Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Access from PFSense itself is being blocked by Suricata.

    Scheduled Pinned Locked Moved
    IDS/IPS
    4
    5
    227
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Yet_learningPFSenseY
      Yet_learningPFSense
      last edited by

      Recently, there have been block logs for access from PFSense itself to destinations such as 208.123.73.207:443. PFSense is connected to only one PC, and I haven't installed any packages that would allow PFSense itself to access other servers... Could you at least determine if the blocked IP addresses are related to suspicious server access?

      Dobby_D 1 Reply Last reply Reply Quote 0
      • Dobby_D
        Dobby_ @Yet_learningPFSense
        last edited by

        @yet_learningpfsense

        https://208.123.73.207 = files.pfsense.org

        #~. @Dobby

        Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
        PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
        PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

        Yet_learningPFSenseY 1 Reply Last reply Reply Quote 1
        • Yet_learningPFSenseY
          Yet_learningPFSense @Dobby_
          last edited by Yet_learningPFSense

          @dobby_ Thank you for your response. It was indeed the IP address of PFSense, which I overlooked... I thought Suricata wouldn't block it, but it turns out it does unexpectedly. I've learned something from this.

          スクリーンショット 2023-05-17 151110.jpg

          NollipfSenseN S 2 Replies Last reply Reply Quote 0
          • NollipfSenseN
            NollipfSense @Yet_learningPFSense
            last edited by

            @yet_learningpfsense That usually happens when you enabled too much/many rules or implement blocking before your IPS/IDS had a chance to learn what's good from bad.

            pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
            pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

            1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @Yet_learningPFSense
              last edited by

              @yet_learningpfsense Also if you’re running Suricata on WAN I’d recommend putting it on LAN. Otherwise it scans outside the firewall so scans all inbound to-be-blocked packets and can only see the NATted IP not LAN devices.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post