Netgate Discussion Forum

Auto Blocking / Threshold / Dynamic Rules

Firewalling
4 Posts 3 Posters 3.3k Views
windexh8er, last edited by Jul 31, 2011, 4:46 PM

    Hello…

    I've recently gotten back into the pfSense scene and am testing some different functionality in the 2.0 latest snapshots.  I've noticed that, out of the box, the system will start to block port scanning sources.  I have a number of automated scans that kick off at different intervals during the day from specific hosts, but have noticed in the firewall logs that they are being blocked after the scan initially starts.  I don't see any options in the system to control this and likewise don't see any whitelisting configuration.

    Any thoughts on this?

    Thanks much!!!  I appreciate how far pfSense has come along over the years and am going to once again start contributing to this fantastic project.

    Kind regards...

dhatz, last edited by Aug 14, 2011, 12:38 AM

      Hi,

      I'm also looking into pfSense firewall rules to throttle or mitigate various common undesirable situations:

      Scenario 1: Throttle SMTP
      A LAN/WLAN host becomes "zombie" (compromised by virus/malware) and initiates many outgoing SMTP connections directly to Internet hosts (not uncommon in a public Wifi hotspot). I want to throttle it with limits e.g. up to 2 concurrent established smtp connections and up to 4 per minute, and also redirect all subsequent web-traffic from the compromised PC to a webpage that informs the owner about it.

      So far I've been doing smtp throttling using Linux iptables, but I'm testing a pfsense rule that produces the following pf rule:

$ pfctl -sr|fgrep smtp
pass in quick on em1 inet proto tcp from 192.168.100.0/24 to any port = smtp flags S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 4/60, overload <virusprot> flush global, src.track 60) label "USER_RULE: Throttle outgoing SMTP"

      Scenario 2: DHCP DoS attack
      Mitigate attacks to pfSense's own dhcpd from people using tools like Gobbler (sends many requests to the dhcpd server in order to exhaust its IP address pool).

dhatz, last edited by Aug 15, 2011, 10:07 PM
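The throttle rule above only adds an offending host to the <virusprot> table; what happens to that host afterwards depends on further rules. The following pf.conf fragment is an added example, not dhatz's rule or pfSense-generated output, that writes out the whole of scenario 1 by hand: the overload table, a redirect of the overloaded host's web traffic to a notice page, a block for everything else it sends, and the throttle rule itself. It assumes the pre-FreeBSD-9 pf syntax that pfSense 2.0 used (separate rdr rules, evaluated before filter rules), the interface em1 and subnet 192.168.100.0/24 from the post, and a hypothetical web server at 192.168.100.1 serving the notice page.

```pf
# Added example, not from the thread. Assumes pfSense 2.0-era pf (FreeBSD 8.x syntax).
# Interface and LAN subnet are taken from the post; the notice-page host is hypothetical.
lan_if      = "em1"
lan_net     = "192.168.100.0/24"
notice_host = "192.168.100.1"

# Overload table. 'persist' keeps it even while no rule references it; entries are
# added by the throttle rule below and can be inspected with: pfctl -t virusprot -T show
table <virusprot> persist

# Translation rules run before filter rules in this syntax, so any web request from an
# overloaded host reaches the filter with the notice host as its destination.
rdr on $lan_if inet proto tcp from <virusprot> to any port 80 -> $notice_host port 80

# Allow the (already rewritten) HTTP traffic so the notice page can load, then drop and
# log everything else the overloaded host sends. Both must precede the SMTP pass rule,
# otherwise the host's further SMTP attempts would still match it.
pass in quick on $lan_if inet proto tcp from <virusprot> to $notice_host port 80 flags S/SA keep state
block in quick log on $lan_if from <virusprot> to any

# The throttle rule: per source host (source-track rule), at most 2 established SMTP
# connections and at most 4 new ones per 60 seconds. Exceeding either limit puts the
# source into <virusprot>; 'flush global' kills every state that host created, not only
# its SMTP states, so existing connections are cut as well as new ones being refused.
pass in quick on $lan_if inet proto tcp from $lan_net to any port smtp flags S/SA keep state \
    (source-track rule, max-src-conn 2, max-src-conn-rate 4/60, overload <virusprot> flush global, src.track 60)
```

Rule order is the point to check: with 'quick' rules, the notice-page pass and the table block must sit above the SMTP pass rule, and the rdr must exist so the block does not also swallow the redirected HTTP. Once the owner has cleaned the machine, the entry is removed with pfctl -t virusprot -T delete followed by the host address; a host that keeps exceeding the rate simply lands back in the table.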

Any suggestions about how to throttle outgoing SMTP (25) connections and mitigate various denial-of-service attacks to basic services e.g. dhcpd?

Nachtfalke, last edited by Aug 15, 2011, 10:11 PM

What about the package "spamd"?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.