Blocking rule using network alias



  • After the alias I use to block bad IP addresses would not allow any more
    entries of IP addresses, I decided to make a second alias to continue adding
    more IP addresses as I find them trying to hack my websites or SSH hacking.
    I discovered that the second list was not blocking the IPs because they continued
    to show up in my logs or fail2ban emails. I also noticed that China IPs were
    the majority of the fail2ban reports, so I tried making a network alias and added
    the IPs in /8 format, i.e. 218.2.0.0/8. Again, I was still getting SSH bans for IPs
    in that range. I did reset the state table after adding these aliases.

    Anyone have any idea why this might be happening?

    The version of pfSense is 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009



  • 218.2.0.0/8 is not a valid subnet - that would be 218.0.0.0/8 (if you are really intending to block the whole of 218)
    You do not mention it, but I guess you added firewall rule/s to WAN to block using the alias as source?
    That should work fine on 1.2.3 - but there are good support reasons to move to V2.1, not too many people can remember 1.2.3 any more  ;)
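    One way to catch the mistake above before the alias goes live, as an added example that is not part of this thread or of pfSense itself: check each alias entry as a strict CIDR (host bits must be zero), then confirm that the IPs in fail2ban ban lines actually fall inside a valid entry. The alias entries and log lines are constructed for illustration.

    ```python
    import ipaddress
    import re

    # Constructed alias entries modelled on the thread; 218.2.0.0/8 has host bits
    # set and is exactly the invalid entry the reply points out.
    ALIAS_ENTRIES = ["218.2.0.0/8", "61.147.0.0/16", "61.155.0.0/16", "60.0.0.0/8"]

    # Constructed fail2ban-style ban lines (not real reports).
    BAN_LINES = [
        "2009-12-07 10:11:12,345 fail2ban.actions: WARNING [ssh] Ban 218.2.77.1",
        "2009-12-07 10:12:40,001 fail2ban.actions: WARNING [ssh] Ban 61.147.10.5",
        "2009-12-07 10:13:02,777 fail2ban.actions: WARNING [ssh] Ban 60.1.2.3",
    ]
    BAN_RE = re.compile(r"\bBan (\d{1,3}(?:\.\d{1,3}){3})\b")

    def check_entry(entry):
        """Return (network_or_None, note). strict=True rejects a CIDR whose host
        bits are not all zero; the note says what masking would turn it into."""
        try:
            return ipaddress.ip_network(entry, strict=True), "ok"
        except ValueError:
            masked = ipaddress.ip_network(entry, strict=False)
            return None, f"host bits set; /{masked.prefixlen} masks to {masked}"

    def covering_entries(entries, ip):
        """Valid alias entries (as strings) that contain the address ip."""
        addr = ipaddress.ip_address(ip)
        return [str(net) for net, _ in map(check_entry, entries)
                if net is not None and addr in net]

    def uncovered_bans(entries, lines):
        """Banned IPs from fail2ban lines that no valid alias entry covers."""
        ips = [m.group(1) for line in lines for m in [BAN_RE.search(line)] if m]
        return [ip for ip in ips if not covering_entries(entries, ip)]

    if __name__ == "__main__":
        for e in ALIAS_ENTRIES:
            print(f"{e:16} {check_entry(e)[1]}")
        print("not covered by any valid entry:", uncovered_bans(ALIAS_ENTRIES, BAN_LINES))
    ```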



  • Whoops.
    I had several 61.x.0.0/16 where x are different octets such as 147, 155 etc.
    and 60.x.0.0/16. I had changed them to 61.0.0.0/8 and 60.0.0.0/8 then recently
    added that 218.2.0.0/8 where I used /8 by mistake rather than /16. Incidentally, I
    was still receiving fail2ban reports for 60.x.x.x and 61.x.x.x anyhow before adding
    the 218.2.0.0. I was getting so many different 60.x.x.x and 61.x.x.x that I was trying
    to see if changing it to a /8 would eliminate all 60 and 61, which it had not. This led
    me to believe that the block rule was not working for whatever reason. My original
    block alias worked until it stopped accepting new entries. I guess there is a limit on
    the number of individual entries an alias can contain.

    Whenever there is a large hit on the spam bot population, SSH attacks rise, primarily
    from China. I don't want to block China entirely, just the IPs used to probe for SSH
    servers to hack.

    I had considered upgrading to V2.x a while back, but it was still in beta and I have
    two WANs and two LANs, so I chose to stick with the one I have that took quite a while
    to get to work like I wanted.