Netgate Discussion Forum

    Using pfSense and Snort to block DoS attacks

    Firewalling
    2 Posts 2 Posters 2.4k Views
    gxgx

      Hello,

      I'm new to pfSense. I run a small datacenter and I recently installed pfSense bridged in my network.

      My interfaces are:

      WAN - Connected to the core switch
      OPT - Bridge IF
      LAN - Connected to the other switch

      All my servers are connected to the same switch as LAN. It works normally.

      But I have some questions about its functionality and log reporting.

      First of all, I simulated a DoS attack from another server (outside the datacenter), using:

      hping3 --udp -p 10000 --destport 10000 --flood 200.XX.XX.XX

      In Status -> Traffic Graphs, it showed 50 Mbit/s (from the source IP of the attack) on the WAN IF and OPT IF, but showed nothing on the LAN IF.

      On the victim server (200.XX.XX.XX) the attack didn't arrive (checked with Linux iftop). It was correctly blocked by pfSense.

      The point is: I couldn't see any log reporting that this source IP (the attacker) was blocked.

      To make sure the attack simulation was working, I plugged my victim server into the core switch; now its Linux iftop showed the packets arriving.

      I tried disabling Snort to check if the attack would pass, and it still didn't pass. I checked my firewall rules (advanced), and everything was disabled.

      My question is: where can I see exactly what traffic is being blocked?

      In the Snort config, under "Blocked", I see no blocked IPs. Also, I'm using emerging_dos.rules, from VRT, with the rules to block DDoS.

      I'm attaching some screenshots of my config.
      snort.jpg

      KOM

        Status - System logs - Firewall shows you what's being blocked on each interface, if that's what you're looking for.

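The firewall log that the reply points at (Status > System Logs > Firewall in the GUI, /var/log/filter.log on the box) is written by filterlog in a CSV layout, so the same question "which source IPs are being blocked, and on which interface" can be answered offline from a copy of the file. The script below is an added example, not code from the original thread or from pfSense itself; it parses filterlog lines for IPv4 and IPv6, keeps only entries whose action is `block`, and tallies them per source address and per interface. The log lines embedded in it are constructed for illustration (documentation addresses, made-up tracker IDs and interface names), not taken from the poster's system, and the field offsets follow the pfSense filterlog format as documented by Netgate. Only rules with logging enabled produce entries at all; the default deny rule logs by default, but a custom block rule without "Log" ticked will drop traffic silently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of pfSense filterlog output (not from a real system).
# Field order after "filterlog[pid]:" is:
#   rule-number, sub-rule-number, anchor, tracker, real-interface, reason,
#   action, direction, ip-version, then the header fields for that IP version:
#   IPv4: tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text,
#         length, source-address, destination-address
#   IPv6: class, flow-label, hop-limit, protocol-text, protocol-id, length,
#         source-address, destination-address
#   followed, for TCP/UDP, by source-port, destination-port, data-length (...)
SAMPLE_LOG = """\
Mar  1 12:00:01 pfSense filterlog[6512]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,203.0.113.5,192.0.2.10,10000,10000,1480
Mar  1 12:00:01 pfSense filterlog[6512]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,203.0.113.5,192.0.2.10,10000,10000,1480
Mar  1 12:00:02 pfSense filterlog[6512]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,203.0.113.5,192.0.2.10,10000,10000,1480
Mar  1 12:00:02 pfSense filterlog[6512]: 70,,,1470000001,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51234,443,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale
Mar  1 12:00:03 pfSense filterlog[6512]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,203.0.113.9,192.0.2.10,5353,10000,1480
Mar  1 12:00:04 pfSense filterlog[6512]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,udp,17,48,2001:db8::5,2001:db8::10,10000,10000,8
"""

# Everything after the syslog prefix is the CSV record we care about.
LOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_filterlog_line(line):
    """Return a dict of the useful fields of one filterlog line, or None
    if the line is not a filterlog record (or is truncated)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
        "action": f[6], "direction": f[7], "ipver": f[8],
    }
    if rec["ipver"] == "4":
        if len(f) < 20:
            return None
        rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
        rest = f[20:]
    elif rec["ipver"] == "6":
        if len(f) < 17:
            return None
        rec["proto"], rec["src"], rec["dst"] = f[12], f[15], f[16]
        rest = f[17:]
    else:
        return None
    # Ports only exist for TCP and UDP; ICMP and others have no port fields.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    return rec


def summarize_blocks(log_text):
    """Count blocked packets per source address and per (interface, source).
    Passed traffic and unparsable lines are ignored."""
    per_src = Counter()
    per_iface = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        per_src[rec["src"]] += 1
        per_iface[rec["iface"]][rec["src"]] += 1
    return per_src, per_iface


def top_blocked_sources(log_text, n=10):
    """The n source addresses with the most block entries, busiest first."""
    per_src, _ = summarize_blocks(log_text)
    return per_src.most_common(n)


if __name__ == "__main__":
    import sys
    # Usage: python3 blocked_sources.py /var/log/filter.log  (path assumed;
    # on older pfSense versions the file is a circular clog and must be
    # exported with `clog /var/log/filter.log` first). With no argument the
    # constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    per_src, per_iface = summarize_blocks(text)
    for src, count in per_src.most_common():
        ifaces = ", ".join(f"{i}={c[src]}" for i, c in per_iface.items() if src in c)
        print(f"{src:40s} blocked {count:6d}  ({ifaces})")
```

Running it against the sample reports 203.0.113.5 blocked three times on em0, the other two block sources once each, and nothing for 198.51.100.7, whose only entry was a pass. The same tally is what the GUI log view shows packet by packet; grouping by source is what makes a flood stand out from ordinary noise.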
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.