Thoughts on Pfsense and the "threats" i see incoming compared to my old router !



  • Hey guys,

    I have been running pfSense for a week now and I must say it was a struggle for me. The learning curve is very steep. On the system I have several packages installed. pfBlockerNG and Snort are the ones that stood out to me the most so far, because of the things they detect and block. And of course with the noticeable false positives.

    Now I have a bit of an odd question: in my old situation with my consumer router, was I less safe than with the pfSense system? I have the feeling I worry about the stuff that is now presented to me. Before, in my old router setup, I never saw any threats.

    I look at those incoming alerts and am amazed that there is so much going on. Why is an IP from Indonesia or from South America scanning my IP?

    How should I put that in perspective? There are a lot of IT pros here, so somebody should have good thoughts on that.

    Greets,

    HJ



  • Well, I'm no IT pro, but since I've been using pfSense running Snort and pfBlockerNG I haven't had to remove a single instance of malware from my desktop.



  • @captain1980:

    Hey guys,

    I have been running pfSense for a week now and I must say it was a struggle for me. The learning curve is very steep. On the system I have several packages installed. pfBlockerNG and Snort are the ones that stood out to me the most so far, because of the things they detect and block. And of course with the noticeable false positives.

    Now I have a bit of an odd question: in my old situation with my consumer router, was I less safe than with the pfSense system? I have the feeling I worry about the stuff that is now presented to me. Before, in my old router setup, I never saw any threats.

    I look at those incoming alerts and am amazed that there is so much going on. Why is an IP from Indonesia or from South America scanning my IP?

    How should I put that in perspective? There are a lot of IT pros here, so somebody should have good thoughts on that.

    Greets,

    HJ

    Nothing too much you have to worry about with those alerts; most of your alerts should be falling into 119 or 120 sid, that's just Snort's way of saying it can't read a packet from your normal interweb browsing and flags it.

    Even with the best firewall, it's up to the user to practice safe browsing. Stay away from unknown sites, unknown downloads, use web-based email. I've been telling all my customers this; the ones that follow it never call me back.. Yeah, bad for business, but I have better things to do with my time  8)

    Foxler
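    As an added example (not from Foxler or anyone in this thread): a small Python script that tallies Snort alert_fast lines by generator and signature id, so the share of the log that comes from the http_inspect preprocessor generators (GID 119 for the client side, GID 120 for the server side) can be separated from actual rule hits before you start worrying. The alert lines are constructed for the example, and the regex assumes the standard alert_fast layout; message texts and rule numbers in the samples are illustrative only.

```python
"""Tally Snort alert_fast lines by generator:signature id (added example).

GID 119 (http_inspect client) and GID 120 (http_inspect server) are
preprocessor generators: they fire on unusual or malformed HTTP, not on a
rule matching known-bad content, so their share of the log is a useful
first filter when triaging a noisy home IDS.
"""
import re
from collections import Counter

# alert_fast layout assumed here (one alert per line):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

PREPROCESSOR_GIDS = {119, 120}  # http_inspect client / server

# Constructed sample lines (RFC 5737 test addresses, illustrative messages).
SAMPLE_ALERTS = [
    "01/20-10:15:32.123456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.7:80",
    "01/20-10:15:33.001002  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.10:51236 -> 203.0.113.7:80",
    "01/20-10:16:02.555000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.7:80 -> 192.168.1.10:51234",
    "01/20-10:17:45.000001  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.12:40000 -> 198.51.100.20:80",
    "01/20-10:20:10.900000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.168.1.1",
    "this line is not a snort alert",
]


def split_endpoint(endpoint):
    """'10.0.0.5:51234' -> ('10.0.0.5', 51234); a bare IPv4 (ICMP) -> (ip, None)."""
    ip, sep, port = endpoint.rpartition(":")
    return (endpoint, None) if not sep else (ip, int(port))


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "classification": m["cls"],
        "priority": int(m["prio"]) if m["prio"] else None,
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(lines, top=5):
    """Count alerts per (gid, sid) and split preprocessor noise from rule hits."""
    per_sig, msgs = Counter(), {}
    total = preproc = 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # unparseable line: skip it rather than guess
        total += 1
        key = (alert["gid"], alert["sid"])
        per_sig[key] += 1
        msgs[key] = alert["msg"]
        if alert["gid"] in PREPROCESSOR_GIDS:
            preproc += 1
    return {
        "total": total,
        "preprocessor": preproc,
        "rule": total - preproc,
        "top": [(gid, sid, n, msgs[(gid, sid)]) for (gid, sid), n in per_sig.most_common(top)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print(f"{report['total']} alerts: {report['preprocessor']} preprocessor, {report['rule']} rule hits")
    for gid, sid, n, msg in report["top"]:
        print(f"  {n:>4}  [{gid}:{sid}] {msg}")
```

    Run it against a real alert file with `summarize(open("/var/log/snort/alert").readlines())`; a log dominated by a handful of 119/120 signatures is the pattern Foxler describes, while rule hits (GID 1 or 3) with a low priority number are the ones worth reading individually.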



  • Ok, thanks for the reply.

    Do you guys also use DNSBL in pfBlockerNG? If yes, how is that working for you…?

    gr,

    hj



    pfBlockerNG and Snort are the ones that stood out to me the most so far.

    Snort is not a set-it-up-and-forget-it application.

    Its because of the things they detect and block. And of course with the noticeable false positives.

    This could be narrowed down by your knowledge about both of these packages and their applications.

    Now I have a bit of an odd question: in my old situation with my consumer router, was I less safe than with the pfSense system?

    Perhaps you would be so friendly as to tell us the vendor, model and name of your router, which is unknown to us? Otherwise we can only imagine and do guesswork that does not really match the whole situation. Normally I would say a consumer router that does SPI & NAT is not less safe than a firewall: everything from outside will be blocked by default and nothing comes in (if there is no security-related hole inside the firmware), and here the differences often begin. pfSense is a firewall distribution under maintenance, and failures or holes will be detected and solved as far and as fast as the developers are able to do or realize; after some time most consumer router vendors cut these actions to press you to get their newest model, for sure not all vendors but most of them. pfSense brings you closer to having some features, options and functions that will never be presented by a normal consumer router; this might make you able to fine-tune the entire traffic more as you become familiar with this system, not more but also not less.

    I have the feeling i worry about the stuff that is now presented to me.

    Becoming fully familiar with pfSense needs several months to several years, depending on the functions, options and features or packages used. And together with Snort, Squid and HAVP it might need many more years before you are a real professional and know exactly what you are doing. A consumer router comes with fewer functions, but is easier to learn and administer.

    Before, in my old router setup, I never saw any threats.

    Was your old router able to show you threats like this?

    I look at those incoming alerts and am amazed that there is so much going on.

    If you are only using SPI & NAT on a consumer router, it will block all traffic that does not come from the internal LAN, so nothing will be shown to anybody.

    Why is an IP from Indonesia or from South America scanning my IP?

    I hope this is a joke, or? This might be someone who is trying out something, someone who entered a false IP address (typo), an automated script doing it, …......

    How should I put that in perspective? There are a lot of IT pros here, so somebody should have good thoughts on that.

    ?? Someone is scanning the Internet IP range by IP range to find some open or buggy systems that he can infect or enter; mostly these are totally automated scans, and sooner or later we all get one of these scans. So nothing wrong with this, I think.

    If pfSense is too hard to learn or to administer for you, you would perhaps be better off going with a consumer router as before. If not, you only have much more to learn about, or such packages as Snort or Squid.

    For many things such as pfSense there are many books out, and now during the hard winter times it would be best to get one or two or perhaps more of them and have something to read!

    • pfSense Book 1 (beginners)
      Link
    • pfSense Book 2 (more experienced users)
      Link
    • Squid Book (beginners, really easy to read and understand)
      Link
    • Snort Book 1 Book 2 Book 3
      Link 1 Link 2 Link 3

    What might it bring you if you ask the same thing more and more and get the same or similar answers? Nothing, in my eyes.



  • The learning curve is very steep.

    It's not a toy for network newbies to dabble with.  You really have to know what you're doing.

    I look at those incoming alerts and am amazed that there is so much going on.

    Don't be.  Get used to it.  The Internet is a Wild West, and someone will be rattling your doorknob every couple of seconds all day every day.

    Why is an IP from Indonesia or from South America scanning my IP?

    The Internet doesn't care about geography.  Bots are looking for hosts to exploit.  They scan all of public IP space.
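    As an added example (my own, not from this poster or the pfSense project): a Python script that turns the "doorknob rattling" into numbers by reading pfSense filterlog lines from syslog and reporting, for inbound blocks on the WAN interface, how many distinct sources there were, which destination ports they probed, which sources came back, and the hit rate per minute. The log lines are constructed with RFC 5737 test addresses; the CSV field order is the pfSense filterlog layout as I understand it (rule, subrule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then ports), the WAN interface name `igb0` and the log year are assumptions, and the script only handles IPv4 TCP/UDP records.

```python
"""Quantify inbound WAN block noise from pfSense filterlog syslog lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Syslog prefix written by pfSense's filterlog daemon, as assumed here:
#   "Jan 20 10:00:00 pfSense filterlog: <csv fields>"   (optionally "filterlog[pid]:")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+filterlog(?:\[\d+\])?:\s+(?P<csv>.*)$"
)

# Constructed sample log: five minutes of WAN (igb0) blocks plus one LAN (igb1) pass.
SAMPLE_LOG = [
    "Jan 20 10:00:00 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,1234,0,DF,6,tcp,60,198.51.100.20,203.0.113.5,43210,23,0,S,1932455556,,65535,,mss",
    "Jan 20 10:01:10 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,112,5,0,none,6,tcp,40,192.0.2.77,203.0.113.5,55021,445,0,S,1,,1024,,",
    "Jan 20 10:02:30 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,9,0,none,17,udp,436,198.51.100.88,203.0.113.5,5060,5060,416",
    "Jan 20 10:03:05 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,240,777,0,none,6,tcp,40,203.0.113.200,203.0.113.5,6000,3389,0,S,7,,8192,,",
    "Jan 20 10:04:00 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,1235,0,DF,6,tcp,60,198.51.100.20,203.0.113.5,43211,23,0,S,1932455557,,65535,,mss",
    "Jan 20 10:04:30 pfSense filterlog: 70,,,1423738500,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,203.0.113.7,51234,80,0,S,1,,65535,,mss",
    "Jan 20 10:05:00 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,60,42,0,none,6,tcp,40,192.0.2.15,203.0.113.5,40001,22,0,S,9,,1024,,",
]


def parse_filterlog(line, year=2016):
    """Parse one syslog filterlog line into a dict, or return None if it does not fit.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    Field positions follow the assumed filterlog layout described in the lead-in.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {
        "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "iface": f[4], "action": f[6], "direction": f[7], "ipver": f[8],
    }
    if f[8] == "4" and len(f) >= 20:
        rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
        if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
            rec["src_port"], rec["dst_port"] = int(f[20]), int(f[21])
    return rec


def summarize_blocks(lines, wan_iface="igb0", year=2016, top=3):
    """Report inbound blocks on the WAN: volume, distinct sources, probed ports, rate."""
    recs = (parse_filterlog(line, year) for line in lines)
    blocked = [r for r in recs if r and r["action"] == "block"
               and r["direction"] == "in" and r["iface"] == wan_iface and "src" in r]
    if not blocked:
        return {"blocked": 0}
    first = min(r["ts"] for r in blocked)
    last = max(r["ts"] for r in blocked)
    span_min = max((last - first).total_seconds() / 60, 1 / 60)  # avoid divide-by-zero
    by_src = Counter(r["src"] for r in blocked)
    return {
        "blocked": len(blocked),
        "distinct_sources": len(by_src),
        "repeat_sources": sorted(ip for ip, n in by_src.items() if n > 1),
        "top_ports": Counter((r["proto"], r["dst_port"]) for r in blocked if "dst_port" in r).most_common(top),
        "per_minute": round(len(blocked) / span_min, 2),
    }


if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_LOG)
    print(f"{report['blocked']} inbound blocks from {report['distinct_sources']} sources, "
          f"{report['per_minute']} per minute")
    print("repeat sources:", report["repeat_sources"])
    for (proto, port), n in report["top_ports"]:
        print(f"  {n:>4}  {proto}/{port}")
```

    Point it at `/var/log/filter.log` (or the clog output on older pfSense builds) and the picture this poster paints falls out directly: many single-shot sources hitting a short list of well-known ports. The `repeat_sources` list is the part that deserves a second look; one-off probes of a closed port do not.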


  • Moderator

    @captain1980,

    You can find more information in the Packages Forum, specifically:

    IDS/IPS (Snort/Suricata):
    https://forum.pfsense.org/index.php?board=61.0

    pfBlockerNG threads:
    https://forum.pfsense.org/index.php?topic=102470.0
    https://forum.pfsense.org/index.php?topic=86212.0



  • @BlueKobold:

    SPI & NAT is not less safe than a firewall, all from outside will be blocked by default and nothing comes in. (If there is no security related hole inside of the firmware)

    NAT is implemented in many different ways, and consumer NATs are riddled with bugs or "features" that can cause gaping security holes while working as designed.



  • Thanks for the replies, guys. Getting there. I think I'll just stick with the basics of pfSense. Works stable so far.

