Netgate Discussion Forum

    Anything like the iptables "recent" feature?

    Firewalling
    4 Posts 4 Posters 2.3k Views
    packetslinger

      I am a recent convert from a "home made" linux/iptables firewall to pfsense. One feature I am missing in pfsense is the iptables "recent" feature. Using the "recent" table in iptables, I can easily block portscans from reaching valid open ports.

      Instead of just "dropping" packets to closed port, IP addresses are added to a list of "recent" IP addresses. Then a second rule will block everything coming from IPs from this list, even if the port would be open otherwise. This feature is also useful to implement port knocking.

      Is there anything like that in pfsense? Something that would allow me to put source IPs automatically on a blacklist for, let's say, 30 minutes if they hit 3 closed ports within one minute?

      Thanks.

    cmb

        Not built in. Could do that via log analysis, or use Snort with the block offenders option.

    dhatz

          Check a 10 year old discussion about portscans and pf at http://monkey.org/openbsd/archive/misc/0211/msg02491.html

          Since after 10yr they still haven't added an iptables' "recent"-like functionality in pf, they apparently still think you'd be better off writing something to monitor pflog0 to watch for blocked packets and blocking those hosts.

          To mitigate bruteforce attacks you can use pf's max-src-* directives, check http://home.nuug.no/~peter/pf/en/bruteforce.html

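An added example, written here and not by any poster in this thread: a small userland watcher of the kind dhatz describes, reading `tcpdump`-style pflog0 lines and applying the threshold packetslinger asked for (3 closed ports in one minute, then 30 minutes on a blacklist). The log line format, the decision to count distinct destination ports, and the sample addresses are all assumptions; a real deployment would push each ban into a pf table with `pfctl -T add` and reference that table from a block rule.

```python
import re
from collections import defaultdict, deque
# Threshold from the question: 3 distinct closed ports within 60 s -> blocked for 30 min.
HITS, WINDOW, BAN = 3, 60, 1800
# Parses the "rule N/0(match): block in on em0: SRC.SPORT > DST.DPORT: ..." shape that
# `tcpdump -n -ttt -i pflog0` prints (assumed format; adjust the regex to your pf version).
LINE_RE = re.compile(r"block in on \S+: (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+):")
class RecentTracker:
    """Userland stand-in for iptables 'recent': a sliding window of blocked hits per source."""
    def __init__(self, hits=HITS, window=WINDOW, ban=BAN):
        self.hits, self.window, self.ban = hits, window, ban
        self.recent = defaultdict(deque)  # src IP -> deque of (timestamp, blocked dst port)
        self.banned = {}                  # src IP -> ban expiry timestamp
    def is_banned(self, src, now):
        if self.banned.get(src, 0) > now:
            return True
        self.banned.pop(src, None)        # expired (or never banned): forget it
        return False
    def observe(self, line, now):
        """Feed one pflog line seen at epoch time `now`; return the src IP if it just got banned."""
        m = LINE_RE.search(line)
        if not m:
            return None
        src, dport = m.group(1), int(m.group(2))
        if self.is_banned(src, now):
            return None
        hits = self.recent[src]
        hits.append((now, dport))
        while now - hits[0][0] > self.window:  # drop hits that fell out of the window
            hits.popleft()
        if len({port for _, port in hits}) >= self.hits:
            self.banned[src] = now + self.ban  # a real watcher would run pfctl -t <table> -T add here
            hits.clear()
            return src
        return None
# Constructed sample (epoch seconds, pflog line): 192.0.2.10 probes three closed ports in 25 s;
# 203.0.113.7 also hits three ports, but spread over 13 minutes, so it is never banned.
SAMPLE = [
    (100, "rule 3/0(match): block in on em0: 192.0.2.10.40001 > 198.51.100.5.23: Flags [S]"),
    (110, "rule 3/0(match): block in on em0: 192.0.2.10.40002 > 198.51.100.5.135: Flags [S]"),
    (120, "rule 3/0(match): block in on em0: 203.0.113.7.50000 > 198.51.100.5.22: Flags [S]"),
    (125, "rule 3/0(match): block in on em0: 192.0.2.10.40003 > 198.51.100.5.445: Flags [S]"),
    (200, "rule 3/0(match): block in on em0: 203.0.113.7.50001 > 198.51.100.5.22: Flags [S]"),
    (900, "rule 3/0(match): block in on em0: 203.0.113.7.50002 > 198.51.100.5.80: Flags [S]"),
]
def run_sample():  # replay SAMPLE through a fresh tracker; return (tracker, [(time, banned ip)])
    tracker = RecentTracker()
    bans = [(ts, ip) for ts, line in SAMPLE if (ip := tracker.observe(line, ts))]
    return tracker, bans
```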
    marcelloc

            Can you try adding a connection limit to your denied rules? It will probably block 'offenders/portscanners' for about 2 hours.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.