Pfsense snort not blocking portscan traffic



  • pfSense Snort is not blocking portscan traffic on the WAN interface. I have checked the preprocessors also. Please guide me. I am a beginner.


  • Rebel Alliance Global Moderator

    What??  You do understand all traffic is blocked by default on the wan…  So only traffic to ports you have forwarded would be allowed...

    So you want snort to do what exactly??  Find an IP that is port scanning you, and when it gets to your forward block that IP from your forward?  What if the first port they scan is a port you have forwarded?



  • @johnpoz:

    What??  You do understand all traffic is blocked by default on the wan…  So only traffic to ports you have forwarded would be allowed...

    So you want snort to do what exactly??  Find an IP that is port scanning you, and when it gets to your forward block that IP from your forward?  What if the first port they scan is a port you have forwarded?

    You really suck you know that John.

    You always have some stupid attitude and half the time you don't even know what you are talking about.

    He's talking about port scans. When do port scans happen? They happen with just about every application that we open nowadays because just about everything is connected to what? The internet!

    No John, they are not all blocked just because of the WAN rule.

    "What??  You do understand all traffic is blocked by default on the wan…  So only traffic to ports you have forwarded would be allowed..."

    This is not true. You don't even have to forward them.

    All you need to do to get a port scan is to open any application that connects to the internet.

    So, no, unless you really know that your box is under attack, there is absolutely no reason to check that option in Snort or Suricata. John had it sorta right when he said the WAN would block them by default but who in their right mind is going to sit in front of a computer and not use it. Port scans? I wouldn't worry about them.

    Btw if you want real protection to complement this wonderful pfSense.

    Check out this. Best $50 I ever spent. It uses two engines. Emsisoft Antimalware and Bitdefender along with the grand online Armor. Best solution I ever had in my life. It's not a scam which is always a plus and it breaks hacker's shit when I play multiplayer games mainly because I have a lot of experience doing so but emsisoft helps a lot and that just leaves me with a warm and fuzzy feelin:)

    http://www.emsisoft.com/en/software/internetsecurity/?id=12431127


  • Rebel Alliance Global Moderator

    Dude how about you understand what you're talking about..  Before you jump on my case..

    "They happen with just about every application that we open nowadays because just about everything is connected to what? The internet!"

    What??? You're completely clueless, aren't you?  Why don't you look up what a port scan is..

    I don't care how many freaking ports you send traffic to.. The default wan rule drops them without any answer…  So what exactly is snort supposed to do extra??

    Let's say you have a website open from source port 14002, and they scan 14002... What do you think pfsense does since you're not coming from the IP of the website.. Yeah that is right it drops it without any sort of response to the sender..

    The only case where pfsense would not block the traffic would be if you forwarded it...



  • "You're completely clueless, aren't you?  Why don't you look up what a port scan is.. "

    All port scans are not the same.

    How about you go look it up.

    Port scans are not dropped if you are using an application that causes a port scan. I don't suppose you play any multiplayer games? Sure they are dropped if you are not using something. But the second you need something whether it's skype, some multiplayer game or what have you. They all do port scans because why? I'll let you figure that out.

    You're about half right with the default WAN rule doing its job by dropping unsolicited connection attempts. But this does not apply to all port scans. Sure there may be a few bad ones. But, most of them are legit because the user is causing them. Why am I picking on you?  Every time that I see your name, you are always belittling someone that is asking for help and yes, half the time the information that you put out is misinformation.

    By the way, when was the last time you opened a website with port 14002?

    "Lets say you have a website open from source port 14002, and they scan 14002"  That is not how it works John. Let's say you just go read up on all the different port scans before trying to throw your theories at me.



  • Seems like one of you is talking about port scans originating from the WAN side,  and one of you is talking about port scans originating from the LAN side (via internal application, etc)…

    Obviously the answer,  and how you deal with it, is different depending on which one you are referring to...



  • I know lol. I was just trolling a little bit. I think he was more talking about what you are saying with people using NMAP and other tools to scan for vulnerable ports and then attack or whatever.  I read way too much about it and I'm quite upset because I can't even run pfsense right now but that will change. I did make it personal with John though. Judging by the amount of negative karma he has, well what can I say, there was something in me that wanted to attack. I kind of had a pitbull moment. But who knows. We may get along someday. Although it would probably take a lot of beer and I don't drink. So not likely.



  • @ajkiu:

    pfSense Snort is not blocking portscan traffic on the WAN interface. I have checked the preprocessors also. Please guide me. I am a beginner.

    Screen shots of your rules on all the interfaces, including floating rules would help.  Snort configuration would help too.

    Out of the box, pfSense (without any added packages) is configured as deny(drop) all inbound on WAN;  that means anything being sent to your box that did not originate from you, gets dropped.  Anything originating from your LAN or your pfSense box and hitting the outside world is allowed and creates a state in pfSense.  Answers to your traffic will be allowed through.

    As an example, you have a PC on the LAN side of your pfSense box, you open a web browser and try to go to www.google.com.  Your PC (ip address F.G.H.I) will pick a source port for the web traffic, say 14002, www.google.com resolves to IP A.B.C.D, so pfSense creates an entry saying source ip: F.G.H.I source port 14002, dest ip A.B.C.D, dest port 80.  Responses from A.B.C.D will match that entry and be allowed through.  If there is no entry in the table traffic inbound to your pfSense box gets dropped.  Just because your PC has a socket open with one end being port 14002, doesn't mean that anyone on the internet can get traffic through.  If someone tried to send to F.G.H.I:14002, but they are at IP W.X.Y.Z, there is no matching state in the table, so the inbound traffic gets dropped.  That's the way stateful firewalls work.  Protocol makes a difference too:  TCP vs UDP, state of a TCP connection also makes a difference.

    Don't forget that when you go to a web page, you are going to wind up with more than one connection taking place.

    Cmellons:  links please for applications that cause port scans or the types of port scans you are referring to?  I'd like to read up on them.  I'd like to point out that john explicitly stated that port 14002 was source port, not dest port.  Since that falls into the typical range of ephemeral ports, it is very likely that one could get source port 14002 on the local ip when they open a socket to some remote ip at port 80.
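The state-table behaviour described in the post above, as an added toy model (constructed example, not pfSense or pf code): an outbound connection from F.G.H.I:14002 to A.B.C.D:80 creates a state entry, the reply from A.B.C.D matches it and passes, and an unsolicited packet from W.X.Y.Z to the same local port finds no state and is dropped. NAT is left out so the addresses line up with the post; the only other way in is an explicit port forward, which is modelled as a (protocol, port) allow list.

```python
"""Toy stateful firewall modelling the WAN default-deny behaviour described
in the thread. Constructed example; not pfSense/pf code. NAT is omitted."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self, port_forwards: Optional[List[Tuple[str, int]]] = None):
        # Explicit WAN port forwards: the one case where unsolicited inbound
        # traffic is allowed, as the thread points out.
        self.port_forwards: Set[Tuple[str, int]] = set(port_forwards or [])
        # State entries keyed as (proto, local_ip, local_port, remote_ip, remote_port).
        self.states: Set[Tuple[str, str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound traffic from the LAN is allowed and creates state.
            self.states.add((pkt.proto, pkt.src_ip, pkt.src_port,
                             pkt.dst_ip, pkt.dst_port))
            return "pass"
        # Inbound: the packet must match an existing state with the roles reversed.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.states:
            return "pass (matches state)"
        if (pkt.proto, pkt.dst_port) in self.port_forwards:
            return "pass (port forward)"
        # Default deny on WAN: silently dropped, no response to the sender.
        return "drop"


def run_scenario() -> List[str]:
    """Replay the thread's example: PC F.G.H.I browses A.B.C.D:80 from
    ephemeral source port 14002, then W.X.Y.Z probes F.G.H.I:14002."""
    fw = StatefulFirewall(port_forwards=[("tcp", 443)])   # hypothetical forward
    packets = [
        Packet("out", "tcp", "F.G.H.I", 14002, "A.B.C.D", 80),   # browser SYN
        Packet("in", "tcp", "A.B.C.D", 80, "F.G.H.I", 14002),    # server reply
        Packet("in", "tcp", "W.X.Y.Z", 40000, "F.G.H.I", 14002), # scan of "open" port
        Packet("in", "tcp", "W.X.Y.Z", 40001, "F.G.H.I", 22),    # scan of closed port
        Packet("in", "tcp", "W.X.Y.Z", 40002, "F.G.H.I", 443),   # hits the forward
        Packet("in", "udp", "A.B.C.D", 80, "F.G.H.I", 14002),    # wrong protocol
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last packet shows the post's point that protocol matters: a UDP datagram from the right remote address and port still does not match a TCP state entry.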



  • "Cmellons:  links please for applications that cause port scans or the types of port scans you are referring to?  I'd like to read up on them.  I'd like to point out that john explicitly stated that port 14002 was source port, not dest port.  Since that falls into the typical range of ephemeral ports, it is very likely that one could get source port 14002 on the local ip when they open a socket to some remote ip at port 80."

    By all means please do. I don't know if there is any way around it though.

    They were games I was playing for the most part. One was Wolfenstein Enemy Territory.

    http://www.splashdamage.com/content/download-wolfenstein-enemy-territory

    I think it's just about every game that uses multiplayer, especially those that involve first person shooting and a lot of other elements such as cheat protection etc…

    All I know is that if I turned on the port scan detection, it would maybe take anywhere from 2 to 5 minutes and then I would get disconnected. Then I would check my snort to see if it went off and sure enough that's what it was. It happened on every server that I joined so I'm pretty sure that it's just standard for games that require p2p interaction. I don't have the screenshot because it was years ago. I stopped playing in 2012. You're welcome to check it out. That game is known to do malicious things so I wouldn't put it on your good system. Hopefully you have an old one.



  • Thanks, I wasn't planning on actually playing any games (not my style), just wanted to understand what type of interaction you were talking about.  If the game is "known to do malicious things", I'd start to argue it's not a game, it's thinly disguised malware.

    Snort is not immune to "false positives"

    So looking at it a bit, it looks to be a "feature" of p2p and multiplayer games.  You are connecting to a server so you create the outbound connection, the protocol requires you to do some special things like port forwarding, so basically you've gone and not only unlocked your front door, you've thrown it wide open and hung out a "party inside, come on in" sign.

    Function of what you were doing not a standard case.

    OP:
    Think of portscans as someone randomly dialing a phone number.  You can't prevent them from dialing your phone number, but your reaction is the important part.  Don't recognize the phone number (assuming caller id)?  Don't answer.  The phone call didn't do anything.
    Same idea with portscans, not much you can do about someone guessing your WAN IP address and knocking on a port.  What you need to do is not let the traffic in.
    This means: start with default deny/reject on the WAN interface.  Don't port forward anything unless you have to.



  • So does pfsense or snort block an IP address that is constantly scanning your IP?  Mikrotik can do this. You can set a rule to blacklist an IP that tries to connect to a closed port X number of times. This is what I want to do with pfsense.



  • Watch your firewall get DDOS'd when your blacklist fills up your memory. I've taken the stance with the goal to make my network inherently secure and not worry about individual IP addresses. If you want to block IPs, do it at a regional level. Adding individual IPs is just a cat and mouse game anyway.
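The "blacklist an IP that hits closed ports X times" idea from the question two posts up, and the memory concern raised in the reply above, as one added example (constructed; not pfSense, Snort or Mikrotik code). It counts distinct blocked destination ports per source inside a time window, bans a source once it crosses the threshold, and keeps the ban table bounded with a hard size cap plus a TTL so a flood of spoofed or rotating sources cannot grow it without limit. The log line format is a constructed one-line-per-drop format, not pfSense's filterlog format.

```python
"""Threshold-based port scan detector with a bounded blacklist.
Constructed example for the thread; the log format below is invented."""
import re
from collections import OrderedDict, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed format: "<unix_ts> block wan <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) block wan (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class ScanDetector:
    def __init__(self, threshold: int = 5, window: int = 60,
                 max_entries: int = 1000, ban_ttl: int = 3600):
        self.threshold = threshold      # distinct closed ports before a ban
        self.window = window            # seconds of history kept per source
        self.max_entries = max_entries  # hard cap on the ban table
        self.ban_ttl = ban_ttl          # seconds a ban lives
        self.hits: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
        # Insertion-ordered so the oldest ban is evicted first when full.
        self.blacklist: "OrderedDict[str, int]" = OrderedDict()

    def _prune(self, now: int) -> None:
        # Expire old bans and forget sources with no recent hits, so neither
        # table grows with the number of addresses ever seen.
        for ip in [ip for ip, exp in self.blacklist.items() if exp <= now]:
            del self.blacklist[ip]
        for ip in [ip for ip, h in self.hits.items()
                   if not h or now - h[-1][0] > self.window]:
            del self.hits[ip]

    def _ban(self, src: str, now: int) -> None:
        while len(self.blacklist) >= self.max_entries:
            self.blacklist.popitem(last=False)   # evict oldest entry
        self.blacklist[src] = now + self.ban_ttl
        self.hits.pop(src, None)

    def observe(self, line: str) -> Optional[str]:
        m = LOG_RE.match(line)
        if not m:
            return None                          # not a drop record we understand
        ts, src, dport = int(m["ts"]), m["src"], int(m["dport"])
        self._prune(ts)
        if src in self.blacklist:
            return "already-banned"
        recent = [(t, p) for t, p in self.hits[src] if ts - t <= self.window]
        recent.append((ts, dport))
        self.hits[src] = recent
        # Count distinct ports, not packets: retries to one port are not a scan.
        if len({p for _, p in recent}) >= self.threshold:
            self._ban(src, ts)
            return "banned"
        return "counted"


# Constructed sample: one scanner sweeping ports, one host retrying port 443.
LOG_LINES = [
    "1000 block wan tcp 198.51.100.7:51000 -> 192.0.2.10:21",
    "1001 block wan tcp 198.51.100.7:51001 -> 192.0.2.10:22",
    "1002 block wan tcp 203.0.113.9:40000 -> 192.0.2.10:443",
    "1003 block wan tcp 198.51.100.7:51002 -> 192.0.2.10:23",
    "1004 block wan tcp 203.0.113.9:40001 -> 192.0.2.10:443",
    "1005 block wan tcp 198.51.100.7:51003 -> 192.0.2.10:25",
    "1006 block wan tcp 198.51.100.7:51004 -> 192.0.2.10:80",
    "1007 block wan tcp 198.51.100.7:51005 -> 192.0.2.10:8080",
    "1008 block wan tcp 203.0.113.9:40002 -> 192.0.2.10:443",
    "not a firewall line",
]


def run_sample() -> Tuple[List[Optional[str]], List[str]]:
    det = ScanDetector(threshold=5, window=60)
    verdicts = [det.observe(line) for line in LOG_LINES]
    return verdicts, sorted(det.blacklist)


if __name__ == "__main__":
    verdicts, banned = run_sample()
    for line, v in zip(LOG_LINES, verdicts):
        print(f"{v!s:15} {line}")
    print("banned:", banned)
```

Counting distinct destination ports rather than raw packet count keeps a host that keeps retrying one blocked port out of the ban list, and the size cap plus TTL is the part that answers the memory objection: with spoofed source addresses the table still cannot exceed `max_entries`, though the flip side is that a determined sender can churn legitimate entries out of it, which is the cat-and-mouse the reply above refers to.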

