Auto Blocking / Threshold / Dynamic Rules

  • Hello…

    I've recently gotten back into the pfSense scene and am testing some different functionality in the 2.0 latest snapshots.  I've noticed that, out of the box, the system will start to block port scanning sources.  I have a number of automated scans that kick off at different intervals during the day from specific hosts, but have noticed in the firewall logs that they are being blocked after the scan initially starts.  I don't see any options in the system to control this and likewise don't see any whitelisting configuration.

    Any thoughts on this?

    Thanks much!!!  I appreciate how far pfSense has come along over the years and am going to once again start contributing to this fantastic project.

    Kind regards...

  • Hi,

    I'm also looking into pfSense firewall rules to throttle or mitigate various common undesirable situations:

    Scenario 1: Throttle SMTP
    A LAN/WLAN host becomes "zombie" (compromised by virus/malware) and initiates many outgoing SMTP connections directly to Internet hosts (not uncommon in a public Wifi hotspot). I want to throttle it with limits e.g. up to 2 concurrent established smtp connections and up to 4 per minute, and also redirect all subsequent web-traffic from the compromised PC to a webpage that informs the owner about it.

    So far I've been doing smtp throttling using Linux iptables, but I'm testing a pfsense rule that produces the following pf rule:

    $ pfctl -sr|fgrep smtp
pass in quick on em1 inet proto tcp from to any port = smtp flags S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 4/60, overload <virusprot> flush global, src.track 60) label "USER_RULE: Throttle outgoing SMTP"

    Scenario 2: DHCP DoS attack
    Mitigate attacks to pfSense's own dhcpd from people using tools like Gobbler (sends many requests to the dhcpd server in order to exhaust its IP address pool).

  • Any suggestions about how to throttle outgoing SMTP (25) connections and mitigate various denial-of-service attacks to basic services e.g. dhcpd?
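    The rule quoted above and the whitelisting question in the first post both come down to the same pf mechanism: a `source-track` limit whose `overload` clause drops offending sources into a table, which later rules can then match on. The fragment below is an added example written for this thread, not configuration from the pfSense project or from either poster; it is a hand-written pf.conf excerpt in the FreeBSD pf syntax of the pfSense 2.0 era (translation rules before filter rules), and the interface name, the LAN network, the two whitelisted scanner addresses and the "notification" web server are assumed values.

```pf
# Added example (not from the thread or from pfSense): SMTP throttling with
# an overload table, a whitelist for hosts that legitimately exceed the
# limits, and HTTP redirection of flagged hosts to an information page.
# All addresses and interface names below are assumed/constructed.

lan_if     = "em1"
lan_net    = "192.168.1.0/24"
notify_srv = "192.168.1.2"        # assumed: serves the "you are infected" page

# Filled automatically by the overload clause below; pfSense's own
# <virusprot> table is populated the same way and is what the first post
# sees its scanners landing in.
table <virusprot> persist

# Sources that may exceed the limits (scheduled scanners, mail relays).
# Maintain it by hand: pfctl -t scan_whitelist -T add/delete <addr>
table <scan_whitelist> persist { 192.168.1.10, 192.168.1.11 }

# --- translation (must precede filter rules in this pf version) ---------
# A flagged host's web traffic goes to the notification page instead of
# the Internet.
rdr on $lan_if inet proto tcp from <virusprot> to any port www -> $notify_srv port www

# --- filtering -----------------------------------------------------------
# Whitelisted hosts bypass the limits; "quick" stops rule evaluation here.
pass in quick on $lan_if inet proto tcp from <scan_whitelist> to any port smtp \
    flags S/SA keep state

# Flagged hosts: no further SMTP at all, but let the redirected HTTP through
# so the owner actually sees the page.
block in quick on $lan_if inet proto tcp from <virusprot> to any port smtp
pass  in quick on $lan_if inet proto tcp from <virusprot> to $notify_srv port www \
    flags S/SA keep state

# Everyone else: at most 2 concurrent SMTP sessions and at most 4 new ones
# per 60 s per source. Exceeding either limit adds the source to <virusprot>
# and "flush global" tears down all of its existing states, not only the
# SMTP ones.
pass in quick on $lan_if inet proto tcp from $lan_net to any port smtp \
    flags S/SA keep state (source-track rule, max-src-conn 2, \
    max-src-conn-rate 4/60, overload <virusprot> flush global, src.track 60)
```

    Two things to keep in mind when adapting this. First, `max-src-conn` and `max-src-conn-rate` only count TCP connections, so they cannot be applied to dhcpd's UDP traffic; in addition, pool-exhaustion tools send DISCOVERs from 0.0.0.0 with made-up client MACs, so a per-source-IP limit in pf has nothing to key on. That scenario is better handled at the switch (DHCP snooping or per-port MAC limits) than on the firewall. Second, the table is inspected and edited with the usual `pfctl -t virusprot -T show` / `-T delete <addr>` / `-T expire <seconds>` commands, which is the quickest way to release a legitimate scanner that was caught before the whitelist rule existed.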

  • What about the package "spamd"?