Netgate Discussion Forum

    Auto Blocking / Threshold / Dynamic Rules

    Firewalling
windexh8er

      Hello…

      I've recently gotten back into the pfSense scene and am testing some different functionality in the 2.0 latest snapshots.  I've noticed that, out of the box, the system will start to block port scanning sources.  I have a number of automated scans that kick off at different intervals during the day from specific hosts, but have noticed in the firewall logs that they are being blocked after the scan initially starts.  I don't see any options in the system to control this and likewise don't see any whitelisting configuration.

      Any thoughts on this?

      Thanks much!!!  I appreciate how far pfSense has come along over the years and am going to once again start contributing to this fantastic project.

      Kind regards...

dhatz

        Hi,

        I'm also looking into pfSense firewall rules to throttle or mitigate various common undesirable situations:

        Scenario 1: Throttle SMTP
        A LAN/WLAN host becomes "zombie" (compromised by virus/malware) and initiates many outgoing SMTP connections directly to Internet hosts (not uncommon in a public Wifi hotspot). I want to throttle it with limits e.g. up to 2 concurrent established smtp connections and up to 4 per minute, and also redirect all subsequent web-traffic from the compromised PC to a webpage that informs the owner about it.

        So far I've been doing smtp throttling using Linux iptables, but I'm testing a pfsense rule that produces the following pf rule:

        $ pfctl -sr | fgrep smtp
        pass in quick on em1 inet proto tcp from 192.168.100.0/24 to any port = smtp flags S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 4/60, overload <virusprot> flush global, src.track 60) label "USER_RULE: Throttle outgoing SMTP"

        Scenario 2: DHCP DoS attack
        Mitigate attacks to pfSense's own dhcpd from people using tools like Gobbler (sends many requests to the dhcpd server in order to exhaust its IP address pool).

dhatz
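The following pf.conf fragment is an added example, not configuration from the thread or from the pfSense project. It puts the rule dhatz showed into a small ruleset that also covers the two things the thread asks about: a whitelist table for hosts that must never be throttled (windexh8er's scanning hosts or a legitimate mail relay), and the redirection of web traffic from an overloaded host to a notice page (dhatz's scenario 1). The interface `em1`, the `192.168.100.0/24` subnet, the `<smtp_allowed>` table name, the exempt address `192.168.100.25` and the notice server at `192.168.100.1` port 8080 are assumptions; `<virusprot>` is the table name pfSense itself uses for overloaded sources.

```pf
# Added example, not from the thread. Assumed interface, subnet and hosts.
lan_if      = "em1"
lan_net     = "192.168.100.0/24"
notice_host = "192.168.100.1"      # assumed: web server showing the "your PC is infected" page on port 8080

# Overloaded sources are inserted here by the "overload" option below.
# "persist" keeps the table even when no rule currently references it.
table <virusprot> persist
# Assumed whitelist: hosts that may open as many SMTP connections (or scans) as they like.
table <smtp_allowed> persist { 192.168.100.25 }

# Translation rules run before filter rules: HTTP from a throttled host is
# rewritten to the notice page before any pass/block rule sees it.
rdr on $lan_if proto tcp from <virusprot> to any port 80 -> $notice_host port 8080

# 1. Whitelisted hosts match first, with no source tracking, so they can never be overloaded.
pass in quick on $lan_if proto tcp from <smtp_allowed> to any port smtp flags S/SA keep state

# 2. Let an overloaded host reach only the (already redirected) notice page ...
pass in quick on $lan_if proto tcp from <virusprot> to $notice_host port 8080 flags S/SA keep state
# ... and drop everything else it sends.
block in quick on $lan_if from <virusprot> to any

# 3. Everyone else: at most 2 established SMTP connections and 4 new ones per 60 s.
#    A host that exceeds either limit is added to <virusprot>, and "flush global"
#    kills all of its existing states, so its next web request hits the rdr above.
pass in quick on $lan_if proto tcp from $lan_net to any port smtp flags S/SA keep state \
    (source-track rule, max-src-conn 2, max-src-conn-rate 4/60, \
     overload <virusprot> flush global, src.track 60)
```

Two operational notes. Which hosts have tripped the limit can be listed with `pfctl -t virusprot -T show`, and a single host is released with `pfctl -t virusprot -T delete <address>` (pfSense also expires entries on its own after a while). Rule order matters because of `quick`: the whitelist rule sits above the throttle rule, and the block rule for `<virusprot>` sits above the SMTP rule, otherwise an overloaded host would keep matching the throttle rule until its next overload. The `max-src-conn` and `max-src-conn-rate` options only count completed TCP handshakes, so they do not help with scenario 2 (DHCP over UDP); for that, `max-src-states` on a UDP rule is the only per-source limit pf offers.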

Any suggestions about how to throttle outgoing SMTP (25) connections and mitigate various denial-of-service attacks to basic services e.g. dhcpd?

Nachtfalke

What about the package "spamd"?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.