Netgate Discussion Forum

    Raw IP traffic

    • bellera

      Hello!

      I have a Snort machine sniffing traffic on the LAN side of my pfSense.

      The Snort log says there is port scanning using the Raw IP protocol. The source addresses are generally from the Internet. So, these attacks are bypassing my pfSense (?).

      I don't understand why …

      One of my machines is a webserver on the Internet. So, it has ports 80 & 443 open to the Internet. It also has Samba services on the LAN side, but this service can be viewed from the Internet (no NAT, no firewall rules for Samba).

      However, some of the raw IP attacks can see that ports 139 and 445 are open on this machine (?).

      Example:

      #(1 - 42473) [2007-05-14 14:59:53] [snort/122:27]  (portscan) Open Port
      IPv4: AAA.AAA.AAA.AAA -> XXX.XXX.XXX.XXXX
          hlen=5 TOS=0 dlen=35 ID=50276 flags=0 offset=0 TTL=0 chksum=20299
      Payload:  length = 15

      000 : 4F 70 65 6E 20 50 6F 72 74 3A 20 31 33 39 0A      Open Port: 139.

      AAA.AAA.AAA.AAA (source address from Internet)
      XXX.XXX.XXX.XXX (private address, my machine at the LAN side of pfSense)

      Any idea?

      Thanks,

      Josep Pujadas
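
An added triage example, not part of the original post: Snort's sfPortscan preprocessor (generator ID 122) writes its findings as pseudo-packets, which the Snort manual describes as IP protocol 255 with TTL 0 and a payload holding the portscan information, so a record in this layout is Snort's own log entry rather than a packet captured on the wire. The Python below parses the alert layout shown in the post and checks those markers; the sample addresses are constructed documentation addresses, the function names are hypothetical, and reading `dlen` as the IP total length is an assumption that matches the sample.

```python
import re

# Constructed sample: the alert layout from the post, with documentation
# addresses (RFC 5737 / RFC 1918) substituted for the redacted ones.
SAMPLE = """\
#(1 - 42473) [2007-05-14 14:59:53] [snort/122:27]  (portscan) Open Port
IPv4: 203.0.113.10 -> 192.168.1.20
    hlen=5 TOS=0 dlen=35 ID=50276 flags=0 offset=0 TTL=0 chksum=20299
Payload:  length = 15

000 : 4F 70 65 6E 20 50 6F 72 74 3A 20 31 33 39 0A      Open Port: 139.
"""

SFPORTSCAN_GID = 122  # generator ID used by the sfPortscan preprocessor


def parse_alert(text):
    """Extract generator/signature IDs, IP header fields and payload bytes."""
    gid, sid = map(int, re.search(r"\[snort/(\d+):(\d+)\]", text).groups())
    src, dst = re.search(r"IPv4:\s*(\S+)\s*->\s*(\S+)", text).groups()
    fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", text)}
    payload = bytearray()
    for line in text.splitlines():
        # Hex dump rows: offset, " : ", then space-separated byte pairs.
        m = re.match(r"\s*[0-9A-Fa-f]{3,} : ((?:[0-9A-Fa-f]{2} )+)", line)
        if m:
            payload += bytes.fromhex(m.group(1).replace(" ", ""))
    return {"gid": gid, "sid": sid, "src": src, "dst": dst,
            "fields": fields, "payload": bytes(payload)}


def is_sfportscan_pseudo_packet(alert):
    """True when the record looks like sfPortscan's own log entry, not wire traffic."""
    f = alert["fields"]
    header_len = f["hlen"] * 4  # hlen is counted in 32-bit words
    # Assumption: dlen is the IP total length (header + payload).
    return (alert["gid"] == SFPORTSCAN_GID and f["TTL"] == 0
            and f["dlen"] == header_len + len(alert["payload"]))


def reported_open_port(alert):
    """Return the port number carried in the text payload, or None."""
    m = re.match(rb"Open Port: (\d+)", alert["payload"])
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["src"], "->", alert["dst"],
          "pseudo-packet:", is_sfportscan_pseudo_packet(alert),
          "open port:", reported_open_port(alert))
```

Records flagged this way are annotations attached to an earlier portscan alert, so the packets to check against the pfSense rules are the ones behind that original alert.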

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.