Rule not blocking traffic from IP like other IPs are

smackYYZ

Okay this one has baffled me.

I have a rule for blocked IP ranges (aliased), I've added the subnet for someone who is doing a register flood to my voip server which is behind pfsense. Normally we just add the IP or IP range to one of our aliases and they are blocked.

But this one is still passing through, and not showing in firewall log , but if I run network capture or pftop I can see the traffic.

Any ideas or additional info you may need ?

Here is an example packet:

10:32:06.031374 00:0e:84:6b:d6:00 > 00:30:48:b1:20:fa, ethertype IPv4 (0x0800), length 366: (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto UDP (17), length 352)
   216.144.240.196.6105 > 64.34.xxx.xxx.5060: [udp sum ok] SIP, length: 324
REGISTER sip:64.34.xxx.xxx SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:6105;branch=z9hG4bK-2196818679;rport
Content-Length: 0
From: "2" sip:2@64.34.xxx.xxxAccept: application/sdp
User-Agent: friendly-scanner
To: "2" sip:2@64.34.xxx.xxxContact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 3708385640
Max-Forwards: 70

0x0000:  5245 4749 5354 4552 2073 6970 3a36 342e
0x0010:  3334 2e31 3538 2e31 3639 2053 4950 2f32
0x0020:  2e30 0d0a 5669 613a 2053 4950 2f32 2e30
0x0030:  2f55 4450 2031 3237 2e30 2e30 2e31 3a36
0x0040:  3130 353b 6272 616e 6368 3d7a 3968 4734
0x0050:  624b 2d32 3139 3638 3138 3637 393b 7270
0x0060:  6f72 740d 0a43 6f6e 7465 6e74 2d4c 656e
0x0070:  6774 683a 2030 0d0a 4672 6f6d 3a20 2232
0x0080:  2220 3c73 6970 3a32 4036 342e 3334 2e31
0x0090:  3538 2e31 3639 3e0d 0a41 6363 6570 743a
0x00a0:  2061 7070 6c69 6361 7469 6f6e 2f73 6470
0x00b0:  0d0a 5573 6572 2d41 6765 6e74 3a20 6672
0x00c0:  6965 6e64 6c79 2d73 6361 6e6e 6572 0d0a
0x00d0:  546f 3a20 2232 2220 3c73 6970 3a32 4036
0x00e0:  342e 3334 2e31 3538 2e31 3639 3e0d 0a43
0x00f0:  6f6e 7461 6374 3a20 7369 703a 3132 3340
0x0100:  312e 312e 312e 310d 0a43 5365 713a 2031
0x0110:  2052 4547 4953 5445 520d 0a43 616c 6c2d
0x0120:  4944 3a20 3337 3038 3338 3536 3430 0d0a
0x0130:  4d61 782d 466f 7277 6172 6473 3a20 3730
0x0140:  0d0a 0d0a</sip:2@64.34.xxx.xxx></sip:2@64.34.xxx.xxx>

smackYYZ

okay I still could not get pfsense to block these packets.

But discovered it was caused by malware called sipvicious. Found this resource http://kb.smartvox.co.uk/asterisk/friendlyscanner-gets-aggressive/ and followed it.

Worked like a charm, but still does not explain why pfsense could not block the udp packets.

GruensFroeschli

Most probably your rule didn't match the traffic.

To debug this you could enable logging for the allow rule you have on the interface.
Now look at the allowed packets and see what source/destination/port/whatever it has.

smackYYZ

@GruensFroeschli:

Most probably your rule didn't match the traffic.

To debug this you could enable logging for the allow rule you have on the interface.
Now look at the allowed packets and see what source/destination/port/whatever it has.

That was the strange part of it. I have logging turned on for all my rules, and these packets did not show up. I could see the traffic using pftop and with packet capture I could capture the packets.

I've been using blocking rules successfully for years, so I know my rules were correct. I have set rules for hosts  and a separate one using aliases.
I added both the ip and the subnet to both rules aliases and there are rules that are operational and have worked in the past.

Only thing I can think of is that the initial traffic which was allowed and possible hit a rule that at the time did not have logging turned on ( all do/did once I started researching), continued due to some matching rule that allowed in through and was not flushed when new rules were applied. This could have been caused by the constant 60 or more packets per second.

Mike