Noob ? :( PLEASE HELP! Same IP over and over on HTTP. among other ?'s
Long time reader first time posting! First let me thank everyone for the help this forum has provided for me!
I'll start with my build…
P4 with H/T (Asus p4SE800)
Pfsense 2.2.1 & 2.2.2
on a 20GB IDE HD
1 (1000 LAN) on the MB / 1 (1000 haven't really been using) on PCI / 1 (100; WAN) on PCI
I have a single Cable Modem (WAN) from Brighthouse going to Pfsense, then a gigabit switch, then to a desktop and a laptop. (NOTHING wireless as of right now)
I've installed Squid3 / SquidGuard / Snort / PFBlocker.
I have a multitude of what I believe are some concerns I was hoping some of you can help me with.
First being when setting up my WAN I have to set my modem to "NAPT mode Disabled". From my understanding, this disables "Bridge Mode". When my WAN interface is refreshed it first goes to 192.168.100.1, then the interface goes to 0.0.0.0, then to a 184.xx.xxx.xx address. Then my firewall log is hit nonstop with 10.xx.xxx.xx:67 or :68 (along with a steady stream of Microsoft IPs that seem to never really disconnect while my PCs are on).
I'm not sure I have setup the WAN interface correctly (or the SSL Certificates setup correctly)... When going through general setup options for the WAN I leave everything at default including both checkmarks at the bottom & everything functions as it should... BUT was still worried about security... Is there any reason for concern?
The major issue I have been having, and the reason for posting and my concern for security, is that I have noticed the same 24.143.205.xx-24.143.206.xx (another BHN Business IP) in PFtop on every webpage I go to, and then, while I have all the PCs powered off and just pfSense running connected to the modem, I'll still see 24.143.206.xx pop up on the console PFtop...
Without sounding too insane I am starting to think that because I live in an apartment, that maybe my upstairs neighbor has been splicing off my cable?
ANY HELP would be MUCH appreciated!
KOM
You might be part of a local cable loop in your building that doesn't do any segmenting so you could be seeing traffic from your neighbours doing broadcasts, DHCP requests etc. It's just noise that you can ignore.
Is there a way to block noise from getting to port 80?
Maybe it would help if I posted my rules? Also, it would be nice for ANYONE to double check me for mistakes :)
DNS is an alias pointing to OpenDNS servers in the General Settings.
ANY help would be GREAT! and thanks for the response!
What packets exactly are you expecting to arrive on the LAN interface from WAN net with a LAN address destination? Really no idea what your last 3 NAT rules are supposed to do.
The last 2 NAT entries are an attempt to let torrents through to my LAN. The 8080 NAT entry is an attempt to NAT all of port 80 to the proxy... if my thinking is correct. I am not using Transparent mode in Squid; everything for now is manually entered into the browser.
I guess I should have taken the time to fill in descriptions before posting. I apologize :( Happy to answer any other questions.
The last 2 NAT entries are an attempt to let torrents through to my LAN.
Uhm… The last one is completely useless. The other should have WAN address as destination.
The 8080 NAT entry is an attempt to NAT all of port 80 to the proxy... if my thinking is correct. I am not using Transparent mode in Squid; everything for now is manually entered into the browser.
When the proxy is not supposed to be transparent, then what's the point of the NAT here? (Also, the NAT rule is completely broken; draw some simple scheme of the traffic flow and think about it... The packets do NOT come from WAN net, they come from LAN net... and their destination should be ANY if that's some transparent proxy attempt, not LAN address. You do not type the LAN address into your browser if you want to browse e.g. to www.google.com.)
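To make the point in the reply above concrete, here is the same pair of rules written out in pf.conf syntax, as an added example that is not from anyone in the thread (pfSense generates rules of this shape from its NAT pages). Interface names, the LAN subnet, the Squid port 3128 and the torrent port 51413 are assumptions, not values from the thread.

```pf
# Added example, not from the thread. Names and ports below are assumed.
lan_if  = "em0"
lan_net = "192.168.1.0/24"
wan_if  = "em1"
wan_net = "184.0.0.0/8"   # placeholder for the "WAN net" object

# BROKEN, as described in the reply: nothing ever arrives on the LAN
# interface from the WAN subnet addressed to the LAN address on port 80,
# so this redirect can never match a single browser request.
# rdr on $lan_if inet proto tcp from $wan_net to ($lan_if) port 80 \
#     -> 127.0.0.1 port 3128

# Transparent-proxy redirect, only meaningful if Squid runs in
# transparent mode: match what the browser actually sends, which is
# LAN net -> any destination, port 80, and hand it to the local proxy.
rdr on $lan_if inet proto tcp from $lan_net to any port 80 \
    -> 127.0.0.1 port 3128

# Inbound port forward for the torrent client: traffic arrives on WAN
# addressed to the WAN *address*, not to "WAN net" (a whole subnet that
# would never appear as a destination on this box).
rdr on $wan_if inet proto tcp from any to ($wan_if) port 51413 \
    -> 192.168.1.10 port 51413

# A redirect alone does not permit traffic; a matching pass rule on the
# WAN interface is still required, and it should be no wider than the
# single forwarded port.
pass in on $wan_if inet proto tcp from any to 192.168.1.10 port 51413
```

With a manually configured browser proxy, as the original poster has, the transparent `rdr` is simply unnecessary and can be left out entirely.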
I appreciate the help! I understand what you're saying.
Removed the last NAT rule & the 8080 NAT rule.
Changed the remaining torrent NAT rule to a WAN NET Destination.
And left the DNS NAT rule alone.
So far still running :) BUT STILL seeing 24.143.205 and 24.143.206 addresses on every page I go to :( I have tried putting 220.127.116.11/30 & 18.104.22.168/30 in PFBlocker and get over 3000 packets in about 3 hours, and the IPs STILL make it onto port 80!
NOT to get off bearing BUT another question I have is on HTTPS (443) in squid. Is it more secure NOT to run "SSL man in the middle Filtering" in Squid3?
Was thinking SSL man in the middle Filtering might help rid me of this IP… Matter of fact, are there ANY other settings I could change to make my setup more secure?
There have been 2-3 rules I have to suppress and block in Snort to allow Hulu streaming. Including:
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
These rules have been pretty much suppressed and blocked on both Snort WAN & LAN interfaces... From my understanding these alerts are pretty much false positives?
Still trying to get used to PFsense, thanks again for the help!
There is a dedicated subforum for IDS/IPS and another one for proxies - under the Packages section.
Other than that, I'd try with a fresh browser profile and/or safe browser mode without any extensions. Chances are high you have your browser infested with malicious extensions.
I just got done formatting… When I went to my command prompt and pinged www.hulu.com it came back with a 22.214.171.124 IP... I swear the last time I pinged hulu it came back with a "hulu" IP...
BUT either way could you help me with another problem maybe?
Every time I restart pfSense, SquidGuard needs the blacklist downloaded again for me to be able to access the internet. I have placed the blacklist in a directory on the pfSense HD and pointed SquidGuard to the blacklist file location... BUT every time I restart I have to click the download button in the GUI.
The forum for shooting yourself in foot with proxies is here: https://forum.pfsense.org/index.php?board=60.0
Okay. Thank you. 2 more questions if you don't mind and can help :)
First, do you know of any steps I can take to prevent DDoS attacks?
I know of the SYN Proxy…
But do you know of any other settings / firewall rules that might help with NTP and DNS DDoS attacks?
Would it be safe to add NTP to NAT, and then point the NAT to an NTP server set up on a DMZ?
As far as DNS protection, is the best way to protect yourself from DNS DDoS attacks using static DNS and setting up a Dynamic DNS in pfSense? I can only find the same 1 or 2 posts about DDoS protection :(
AND THEN my last question I believe :)
Is there an easy way of getting rid of all these DHCP requests all the time in my logs?