Netgate Discussion Forum

    Blocked ip not in logs

Firewalling
23 Posts 7 Posters 3.7k Views
webroy

Hi Guys,

I had an IP which was blocked by the pfSense firewall. I did not see anything in the logs or the Snort logs, but when I went to System -> Advanced -> Firewall/NAT and disabled the firewall, the IP could access again.

So I disabled some firewall rules and saved, but it was still blocked after enabling packet filtering again. I reset all states to see if that solved it. Nothing. I had to reboot the pfSense to unblock that IP address...

In Snort nothing was blocked; in the logs I did not see that IP.

Does anyone have some feedback on how to handle this without rebooting the complete firewall?

KOM

        This is something being blocked coming into your network?  There should be an entry in the Firewall log (Status - System Logs - Firewall) if it blocked something.

webroy

Yes, my office IP was blocked in the pfSense firewall. In the firewall logs I did not see my office IP address. But it was blocked, because when I disabled the firewall, traffic was allowed. Is there another way to flush the firewall so all connections are reset, without rebooting the pfSense?

I tried resetting states, applying a new rule, disabling Snort and disabling pfBlocker...

KOM

            Usually resetting the states does the trick.  You could try shelling in and running:

            pfctl -f /tmp/rules.debug

            Can you give a screenshot of your Firewall WAN rules?  There may be a rule that is blocking your traffic and it does not have logging enabled.

webroy

Is there also a shell command for resetting all states? What does this command do? pfctl -f /tmp/rules.debug

Thanks in advance.

KOM

                A quick Google would answer that.  It reloads the ruleset, but I'm now thinking it might not do a flush.  You can flush just the states with:

                pfctl -F states

                Perhaps try this instead:

                pfctl -F all

                which flushes all filters, states, tables etc.

cmb

There are no states for blocked traffic. If you're blocking something and not getting a log, either it's via a user-configured rule that doesn't have logging enabled, or you disabled logging on the default block rules.

webroy

Hi cmb, okay, thanks. But the block is solved when I completely reboot the pfSense firewall. Is there not another option to release all blocked IPs without rebooting the pfSense?

KOM

                      Is it consistent like that where a reboot removes the block?  If so, how long after reboot does this magic block return?  Can you give us more information?  Which IP address is being blocked from accessing what server or service?

webroy

The IP is blocked from every service: ping, HTTP, MySQL, etc. We were testing a website... It could be because of the setting for max connections per second; I changed that value.

If that is the case, is there another way to reset this besides a reboot of pfSense?

KOM

                          First, we would need to find the actual root cause of the problem before suggesting a definitive fix.

                          Can you describe with more detail as to what exactly you're trying to do and what exactly is happening to stop you?  You said something about testing a website…  Are you testing accessing a web server on LAN from WAN?

webroy

We were just doing Apache requests to a server behind the WAN, testing a website by checking whether the pages were working. Our IP was totally blocked and I could not find anything on why that was.

I tried to see if the blocked IP was in the logs, in the Snort logs, in pfBlocker. I disabled the packages; no result.

After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
Maximum number of established connections per host (TCP only)
Maximum state entries per host
Maximum new connections / per second(s) (TCP only)

I don't know for sure, but if that was the case, is a complete reboot of the pfSense the only option to clear this?

KOM

I don't know for sure, but if that was the case, is a complete reboot of the pfSense the only option to clear this?

                              You keep asking this and I have no idea until we have figured out the real problem.  I have seen cases where cruft left behind by some packages has led to firewall problems, specifically pfBlocker.  If you have the ability, I might suggest recreating your pfSense installation with only defaults, no extra packages, and then do your basic config and test your web server.  I really have a feeling that it's one of the installed packages.

                              How long after reboot does the block return?  Your light testing is not going to breach any thresholds for states, so fiddling with those will likely not be helpful.  If you have made changes, remember to change them back again once you have verified that they don't help your issue.

atrocity

Hi,

I had the same problem today... I was outside of the WAN, testing a web server behind pfSense in its LAN.
I was also unable to find how to unblock our IP.
I used another internet connection to reboot pfSense, but we can't afford a reboot in production...
There must be something to find a blocked IP and unblock it.

I'm also looking for a whitelist option, but this also seems not to be present in pfSense.
Thanks for letting us know.
Best regards

cmb

                                  There is no circumstance where you have to reboot to "unblock" something. The only circumstances where something gets blocked like that are Snort alerts and you can get locked out from the firewall itself from one particular source IP if you try to log in with a bad username/password 15 times. Either of those can be cleared out under Diagnostics>Tables, or for Snort, within its configuration.

atrocity

I don't have Snort installed, but Suricata is installed.
I haven't activated it. Is Suricata working and filtering even if it's not active?

lowprofile

I am having the same issue. So strange. I know it may be the limits like maximum connections, states etc. per rule which trigger this blacklist, but I can't find any place to unblock. I thought it was possible in Diag -> Tables -> blacklist, but just found out it wasn't there.

Somehow it also unblocks after a certain time. Maybe in hours. Where to look?

knight-of-ni

                                        @webroy:

After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
                                        Maximum number of established connections per host (TCP only)
                                        Maximum state entries per host
                                        Maximum new connections / per second(s) (TCP only)

When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot.

The firewall will not respond to the offending address for 1 hour.
A reboot will empty the table.

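The table-level operations the thread converges on (KOM's pfctl commands and knight-of-ni's pointer to the virusprot table), as an added shell helper that is not code from the thread, from Netgate or from pfSense itself: it lists the virusprot table, tests whether a given address is in it, removes that one address or flushes the table, and shows which rules feed it. Assumed: run as root on the pfSense box (SSH shell or Diagnostics > Command Prompt), pfctl on PATH, the table name virusprot and the ruleset path /tmp/rules.debug as mentioned above. Two caveats worth stating here: in pf, only the max-src-conn and max-src-conn-rate limits carry the "overload <table>" clause that adds a source host to the table, and pfctl -F all discards the loaded ruleset along with states and tables (pf with no rules loaded passes everything until the ruleset is reloaded), so a table-scoped delete or flush is the safer fix.

```shell
#!/bin/sh
# virusprot.sh - inspect and clear the pfSense "virusprot" overload table.
# Added example for this thread; not code from Netgate or from any poster.
# Assumptions: run as root on the pfSense box, pfctl is on PATH, the table
# is named virusprot and the generated ruleset is /tmp/rules.debug.
set -eu

TABLE=virusprot

# Accept only a dotted-quad IPv4 address; the thread is about IPv4 office IPs.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Addresses currently in the table, one per line. `pfctl -T show` indents
# each entry and may print a /32 suffix; both are stripped here.
virusprot_list() {
  pfctl -t "$TABLE" -T show | awk 'NF { sub(/\/32$/, "", $1); print $1 }'
}

# Exit 0 when the address is in the table, 1 otherwise.
virusprot_has() {
  virusprot_list | awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# The rules that fill or consult the table. Per-host limits set in a rule's
# advanced options show up as max-src-conn / max-src-conn-rate with
# "overload <virusprot>", and the block rule references the table by name.
virusprot_rules() {
  pfctl -sr | grep -F "<$TABLE>"
}

# Remove a single address: the targeted fix the thread asked for. It touches
# neither states nor the ruleset.
virusprot_unblock() {
  is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
  if virusprot_has "$1"; then
    pfctl -t "$TABLE" -T delete "$1"
    echo "removed $1 from <$TABLE>"
  else
    echo "$1 is not in <$TABLE>; the block comes from somewhere else" >&2
    return 1
  fi
}

# Empty the whole table. Prefer this over `pfctl -F all`: -F all also discards
# the loaded rules, and pf with no rules passes all traffic until
# `pfctl -f /tmp/rules.debug` reloads them.
virusprot_flush() {
  pfctl -t "$TABLE" -T flush
}

main() {
  case "${1:-}" in
    list)    virusprot_list ;;
    rules)   virusprot_rules ;;
    check)   ip=${2:?address required}
             virusprot_has "$ip" && echo "$ip is blocked by <$TABLE>" ;;
    unblock) virusprot_unblock "${2:?address required}" ;;
    flush)   virusprot_flush ;;
    *)       echo "usage: $0 list | rules | check IP | unblock IP | flush" >&2
             return 2 ;;
  esac
}

# Only act when given a subcommand, so sourcing the file defines the helpers.
[ $# -eq 0 ] || main "$@"
```

Typical use after finding your office address in Diagnostics -> Tables -> virusprot: `sh virusprot.sh check 192.0.2.10`, then `sh virusprot.sh unblock 192.0.2.10`. If `check` reports the address is not in the table, the block is not the overload table at all and the other causes in this thread (a rule without logging enabled, Snort/Suricata, or the login lockout cmb mentions) are the next places to look.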
lowprofile
@abauer:

@webroy:

After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
Maximum number of established connections per host (TCP only)
Maximum state entries per host
Maximum new connections / per second(s) (TCP only)

When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot.

The firewall will not respond to the offending address for 1 hour.
A reboot will empty the table.

That is damn good information! I will test if it appears on this list. Does someone know where to adjust the time before it unblocks itself?

doktornotor

                                            Not configurable.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.