PfSense not blocking attacker (FIXED)

charliem · Oct 8, 2014, 3:51 PM

Can you check that your rules are showing up in /tmp/rules.debug, especially that Torguard / OpenVPN / PPTP VPN really are disabled?

Anything look strange in that file?

MilesDeep · Oct 8, 2014, 5:06 PM

Mine is doing the same thing in an attempt to block 1452. It simply will not.

sect · Oct 9, 2014, 9:01 AM

I'm interested in this problem and will look into this setup myself as soon as I get the time to experiment in my test environment.
@staroflaw Will you post when you find a solution to your problem? Often after solving the problem, nothing is heard thereafter ;-)

staroflaw · Oct 10, 2014, 12:40 AM

Hi charliem

Can you check that your rules are showing up in /tmp/rules.debug, especially that Torguard / OpenVPN / PPTP VPN really are disabled?
Anything look strange in that file?

After looking in the rules.debug file I don't see anything relating to Torguard or PPTP VPN. I do see some reference to OpenVPN

#System aliases
loopback = "{ lo0 }"
WAN = "{ re1 }"
LAN = "{ re0 }"
WIFI = "{ em0 }"
OpenVPN = "{ openvpn }"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"

I do see the blocked rule.

# User-defined rules follow

anchor "userrules/*"
block  in  quick  on $WAN reply-to ( re1 XX.XX.XXX.1 ) inet from 80.82.78.166 to any  label "USER_RULE: Block Attack"

The IP re1 XX.XX.XXX.1 is not my IP. All the X are correct but mine ends in 204 not 1?

This is all the Rules I have set.

I also have my 4G mobile IP and my mates IP blocked but both can still access my services.

Thank you

Star.

kejianshi · Oct 10, 2014, 1:54 AM

Whatever you do, don't wipe it and reinstall it…

If you did that, it might fix it without ever satisfying the curiosity of the masses.

staroflaw · Oct 10, 2014, 9:28 AM

staroflaw Will you post when you find a solution to your problem? Often after solving the problem, nothing is heard thereafter ;-)

I know what you mean, I will deferential post if I fix it.

Whatever you do, don't wipe it and reinstall it…
If you did that, it might fix it without ever satisfying the curiosity of the masses.

I also want to understand why its not working correctly, just in case I see the happen again.

This attack has now been going for 5 days, they have made over 1,728000 requests.
I have reported it to my ISP and Ecatel LTD the owner of that IP.

My ISP says they cannot do anything about it unless they have a large amount of complaints relating to that IP. I totally understand that.
Ecatel LTD say….... "Nothing" I have had no response from them at all. I have contacted them two times now with LOG's and nothing.

Star.

chpalmer · Oct 10, 2014, 5:24 PM

Star:

On your WAN rule to block this guy-

Make sure that Logging is checked…

On the pass/block/recject option at the top of the rule- set to reject (just to test) and see what the firewall logs show...

Set "Destination" to your server LAN IP address.

johnpoz · Oct 10, 2014, 6:56 PM

so how exactly is he getting in and hitting your webserver. I don't see any rules that would be there from a port forward - your wan rules don't show any allows other than icmp from one IP.

So only inbound traffic would be from a state that client on lan created the connection.

look at your state table and filter for his IP and what do you see for states?

staroflaw · Oct 10, 2014, 10:43 PM

I don't see any rules that would be there from a port forward

johnpoz you are absolutely correct. I assumed the wan rule was created automatically for you but as it is clearly not there, obviously not. The answer was in front of me all along. My HTTP Filter rule association was set to PASS. That’s why it just ignored my Block WAN rule.
I don’t know how I missed this!

I can now confirm it is blocking.
A BIG thank you to all who participated in the discussion and for all help offered.

Star.

staroflaw · Oct 10, 2014, 10:31 PM

Here is how I setup my HTTP NAT correctly.

Filter rule association > Create new associated filter rule.

Apply changes.

Then under Rules add your block rule.

Make sure the block rule is above everything else.

You can also see the new rule added NAT HTTP_Server

Star.

johnpoz · Oct 10, 2014, 10:45 PM

jimp? I don't see anywhere where jimp pointed out anything ;)

staroflaw · Oct 10, 2014, 10:56 PM

lol. typo. ;D

kejianshi · Oct 10, 2014, 11:22 PM

I don't remember any mention of a HTTP pass rule… (-:
Which gets me back to my original theory of there must be a pass rule somewhere.

johnpoz · Oct 10, 2014, 11:32 PM

he had has port forward set to pass vs creating a rule… I never understand why people change it from the default of create new rule if you they don't fully understand what they are doing ;)

kejianshi · Oct 10, 2014, 11:42 PM

Simple mistake, I'm sure.

staroflaw · Oct 10, 2014, 11:54 PM

Simple mistake, I'm sure.

Yes it was. :)