Tracking down syn,ack sessions
-
I am taking over a business and reviewing the firewall rules. There is a permit any/any on the WAN. There are more specific rules within the WAN rule set above the any/any, but of course, I need to start cleaning the very permissive security policy.
For those curious, the WAN needs ports open as hosting services are sitting behind the firewall. Financial trading systems where some customers target their session on TCP Port 1870 (for example). This is quite common in the fintech space, so bear with me. My question for cleaning up the permit any/any rule is this.
Does pfSense have a way of tracking SYN,ACK sessions and getting that information logged? The goal is to see what ports over the last 30 days have bi-directional traffic and start creating rules on that. For example, if I see port 1870 with numerous SYN,ACK sessions then I can reasonably conclude that is a valid port that should be allowed. If I see port 1871 with a bunch of SYNs but no ACKs I can conclude that is a port that will not be opened on the WAN.
All logging goes to a remote logging server so I can do analysis there, but tracking just based on a TCP SYN flag is not helpful at all. On Palo Alto firewalls you can review the traffic logs and filter by 'Bytes Sent and Bytes Received', which gives an admin a good sense of what's communicating within a firewall rule.
-
It sounds like you're looking for netflow: https://docs.netgate.com/pfsense/en/latest/firewall/pflow.html#firewall-pflow
You can get a snapshot of the currently active connections on the Diagnostics -> States page too, but that won't show you historical states.
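An added example (not from the thread) of the SYN,ACK heuristic described in the question, applied to the kind of unidirectional flow records a NetFlow/pflow export produces: a session counts as established only when the server side answered with a SYN+ACK flow inside the 30-day window. The flow lines, host addresses and field layout are constructed for illustration, not a real export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records, one direction per line:
# timestamp src dst sport dport tcp_flags bytes   (sample data, not a real export)
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 203.0.113.5 198.51.100.10 51000 1870 S 60
2024-05-01T10:00:00 198.51.100.10 203.0.113.5 1870 51000 SA 1200
2024-05-01T10:00:01 203.0.113.5 198.51.100.10 51000 1870 A 34000
2024-05-02T11:00:00 203.0.113.7 198.51.100.10 52000 1870 S 60
2024-05-02T11:00:00 198.51.100.10 203.0.113.7 1870 52000 SA 800
2024-05-03T12:00:00 203.0.113.9 198.51.100.10 53000 1871 S 60
2024-05-03T12:00:01 203.0.113.9 198.51.100.10 53000 1871 S 60
2024-03-01T09:00:00 203.0.113.5 198.51.100.10 54000 2222 S 60
2024-03-01T09:00:00 198.51.100.10 203.0.113.5 2222 54000 SA 500
"""

# Hosted servers sitting behind the WAN interface (constructed addresses).
HOSTED_SERVERS = {"198.51.100.10"}


def classify_ports(text, now_iso, window=timedelta(days=30)):
    """Return {dport: {"established": n, "syn_only": n}} for inbound TCP
    sessions seen within `window` before `now_iso`.

    A session is keyed by (client, server, client_port, server_port). It is
    'established' when a reverse flow from the server carrying SYN+ACK exists;
    otherwise it is 'syn_only' (client SYNs with no handshake reply)."""
    cutoff = datetime.fromisoformat(now_iso) - window
    inbound = set()   # sessions initiated from the WAN towards a hosted server
    replied = set()   # same keys, for which the server sent a SYN+ACK flow
    for line in text.strip().splitlines():
        ts, src, dst, sport, dport, flags, _nbytes = line.split()
        if datetime.fromisoformat(ts) < cutoff:
            continue  # outside the analysis window
        if dst in HOSTED_SERVERS:
            inbound.add((src, dst, sport, dport))
        elif src in HOSTED_SERVERS and "S" in flags and "A" in flags:
            # Reverse direction: swap ends so the key matches the inbound one.
            replied.add((dst, src, dport, sport))
    result = defaultdict(lambda: {"established": 0, "syn_only": 0})
    for key in inbound:
        bucket = "established" if key in replied else "syn_only"
        result[int(key[3])][bucket] += 1
    return dict(result)


if __name__ == "__main__":
    for port, counts in sorted(classify_ports(SAMPLE_FLOWS, "2024-05-10T00:00:00").items()):
        print(port, counts)
```

Ports with only syn_only hits are the candidates to leave closed when replacing the any/any rule; ports with established sessions are the ones worth a specific permit.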
-
@kprovost Fair.
Is there any netflow collector that you or anyone can recommend? nfsen seems unsupported now.
-
Graylog has taken care of this for me. Creating reports for top dst IP and ports