How to secure and monitor pfsense

  • Hi,

    I installed BandwidthD and Darkstat to monitor traffic going through my pfsense firewall, I want to know how to use both tools to be able to analyze if someone trying to hack our system from external source. I check the Darkstat and there are bunch of IP address from external and when I open some IP address that I did not know to open what port is trying to access and I saw port 47741 and some other ports that I know it was being blocked in my WAN rules.

    Is this means that they are already pass through to my firewall rules? although my first line rules is blacked RFC 1918 Network.

    Hope for your help.


  • Rebel Alliance Developer Netgate

    Those utilities report bandwidth used, so they will only show traffic from IPs that have made connections. This does not mean they have "hacked" you, it most likely means someone inside your network has made a connection outbound to that server and requested something (e.g. web content). The port you don't recognize is probably the random client port of the connection, and the other port it shows for that same connection is likely the meaningful one.

    Nothing can get in unless you let it. If you have no firewall rules on WAN, nothing can get in unsolicited. Someone on a local PC could still download something bad, but it would have to be a locally initiated connection.

    If you want to know if someone is trying to get in, snort is probably a better choice to install.

  • Thanks Jimmp,

    I already installed snort and I don't know how to use and configure it well. Is there an in depth documentation on how to use it to know if someone trying to get through to your firewall?

  • Rebel Alliance Developer Netgate

    If there is any doc for it, it would be a sticky in the packages forum or on the doc wiki (see the link in my sig). I can't remember offhand if there is a guide.

  • I found this on my snort log, please see screenshot. How do I know if they are successfully get in or not on my system and how do I prevent it to make sure they will not be able to gain again. Do I have to out them on the blacklist in snort?

  • Also when I tried to update snort it gives me this error message.

    Directory so_rules does not exist…
    Error copying so_rules...

    I have this version Snort pkg v. 1.6

    Hope for your help.


Log in to reply