Netgate Discussion Forum

    Blocked ip addresses not showing up in log

    Category: Firewalling (3 posts, 2 posters)
    Heimire:

      hey there,

      We have an alias named blacklised_network.
      We have 3 networks listed.
      We are blocking everything coming from those networks.

      Snort sees the traffic and it's reporting it, but unfortunately we don't have IPS turned on at this point.
      Can't turn it on at this point.

      When I check the firewall log I see nothing for those IP addresses, but logging for the rule is turned on.
      When I check the states I see the IP address that's supposed to be blocked.

      I see traffic from those IP addresses to ports that aren't open, but nothing in the log for the ports that are open and that they are hitting.

      5.254.116.184 has been doing a brute force against an Exchange server all day.

      I created a rule just for that IP and that seems to work.
      I see no states for that one.


      cmb:

        That rule's correct to block traffic on WAN sourced from the contents of that alias, but it will have to go above any pass rules on WAN that would otherwise match. I'm guessing you have at least some pass rules above it.

        Adding a block rule doesn't block already-established connections, so you'll want to kill those states after ensuring the rule is on top of the WAN rules.

        Heimire:

          @cmb:

          That rule's correct to block traffic on WAN sourced from the contents of that alias, but it will have to go above any pass rules on WAN that would otherwise match. I'm guessing you have at least some pass rules above it.

          Adding a block rule doesn't block already-established connections, so you'll want to kill those states after ensuring the rule is on top of the WAN rules.

          It's on top, but I am sure it's the already-established connections I am seeing.
          I killed those last night and I don't see any now.

          Thanks..

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.