Blocked IP not in logs
-
We were just doing Apache requests on a server behind the WAN, testing a website by checking whether the pages were working. Our IP was totally blocked and I could not find anything about why that was.
I tried to see if the blocked IP was in the logs, in the Snort logs and in pfBlocker. I disabled the packages; no result.
After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
Maximum number of established connections per host (TCP only)
Maximum state entries per host
Maximum new connections / per second(s) (TCP only)
I don't know for sure, but if that was the case, is a complete reboot of pfSense the only option to clear this?
-
I don't know for sure, but if that was the case, is a complete reboot of pfSense the only option to clear this?
You keep asking this and I have no idea until we have figured out the real problem. I have seen cases where cruft left behind by some packages has led to firewall problems, specifically pfBlocker. If you have the ability, I might suggest recreating your pfSense installation with only defaults, no extra packages, and then do your basic config and test your web server. I really have a feeling that it's one of the installed packages.
How long after reboot does the block return? Your light testing is not going to breach any thresholds for states, so fiddling with those will likely not be helpful. If you have made changes, remember to change them back again once you have verified that they don't help your issue.
-
Hi,
I had the same problem today... Was outside of the WAN testing some web server behind pfSense in its LAN.
I was also unable to find how to unblock our IP.
Used another internet connection to reboot pfSense, but we can't afford a reboot in production ...
There must be something to find a blocked IP and unblock it.
I'm also looking for a whitelist option, but this also seems not to be present in pfSense.
Thanks for letting us know
Best regards
-
There is no circumstance where you have to reboot to "unblock" something. The only circumstances where something gets blocked like that are Snort alerts and you can get locked out from the firewall itself from one particular source IP if you try to log in with a bad username/password 15 times. Either of those can be cleared out under Diagnostics>Tables, or for Snort, within its configuration.
-
I don't have Snort installed, but Suricata is installed.
I haven't activated it. Is Suricata working and filtering even if it's not active?
-
I am having the same issue. So strange. I know it may be the limits like maximum connections, states etc. per rule which trigger this blacklist, but I can't find any place to unblock. I thought it was possible in "Diag" -> "Tables" -> "blacklist" but just found out it wasn't there.
Somehow it also unblocks after a certain time. Maybe in hours. Where to look?
-
After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
Maximum number of established connections per host (TCP only)
Maximum state entries per host
Maximum new connections / per second(s) (TCP only)
When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot
The firewall will not respond to the offending address for 1 hour.
A reboot will empty the table.
-
@abauer:
After rebooting the firewall I saw that I had set up these in the WAN rules, which could cause the block:
Maximum number of established connections per host (TCP only)
Maximum state entries per host
Maximum new connections / per second(s) (TCP only)
When any of these rules are tripped, pfSense places the offending IP address in Diagnostics -> Tables -> virusprot
The firewall will not respond to the offending address for 1 hour.
A reboot will empty the table.
That is damn good information! I will test if it appears on this list. Does someone know where to adjust the time before it unblocks itself?
-
Not configurable.
-
It is configurable by editing the cron job for "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot", which can be done with the cron package. The 3600 is the timeout age in seconds.
-
@cmb:
It is configurable by editing the cron job for "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot", which can be done with the cron package. The 3600 is the timeout age in seconds.
Awesome! Thank you!
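As an added example (not from the thread and not pfSense's own code), the script below does from a shell what abauer's reply describes for Diagnostics -> Tables -> virusprot: it checks whether an address is sitting in that table and releases it without a reboot, and it pulls the timeout out of the expiretable cron line cmb quotes. It assumes a root shell on the pfSense box with pfctl at /sbin/pfctl; the table listing used for the offline demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect and release an address that the
# per-rule limits (max states / connections per host) dropped into the
# virusprot table. Run as root on pfSense; PFCTL and TABLE are assumptions.
PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-virusprot}

# Constructed sample of what "pfctl -t virusprot -T show" prints (indented addresses).
SAMPLE_LISTING='   192.0.2.10
   203.0.113.5'

# Exit 0 if address $2 appears as a whole entry in listing $1 (no prefix matching).
addr_in_listing() {
    printf '%s\n' "$1" | awk -v a="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == a) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the "-t" timeout (seconds) from the expiretable cron command line.
expire_seconds_from_cron() {
    printf '%s\n' "$1" | sed -n 's/.*-t \([0-9][0-9]*\).*/\1/p'
}

# Live check: is $1 currently in the table?
is_blocked() {
    addr_in_listing "$("$PFCTL" -t "$TABLE" -T show)" "$1"
}

# Remove $1 from the table and kill its states in both directions; deleting
# the table entry alone leaves stale states, so traffic may still not flow.
release_addr() {
    if ! is_blocked "$1"; then
        echo "$1 is not in table $TABLE" >&2
        return 1
    fi
    "$PFCTL" -t "$TABLE" -T delete "$1"
    "$PFCTL" -k "$1"                # IPv4 states originating from $1
    "$PFCTL" -k 0.0.0.0/0 -k "$1"   # IPv4 states destined to $1
}

# Offline demo on the constructed listing; pass an address to act on the live table.
if [ "$#" -gt 0 ]; then
    release_addr "$1"
else
    addr_in_listing "$SAMPLE_LISTING" 203.0.113.5 && echo "sample: 203.0.113.5 is listed"
    echo "cron timeout: $(expire_seconds_from_cron '/usr/local/sbin/expiretable -v -t 3600 virusprot')s"
fi
```

Lowering the 3600 in the cron entry shortens how long a tripped host stays listed, but releasing the address by hand as above is the only way to clear it immediately.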