<![CDATA[Firewall log, is this attack or?]]>Hello, i have a question about the security and my settings that i'm using in Pfsense.
I'm only using it for 2 weeks, for now i think that i  understand most i'm doing but not for sure.

When i look into my firewall log, i see like 100 different ip's trying to connect to my network in some hours time..
At some point i see that in one minute various different hosts trying to connect on my ip using port 61504 UDP.
When i lookup that hosts, i see they are from asia, but those are blocked by Pfblocker.

Ports they trying to connect to:

26782 UDP
445 TCP:S
1214 UDP <- also happens alot
1214 TCP:S
23 TCP:S
1433 TCP:S
137 UDP
and some more

One ip spammed the log also +- 50x from source port 37 to 169.254.255.255:137 UDP

Since this night i got 400 logs like those above.

I also have a mailserver in my network, all needed ports are open to that server, 25-143-993-465, also port 80 for webmail.
I noticed that my mailserver blocked 6 hosts in the last weeks trying to login tho the webmail.

I have no packets installed, only PFblocker with active lists:

  • top spammer
  • whole africa
  • whole Asia
  • I-blocklist spyware
  • I-blocklist hijacked
  • I-blocklist microsoft

Do i need to do something?

Sorry for bad english and thanks in advance.

Stijn

]]>https://forum.netgate.com/topic/54698/firewall-log-is-this-attack-orRSS for NodeSun, 08 Mar 2026 09:49:49 GMTFri, 29 Mar 2013 09:38:25 GMT60<![CDATA[Reply to Firewall log, is this attack or? on Fri, 29 Mar 2013 14:15:26 GMT]]>It's normally at random. If I pasted my blocked logged for just a couple minutes I'd have to use pastebin which even then their free limit might be reached. I normally do not monitor blocked traffic until I'm diagnosing an issue.

]]>https://forum.netgate.com/post/387228https://forum.netgate.com/post/387228Fri, 29 Mar 2013 14:15:26 GMT<![CDATA[Reply to Firewall log, is this attack or? on Fri, 29 Mar 2013 12:39:55 GMT]]>Hi,

cannot say much about the other ports but 169.254.x.x looks like APIPA addresses for hosts which did not get an address by DHCP.
http://en.wikipedia.org/wiki/Link-local_address

And if you are running a server with open ports for mail and http I think it is very common that you get many tries from bots on the internet which check for available services.

]]>https://forum.netgate.com/post/387214https://forum.netgate.com/post/387214Fri, 29 Mar 2013 12:39:55 GMT