Using Pfsense and snort to block DOS atacks

  • Hello,

    I'm new to Pfsense. I run a small datacenter and I recently installed Pfsense bridged in my network.

    My interfaces are:

    WAN - Connected to the core switch
    OPT - Bridge IF
    LAN - Connected to the other switch

    All my servers are connected to the same switch as LAN. It works normally.

    But I have some questions about its functionality and log reporting.

    First of all, I simulated a DOS attack from another server (outside the datacenter), using:

    hping3 –udp -p 10000 --destport 10000 --flood    200.XX.XX.XX

    In Status -> Traffic graphs , it shown 50 Mbits (from the source IP of the attack) in WAN IF and OPT IF, but shown nothing in LAN IF.

    In the victim server (200.XX.XX.XX) the attack didn't arrive (using linux iftop). It was correctly blocked by Pfsense.

    The point is: I couldn't see any log with the report of having this source IP (attacker) blocked.

    To make sure the attack simulation was going OK, I plugged my victim server in the core switch - now its linux iftop shown the packets entering.

    I tried to disable Snort , to check if the attack would pass, and also, it didn't pass. I have checked my firewall rules (advanced), and everything was disabled.

    My question is: where can I see exactly what traffic is being blocked?

    In Snort config, under "Blocked", I can see no blocked IPs. Also, I'm using emerging_dos.rules , from VRT , with the rules to have DDOS blocked.

    I'm attacking some screens of my config.

  • Status - System logs - Firewall shows you what's being blocked on each interface, if that's what you're looking for.

Log in to reply