Block ip for X minutes



  • Hi,
    I created a rule that blocks a source IP when it creates more than 30 new connections. I want to set this rule in a way that blocks the source IP for X minutes. Is it possible?

    And also, can we set it so that if a source IP has been blocked for X minutes and again creates more than 30 new connections, it is blocked forever? I mean giving a penalty time to the IP?
    Thanks,



  • Based on what I can see in the documentation, there's a default 1 hour block. Not sure if it's configurable. As for making it a permanent block on the second trigger, not sure.
    You can use packages to extend the functionality of a pfSense appliance;  lots of people use snort to implement IDS functionality (I'm not taking a stance on the correctness of running snort on the pfSense appliance), I imagine going through the packages and rules you should be able to do what you want.  Not having done it myself I can't tell you how to implement it.



  • @blackmetal:

    Hi
    You mean when I block an IP it will be blocked for 1 hr, and after 1 hr I should block it again, or am I wrong?

    To the best of my understanding, the default behavior, when an IP gets blocked, is that it will be blocked for 1 hr, then unblocked. If that IP triggers the overload rule again, it will be blocked for another hour, unblocked after an hour, then blocked again if it triggers the overload. Every time the overload is triggered the IP is blocked for an hour, then unblocked.

    I'm also saying that the extra packages may give more control so you could:
    IP triggers an overload, you block it for 1 hour or whatever time you want.  After that time elapses it's unblocked.  If the overload is triggered again you may be able to block it permanently.  That would depend on if there is support in the extra packages and what package you could use.

    I'm going on what I can find in documentation, not because I've actually done it.



  • So when we block an IP manually it does not unblock after 1 hr, right? If pfSense blocks it itself, then it unblocks after an hour.
    And also, can you give the docs link which explains this? I want to read it myself.



  • @blackmetal:

    So when we block an IP manually it does not unblock after 1 hr, right? If pfSense blocks it itself, then it unblocks after an hour.
    And also, can you give the docs link which explains this? I want to read it myself.

    The documentation is part of gold membership, so the best I can give you is to google for things like "pfsense rule connection limit".

    If you have a list of IPs that feed into a package designed to "block traffic from IPs in the list", then it will not unblock.
    If the overload portion of a rule (connection rate limiting) triggers a block, the IP will be blocked for 1 hour, then unblocked.
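To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, from pfSense, or from pf itself) that models the policy the original poster asks for: a source that opens more than 30 new connections inside a short window is blocked for X minutes, the block expires on its own, and a second overload by the same source turns the block into a permanent one. The 10-second window, the 60-minute default (matching the 1-hour block described above) and the IP addresses are constructed assumptions for the simulation; the class is a policy model you could run over your own connection logs, not a pfSense API.

```python
"""Policy model of connection-rate blocking with an expiring block and a
permanent-block escalation. Constructed example; it does not talk to pf or pfSense."""
from collections import defaultdict, deque


class RateLimitBlocker:
    """Block a source that exceeds max_conns new connections within window_s seconds.

    The first overload blocks the source for block_minutes; when the block
    expires the source is allowed again (this is the part pfSense does for you
    after one hour). A second overload, if permanent_on_repeat is set, blocks
    the source permanently, which is the 'penalty' the question asks about.
    """

    def __init__(self, max_conns=30, window_s=10, block_minutes=60, permanent_on_repeat=True):
        self.max_conns = max_conns
        self.window_s = window_s
        self.block_s = block_minutes * 60
        self.permanent_on_repeat = permanent_on_repeat
        self.recent = defaultdict(deque)  # ip -> timestamps of new connections in the window
        self.blocked_until = {}           # ip -> expiry timestamp of a temporary block
        self.strikes = defaultdict(int)   # ip -> how many times the overload has fired
        self.permanent = set()            # ips blocked for good

    def is_blocked(self, ip, now):
        if ip in self.permanent:
            return True
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]    # block has aged out, source is allowed again
            return False
        return True

    def new_connection(self, ip, now):
        """Record one new connection; return 'allow', 'blocked' or 'overload'."""
        if self.is_blocked(ip, now):
            return "blocked"
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop connections older than the window
            q.popleft()
        if len(q) > self.max_conns:
            self.strikes[ip] += 1
            q.clear()
            if self.permanent_on_repeat and self.strikes[ip] >= 2:
                self.permanent.add(ip)
            else:
                self.blocked_until[ip] = now + self.block_s
            return "overload"
        return "allow"


def burst(limiter, ip, start, count, gap=0.1):
    """Simulate `count` new connections from `ip` spaced `gap` seconds apart; return the last verdict."""
    verdict = "allow"
    for i in range(count):
        verdict = limiter.new_connection(ip, start + i * gap)
    return verdict


def simulate(block_minutes=60):
    """Run a constructed timeline and return the verdict at each step."""
    limiter = RateLimitBlocker(max_conns=30, window_s=10, block_minutes=block_minutes)
    noisy = "203.0.113.7"    # constructed address (TEST-NET-3)
    quiet = "198.51.100.9"   # constructed address (TEST-NET-2)
    result = {}
    result["first_burst"] = burst(limiter, noisy, start=0.0, count=31)      # 31st connection trips the limit
    result["during_block"] = limiter.new_connection(noisy, 100.0)           # still inside the block
    result["after_expiry"] = limiter.new_connection(noisy, 3700.0)          # past a 60-minute block
    result["second_burst"] = burst(limiter, noisy, start=4000.0, count=31)  # repeat offence
    result["permanent"] = noisy in limiter.permanent
    result["much_later"] = limiter.new_connection(noisy, 1_000_000.0)
    result["benign"] = burst(limiter, quiet, start=0.0, count=5)            # well under the limit
    return result


if __name__ == "__main__":
    for step, verdict in simulate().items():
        print(f"{step:13s} {verdict}")
```

With the default of 60 minutes the noisy source is allowed again at the 3700-second mark and then blocked permanently after its second burst; with `simulate(block_minutes=120)` it is still blocked at that point, so the second burst never counts as a fresh overload and no permanent block is placed. The expiry step is the piece pfSense already does for you on a one-hour schedule; the escalation counter is the part you would have to add yourself, for instance by feeding repeat offenders into a list that a blocking package consumes, as the last reply suggests.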