New user concerned over firewall logs… Am I being attacked? [SOLVED]

  • Hi there I'm new to pfSense (about 2 days) and I'm loving it so far. There is every option I could ever want plus more.

    Basically over the past few hours I've been noticing lots of source IP addresses trying to connect to my WAN address on port 63446. Roughly 50 attempts every hour.

    WAN    174.114.XX.XX:63446    UDP
    WAN  174.114.XX.XX:63446    UDP
    WAN  174.114.XX.XX:63446    UDP
    WAN    174.114.XX.XX:63446    UDP

    Can someone explain to me what's actually going on here? Is this anything I should be concerned about? I'm running iftop and it looks like the attempts are being blocked, but still should there be this much activity on that port when I don't even use it?

    EDIT: Forgot to mention, I added an alias to block port 63446 thinking this would remedy the issue… but I guess this only blocks the source port and not the destination?

    Any information would be greatly appreciated...thanks!

  • Static IP? Otherwise simply get a new one and see what happenz…

  • My ISP (Rogers Canada) changes the IP every so often, but I can't change it without phoning them and requesting a new one. Just rebooted the cable modem & my pfSense box, looks like it's still happening.

  • You don't need to block that port since it's already being blocked. Being that it's UDP, I bet it BitTorrent traffic. The DHT for BitTorrent will register and IP+port into a global swarm, which will then hold onto that entry for several days. I had this issue a while back. After a week, I stopped getting hit on the port. Fire up BitTorrent again, start getting hit on the port again for another week.

  • LAYER 8 Netgate

    Looks like your firewall is doing its job.

  • LAYER 8 Global Moderator

    yeah most likely torrent - the net is full of noise ;)  50 times in an hour is just very low level noise..  If it was 50 a second then maybe something you might need to look into ;)

    If you don't want to see the noise create a rule to no log it.

  • Thank you for your responses! I did notice the traffic after I downloaded a Linux ISO through torrent (Transmisson) but this traffic happened more than an hour after I closed the program. Glad to see this is relatively normal… will make a rule later to deal with it.

  • LAYER 8 Global Moderator

    why do you need a rule - the default rule already blocks it, unless your wanting a rule not to log it.

Log in to reply