Problem excluding hosts within 'excluded subnets'.



  • Hi

    I have a small web site which experiences lots of probes searching for exploits.
    I've started using pfSense rules to exclude various subnets and it has reduced the probes 'getting through' considerably.

    However, I still find probes in the web logs supposedly coming from addresses within subnets I've excluded.
    I have no idea how this is happening or how to track the problem down.
    Any advice would be gratefully received.

    Details.

    I use port forwarding to my website (port 80) only on 10.1.1.1.
    I have an alias list which is used to hold all the IP addresses and subnets I want to exclude.
    Then I use two separate rules (IPv4 and IPv6) to exclude traffic on all protocols from any hosts on the alias list.
    On the pfSense 'rules' page the source is set to 'any' and the destination is set to: 'Type: single host or alias' and 'address: suspicious list'.

    However, I still get entries in my web logs from excluded sites.

    Example:

    I've excluded subnet 5.0.0.0/8, which I thought would exclude anything originating from 5.*.*.*.
    However here is a packet capture containing traffic from my webhost to 'excluded sites':

    05:11:44.977844 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:44.978079 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 0
    05:11:45.018512 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:45.057653 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 421
    05:11:45.057980 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 0
    05:11:45.286131 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 1440
    05:11:45.286380 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 1440
    05:11:45.286439 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 64
    05:11:45.327408 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:45.327852 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:45.327892 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:45.367875 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    05:11:45.367961 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 0
    05:11:45.408149 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
    06:39:40.007689 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.007991 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 0
    06:39:40.079975 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.080159 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 300
    06:39:40.080342 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 0
    06:39:40.344432 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 1398
    06:39:40.344867 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 1398
    06:39:40.344984 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 1398
    06:39:40.345062 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 1398
    06:39:40.345123 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 98
    06:39:40.417889 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.418132 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.418361 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.418935 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.419282 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.419338 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.419372 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    06:39:40.419419 IP 10.1.1.1.80 > 5.255.253.159.37637: tcp 0
    06:39:40.491315 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
    09:37:15.418878 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.418968 IP 10.1.1.1.80 > 5.255.253.159.41503: tcp 0
    09:37:15.490868 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.491109 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 193
    09:37:15.491271 IP 10.1.1.1.80 > 5.255.253.159.41503: tcp 0
    09:37:15.491772 IP 10.1.1.1.80 > 5.255.253.159.41503: tcp 1398
    09:37:15.491849 IP 10.1.1.1.80 > 5.255.253.159.41503: tcp 480
    09:37:15.564349 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.564971 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.565047 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.565213 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
    09:37:15.565232 IP 10.1.1.1.80 > 5.255.253.159.41503: tcp 0
    09:37:15.636693 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0

    Thanks in advance

    Charlie101



  • On the pfSense 'rules' page the source is set to 'any' and the destination is set to: 'Type: single host or alias' and 'address: suspicious list'.

    If you want to block access from IPs or subnets in the list you have to enter the list in the source area! The destination is the internal IP of your webserver.

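To make the source/destination point concrete, here is a small rule evaluator (added here as an illustration, not code from the thread or from pfSense) that replays the first packet of each connection from the capture above against three rule sets: the poster's original rule with the alias in the destination field, viragomann's correction with the alias in the source field, and the corrected rule placed below the port-forward pass rule. The alias names, the pass rule for the port forward, the extra 198.51.100.7 client and the first-match semantics are assumptions modelled on pfSense's default behaviour (interface rules are evaluated top-down, first match wins, default deny; reply packets match the existing state and are not re-evaluated against the rules).

```python
import ipaddress
import re

# Constructed sample: the first packet of each connection in the poster's
# tcpdump output, one reply from the web server, and one made-up legitimate
# client (198.51.100.7), all in the same tcpdump line format.
CAPTURE = """\
05:11:44.977844 IP 5.157.47.158.34019 > 10.1.1.1.80: tcp 0
05:11:44.978079 IP 10.1.1.1.80 > 5.157.47.158.34019: tcp 0
06:39:40.007689 IP 5.255.253.159.37637 > 10.1.1.1.80: tcp 0
09:37:15.418878 IP 5.255.253.159.41503 > 10.1.1.1.80: tcp 0
10:02:01.000000 IP 198.51.100.7.51000 > 10.1.1.1.80: tcp 0
"""

# Alias names are assumed; 5.0.0.0/8 is the excluded subnet from the post.
ALIASES = {
    "suspicious_list": ["5.0.0.0/8"],
    "webserver": ["10.1.1.1/32"],
}
WEBSERVER = ipaddress.ip_address("10.1.1.1")

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp"
)

def parse_capture(text):
    """Turn tcpdump-style lines into packet dicts with a WAN direction."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        pkts.append({
            "src": ipaddress.ip_address(m["src"]),
            "dst": dst,
            "dport": int(m["dport"]),
            # Traffic addressed to the web server is entering on WAN ('in');
            # everything else here is the server's reply going out.
            "dir": "in" if dst == WEBSERVER else "out",
        })
    return pkts

def matches(addr, spec):
    """spec is 'any', an alias name, or a CIDR string."""
    if spec == "any":
        return True
    return any(addr in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))

def first_match(pkt, rules):
    """Interface rules: first matching rule wins; no match means default deny."""
    for rule in rules:
        if rule["dir"] != pkt["dir"]:
            continue
        if not (matches(pkt["src"], rule["src"]) and matches(pkt["dst"], rule["dst"])):
            continue
        if rule.get("dport") not in (None, pkt["dport"]):
            continue
        return rule["action"]
    return "block"

# Pass rule of the kind pfSense adds for a port forward to 10.1.1.1:80.
PASS_80 = {"dir": "in", "action": "pass", "src": "any", "dst": "webserver", "dport": 80}

# Poster's rule: alias in the *destination* field. Inbound probes are addressed
# to 10.1.1.1, never to 5.0.0.0/8, so this rule can never match them.
WRONG = [{"dir": "in", "action": "block", "src": "any", "dst": "suspicious_list"}, PASS_80]
# viragomann's correction: alias in the *source* field, web server as destination.
RIGHT = [{"dir": "in", "action": "block", "src": "suspicious_list", "dst": "webserver"}, PASS_80]
# Same correct rule, but ordered *below* the port-forward pass rule.
RIGHT_BELOW = [PASS_80, RIGHT[0]]

def inbound_verdicts(rules, text=CAPTURE):
    """Map each inbound source IP to the action the rule set gives it.
    Only inbound packets are evaluated: in pf the reply from 10.1.1.1 matches the
    state created by the first packet and is not compared against the rules."""
    return {str(p["src"]): first_match(p, rules)
            for p in parse_capture(text) if p["dir"] == "in"}

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG), ("right", RIGHT), ("right_below", RIGHT_BELOW)):
        print(name, inbound_verdicts(rules))
```

Running it shows the poster's rule passing every probe from 5.0.0.0/8 (the alias sits in a field that inbound packets can never satisfy), the corrected rule blocking them while still passing the ordinary client, and the corrected rule placed beneath the port-forward pass rule being reached by nothing on port 80. Ordering matters in the pfSense GUI for the same reason: the block rule has to sit above the pass rule that the NAT port forward created.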


  • Hi viragomann

    Thanks for your reply.
    I had two rules, one for inward and one for outward bound, but they were only IPv4.
    When I added the IPv6 rules I somehow ended up with an IPv6 rule blocking inward only and an IPv4 rule blocking outward only.

    I've now added pfBlocker, which I find much quicker and more convenient for entering IP addresses and subnets.

    Thanks again for your help.

    Charlie101

