Beginner minimal pfBlockerNG setup
-
We have some exposed WAN IP/port combinations into servers on our DMZ and (gulp) LAN. The LAN ones are internal OpenVPN servers, accessible only via key exchange. The DMZ ones are mail, web, DNS.
The OpenVPN ports are getting hammered fairly steadily, as are the bind ports. I'd like to block non-US access to the VPN ports only on their specific VIPs. Am somewhat interested in blocking the DNS ports from non-US access. Am also intrigued by the "reputation" option. Want to leave email, web accessible for now. For now, I am not concerned about outbound traffic. One thing at a time. So I believe I want to set up inbound blocking on the WAN.
I see an option is to set inbound blocking on the LAN. What does that even mean? Do the generated rules block traffic coming into an interface or being presented out of one? I strongly suspect it's the first?
Under "GeoIP", there are options to set "Custom DST Port" and "Custom Destination". I think these will get me the granular blocking I am interested in. Do these only apply to GeoIP generated rules, or to all inbound rules...for example, those generated by the Reputation section?
I can see Reputation meeting most of our needs, if I can nail it down to specific VIPs and ports...and maybe even if I can't. Legitimate requests to DNS, VPN will be infrequent. Mail shouldn't pour in from an IP or adjacent subnet. Web bots are a slightly different matter...we have one photo website with 1000s of images, and those get groped pretty frequently. WRT Reputation: the GUI speaks of Blocklists. So those aren't something it generates based on traffic, but rather something it curates based on traffic, right? What is the interval for the MAX, pMAX, dMAX settings? In other words, are they limits per day, per week, forever?
A lot of questions, some of which are probably dumb, as I am not only new to pfBlockerNG, but to pfSense. I appreciate any input the community can provide.
--Richard
-
@rlmalisz said in Beginner minimal pfBlockerNG setup:
The OpenVPN ports are getting hammered fairly steadily
It was created to do just that:
Receiving boatloads of
2022-04-13 23:28:49.512923+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]183.136.225.42:28796
You can lower the incoming traffic by using a source IP, or source network, or an alias with source networks, if you know upfront from what IP you are connecting to your OpenVPN server.
@rlmalisz said in Beginner minimal pfBlockerNG setup:
I'd like to block
The default - last - WAN firewall rule is "block everything, don't log". This is the fastest way to deal with unwanted incoming traffic.
If you are curious, and want to know 'where' every incoming unsolicited packet came from, you've lost the game. As now, every packet gets logged, pfBlockerNG starts to create nice charts etc. And what will happen if "more and more" comes in? Your system dies.
You've just entered the DDoS trap.
Golden rule: spend as few CPU cycles as possible on unsolicited packets. This is my opinion, of course. Just, be warned.
You'll discover that there is something that is called the "Internet background noise".
Thousands are running scripts that scan every possible IPv4 address, so also yours.
You can't stop them from reaching you.
edit: actually, you can: remove the WAN cable.
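An added example of what a practitioner would do with the log line quoted in this post before deciding what to block (editor's example, not code from the post, pfSense, pfBlockerNG or OpenVPN): parse the "tls-crypt unwrapping failed" messages, count them per source address and per /24, and emit the sources over a threshold one per line, which is the plain-text form a pfSense URL-table alias or a pfBlockerNG custom IP list takes. Everything in SAMPLE_LOG after the first line is constructed; the regex assumes only the "openvpn <pid> ... from [AF_INET]ip:port" layout visible in the quoted line.

```python
"""Aggregate OpenVPN tls-crypt unwrap failures by source address.

Added example: not pfSense, pfBlockerNG or OpenVPN code. It parses log lines in
the format quoted above, counts failures per source IP and per /24, and emits
the addresses over a threshold one per line, the plain-text shape a pfSense
URL-table alias or a pfBlockerNG custom IP list consumes. The lines in
SAMPLE_LOG are constructed for the example; only the first reproduces the
post's line verbatim.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# The message the post quotes. The "openvpn <pid>" prefix and the
# "[AF_INET]ip:port" suffix are taken from that line; nothing else is assumed.
TLS_FAIL = re.compile(
    r"openvpn \d+ TLS Error: tls-crypt unwrapping failed from "
    r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)

# Constructed sample: one real-format line, repeats from the same /24, one
# unrelated line, and one line with an impossible octet to exercise validation.
SAMPLE_LOG = """\
2022-04-13 23:28:49.512923+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]183.136.225.42:28796
2022-04-13 23:28:51.001000+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]183.136.225.42:28797
2022-04-13 23:29:02.417000+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]183.136.225.42:28801
2022-04-13 23:29:10.900000+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]183.136.225.77:5131
2022-04-13 23:30:15.222000+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]198.51.100.9:44021
2022-04-13 23:30:16.000000+02:00 openvpn 35853 constructed unrelated log line from [AF_INET]192.0.2.4:1194
2022-04-13 23:31:40.118000+02:00 openvpn 35853 TLS Error: tls-crypt unwrapping failed from [AF_INET]999.1.1.1:1
"""


def parse_failures(lines: Iterable[str]) -> Counter:
    """Count tls-crypt unwrap failures per syntactically valid IPv4 source."""
    counts: Counter = Counter()
    for line in lines:
        m = TLS_FAIL.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ValueError:  # the regex allows octets > 255; ipaddress does not
            continue
        counts[str(ip)] += 1
    return counts


def by_prefix(counts: Counter, prefixlen: int = 24) -> Counter:
    """Fold per-address counts into their enclosing /prefixlen, so a scanner
    that hops between adjacent addresses still stands out."""
    nets: Counter = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)] += n
    return nets


def offenders(counts: Counter, threshold: int) -> List[str]:
    """Sources with at least `threshold` failures, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def alias_text(entries: Iterable[str]) -> str:
    """One entry per line: the form an IP alias or custom list file takes."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    per_ip = parse_failures(SAMPLE_LOG.splitlines())
    print("per address:", dict(per_ip))
    print("per /24:", dict(by_prefix(per_ip)))
    print("alias body for >=2 failures:")
    print(alias_text(offenders(per_ip, 2)), end="")
```

The /24 fold is there because the same scanner often rotates through neighbouring addresses, which is what the OP means by "adjacent subnet"; the threshold keeps a single stray handshake from putting a legitimate roaming user on the list. Feed a real OpenVPN log through parse_failures instead of SAMPLE_LOG to use it on a live box.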
-
@rlmalisz said in Beginner minimal pfBlockerNG setup:
I'd like to block non-US access
The value of this approach probably depends on how much you know about legitimate traffic.
I use pfBlockerNG-devel to do something similar. My use case is there are very few users who should be accessing my network. I know:
1. Which IP they normally access my network from
2. They are not on reputable internet block lists
3. Which ISP with dynamic IP they sometimes use to access my server
4. Which country valid access is from
5. Everything else is from invalid countries
How I use this information:
1. Create a NAT port forward to my server without specifying the source IP address but including an auto-generated firewall rule.
2. Create an alias in pfSense for 1., then duplicate the above firewall rule, and add the alias as the source IP.
3. In pfBlockerNG-devel create an alias for 2-4, then duplicate the firewall rule 3 times, adding one of these aliases to each rule's source filter.
4. Order the rules in chronological order, then change rules 2, 4 & 5 to Block, not Pass. Note 4 & 5 can readily be changed to Pass should broader access temporarily be required.
Doing so
- results in over a 100x reduction in invalid access to my server
- provides visibility of where the potential attacks are coming from (pfBlockerNG-devel block report).
- Dynamic IP access (rule 3.) is listed separately in pfBlockerNG-devel in the pass report.
- I'm not in the USA and over 50% of the scans are from the USA, so your yield may not be as good.
btw this guide may help for initial set up https://nguvu.org/pfsense/pfSense-pfblockerng-configuration-guide/
@gertjan said in Beginner minimal pfBlockerNG setup:
You've just entred the DDOS trap.
My risk assessment is that malicious access to my network is more likely and would cost me far more than DDoS, so that is a trade-off I have accepted. My pfSense hardware has much greater capacity than my internet connection, so the internet connection will limit performance should I have a DDoS attack.
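An added example that models the five-rule layout in this post, so the effect of rule order can be checked before touching a live firewall (editor's example; it is my reading of the post, not patch's actual configuration and not pfSense or pfBlockerNG code). It relies on one fact about pfSense interface rules: they are evaluated top-down and the first matching rule wins. The alias contents, the blocklist and ISP ranges, and the country table standing in for GeoIP are all constructed; "XX" is a placeholder for the home country.

```python
"""Model first-match evaluation of the five rules described above.

Added example, not pfSense or pfBlockerNG code. Aliases, feeds and the GeoIP
table are constructed stand-ins; "XX" is a placeholder home country.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Addr = ipaddress.IPv4Address


def _nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def in_any(addr: Addr, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


# Constructed alias contents (documentation and shared-address ranges).
KNOWN_USERS = _nets("203.0.113.10/32", "203.0.113.11/32")  # rule 1: pfSense alias
BLOCKLIST = _nets("198.51.100.0/24")                        # rule 2: reputation feed
DYNAMIC_ISP = _nets("192.0.2.0/24")                         # rule 3: ISP ranges

# Constructed stand-in for a GeoIP lookup: network -> ISO country code.
HOME = "XX"
GEOIP: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): HOME,
    ipaddress.ip_network("192.0.2.0/24"): HOME,
    ipaddress.ip_network("100.64.0.0/10"): HOME,
}


def country(addr: Addr) -> str:
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"  # unknown: treated like an invalid country


@dataclass
class Rule:
    name: str
    action: str  # "pass" or "block"
    match: Callable[[Addr], bool]


def build_rules(broad_access: bool = False) -> List[Rule]:
    """Rules in the order the post describes. Rules 4 and 5 block unless
    broader access is temporarily wanted; rule 2 stays a block either way."""
    wide = "pass" if broad_access else "block"
    return [
        Rule("1 known users", "pass", lambda a: in_any(a, KNOWN_USERS)),
        Rule("2 blocklist", "block", lambda a: in_any(a, BLOCKLIST)),
        Rule("3 dynamic ISP", "pass", lambda a: in_any(a, DYNAMIC_ISP)),
        Rule("4 home country", wide, lambda a: country(a) == HOME),
        Rule("5 everything else", wide, lambda a: True),
    ]


def wrong_order(rules: List[Rule]) -> List[Rule]:
    """Same rules with the country rules hoisted to the top: a common mistake
    that stops known users ever reaching rule 1."""
    return rules[3:] + rules[:3]


def evaluate(rules: List[Rule], src: str) -> Tuple[str, str]:
    """First match wins, as with pfSense interface rules; if nothing matches,
    the default WAN deny applies."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.match(addr):
            return r.action, r.name
    return "block", "default deny"


def summarize(rules: List[Rule], sources: List[str]) -> Dict[str, Tuple[str, str]]:
    return {s: evaluate(rules, s) for s in sources}


if __name__ == "__main__":
    probes = ["203.0.113.10", "198.51.100.5", "192.0.2.7", "100.64.1.1", "203.0.113.99"]
    for label, rules in [("normal", build_rules()),
                         ("broad access", build_rules(broad_access=True)),
                         ("wrong order", wrong_order(build_rules()))]:
        print(label)
        for src, (action, name) in summarize(rules, probes).items():
            print(f"  {src:15} {action:5} via {name}")
```

Two things the output makes visible that the prose does not: a blocklisted address is still dropped by rule 2 when rules 4 and 5 are flipped to Pass, because it sits above them, and hoisting the country rules above rule 1 silently blocks the known users the whole design exists to admit. Swap the constructed tables for real alias contents to check a proposed ordering before applying it.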
-
@rlmalisz YMMV but what I find most readable and flexible is to create feeds as Alias Native. That creates an alias but does nothing with it. Then you can use that alias, for example as the Source for a NAT rule, and/or in firewall rules in whatever order you wish (allow from US, block all).
-
@patch said in Beginner minimal pfBlockerNG setup:
They are not on reputable internet bock lists
In the current climate blocking VPN endpoints is currently very useful. It appears at the moment about 50% of the scanners are from VPN sites. So from pfBlockerNG-devel using this feed in a block list is useful https://raw.githubusercontent.com/ejrv/VPNs/master/vpn-ipv4.txt
-