Firewall log 1000 entries in 10 minutes



  • Hi I have been using pfsense for 14 days now,
    I think I've got everything set up the way it should be Guest VLANs and portforwarding to my NAS Server and so on;
    but then I saw I those firewall log entries, (1000 in 10 minutes) and came to think about if it was nomal, Or am I under an attack?



  • It's hard to say really but the 124.207.63.162 going to your address with a destination port of 23 would have me concerned unless you're doing something with telnet. Some of those could also be states retiring. What does the red x on the left say when clicking on it?


  • Rebel Alliance Global Moderator

    Looks like noise to me.. Do you P2P?



  • Looks like P2P noise. Are you on a dynamic ip? Maybe the person using it before you was running torrents.

    The port 23 one is a request to connect, which was blocked because that port leads nowhere. Nothing to worry about, just Internet noise.



  • Thank you, everyone, yes I have used p2p torrent a few times a while ago but no one is active right now.

    Can it really do that?

    No matter which one I click on it just says EasyRuleBlockHostsWAN.

    But if it's just noise, then I am more calm.



  • The torrent client of the other person(s) was told to ask a fragment of the torrent from IP X (yours). Maybe it wasn't told to stop trying to get that fragment, which is why you are still seeing logs for those. Nothing to worry about, it will go away eventually.


  • Rebel Alliance Global Moderator

    yeah once you join a swarm - you can see traffic from that for days for sure..  What you can do if you don't want to see all the noise is create a rule that blocks the udp but not log - which would be blocked anyway by the default rule but.  This way you will see stuff like that tcp attempt to 23, but noise from udp would be not logged and just dropped.

    This will clear up your logs to only show more interesting stuff ;)

    I do it now and then if it flairs up with lots of noise..  You could also turn off logging of the default rule - but then you don't see some interesting stuff ;)  The internet is a crazy wild west of traffic..



  • Thank you,

    It makes good sense, do you have a template to make such a firewall block rule?



  • @FasTrak:

    Thank you, everyone, yes I have used p2p torrent a few times a while ago but no one is active right now.

    Can it really do that?

    No matter which one I click on it just says EasyRuleBlockHostsWAN.

    But if it's just noise, then I am more calm.

    Modern BT uses DHT(Distributed Hash Table), and your IP address may exist in the DHT for several days. At one point, it took me almost a full week before I stopped getting UDP packets.

    You also want to be careful about any randomization to your listing port. I used a client that did this, and it causes DHT entry pollution, effectively creating an addition entry in the DHT for every port I listen to. Because of this, I would get a LOT of these annoying log filling UDP packets. They're really low bandwidth, but your log gets hit.