Netgate Discussion Forum
    Block ip for X minutes

    Firewalling
    5 Posts 2 Posters 1.1k Views
    • blackmetal

      Hi,
      I created a rule that blocks a source IP when it creates more than 30 new connections. I want to set this rule so that it blocks the source IP for X minutes. Is that possible?

      And also, can we set it so that if a source IP is blocked for X minutes and then again creates more than 30 new connections, it is blocked forever? I mean, giving a penalty time to the IP?
      Thanks,

      • mer

        Based on what I can see in the documentation, there's a default 1 hour block. Not sure if it's configurable. As for making it a permanent block on the second trigger, not sure.
        You can use packages to extend the functionality of a pfSense appliance; lots of people use snort to implement IDS functionality (I'm not taking a stance on the correctness of running snort on the pfSense appliance). I imagine that going through the packages and rules you should be able to do what you want. Not having done it myself, I can't tell you how to implement it.

        • mer

          @blackmetal:

          Hi
          You mean that when I block an IP it will be blocked for 1 hr, and after 1 hr I should block it again, or am I wrong?

          To the best of my understanding, the default behavior is that when an IP gets blocked, it will be blocked for 1 hr, then unblocked. If that IP triggers the overload rule again, it will be blocked for another hour, unblocked after an hour, then blocked again if it triggers the overload. Every time the overload is triggered, the IP is blocked for an hour, then unblocked.

          I'm also saying that the extra packages may give more control, so you could:
          IP triggers an overload, you block it for 1 hour or whatever time you want. After that time elapses it's unblocked. If the overload is triggered again you may be able to block it permanently. That would depend on whether there is support in the extra packages and which package you could use.

          I'm going on what I can find in documentation, not because I've actually done it.

          • blackmetal

            So when we block an IP manually it does not unblock after 1 hr, right? If pfSense blocks it itself, then it unblocks after an hour.
            And also, can you give me that docs link which explains this? I want to read it myself.

            • mer

              @blackmetal:

              So when we block an IP manually it does not unblock after 1 hr, right? If pfSense blocks it itself, then it unblocks after an hour.
              And also, can you give me that docs link which explains this? I want to read it myself.

              The documentation is part of gold membership, so the best I can give you is to google for things like "pfsense rule connection limit".

              If you have a list of IPs that feeds into a package designed to "block traffic from IPs in the list", then it will not unblock.
              If the overload portion of a rule (connection rate limiting) triggers a block, the IP will be blocked for 1 hour then unblocked.

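The overload mechanism mer describes, as an added pf configuration example (not from this thread or from pfSense's own sources); the table name, interface, address, rate and the expire interval are assumptions to check against your own install:

```pf
# Added example: how a pf "overload" block and its one-hour expiry fit
# together.  Interface em0, host 192.0.2.10 and the 30/60 rate are
# constructed values; the table name <virusprot> and the 3600 s expire
# are what I believe pfSense uses by default, so verify them locally.

# Sources that exceed the rate are collected in this table.
table <virusprot> persist

# Everything already in the table is dropped; this is the actual block.
block in quick from <virusprot> to any

# The overload clause: more than 30 new connections from one source
# within 60 seconds adds that source to <virusprot>, and "flush global"
# also kills the states that source already has.
pass in quick on em0 proto tcp from any to 192.0.2.10 port 443 \
    flags S/SA keep state \
    (max-src-conn-rate 30/60, overload <virusprot> flush global)

# pf itself never removes table entries.  The "1 hour" in the thread
# comes from a cron job that expires entries older than 3600 seconds:
#
#   /sbin/pfctl -t virusprot -T expire 3600
#
# Changing that number changes the block duration; it is not a
# per-rule setting.  pf has no built-in second-offence escalation, so
# "block forever after the second trigger" needs an external script
# that watches the table and moves repeat offenders into a table that
# is never expired.
```

To see who is currently blocked, `pfctl -t virusprot -T show` lists the table entries.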
              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.