Pfblocker problem

  • My setup is:

    Verizon Actiontec router – this DHCP's an IP to my pfsense box, a couple laptops, Iphone and 3 set top boxes.

    Through troubleshooting recently, I found that when I use pfblocker and deny inbound for every country, we have an Iphone that will not connect to the Verizon router. However, that iphone is getting an ip from the Verizon router so I don't understand how what I do on the pfsense box would affect that or any other devices. Is pfsense really that powerful that it can put itself in front of another firewall router that it's getting it's ip address from?

    This is incredible to me.  That was just with incoming and If I let the phone on by removing my blocks by making it just incoming the iphone gets a connection although it is a slow one and then when I finally blocked both the iphone was totally blocked. Maybe I don't need a wireless card after all if pfsense works like this.

    I guess the main question is:

    okay there's a coax coming from the ONT box coming from the Verizon ISP going to a Verizon router/firewall(if you can call it that). Then I have just one Ethernet cable coming out of that router, going to my pfsense box to protect just my pc because I love to experiment and I'd rather leave the other computers out of it until I feel competent enough to have them on.  Is this possible or is pfsense really that dominant?

  • Banned


    I found that when I use pfblocker and deny inbound for every country, we have an Iphone that will not connect to the Verizon router. … This is incredible to me.

    Dude, why don't you just use the ultimate HW firewall?

    ::) ::) ::)

  • Picture number two is hardware mod SNORT equivalent ;)?

  • Banned


    Picture number two is hardware mod SNORT equivalent ;)?

    Can be used as such. You just need to leave the green wire. Only good traffic comes on the green one.  ;D :D 8)

  • I cut the green ones also - Just to be sure.
    Never been hacked yet.

    But I suppose blocking all countries also works also just so long as you keep your servers and clients on the moon.

  • Cmellons - We are teasing abit because the entire point of internet is connectivity.  If you block literally everything, you have no internet.  I would block little if anything.  Its much easier to just close unused ports, un-install software on computers that cause security problems and use strong passwords or certs for any services / servers you have running on your IPs.

    If you have a pretty good firewall and don't make a habit of installing all kinds of "cool stuff" you find at sketchy sites on the web, you probably won't be getting hacked or anything.

    Being too blocky is counter-productive.

  • Banned

    Just wondering what is the memory usage with the "block every country". :D

  • haha I kind of figured that you were teasing but it was entertaining.

    I am no longer blocking every country. Instead I look at the logs in my Verizon router for remote administration attempts and then block accordingly in pfsense. Quite a few come from China so they are pretty much done. Same with Russian Federation and Brazil. Only a few from Japan. What could they all be trying to do anyways? The port that I see the most often is 6000 on their end going to port 23 on my end and I don't have telnet so what is it?

    My turn:)

    How much memory usage for blocking every country? This is embarrassing okay. On my pfsense box it's totally overkill because the parts are from a previous gaming machine. Don't laugh!!

    750 watt TT evo Blue psu

    AMD Phenom II 965 BE running at 3600Mhz (using powerD keeps it at 800Mhz most of the time so it cuts down on the power usage)

    Kingston DDR3 1333Mhz ram 8Gb

    HD Radeon 6850 1gb (doesn't even matter but I didn't have an integrated gpu so it had to do.)

    So it's around 5% usage. With Snort running full blast I had it up to 90% usage one time but then I cut back my rules and it hovered around 50%.

    I had to get rid of snort anyways. For now because I sort of told one of the admins at a game server(wolfenstein et) that I play at what snort had found and he didn't want me leaking that information so I got banned lol. Let's just say I put a little salt on the worm and it's not feeling too good right now.

    I'm sure that Snort does have false positives, however I did look up what it had found and it wasn't just one thing(everything that it found was a perfect match for all the symptoms of Storm). The first thing it starts with is kademelia handshake, then Conficker-C, some more bogus handshakes with Kademelia and then some request from the edonkey network and I don't use p2p file sharing so I found it to be very odd. Then the next day I came back to play again(this is way before I got banned) .

    So anyways,  since I was doing a little tracing I just added suppression filters for everything and then this thing called storm comes through. I'm like storm? what is this? Then I looked it up and apparently it was something to do with bad emails and it was very serious. So then I was like how did this get on the game sever and then I thought back to edonkey(don't have edonkey but somehow it was wanting handshakes).  That would be the only explanation because it would have to be an email attachment otherwise or not even that probably. I bet it was one that just had to be in your inbox to go off. What sparked my curiosity? Well my mouse started acting weird. A few times the Y axis(up and down) would be the only one working. Then I blocked the conficker C + storm and the mouse was fine again. After about five minutes of playing I would get 999(timing out) kicked from the server(for blocking the malware!!) so in order to play I had to leave myself vulnerable. It's what I get for playing free games. I should have left that game when punkbuster support left it. They left for a reason and I'm sure that was part of it because it's just a hackers haven now. Saddening for me because I have been playing for quite a few years and now it is coming to an end.

    On a brighter note though. I have to say that my inspiration came from suspicion of what I did find and it's actually helping me to learn pfsense with extra determination.

  • You can do alot with that computer with 4 discrete cores and 8GB.  You probably don't need more than 4GB and 2 cores for PFsense, so you could install esxi hypervisor, run pfsense as VM and use the remaining two cores and 4GB for 1 or 2 servers for yourself.  Its not a monster machine, but you could easily get double or triple duty out of it.

  • I would do that but there is something wrong with the motherboard that has to do with the graphics going from 2d to 3d. So I'm assuming that it's the pcie 16x slot. The 6850 does work on another motherboard that I have and it worked on the previous one for a very long time so it has served it's time with many call of duty and battlefield games. It's seen a lot of heat in other words. I'm saving up for an Asus board for my main gaming system and then I'll give my gigabyte 970a to my pfsense box. Gigabyte just never showed that board any love. They stopped updates on a beta update so that alone tells me that the board is probably missing something that they will not disclose. The biggest issue that I have with the 970a is the load line calibration and all the extra voltages that were not on my 770t. It just makes it a big complicated mess and I did spend a whole day just fooling with voltages, trying to get it to pass a few prime 95 tests but no. It would not pass unless I turned on Loadline Calibration. Which meant that everything is going to be overvolted further than it needs to be and components lifespan will shortened as a result. I want to build a system like a professional so I'm actually going to start researching how they do it at cyberpower and ibuypower. What makes a pc ready for a customer? That kind of thing.

  • If you have some enormous power gobbling heat generating graphics card in there, feel free to pull it and replace it with the cheapest, oldest, most low power NVIDIA card you can lay your hands on that will give you a VGA console.  PFsense doesn't need 3D graphics and neither does a file server, for example.  You can also under-clock that CPU down to 2.5GHZ or so to make it run cooler and be less volt-hungry and reliable.

    I have one of those processors running in a kids computer here.  In its stock configuration, its an oven.  It will run at 60C under load normally with its stock heatsink, which is a big heavy chunk of copper and aluminium.

  • That's understandable. Thanks for the assistance. I may have to try cutting that green wire. (says to himself, where are my klines?)

  • @doktornotor:

    Just wondering what is the memory usage with the "block every country". :D

    What's so unusual about setting pfBlocker to deny inbound for every country? That's how I run it and always have.

    It only blocks unsolicited inbound traffic, which is the default pf firewall action anyway. It's when you set it to deny outgoing where you get into connection difficulties.

    To answer your question, 8% of 2GB RAM on my 2.6GHz P4 pfSense 2.0.3-RELEASE box, but I have a lot of rules, so I don't really know how much of that is committed to pfBlocker.

  • Banned


    It only blocks unsolicited inbound traffic, which is the default pf firewall action anyway.

    That's not how it works…

    block  in log  quick  on $WAN reply-to ( vr1 x.x.x.x )  from $pfBlockerAlias to any  label "USER_RULE: pfBlockerAlis auto rule"

Log in to reply