Netgate Discussion Forum

    malware outgoing blocked - help to interpret firewall log entry

    Firewalling | 23 Posts, 4 Posters, 1.6k Views
    • johnpoz LAYER 8 Global Moderator @e4ch

      @e4ch said in malware outgoing blocked - help to interpret firewall log entry:

      But if such a blacklist now contains private IPs, that might be a problem when internal traffic must go through the firewall

      Put a rule that allows traffic to your other rfc1918 addresses on other networks if you want to allow that.

      Rules are evaluated in order, top down; the first rule to trigger wins and no other rules are evaluated. So if you have a rule that allows 192.168.1.0/24 above a rule that blocks 192.168.0.0/16, it doesn't matter, because your rule above allows traffic to your other network, say to 192.168.1.42 or whatever.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

      • Bob.Dig LAYER 8 @e4ch

        @e4ch said in malware outgoing blocked - help to interpret firewall log entry:

        I might need a better blacklist or just use the remaining two lists.

        Just use pfBlocker for all your blacklists; it will remove any private IPs for you. But before learning pfBlocker you have to understand the fundamentals: everything is always incoming/inbound to the firewall interface, not outbound.
        That means that if you want to block some bad IP from the internet, you have to create the rule on WAN with source = bad IPs.

        If you want to block hosts on your LAN from reaching bad IPs, you have to do it on your LAN interface with destination = bad IPs.

        The reason is that all traffic is only evaluated once by the firewall, when it first enters it. If it is not filtered there, the traffic can go everywhere.

        I hope this helps.

        • e4ch @Bob.Dig
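The two points made above, first-match rule ordering (johnpoz's post) and per-interface inbound evaluation with a blocklist stripped of private space (Bob.Dig's post), as an added example in Python. This is a small model written for this thread, not code from pfSense, pfBlockerNG or either poster; the interface networks, the RAW_BLOCKLIST entries and the sample flows are constructed, and `Rule`, `evaluate`, `strip_private`, `build_rulesets`, `filter_flow` and `ordering_demo` are hypothetical names chosen here.

```python
"""Model of pfSense-style rule evaluation (added example, not pfSense code).

It reproduces two things the thread states: rules on an interface are walked
top down and the first match wins, and a packet is filtered once, inbound on
the interface it arrives on. Topology, blocklist and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")

# RFC1918 plus loopback: a blocklist importer must never turn these into block
# rules, or it cuts off traffic between the firewall's own internal networks.
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    comment: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address) -> Tuple[str, Optional[Rule]]:
    """Top down, first match wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule
    return "block", None


def strip_private(entries: List[str]) -> List[IPv4Network]:
    """Drop entries overlapping RFC1918/loopback space (the clean-up pfBlocker
    is said to do for you); keep everything else as a network object."""
    kept = []
    for entry in entries:
        net = ip_network(entry, strict=False)
        if any(net.overlaps(private) for private in PRIVATE_RANGES):
            continue
        kept.append(net)
    return kept


# Constructed topology: two internal networks behind the firewall.
INTERFACES: Dict[str, IPv4Network] = {
    "lan": ip_network("192.168.1.0/24"),
    "opt1": ip_network("192.168.2.0/24"),
}

# Constructed blocklist with private space mixed in, like the one in the thread.
RAW_BLOCKLIST = ["198.51.100.0/24", "192.168.0.0/16", "10.0.0.0/8", "203.0.113.7/32"]


def ingress_interface(src: IPv4Address) -> str:
    """A packet enters on the interface whose network holds its source;
    anything else arrives from the internet on WAN."""
    for name, net in INTERFACES.items():
        if src in net:
            return name
    return "wan"


def build_rulesets(bad_nets: List[IPv4Network]) -> Dict[str, List[Rule]]:
    """WAN: block bad *sources*. LAN/OPT1: block bad *destinations*, then allow the rest."""
    wan = [Rule("block", src=n, comment="bad IP from the internet") for n in bad_nets]
    internal = [Rule("block", dst=n, comment="host reaching a bad IP") for n in bad_nets]
    internal.append(Rule("pass", comment="default allow to any"))
    return {"wan": wan, "lan": list(internal), "opt1": list(internal)}


def filter_flow(rulesets: Dict[str, List[Rule]], src: str, dst: str) -> Tuple[str, str, str]:
    """Return (ingress interface, verdict, comment of the rule that fired) for one new flow."""
    s, d = ip_address(src), ip_address(dst)
    iface = ingress_interface(s)
    verdict, rule = evaluate(rulesets.get(iface, []), s, d)
    return iface, verdict, rule.comment if rule else ""


def ordering_demo(allow_above_block: bool) -> str:
    """An allow to 192.168.2.0/24 above a block of 192.168.0.0/16 lets LAN reach
    OPT1; the same two rules in the other order block it."""
    allow = Rule("pass", dst=INTERFACES["opt1"], comment="allow LAN to OPT1")
    block = Rule("block", dst=ip_network("192.168.0.0/16"), comment="unfiltered list entry")
    rules = [allow, block] if allow_above_block else [block, allow]
    verdict, _ = evaluate(rules, ip_address("192.168.1.10"), ip_address("192.168.2.42"))
    return verdict


if __name__ == "__main__":
    bad = strip_private(RAW_BLOCKLIST)
    rs = build_rulesets(bad)
    print("allow above block:", ordering_demo(True))
    print("block above allow:", ordering_demo(False))
    print(filter_flow(rs, "192.168.1.10", "198.51.100.5"))   # checked on LAN, dst rule fires
    print(filter_flow(rs, "198.51.100.5", "192.168.1.10"))   # checked on WAN, src rule fires
    # A "block dst bad" rule placed only on WAN never sees LAN traffic, so it does nothing:
    wrong = {"wan": [Rule("block", dst=bad[0])], "lan": [Rule("pass")]}
    print(filter_flow(wrong, "192.168.1.10", "198.51.100.5"))
```

The last case in `__main__` is the mistake Bob.Dig warns about: the LAN host's packet is evaluated once, inbound on LAN, and a WAN rule with the bad IP as destination is never consulted for it.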

          @Bob-Dig Thanks and understood. I'll have a look at pfBlocker.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.