Maximum connections per host - empty virusprot table



  • Hi,
    When trying to use the advanced option ‘Maximum number of established connections per host’, users get blocked, but I see nothing on the ‘virusprot’ table or any other table.
    For testing, I set a ridiculously small number (5) and of course, I cannot get a single webpage… so it is working, but I want/need to see the list of trapped people.

    Even with the default hour of the cron to remove blocked users, I haven’t found a way of ‘monitoring’ this function.
    Am I missing something? Is Snort a requirement to see users in the ‘virusprot’ table?

    I’m using the last stable pfSense (2.0.1) in a box with several VLANs. I set the rule in just one VLAN for testing.
    Thanks in advance!



  • @roymayr:

    Even with the default hour of the cron to remove blocked users, I haven’t found a way of ‘monitoring’ this function.

    I use this function with cron running every two minutes to avoid external users being blocked for up to two hours.
    */2 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 60 virusprot

    @roymayr:

    Am I missing something? Is Snort a requirement to see users in the ‘virusprot’ table?

    No, it’s a built-in pfSense function.



  • Thanks for the quick answer…

    I understand the use of the cron and I think your timing is fine.  I’ll get there after my testing and tuning.
    At this point, I just want to see the list of blocked users… That would be a great help to play with the “Maximum connections per host” setting and find the right numbers for my net.

    So contrary to other posts, I want to see people listed at the virusprot table… but even blocking people after 5 connections (which is happening), I don’t see them in any table… so I cannot manage this.
    I blindly trust the cron that will “clean” whatever is there… but I want to see that list.

    Thanks for the ideas.



  • Ok… let me try this way.

    For those who are using “Maximum connections per host” option in your rules.  Have you ever seen a user in the virusprot table or any other table?
    If so, which PF version are you running? Did you do anything “special” to make it work? or just as it is.

    thanks!



  • @roymayr:

    Ok… let me try this way.

    For those who are using “Maximum connections per host” option in your rules.  Have you ever seen a user in the virusprot table or any other table?
    If so, which PF version are you running? Did you do anything “special” to make it work? or just as it is.

    thanks!

    I do. I’m using version 2.0.1 amd64



  • @marcelloc:

    @roymayr:

    Ok… let me try this way.

    For those who are using “Maximum connections per host” option in your rules.  Have you ever seen a user in the virusprot table or any other table?
    If so, which PF version are you running? Did you do anything “special” to make it work? or just as it is.

    thanks!

    I do. I’m using version 2.0.1 amd64

    Thanks marcelloc… it seems you are very lucky! so far, the only one getting something in the virusprot table.  😉
    I’m using the same version, but i386 in a VM - ESXi. I’m not sure whether that could make any difference. I’ve tried everything, but I have never seen a user listed in the virusprot table, even knowing there are blocked users. Any further advice? It is hard to know what is going on with your rules if you cannot see this.
    Thanks again.

