Netgate Discussion Forum
    Firewall logs

    • Mithrondil

      In the list of source IPs in the firewall, should there be non-LAN IP addresses showing up as source?

      There's 1 IP address listed as source which comes from Greece, which is not even where I live.

      Another thing, last night I noticed a NetBIOS connection being blocked in the log, and I immediately turned it off in the adapter settings.
      Now when I logged on to pfSense 20 min ago at 17:25 my local time and checked the firewall logs, there are no firewall logs prior to 17:05 my local time.

      Are there any reasons to believe that I've been hacked?
      ![source Ips.jpg](/public/imported_attachments/1/source Ips.jpg)

        • Mithrondil

        Another thing is that there have been no new entries in the firewall for over 30 min, no entries at all.

          • doktornotor Banned

          Excellent job. So, you obfuscated the RFC1918 IPs and left the public ones intact?  ::) ::) ::)

          Post some logs and your firewall rules.

            • Mithrondil

            The 2 public ones are not my WAN addresses, and they do not belong to me.

            ![airvpn rules.jpg](/public/imported_attachments/1/airvpn rules.jpg)
            systemlogsfirewall.jpg

              • doktornotor Banned

              STOP OBFUSCATING NON-ROUTABLE RFC1918 IPS!!!

              :( >:( >:( >:( >:(

              https://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                • Mithrondil

                As my forum title says, I'm a junior member in terms of pfSense knowledge, and please, there's no need for emotional outbursts or flames.

                My question regarding whether a non-LAN IP address from Greece should show up in the firewall logs is still not answered, and the same goes for the question of why there have been no more log entries in the firewall logs for more than 60 minutes.

                Also, why would NetBIOS be showing up as blocked if I'm not using it, nor have other PCs running?

                  • doktornotor Banned

                  There's no NetBIOS anywhere on what you posted. There's also no "non LAN ip adress from greece" anywhere on LAN on the screenshots you posted…

                    • Mithrondil

                    In the first post in this thread, I attached a picture called sourceip.jpg

                    In this screenshot there are 3 LAN IPs (obfuscated) and 2 non-LAN IPs; none of these 2 IPs belong to me in any way. 1 of these non-LAN IPs is 176.58.157.215; this IP traces back to Greece.

                      • doktornotor Banned

                      Either post relevant logs or just don't bother. Explanation of the logs you posted was already linked above (aka someone closed a browser tab).

                        • Nachtfalke

                        Just search for the public IPs in the firewall log. Use the filter options and then post these logs here so that we can try to find out what is happening.

                        1 Reply Last reply Reply Quote 0
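
Following the suggestion above to filter the firewall log for the public IPs, here is an added example (not code from the thread or from pfSense) that pulls the entries involving one address out of raw filter log lines and labels each source as RFC1918 or public. The field positions assume pfSense's comma-separated filterlog layout for IPv4; the sample lines, interface names and the `describe` heuristic are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(.*)$")

# Constructed sample lines (not from the thread), in the assumed raw filterlog layout.
SAMPLE = [
    "Mar  3 17:06:11 fw filterlog: 5,,,1000000103,ovpnc1,match,block,in,4,0x0,,52,4211,0,DF,6,tcp,52,176.58.157.215,10.4.0.6,443,51544,0,FA,2251,9917,245,,",
    "Mar  3 17:06:40 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,128,611,0,none,17,udp,78,192.168.1.20,192.168.1.255,137,137,58",
    "Mar  3 17:07:02 fw filterlog: 9,,,1000000103,em0,match,block,in,4,0x0,,240,54321,0,none,6,tcp,40,203.0.113.50,198.51.100.7,40000,23,0,S,1234,,1024,,",
]

def parse(line):
    """Return a dict for an IPv4 filterlog line, or None if it is not one."""
    m = LINE_RE.search(line)
    f = m.group(1).split(",") if m else []
    if len(f) < 20 or f[8] != "4":
        return None  # this sketch handles IPv4 entries only
    tcp = f[16] == "tcp" and len(f) > 23
    return {"iface": f[4], "action": f[6], "proto": f[16], "src": f[18], "dst": f[19],
            "flags": f[23] if tcp else ""}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def describe(rec):
    """Label the source scope and give a heuristic reading of a blocked packet."""
    scope = "rfc1918" if is_rfc1918(rec["src"]) else "public"
    flags = rec["flags"]
    if rec["action"] != "block":
        note = "not blocked"
    elif "F" in flags or "R" in flags:
        note = "out-of-state close"  # FIN/RST for a state the firewall already removed
    elif flags == "S":
        note = "new connection attempt"
    else:
        note = "other"
    return scope, note

def search(lines, ip):
    """Return (iface, src, dst, scope, note) for entries that involve ip."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if ip in (rec["src"], rec["dst"]):
            hits.append((rec["iface"], rec["src"], rec["dst"], *describe(rec)))
    return hits

if __name__ == "__main__":
    for hit in search(SAMPLE, "176.58.157.215"):
        print(hit)
```

The interface column is what tells you whether a public source address was seen on the LAN or on a WAN/VPN interface, so keep it in anything you post.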
                        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.