Which is forwarded to an internal server.
If one scans multple ports on my firewall, he will be banned by the time he reaches port 14000. If he is not banned, he can scan away as long as he wants, gets to see that port 14000 is open and can try to exploit it.
Thanks for taking your time to understand my point and helping me -
@cobrax2
i see. i think you are trying to solve a problem that doesn't exist. who cares that someone finds an open port? who says that they'll start scanning from port 1 -> 65k ? they could start at port 14000
anyhow ...you could probably do something complicated with snort or suricata on WAN to somehow catch this & add it to an alias. check the IDS subsections of the forum for insights
the "solution" above will allow you to waste a lot of time. enjoy
-
@heper
You might be right, but the problem remains. Why doesnt it work as specified? -
@cobrax2
what doesn't work exactly ?
you'd need to provide your entire rule-set, explain how you are testing this.That limit in your first post would set a limit to 10 states per 5 seconds on connections from the same host.... how can you be sure you are exceeding that ?
-
@heper
I dont have access now to the computer to show you the rules, but please consider there are no other rules, as it is a new fw
I am testing as follows:
I go to a scan site, lets say grc.com. i set some ports to be scanned, lets say 20 of them, hit start
It works, in logs the rule shows as being hit, green for all of the tries, the src is the same ip, but the virusprot file doesnt get written to. And the attacker doesnt get banned. If i try as the last port an open port, the scanner shows it open, as he doesnt get blocked.
This method works perfectly with my previous fw , which was based on iptables -
i took the time and effort to setup a test:
edited a firewall rule that passes to a working webserver on port 5080
settings:
Max. src. conn. Rate 5
Max. src. conn. Rates 60nmap scan port 5080 on a remote pfsense public ip
PORT STATE SERVICE 5080/tcp open onscreen
redo this a couple of times within the same minute:
PORT STATE SERVICE 5080/tcp filtered onscreen
viewing the <virusprot> table on last scan contains the ip performing the scan.
so it does exactly what it is supposed to do -however it is not what YOU want it to do:
the max src rates only apply when a connection gets established.
If i open a random port X, without any actual service running on that port, no connection gets established ==> max src rates does not get trippedas said a couple of hours ago: enjoy your time with snort or suricata
-
@heper
I understand now! Didnt know that the new connections need to be established. Thank you very much!
Is there a way (besides snort/suricata) to achieve what i did with iptables?
Thanks again!