Netgate Discussion Forum

    Firewall log, is this attack or?

    Firewalling
    • stijndp

      Hello, I have a question about the security and my settings that I'm using in pfSense.
      I've only been using it for 2 weeks; for now I think that I understand most of what I'm doing, but I'm not sure.

      When I look into my firewall log, I see like 100 different IPs trying to connect to my network within a few hours.
      At some point I see that in one minute various different hosts are trying to connect to my IP using port 61504 UDP.
      When I look up those hosts, I see they are from Asia, but those are blocked by pfBlocker.

      Ports they are trying to connect to:

      26782 UDP
      445 TCP:S
      1214 UDP <- also happens a lot
      1214 TCP:S
      23 TCP:S
      1433 TCP:S
      137 UDP
      and some more

      One IP also spammed the log +- 50x from source port 37 to 169.254.255.255:137 UDP

      Since this night I got 400 logs like those above.

      I also have a mail server in my network; all needed ports are open to that server, 25-143-993-465, and also port 80 for webmail.
      I noticed that my mail server blocked 6 hosts in the last weeks trying to log in to the webmail.

      I have no packets installed, only pfBlocker with active lists:

      • top spammer
      • whole Africa
      • whole Asia
      • I-blocklist spyware
      • I-blocklist hijacked
      • I-blocklist microsoft

      Do I need to do something?

      Sorry for bad English and thanks in advance.

      Stijn

      • Nachtfalke

        Hi,

        I cannot say much about the other ports, but 169.254.x.x looks like APIPA addresses for hosts which did not get an address by DHCP.
        http://en.wikipedia.org/wiki/Link-local_address

        And if you are running a server with open ports for mail and HTTP, I think it is very common that you get many tries from bots on the internet which check for available services.

        • Guest

          It's normally at random. If I pasted my blocked log for just a couple of minutes, I'd have to use pastebin, and even then their free limit might be reached. I normally do not monitor blocked traffic until I'm diagnosing an issue.
