    Auto blacklisting IP addresses for which packets have been denied

Andrew453:

      I'm moving across to pfSense from a Watchguard XTM series firewall.

      The Watchguard had a nice feature whereby, if a packet was not intercepted by any firewall rule (i.e. it was denied by a default rule), it could be blacklisted automatically for a certain amount of time.

      This is useful, for example, where you have a number of open ports and a malicious hacker tries one that isn't open.  The hacker's IP is then blocked, even if he then successfully guesses one of the open ports later on.

      Is there an equivalent feature on pfSense please?  I can't see it.

      Andrew

BBcan177 (Moderator):

        Hi Andrew,

Nothing out of the box achieves that functionality, but you can use an Intrusion Detection/Prevention System (Snort or Suricata) to block the IPs of attempts on ports that you define in an IDS custom rule.

        You can find more Info in the IDS Forums :

        https://forum.pfsense.org/index.php?board=61.0

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

Andrew453:

          Thanks for your reply.  I downloaded and set up Snort earlier as an IDS, and couldn't immediately see how to do the above in Snort.  Any pointers you can give me as to how to define an appropriate rule would be much appreciated.

          Many thanks.

BBcan177 (Moderator):

            You can read about custom Snort Rules in these Links:
                http://manual.snort.org/node29.html
                http://archive.oreilly.com/pub/h/1393

You would create these manual rules in the "custom.rules" category for the interfaces being used. So, for example, WAN: WAN Settings: WAN Rules: and click "custom.rules" in the Category dropdown selection.
You should create the SIDs in the 9000000 range and increment them so that no rule SIDs overlap. You can also use "WAN Variables".

I would always suggest starting with a non-blocking implementation of Snort/Suricata; then, once you get the rules working the way you like, you can enable "Blocking Mode".

            Other Settings to enable:

            In the "Global Settings" - 'Remove Blocked Hosts Interval'

Interface(s) - i.e. WAN Settings: Alert Settings: 'Block Offenders', 'Kill States' and 'Which IP to Block'

            Hope that gets you started… Post questions for IDS in the thread I posted above and I'm sure others will also help out...


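A starting point for the custom.rules entries described in the two replies above (an added example; it is not from the thread, the Snort project or the pfSense package). It assumes the WAN only exposes TCP 22 and 443 and UDP 500 and 4500; the port lists, rule messages and SIDs are placeholders to replace with your own, and the negated port list syntax `![a,b]` and the `$HOME_NET`/`$EXTERNAL_NET` variables are assumed to resolve as the pfSense Snort package defines them for the WAN interface.

```snort
# Added example, not from the original thread or the pfSense/Snort projects.
# Paste into the WAN interface's "custom.rules" category. Each rule must stay
# on a single line. SIDs start at 9000001, as the post advises, so they never
# collide with vendor rule sets; bump rev: whenever you edit a rule.

# Assumed open TCP ports: 22 and 443. Anything else is a "closed port" probe.
# flags:S     - only bare SYNs (the first packet of an attempt) fire the rule
# flow:stateless - match without waiting for a session; pf drops these packets,
#                so Snort never sees a completed handshake
# detection_filter - alert (and, in Blocking Mode, block) on the 3rd probe from
#                one source within 60 s; remove it to block on the first packet,
#                which is the Watchguard behaviour described at the top
alert tcp $EXTERNAL_NET any -> $HOME_NET ![22,443] (msg:"LOCAL Probe of closed WAN TCP port"; flow:stateless; flags:S; detection_filter:track by_src, count 3, seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)

# Assumed open UDP ports: 500 and 4500 (IPsec). UDP has no handshake, so any
# datagram to a port outside the open set counts as a probe.
alert udp $EXTERNAL_NET any -> $HOME_NET ![500,4500] (msg:"LOCAL Probe of closed WAN UDP port"; detection_filter:track by_src, count 3, seconds 60; classtype:attempted-recon; sid:9000002; rev:1;)
```

Run these with Blocking Mode off first and watch the Alerts tab: every hit should be a source IP and port you would be happy to lose contact with for the 'Remove Blocked Hosts Interval'. Then enable 'Block Offenders' with 'Which IP to Block' set to the source address, and 'Kill States' so an attacker who later guesses an open port does not keep an existing state alive. Note that pfSense's default-deny rule already drops these packets; what the IDS adds is the block list entry that also covers the ports you do expose.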
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.