[HELP] Firewall Rule causes remote IP blockout

  • Hello,

    I am relatively new to this forum and we have been using PFSense for our servers mainly as a firewall. We have been affected by medium-level DoS attacks on our servers until recently, when we moved on to PFSense to handle them.

    We are running PFSense in a virtual environment. We have 2 Linux VMs that are running mission-critical applications for stock and forex trading. These services listen on 2 different ports in the Virtual Machines, which are port forwarded from the PFSense WAN.

    So the Setup is basically like WAN:8080 -> and WAN:8081 ->

    We require basic protection from port flooding, hence we have used the following setup for the Firewall Rules for each of the Port Forwarding entries.

    Maximum Connections Per IP Source: 5
    Maximum Connections: 3 Connections per 1 Second.

    The setup is working fine and we have tried to flood the ports with garbage by trying to open 1000 connections each second, but only 5 of the connections made it through. However, there is a strange problem that we have been investigating for days. When a connection is established from the WAN, the user has to provide his login credentials. If the credentials are wrong, the connection is dropped and the client re-establishes a new connection. But when the user happens to enter a wrong password 5 times or more in a row, the 6th time it doesn't connect, even though the connections are being dropped by the server after each consecutive login attempt. Strangely, after this happens, PFSense blocks all kinds of communication from the Source IP of the user, preventing him from pinging the server or using the Client Software. The Source IP couldn't communicate with the PFSense IP or IP Alias at all for a period of a few hours or even days. The only way we could restore the connectivity and enable the client to use the services is to reboot the PFSense OS, which is not an ideal solution for our mission-critical application. There are no logs reflecting in the System or Firewall Logs pertaining to the IP block; however, I have noticed that there are State Entries with the TIME_WAIT flag, which is strange since I am 100% sure that the connections are being dropped on the server side itself. Even removing the states or having them time out doesn't restore the connectivity. We either have to wait and pray for the connectivity to be restored or reboot the OS.

    The users who have actually managed to login are having NO problems whatsoever. I have tried removing the firewall advanced rules mentioned above and everything worked great, but this defeats the purpose of us having to use PFSense. I was assuming maybe PFSense has an inbuilt feature wherein it would blacklist the IPs that are not following the NAT Rules, but I haven't found any setting in PFSense that could control that. If there is one, I really wanted to bring the timeout down to about 4-5 minutes rather than hours which is currently the case here.

    Please help me with my issue.

    Thank you.

  • I guess I haven't googled well enough or used the correct keywords. Turned out to be virusprot that was blocking the accounts. Strangely enough, the New Connections per second is responsible for triggering it. The Maximum connections per host doesn't have any blockout issues.

  • You can also install the cron package to edit how often the virusprot table cleanup is run.

  • I have come across your post about the cron and how to configure it for a 2-minute timeout. But the problem is that the IP is getting blocked entirely, which breaks existing legitimate connections, since what we are experiencing is not any DoS attempt. It's just people who are repeatedly entering a wrong password, either willingly or by mistake.

    So far I have got around this issue by removing the Maximum Connections per second limit, which seems to be triggering the virusprot and not the Maximum Connections per Source IP.
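As an added example (not from any poster in this thread), a small sh script for the pfSense shell that makes the virusprot behaviour described above visible and reversible without a reboot: it checks whether an address is in the `virusprot` table, removes it and kills its states, or expires old entries the way a cron cleanup would. The table name comes from the thread; the `pfctl` table and state commands are standard pf, and the sample table output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Helper for the pfSense shell. The "max new connections per second" rule
# option hands offending source addresses to pf's overload table "virusprot";
# everything from such an address is then dropped until the entry expires.

# Pure check: reads `pfctl -t virusprot -T show` output on stdin and exits 0
# when $1 is listed. pfctl prints one address per line, indented.
virusprot_lists() {
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# Ask pf whether the address is currently in the table.
virusprot_check() {
    pfctl -t virusprot -T show | virusprot_lists "$1"
}

# Release one address: drop it from the table, then kill the states it still
# holds (the stale TIME_WAIT entries seen in the thread otherwise linger).
virusprot_release() {
    ip="$1"
    pfctl -t virusprot -T delete "$ip"
    pfctl -k "$ip"
}

# Expire every table entry older than $1 seconds (pf's own table command),
# the same kind of cleanup a cron job would run every few minutes.
virusprot_expire() {
    pfctl -t virusprot -T expire "$1"
}

# Usage: ./virusprot.sh check 203.0.113.9 | release 203.0.113.9 | expire 300
if [ "$#" -gt 0 ]; then
    case "$1" in
        check)   if virusprot_check "$2"; then echo "$2 is in virusprot"; fi ;;
        release) virusprot_release "$2" ;;
        expire)  virusprot_expire "${2:-300}" ;;
    esac
fi
```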