4. Significant amount of incoming UDP traffic being blocked?

Significant amount of incoming UDP traffic being blocked?

  • T

    I'm seeing a large amount of incoming UDP traffic being blocked on my pfsense firewall. I'm currently assuming its DHT BitTorrent traffic.

    I've written a (possibly wrong) script to try and correlate the block logs against the actual traffic as captured from tcpdump. It seems to show that something behind my firewall is sending out a UDP packet at a given port, and a response comes later, sent to that port, which is blocked by the default block all rule.

    I personally would not have expected that behavior from BitTorrent clients as I have correctly set my DHT port to something that is forwarded to the machine running my BitTorrent client. I can't explain why I'm getting a large amount of UDP traffic, which just gets blocked.

    I actually have two WANs, but have a dedicated pfsense install for each, and only the pfsense that has a bittorrent client behind it has this issue (which is why I'm assuming its BT traffic), both sit behind the same cable modem, and 100mb ethernet switch.

    Is it just buggy bittorrent clients sending data to the wrong port? Is there anything I can do to resolve this?

    0
  • P

    If your seeing 'Blocked Log Spam'(high frequency of blocked addresses or ports) an easy way I found to keep it from filling the logs is to write a rule on the destination port in WAN. And since LAN is Default 'All Pass' I will put 'Reject' rules on Ports I know I wont use on the LAN interface, one rule for the source and one for destination. At the bottom of the rule:edit page is a tab for writing logs on that rule, make sure logging for that rule is disabled. This will keep you from getting frequent block logs on your 'System Logs'. To keep your rule page from becoming very long, make an alias for ports(Labeled:BlockPorts) and one for addresses(BlockAddress) that you are wanting to block. So later on when you want to add another port or address, all you have to do is edit the alias attached to the specific block rule.

    0
  • T

    @pdxer:

    If your seeing 'Blocked Log Spam'(high frequency of blocked addresses or ports) an easy way I found to keep it from filling the logs is to write a rule on the destination port in WAN. And since LAN is Default 'All Pass' I will put 'Reject' rules on Ports I know I wont use on the LAN interface, one rule for the source and one for destination. At the bottom of the rule:edit page is a tab for writing logs on that rule, make sure logging for that rule is disabled. This will keep you from getting frequent block logs on your 'System Logs'. To keep your rule page from becoming very long, make an alias for ports(Labeled:BlockPorts) and one for addresses(BlockAddress) that you are wanting to block. So later on when you want to add another port or address, all you have to do is edit the alias attached to the specific block rule.

    What it looks like is DHT traffic. I'd really rather not ignore it, but somehow get it to actually reach my BitTorrent client.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy