Unusual activity… with firewall



  • I'm a novice with pfSense, Linux, etc.  I installed the pfSense box about 1 month ago.
    I basically blocked all incoming to the WAN address and the other two default bogon/unaddressed block settings.  I also did blocking on the inbound LAN subnet, leaving DNS open for the gateway, and limited some outbound ports.

    I noticed some unusual activity on my firewall recently.  Looking at the logs… (I didn't even set up a syslog server yet --) I noticed a couple of pass rules for incoming for the WAN.  Only I have access to the router and I never allowed any inbound, no SSH enabled.  I went back to the firewall rules and saw that there were no incoming rules.  What happened?  Did someone access the router? someone had allowed



  • post the log entries?



  • Sorry, I don't have them.  As soon as I saw the 2 pass rules in the logs, I immediately formatted and reinstalled pfSense.  I also did the same for the laptop I was using.  I've had some history with botnets being on my system/network.  I thought someone may have gained access while I was browsing the web while configuring pfSense.  I don't know how protected the system is against cross-site exploits/scripting.  Additionally, I was using an older version of OpenSSL, and I don't know how secure that may have been.

    I'm posting what happened because I'm curious how that happened.  I don't need help with the problem since a reinstallation should have fixed it.  Do I need any additional rules on the WAN other than blocking incoming to the WAN address and the two default blocks?



  • You shouldn't need a block all inbound to the WAN - that is the default already.



  • Most likely it's just the FTP helper logging the FTP data connections when using active mode FTP, I wouldn't worry about them.



  • I think entries are created in the firewall log if you install a package, too.


  • Rebel Alliance Developer Netgate

    You will also see log entries for traffic which is allowed in from UPnP if you turned that on, but as others said, it's probably the FTP helper.

