Newb, ZeroAccess traffic, ISP mad at me.
-
Hello Everyone!
Thank you for reading this and hopefully helping me out if you can. I have a small coffee shop that provides free wifi to patrons. I have chosen to use pfSense 2.2-BETA because it works with my hardware.
I have three NICs on the system. The first is my WAN, the second is my LAN and the third is DMZ. I use the DMZ for a wifi AP. I pretty much left everything as is, settings-wise, after installing pfSense. Here are my rules in the pics.
Everything was working fine for months until two days ago. I was notified by my ISP that they will turn off my account because of ZeroAccess botnet traffic coming from me. After talking to them and scanning my machines, which did not have the virus, I decided to install Snort and see what is happening. Clearly whoever it was was using my AP, a guest. My internet is back on but I do see a lot of inbound ZeroAccess from Snort.
My question to you is what am I doing wrong and how do I set up so as to prevent this. I have also run Snort on my LAN to see if my machines are doing any traffic to the botnet but so far nothing has shown up.
I am kinda at my last straw here :(
-
I've never been in the situation of offering public Internet access, but I wonder if blocking UDP wholesale and only allowing TCP ports 80 & 443 would work for most users.
-
Just one note-
Your DMZ rules are in the wrong order…Hint:
- Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.
Put the 443 block above the "allow all" rule.
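Added example, not from the thread and not pfSense's own code: a small first-match evaluator over a pfSense-style rule table. It covers both replies above. It shows why the OP's 443 block can never fire when it sits below an "allow all" rule (and flags such shadowed rules), and it evaluates the "block UDP, pass only TCP 80 and 443" idea from the second reply against a few constructed packets, including a UDP 53 DNS query. The rule model is an assumption for illustration: it keys only on protocol and destination port, with no addresses, directions or states, and the rule tables and packets are constructed to mirror the thread, not copied from the OP's screenshots.

```python
"""First-match evaluation of a pfSense-style interface rule table.

Added example for this thread; it is not pfSense code and not the rules from
the OP's screenshots.  pfSense emits every user rule as a pf rule carrying the
'quick' keyword, so the first rule that matches a packet decides its fate and
anything that matches no rule is dropped by the implicit default deny.  The
rule tables below are constructed to mirror the two rulesets discussed in the
thread; the sample packets are constructed as well.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: str = "any"              # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches every port

    def matches(self, proto: str, dst_port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        return proto_ok and port_ok


def evaluate(rules: List[Rule], proto: str, dst_port: int) -> str:
    """Return the action of the first matching rule, or the default deny."""
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.action
    return "block"  # nothing matched: pfSense's implicit deny at the end of the table


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because one earlier rule covers them.

    This is the lint a rule-order mistake like the OP's needs.  It only reports a
    rule hidden by a single earlier rule; a rule hidden by the union of several
    earlier rules is not detected.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:i]):
            shadowed.append(i)
    return shadowed


# 1. The DMZ order the OP posted: "allow all" first, then the 443 block.
DMZ_WRONG_ORDER = [
    Rule("pass"),               # allow all
    Rule("block", "tcp", 443),  # never reached
]

# The same two rules with the block moved above the pass, as the last reply says.
DMZ_FIXED_ORDER = [
    Rule("block", "tcp", 443),
    Rule("pass"),
]

# 2. The second reply's idea: drop UDP wholesale, pass only TCP 80 and 443.
GUEST_TCP_WEB_ONLY = [
    Rule("block", "udp"),
    Rule("pass", "tcp", 80),
    Rule("pass", "tcp", 443),
]

# Same idea with a DNS exception placed above the UDP block so guests can still
# resolve names (constructed variant, not proposed in the thread).
GUEST_TCP_WEB_PLUS_DNS = [
    Rule("pass", "udp", 53),
    Rule("block", "udp"),
    Rule("pass", "tcp", 80),
    Rule("pass", "tcp", 443),
]


if __name__ == "__main__":
    for name, table in [("DMZ as posted", DMZ_WRONG_ORDER),
                        ("DMZ reordered", DMZ_FIXED_ORDER),
                        ("TCP 80/443 only", GUEST_TCP_WEB_ONLY),
                        ("TCP 80/443 + DNS", GUEST_TCP_WEB_PLUS_DNS)]:
        print(f"{name}: tcp/443 -> {evaluate(table, 'tcp', 443)}, "
              f"udp/53 -> {evaluate(table, 'udp', 53)}, "
              f"shadowed rules: {shadowed_rules(table)}")
```

Two practical points fall out of running it. First, plain pf is last-match unless a rule says `quick`; pfSense adds `quick` to every user rule, which is why the first-match wording quoted above applies and why a block placed below "allow all" is dead. Second, blocking UDP wholesale on the DMZ also blocks guests' DNS queries to the firewall's own forwarder (UDP 53 arrives on that same interface), so a pass rule for DNS has to sit above the UDP block or name resolution stops working.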