    Max. src. conn. Rate not working

Category: Firewalling
18 Posts 3 Posters 2.2k Views

Cobrax2

Hi
I am new to pfSense, thanks for any help I might receive.
So, the situation:
Small LAN with NAT after the firewall, which is connected to the net by PPPoE.
All works OK, but I want to limit the rate at which someone might want to scan me, for example 10 new connections in 5 seconds.
So I created a new rule on the WAN interface, pass action, src any, dst any (or firewall, or LAN, doesn't work with any of them), advanced:
Max. src. conn. Rate 10
Max. src. conn. Rates 5
And that's about it, or that's what I think it should be?
Then I go and get scanned online, and the rule gets hit, it appears in the logs, but all the packets go through; in table virusprot the "attacker" doesn't get listed :(
What am I doing wrong?
Thank you!

Cobrax2 @Cobrax2

Nobody has this issue or any idea?
Thanks

heper @Cobrax2

Step 1: don't put a pass any/any on your WAN.

Cobrax2 @heper

I don't, it was just for the test. I tried with all combinations: firewall, LAN, anything.
It doesn't limit.

heper @Cobrax2

So what is the problem then?
By default all ports are blocked on WAN ...

Cobrax2 @heper

I want the IP that does the scan to go in the banlist (overload), and it doesn't. The rule just ignores the limit.

heper @Cobrax2

As I said ... ALL ports are blocked by default ...
What is the point in adding an IP into a block-list when everything is already blocked?

viktor_g (Netgate) @Cobrax2

@cobrax2 said in Max. src. conn. Rate not working:

    Max. src. conn. Rate

it doesn't populate the virusprot table,
see pf.conf(5):

    For stateful TCP connections, limits on established connections (connections
    which have completed the TCP 3-way handshake) can also be enforced per source IP.

        max-src-conn <number>
            Limits the maximum number of simultaneous TCP connections which
            have completed the 3-way handshake that a single host can make.
        max-src-conn-rate <number> / <seconds>
            Limit the rate of new connections over a time interval. The
            connection rate is an approximation calculated as a moving average.

Cobrax2 @viktor_g

@viktor_g said in Max. src. conn. Rate not working:

    it doesn't populate the virusprot table,
    see pf.conf(5):

Yes, why not?

Cobrax2

@heper
For example, I might have an open port for a legitimate service.
If someone scans me, I want them to be already blocked before they get to the open port.

heper @Cobrax2

But they are already blocked on all ports except the open port to begin with?

I honestly don't understand what you are trying to do ... blocking something that is already blocked doesn't make any sense.

Cobrax2 @heper

OK, sorry if I didn't explain right.
So. Let's say I have an open port 14000, for example, which is forwarded to an internal server.
If someone scans multiple ports on my firewall, they will be banned by the time they reach port 14000. If they are not banned, they can scan away as long as they want, get to see that port 14000 is open and can try to exploit it.
Thanks for taking your time to understand my point and helping me.

heper @Cobrax2

I see. I think you are trying to solve a problem that doesn't exist. Who cares that someone finds an open port? Who says that they'll start scanning from port 1 -> 65k? They could start at port 14000.
Anyhow ...

You could probably do something complicated with Snort or Suricata on WAN to somehow catch this & add it to an alias. Check the IDS subsections of the forum for insights.

The "solution" above will allow you to waste a lot of time. Enjoy.

Cobrax2 @heper

You might be right, but the problem remains. Why doesn't it work as specified?

heper @Cobrax2

What doesn't work exactly?
You'd need to provide your entire rule-set and explain how you are testing this.

That limit in your first post would set a limit of 10 states per 5 seconds on connections from the same host.... How can you be sure you are exceeding that?

Cobrax2 @heper

I don't have access now to the computer to show you the rules, but please consider there are no other rules, as it is a new FW.
I am testing as follows:
I go to a scan site, let's say grc.com. I set some ports to be scanned, let's say 20 of them, and hit start.
It works, in the logs the rule shows as being hit, green for all of the tries, the src is the same IP, but the virusprot file doesn't get written to. And the attacker doesn't get banned. If I try an open port as the last port, the scanner shows it open, as he doesn't get blocked.
This method works perfectly with my previous FW, which was based on iptables.

heper

@cobrax2

I took the time and effort to set up a test:

Edited a firewall rule that passes to a working webserver on port 5080.
Settings:
Max. src. conn. Rate 5
Max. src. conn. Rates 60

nmap scan of port 5080 on a remote pfSense public IP:

    PORT     STATE SERVICE
    5080/tcp open  onscreen

Redo this a couple of times within the same minute:

    PORT     STATE    SERVICE
    5080/tcp filtered onscreen

Viewing the <virusprot> table after the last scan, it contains the IP performing the scan.
So it does exactly what it is supposed to do.

However it is not what YOU want it to do:
the max src rates only apply when a connection gets established.
If I open a random port X, without any actual service running on that port, no connection gets established ==> max src rates do not get tripped.

As I said a couple of hours ago: enjoy your time with Snort or Suricata.

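For readers who want to see the mechanism viktor_g's pf.conf(5) quote and heper's test are describing, the fragment below is a hand-written pf.conf in the style of what pfSense generates from those GUI fields. It is an added example for this thread, not output taken from any poster's firewall or from pfSense itself; the WAN interface name, the internal host address and the 14000/10/5 numbers are assumptions taken from the thread, and the NAT (rdr) part of the port forward is left out.

```pf
# Added example: illustrative pf.conf fragment, not a poster's real rule set.
# Assumptions: WAN is the PPPoE interface, the forwarded service lives on
# 192.168.1.10:14000, and the limit is the 10 connections / 5 seconds the
# original post asked for.
WAN = "pppoe0"

# The overload table. pfSense creates this table for you; "persist" keeps it
# defined even while it is empty.
table <virusprot> persist

# Sources that tripped an overload are dropped before any pass rule is
# evaluated. This is the rule that turned heper's second scan into "filtered".
block in log quick from <virusprot> to any label "virusprot overload table"

# Default deny on WAN. A SYN to a closed or unforwarded port matches here:
# no state is ever created for it, so it is never counted by
# max-src-conn-rate and the scanner's IP never reaches <virusprot>.
block in log on $WAN all

# The forwarded service. pf evaluates the source-tracking options only for
# states created by this rule, and max-src-conn-rate counts a connection
# once its state reaches the established stage (3-way handshake completed):
#   max-src-conn-rate 10/5   more than 10 new established connections from one
#                            source IP within 5 seconds trips the overload
#   overload <virusprot>     the offending source IP is added to the table
#   flush global             every existing state from that IP is killed,
#                            on any rule, not only states of this rule
pass in quick on $WAN inet proto tcp from any to 192.168.1.10 port 14000 \
    flags S/SA keep state (max-src-conn-rate 10/5, overload <virusprot> flush global) \
    label "USER_RULE: rate-limited forward to internal server"
```

To check the result after a test, list the table with `pfctl -t virusprot -T show` (or Diagnostics > Tables in the GUI) and clear it with `pfctl -t virusprot -T flush`; pfSense also ages entries out of this table with a periodic `pfctl -T expire` job, so an entry is not permanent. Two practical points follow from the rule above: on pfSense the limit belongs on the filter rule associated with the NAT port forward, because that is the rule whose states get counted, and `flush global` is deliberately heavy-handed, since it also tears down that source's sessions to every other service you pass.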
Cobrax2 @heper

I understand now! Didn't know that the new connections need to be established. Thank you very much!
Is there a way (besides Snort/Suricata) to achieve what I did with iptables?
Thanks again!

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.