Can Pfsense block outgoing virus activity?



  • I have free wifi set up at my coffee shop, using regular linksys router.

    My isp suspends my account whenever someone using the free wifi has a virus on their device. My isp is now threatening to suspend my account for a month if this happens again.

    My isp cannot actually detect the virus themselves. What is happening is when a certain virus tries to update itself, they end up contacting an IP address that has been sinkholed by abuse.ch. The abuse.ch website logs the IP address, which is sent to a third party website that contacts my isp several days later. Upon receiving this log, my isp suspends my internet account.

    My isp recommends that I run an antivirus on all my computers. They don't understand that this is a free wifi, and these devices don't actually belong to me.

    I cannot simply ban the infected computer from my network, because I don't find out that there was an infected device on my network until several days later when my isp contacts me.

    I am thinking of putting in a pfsense box.

    Can pfsense block viruses from getting internet access?
    Can pfsense block viruses like Kins and Zeus, if they were on an infected device that was brought onto my network?
    What percentage of viruses/trojans/worms/bots is pfsense not able to block, i.e. get through?
    How much will throughput suffer if outgoing internet traffic is scanned for virus activity?



  • Perhaps not a perfect solution, but you could use a package like pfblocker to blacklist the outgoing IP addresses.

    This option will rely on you updating the list of banned IPs on pfblocker to the same one your ISP gets notified about.



  • Hi,

    I am thinking that your ISP or abuse.ch is only seeing your external IP address not the internal client IP?

    The only 2 options I can think of are to:

    1:  Get a new broadband provider who doesn't block so easily

    2:  Use the Snort package to listen on the internal LAN and WAN interface.

    No guarantee that the selectable signatures from snort will include the IP address of where your wifi guests are trying to connect to.  But you have options to block (temporarily or permanently) the source or destination IP address.  Source I would think in this case is your wifi guest and Destination is the IP the virus wants to get its updates from.

    I only scan the WAN connection and not LAN so I am not 100% on what  I've said but it is worth investigating.

    So scanning the WAN will block connections coming into your wifi.  Scanning LAN will block clients getting out the internet.

    1 gripe I can think of is that you could end up completely blocking your wifi guests if they are detected sending or receiving virus stuff, so that will mean you'll be constantly asked "why can I not get to the internet, email etc" by customers... so this could take up your time and/or lose customers.



  • In some cases pfsense can block outgoing virus activity because usually there is a specific port if you're lucky. So, setting up the rules appropriately can help to alleviate some virus/trojan activity. I use the rules that are used by huge corporations. The basic rule in those places is to only allow what you need.

    That way if one of the PCs is infected with something like this where the port is 6000, nothing can get by unless you're allowing it. I wouldn't even allow proxies but that's another ballgame altogether.

    http://www.speedguide.net/port.php?port=6000

    Some ports have multiple uses as you can see on the link that I provided. It's up to you to decide whether any of those services need to be run on your network.

    I'll show you my firewall rules just to demonstrate what I believe to be a good set of rules. On second thought they are all aliases so I'll just type them here.

    1st, I used this guide to help me and then I added my own twist.

    https://doc.pfsense.org/index.php/Example_basic_configuration

    This is very important. After all of the rules are created go and uncheck the anti-lockout rule. You can just click on the E or edit button in the Lan rules.

    Make an alias for all of the basic TCP ports that are needed just for connectivity, which is 80, 443, 21, and you may need others but that's all I need. Then for DNS you want to add something like OpenDNS or whatever you like to the General tab. Then you want to create a rule that does not need an alias btw because it's by itself: TCP/UDP Lan net to Lan address port 53, or select DNS from the drop down list. Note: You will only be able to do this after adding DNS servers to the General tab. If you don't add those DNS servers then what you're stuck with is a rule like this: TCP/UDP Lan net to anywhere port 53, because a rule like Lan net to Lan address will not work without entering DNS servers manually in the General tab, meaning that you won't have any connection. I don't know about you but I don't want my DNS servers to be able to just go anywhere.

    I would also recommend making a similar rule for the pfsense web gui. Make a custom port in Advanced. Find your way to it. After doing that, make a rule like this: Lan net to Lan address (or you could even use the domain name of the pfsense box for the destination) and then put whatever custom port that you have chosen. That way your web gui is no longer tied to a port that can also go out to the internet. Maybe it's not even necessary but it helps me to sleep at night.

    One other thought before the next port. Keep peer to peer software off of your network. They will eat all of your bandwidth and end up costing you big bucks.

    For NTP, the time protocol, make an alias for that too even if it's just one port. It's UDP 123.

    When you're making firewall rules it is best to keep it neat and not too lengthy and pfsense is wonderful for that. If you look in the docs there is an explanation on how someone saved themselves from creating 9 rules with just one alias.

    Okay, back to the rules.  If the network requires online gaming, find out on your own because some people will lie to your face about what they need and it may allow things that you and your ISP do not want. If they say something like "I play games on Steam", just use Google or whatever you like and search for something like "which ports does Steam require" etc.  Do that for everything. Make clean aliases and then create your LAN rules with those aliases.

    But, if they say they need certain ports open for something (and they won't tell you usually), or if they hint at something like BackTrack, Nmap and many others, that's what you don't want. If it sounds like something you never heard of or they get overly happy about it, don't open anything for them. Show them the door. That's why you only allow what you need. For most, that's just the internet and possibly some email ports if you use an email program. In which case, if they are complaining about not getting email, I would make each one of them come up with their laptop and tell them to open their email server settings.  You would be looking for something like this (these are Verizon's settings): pop.verizon.net port 995, smtp.verizon.net port 465, and they use TCP, so just use TCP when creating the email alias.

    I would also recommend this video called The Gentlemen Thief from a Defcon seminar. https://www.youtube.com/watch?v=1kkOKvPrdZ4

    In so many ways, even if it's not physical such as in the video. It is what security professionals have to face everyday. I would also recommend watching Casino but that's another subject. That's only if you're really dedicated. The main focus is on how people are constantly trying to cheat and rob the Casino. Then just let the story unfold.
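As an added illustration of the "only allow what you need" egress policy described in the post above, the block below renders a default-deny ruleset from named port aliases and evaluates sample guest flows against it. It is example code written for this thread, not the poster's own rules or a pfSense configuration file: pfSense generates its pf rules from the GUI, so the emitted text is plain pf syntax for reading only, and the alias names (WebPorts, NTP, Mail), the 192.168.1.0/24 guest range and the custom GUI port 8443 are assumed values.

```python
"""Render a default-deny egress policy from named port aliases and check
flows against it.  Added example for this thread; the emitted text is plain
pf syntax for illustration, not a pfSense config file."""
from ipaddress import ip_address, ip_network

# Constructed values for the example (not from the thread)
LAN_NET = ip_network("192.168.1.0/24")   # guest LAN
LAN_ADDR = ip_address("192.168.1.1")     # pfSense LAN interface address
WEBGUI_PORT = 8443                       # custom web GUI port (assumed)

# Aliases in the spirit of the post: only what guests actually need
ALIASES = {
    "WebPorts": ("tcp", [80, 443, 21]),
    "NTP": ("udp", [123]),
    "Mail": ("tcp", [995, 465]),         # POP3S / SMTPS as in the post
}


def render_ruleset(aliases=ALIASES, lan_net=LAN_NET, lan_addr=LAN_ADDR,
                   webgui_port=WEBGUI_PORT):
    """Return pf-style rule lines: block everything, then pass only aliases."""
    lines = [f'lan_net = "{lan_net}"']
    for name, (_, ports) in aliases.items():
        lines.append(f'{name} = "{{ {", ".join(map(str, ports))} }}"')
    # Default deny with logging: the log is what later reveals an infected client
    lines.append("block log all")
    # DNS and the web GUI are pinned to the firewall itself, never "to any"
    lines.append(f"pass in quick on lan proto {{ tcp, udp }} from $lan_net "
                 f"to {lan_addr} port 53")
    lines.append(f"pass in quick on lan proto tcp from $lan_net "
                 f"to {lan_addr} port {webgui_port}")
    for name, (proto, _) in aliases.items():
        lines.append(f"pass in quick on lan proto {proto} from $lan_net "
                     f"to any port ${name}")
    return lines


def is_allowed(proto, src, dst, dport, aliases=ALIASES, lan_net=LAN_NET,
               lan_addr=LAN_ADDR, webgui_port=WEBGUI_PORT):
    """Mirror the rendered policy for one outbound flow seen on the LAN side."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in lan_net:
        return False                     # only LAN clients enter on this interface
    if dst == lan_addr:
        return dport == 53 or (proto == "tcp" and dport == webgui_port)
    return any(proto == p and dport in ports for p, ports in aliases.values())


if __name__ == "__main__":
    print("\n".join(render_ruleset()))
    # A malware update check on TCP 6000 (the port from the post) falls through
    # to the default block; ordinary HTTPS browsing passes.
    print(is_allowed("tcp", "192.168.1.50", "203.0.113.5", 6000))   # False
    print(is_allowed("tcp", "192.168.1.50", "203.0.113.5", 443))    # True
```

The point of `block log all` coming first is that every outbound attempt the aliases do not cover is both dropped and logged, so the firewall log, rather than a notice from the ISP days later, is where the infected guest shows up.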



  • Geez, if only all other ISPs on Earth were this responsive to bad actors on their networks.



  • It's a seminar get used to it. I have to say though from watching many Defcon videos. Usually, I don't learn anything. What I've noticed the most is that they really like to show off and to someone that doesn't know I'm sure they're impressed but yeah, you just have to sift through the nonsense and pick out something that may help whatever situation that you're in. Or, just watch it while doing house chores. In some cases you could even run the vacuum and learn just as much. I switch from that to Blackhat videos as well. They seem to be a little more informative. But, it depends on what you're into.



    What about creating a deny-all outgoing connection rule over the LAN?
    Like this, all infected machines won't succeed in broadcasting to the internet.



    He would have to get the IP address, possibly the MAC address too, and it is a public place so you would never find it in a crowd unless you were maybe a professional pen-tester and really understood everything about packet sniffing with something like Wireshark. Even then it's really difficult to see if something is actually malware. I would just run HAVP as a transparent proxy and turn on all the bells and whistles. The only trouble with that, like a lot of packages, is that you will need to trim some things down that may cause false positives, and then again I wouldn't worry about it. If they can access the internet there really is no need to worry about anything.  There's lots of ways to protect yourself.  But that's if he decides to use pfSense. It is commercial grade as far as I am concerned, meaning that your average user will not want to mess with it simply because it is so powerful and with that comes a lot of learning.

    I just thought about something. Most places that I connect to wirelessly in the public require a password to get online and usually I would have to go to the front desk to ask for it. That was at a few hotels though. I'm not sure how his place is run but a password would be wise. I think that is part of what Captive Portal is used for.



  • Snort with auto-blocking is the answer here. I've had so many machines on my guest network get knocked down because they have botnet CnC clients running on them, it's insane. Add the guest range to your whitelist so they don't get completely blocked, and only the offending remote IP will get blocked.
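Both the pfBlocker suggestion earlier in the thread (blacklisting the same sinkhole IPs the ISP is notified about) and the Snort auto-blocking with a whitelisted guest range come down to the same two steps: match outbound connections against a sinkhole list, and block the remote address without locking out the whole guest range. The block below is an added example of that logic, not code from pfSense, pfBlocker or Snort; the log format is a simplified constructed one (not pfSense's filterlog format), and the sinkhole list, guest range and log lines are all constructed values.

```python
"""Match constructed egress log lines against a sinkhole list, name the
internal client that talked to a sinkholed address, and plan blocks that
spare the whitelisted guest range.  Added example; formats and values are
constructed, not taken from pfSense, pfBlocker or Snort."""
from ipaddress import ip_address, ip_network
import re

GUEST_NET = ip_network("192.168.1.0/24")          # whitelisted guest range

# Constructed sinkhole list in the spirit of an abuse.ch / pfBlocker feed
SINKHOLE_LIST = [ip_network("198.51.100.23/32"), ip_network("203.0.113.0/24")]

# Constructed egress log: "<time> <src>:<sport> -> <dst>:<dport> <proto>"
EGRESS_LOG = """\
2014-01-12T10:21:55 192.168.1.40:51022 -> 93.184.216.34:443 tcp
2014-01-12T10:22:03 192.168.1.57:49211 -> 198.51.100.23:80 tcp
2014-01-12T10:22:09 192.168.1.57:49212 -> 203.0.113.77:8080 tcp
this line is garbage and must be skipped
2014-01-12T10:23:40 192.168.1.12:40001 -> 93.184.216.34:80 tcp
"""

LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport, _proto = m.groups()
            yield ts, ip_address(src), ip_address(dst), int(dport)


def sinkhole_contacts(text, sinkholes=SINKHOLE_LIST):
    """Return [(timestamp, internal_src, remote_dst)] for hits on the list."""
    return [(ts, str(src), str(dst)) for ts, src, dst, _ in parse_log(text)
            if any(dst in net for net in sinkholes)]


def plan_blocks(hits, guest_net=GUEST_NET):
    """Return (remote IPs to block, guest clients to report).

    Mirrors the whitelist behaviour described in the post: a source inside the
    guest range is reported for follow-up instead of being blocked outright, so
    one infected laptop does not take the whole wifi offline."""
    to_block, suspects = set(), set()
    for _, src, dst in hits:
        if ip_address(src) in guest_net:
            suspects.add(src)
        else:
            to_block.add(src)            # a non-whitelisted source is blocked too
        to_block.add(dst)
    return sorted(to_block), sorted(suspects)


if __name__ == "__main__":
    hits = sinkhole_contacts(EGRESS_LOG)
    for ts, src, dst in hits:
        print(f"{ts}: guest {src} contacted sinkholed {dst}")
    block, report = plan_blocks(hits)
    print("block remote:", block)
    print("follow up with guest:", report)
```

Run on the constructed log, this names 192.168.1.57 as the client that reached two sinkholed addresses, which is exactly the internal-vs-external detail the ISP and abuse.ch never see from the outside.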

