Max Connections / Second Not Showing Blocked



  • I'm running RC1a. I have a firewall rule set up to allow SSH connections, and in the advanced options I set it for 4 new connections per 240 seconds. The rule works fine, and after 4 connections it doesn't allow me to connect anymore. However, in the firewall log they still have the accepted picture next to them. Shouldn't these show blocked? Here's a shot of the firewall log. You can see that various hackers try and connect. They will show up 6 or so times in less than a minute; however, after the 4th attempt it should have a red pic next to it.



  • RC2e is the latest.  Please search the forum, update your machine and test again.

    PS: RC2 requires a reflash on embedded.



  • @sullrich:

    RC2e is the latest.  Please search the forum, update your machine and test again.

    PS: RC2 requires a reflash on embedded.

    Yeah, I know. I'm planning on doing that tomorrow. However, I was told about 2 months ago that this problem was fixed already, and I just thought about it and it's still here. Well, I'll take your word for it and update to RC2e.



  • Just updated to RC2. Ran all the updates to get to RC2e and then rebooted. Added my nat rules and firewall rules from scratch. Still have the same problem. Pfsense will block connections after the 4th but will not show that in the log. The connections after the 4th still have the green accepted icon next to them.



  • Just to understand this correctly: It does the desired block specified in the rule but it shows this as a pass in the log though it was blocked? This is more or less a cosmetic thing in the log viewer (which needs to be fixed)? What does the rule look like if you use raw filter logs? Is there a difference between one of the successful connections and a blocked one?



  • @hoba:

    Just to understand this correctly: It does the desired block specified in the rule but it shows this as a pass in the log though it was blocked? This is more or less a cosmetic thing in the log viewer (which needs to be fixed)? What does the rule look like if you use raw filter logs? Is there a difference between one of the successful connections and a blocked one?

    Yes, it's a cosmetic issue. If you make a firewall rule set to pass and then under advanced on that rule set the max connections per number of seconds, it will block the connections after the max. However, in the log viewer it still shows accepted next to them.

    So say I set it to 4 connections in 240 seconds. After the 4th connection it will not accept another connection. However, in the log viewer it still shows them as accepted. Just an annoyance.

    The raw filter log is as follows. It shows the newest entry on top. Shows pass even though it's blocked by the max new connections / seconds option in the firewall rule.

    Aug 17 10:01:37 pf: 16. 656168 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 13499, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48539 > 10.10.1.15.22: S 3297874314:3297874314(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>
    Aug 17 10:01:21 pf: 18. 599760 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 23759, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48536 > 10.10.1.15.22: S 3944036887:3944036887(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>
    Aug 17 10:01:02 pf: 16. 695925 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 47352, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48533 > 10.10.1.15.22: S 208895094:208895094(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>
    Aug 17 10:00:45 pf: 17. 435719 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 47281, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48519 > 10.10.1.15.22: S 2138479486:2138479486(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>
    Aug 17 10:00:28 pf: 1017. 926864 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 53714, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48516 > 10.10.1.15.22: S 3133380374:3133380374(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>

    regular log view

    Aug 17 10:01:37 WAN 129.174.1.13:48539 10.10.1.15:22 TCP
    Aug 17 10:01:21 WAN 129.174.1.13:48536 10.10.1.15:22 TCP
    Aug 17 10:01:02 WAN 129.174.1.13:48533 10.10.1.15:22 TCP
    Aug 17 10:00:45 WAN 129.174.1.13:48519 10.10.1.15:22 TCP
    Aug 17 10:00:28 WAN 129.174.1.13:48516 10.10.1.15:22 TCP

    screenshot of rule with advanced options




  • hoba or sullrich

    I'm assuming you've read the above. If this could be corrected sometime down the road that would be great.



  • Sorry, I don't know much about this one.  Patches accepted.



  • I'm having a question that is related to the one above.
    [edit: think I found it ...]
    I created a rule on my LAN network with:

    • Interface : LAN
    • Action : Pass
    • Protocol : TCP
    • Source & Ports : Any
    • Destination : Any
    • Destination port : SMTP(25)
    • Advanced Options : Maximum new connections / per second 1 for every 30 seconds

    I can 'prepare' 10 mails with OE and send them all at once.
    I can see on the pfSense GUI Log (Firewall) that the rule is 'passed' (green dot).
    The syslog shows the same things.

    LAN is the 'incoming' interface from a pfSense point of view.
    The rule is parsed - and 'passed'...
    If I choose Reject or Block - then sending mail isn't possible at all...

    Do I misunderstand this "Advanced Function" - missing another option? Do I need to fill in all the fields under Advanced Options?
    Are my 10 mails sent from the same IP:port to the same IP(ISP!):25 and thus considered as the same TCP connection? (and then matching... !)

    If a second 'mail connection' comes in, in the 30 seconds time slot, is this rule blocking instead of passing - is it 'not applying'?

    My goal is to port this rule to my OPT1 (Wifi) interface - Some say that one should forbid the possibility of sending mail from a public hotspot (I have 4 APs behind it to cover an entire hotel) - but I like to 'filter in time' so that real spamming isn't possible: aka 1 mail every 30 seconds seems ok to me.

    I don't get it. Hate to block port 25 on our 'public interface'..... Do not want to be a possible spam centre either.

    I get it: Need also to use the value: Maximum state entries per host - I put in a '1' and ... YES: a mail per 30 seconds can flow out.
    I'll leave my post here because I think this issue is an important security issue when maintaining a (semi) Public Hotspot.
    We are using our company ADSL line to offer our clients Internet access - usage should be controlled or restricted - if needed.
    pfSense is just great in doing this.



  • New connections are new states. If you transfer 30 mails the mailserver will be contacted once, this generates a state. Then all 30 mails are transferred. After the mails are transferred the sender signs off which clears the state again. This connection only was 1 new connection, not 30 new connections. You can't filter/throttle Mail this way.

    This feature however is good for preventing or slowing down brute-force password crackers or denial of service attacks for example.
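Taking hoba's point that these limits count new states (connection attempts), not packets or mails, together with the raw log posted earlier in the thread, where the fifth SYN from 129.174.1.13 is still logged as "pass": the following Python is an added example, not pfSense or pf code. It replays the five log lines from this thread through a simplified model of the two advanced options (pfSense's "Maximum new connections / per second" corresponds to pf's max-src-conn-rate and "Maximum state entries per host" to max-src-states) and shows which attempts the rule would actually let through, and it contrasts a mail client that batches 30 mails over one session with one that opens a connection per mail. The sliding-window accounting is an assumption that simplifies pf's own bookkeeping, and the addresses in the SMTP scenario are constructed.

```python
"""Replay pf-style per-source limits over firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Raw pf log lines as posted in this thread (newest first, as in the post).
RAW_LOG = [
    "Aug 17 10:01:37 pf: 16. 656168 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 13499, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48539 > 10.10.1.15.22: S 3297874314:3297874314(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>",
    "Aug 17 10:01:21 pf: 18. 599760 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 23759, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48536 > 10.10.1.15.22: S 3944036887:3944036887(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>",
    "Aug 17 10:01:02 pf: 16. 695925 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 47352, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48533 > 10.10.1.15.22: S 208895094:208895094(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>",
    "Aug 17 10:00:45 pf: 17. 435719 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 47281, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48519 > 10.10.1.15.22: S 2138479486:2138479486(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>",
    "Aug 17 10:00:28 pf: 1017. 926864 rule 83/0(match): pass in on fxp2: (tos 0x0, ttl 50, id 53714, offset 0, flags [DF], proto: TCP (6), length: 52) 129.174.1.13.48516 > 10.10.1.15.22: S 3133380374:3133380374(0) win 49640 <mss 1460,nop,wscale 0,[|tcp]>",
]

# Field order of the raw pf log format shown above (assumption: other lines keep it).
PF_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) pf: .*?rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S)"
)


def parse_pf_line(line):
    """Return the fields of one raw log line, or None if it is not in that format."""
    m = PF_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The log carries no year; seconds relative to a fixed point are enough to order events.
    d["t"] = (datetime.strptime(d["ts"], "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
    return d


class SourceTracker:
    """Per-source limits: max_new new states per window seconds, max_states open at once."""

    def __init__(self, max_new, window, max_states=None):
        self.max_new, self.window, self.max_states = max_new, window, max_states
        self.recent = defaultdict(deque)  # src -> times of new states accepted inside the window
        self.open = defaultdict(set)      # src -> keys of states currently open

    def new_state(self, t, src, key):
        """Decide whether a connection attempt (TCP SYN) from src may create a state."""
        q = self.recent[src]
        while q and t - q[0] >= self.window:   # drop attempts that fell out of the window
            q.popleft()
        if self.max_states is not None and len(self.open[src]) >= self.max_states:
            return "block"
        if len(q) >= self.max_new:
            return "block"
        q.append(t)
        self.open[src].add(key)
        return "pass"

    def close_state(self, src, key):
        self.open[src].discard(key)


def replay(lines, max_new, window, max_states=None):
    """Return [(timestamp, src:port, logged action, effective verdict)], oldest first."""
    events = [e for e in (parse_pf_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["t"])
    tracker = SourceTracker(max_new, window, max_states)
    out = []
    for e in events:
        if e["flags"] != "S":  # only a SYN asks for a new state; other packets ride an existing one
            verdict = "existing-state"
        else:
            verdict = tracker.new_state(e["t"], e["src"], (e["sport"], e["dst"], e["dport"]))
        out.append((e["ts"], f'{e["src"]}:{e["sport"]}', e["action"], verdict))
    return out


def smtp_scenario(mails, per_mail_connection, gap):
    """Verdict for each state a mail client asks for under 1 new connection / 30 s, 1 state per host.
    A batching client opens one session for all mails; a per-mail client opens one every `gap` seconds."""
    tracker = SourceTracker(max_new=1, window=30, max_states=1)
    src, dst, dport = "192.168.1.10", "192.0.2.25", 25  # constructed addresses
    if not per_mail_connection:
        key = (40000, dst, dport)
        verdict = tracker.new_state(0, src, key)   # one session carries all the mails
        tracker.close_state(src, key)
        return [verdict]
    verdicts = []
    for i in range(mails):
        key = (40000 + i, dst, dport)
        v = tracker.new_state(i * gap, src, key)
        verdicts.append(v)
        if v == "pass":
            tracker.close_state(src, key)  # short session, closed before the next mail
    return verdicts


if __name__ == "__main__":
    for row in replay(RAW_LOG, max_new=4, window=240):
        print(*row)
    print("batched client:", smtp_scenario(30, False, 0))
    print("per-mail client, 5 s apart:", smtp_scenario(3, True, 5))
```

Run as a script, the replay prints the logged action ("pass") beside the effective verdict for every line, with only the first four SYNs in the 240-second window marked "pass" and the 10:01:37 attempt marked "block", which is the log viewer discrepancy reported at the top of the thread. The SMTP scenario shows why the limit cannot throttle a client that batches mails over one session, while a client that opens a fresh connection per mail is held to one every 30 seconds.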



  • Thanks for your time, Hoba - I just edited my post (when you were typing your reply) when I found out ..... what you concluded also.
    It's quite logical ;)

    Actually, using a Maximum new connections / per second = 1 per 30 and Maximum state entries per host = 1 does what I want: no more than 1 mail posted every 30 seconds.
    From one PC: I can't post a second mail within the 30 sec. time slot.
    Posting from one PC - and posting from another doesn't yield the same thing (perfect :) ).

    Are you sure that OE (or whatever other mail client in that case) 'batches' outgoing mail?
    It might be more 'complicated' - in my case the outgoing mail is being captured by an Antivirus (Norton 2006) which transmits the mail on its (OE) behalf. My setup indicated to me that a new connection is made for every mail... And so, the rule is working.

    pFsense just rocks.....



  • This depends on the way the application/sender is working. If it really opens up a new connection for every mail it will be blocked by this rule. This might be the case the way Norton does it, but other applications might behave differently.

