Unblock a blocked IP ?

atrocity

Hello,

i did some test with our new PFSense today, from outside of our network, and i have locked my own IP by PFSense …
I simply did a test on a web server, and i forgot that some ports was not defined (it's a remote KVM, using Java on the ports 2068 and 8192).
I'm new on PFSense, and was not able to unlock my IP. Did a reboot of the firewall and my IP was free again.
But there must be a way to unblock such a blocked IP, no ?

Also, i'm looking for a whitelist, but was also not able to find something like that.
I only want to avoid to have some IPs blocked if we do something wrong ...
Is there a way to do this ?

Thanks for any help

dotdash

Did you trigger the web configurator lockout?
Go to Diagnostics, Tables and look there.

atrocity

thanks for your reply, but it's not only the webConfigurator the problem.
My webConfigurator anti-lockout rule is disabled.
If i understand it correctly, it should not lock my IP if i use a wrong password, no ?

My problem is that i did a try to make some access from the outside.
PFSense blocked my IP because i forgot to open the 2 KVM ports.
I used a other IP to access PFSense, where i was able to reboot to be unlocked.

My question is: is there a way to whitelist some IP ?

Thanks
Best regards

dotdash

Not sure what you mean by blocked. If you triggered something like the web configurator or ssh lockout, it would be in one of the tables. Look there.
It doesn't 'blacklist' ips simply because they tried to hit a closed port. (You're not running snort, right?)

atrocity

ok, sorry, french is my mother language …

Forget the webConfigurator and gui.
I have servers behind this PFSense, accessible from the internet.
I was outside of our network, and did some tests, accessing our servers.

dotdash

In standard configuration, pfsense will not block IPs for anything other than hammering at ssh or the webgui.
You are saying you tried to hit a closed port from the Internet and then couldn't hit open ports until you rebooted?

atrocity

yes, that's it.

dotdash

That shouldn't happen. Do you have snort installed? Any rules with advanced options such as maximum source hosts, etc?

atrocity

snort is not installed but Suricata is installed but not activated.

Yes, i have some Advanced Settings to limit the rate of some ports, like http, https ( Maximum new connections / per second(s) (TCP only)  10 con./10 seconds )

I can't imagine that this blocked me, because my normal tests with standard web servers are all ok.
It's only when i did a try to open a KVM remote console that i was blocked, because the 2 KVM ports was not defined/enabed.

dotdash

You could turn the logging on for those rules and repeat the test. You should have seen something in the logs when the IP was blocked. I would also check the tables just to see if anything was there.

atrocity

hi,

i know what's blocked me last time, but i want to be able to whitelist some IPs, just in case …
Don't want to be blocked anymore.
Is the only solution to put a Allow rule on top of my rules, allowing everything from this IP's ?

Regards

dotdash

The point I'm trying to make is that the IP should NOT have been blocked. I've never seen anything like that happen in years of working with pfSense. This leads me to believe something strange is going on with your rules. If you know how to re-create the block, you should be able to turn on some logging and find out what happened. If it was me, I would backup the config, install on a clean system (no packages) and set any rules with advanced options to log.

atrocity

Hi,

thanks, but your answer bring me more questions …
We WANT that if someone try some ports will be blocked.
A normal visitor/user don't have to try other ports as web, mail, ect ...