Re: [pfSense] How could I block messages trying to pass as from my net?
On 5/18/2018 10:42 AM, Alberto José García Fumero wrote:
> I'm trying to block spam (for instance, from 185.234.217.232). As far as I know, it's trying to pass as a message from my very net:
>
> Transcript of session follows.
>
> From: Mail Delivery System
> To: Postmaster
> Subject: Postfix SMTP server: errors from unknown[185.234.217.232]
> Date: Fri, 18 May 2018 10:10:39 -0400 (CDT)
>
> Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
> In: EHLO 190.6.79.98
> Out: 250-partagas.ettpartagas.co.cu
> Out: 250-PIPELINING
> Out: 250-SIZE 1524
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: AUTH LOGIN
> Out: 503 5.5.1 Error: authentication not enabled
> Session aborted, reason: lost connection
>
> For other details, see the local mail logfile
>
> but the MTA correctly rejects it as a fake.

It might not be good to describe what happened here as your MTA rejecting the connection as a fake. If your MTA were configured to reject a connection because the EHLO contains your IP address (which is unlikely), that isn't what happened here. Your MTA returned a 503 error to the sending server because your MTA is not configured to accept an AUTH login. 250-AUTH is not part of its response to the EHLO. Most mail servers accept AUTH only on port 465 or port 587.

> I have created an alias list (rechaza) in the menu Firewall/Aliases, where I put all the addresses known to be spammers, and tried to reject them with the rule in Firewall/Rules/WAN
>
> Action: Block
> Interface: WAN
> TCP/IP version: IPv4
> Protocol: TCP
> Source: (single host or alias) rechaza
> Destination: 190.6.79.98
> Destination port range: any
>
> but I can not stop the spam right in the WAN interface.

If you take a look at Status > System Logs > Firewall and notice what you see for Source and Destination, this can help you understand better how filtering and NAT work.

For your WAN interface, Source will be the public IP of the origin of the packet. If there is no port forwarding configured for the destination port, no NAT occurs, so the destination address will be your public IP. If port forwarding is configured for the destination port, then NAT does apply and the destination address will be your LAN IP. It helps to keep this in mind when developing rules. It is a good idea to not be too specific with rules.

Since you are running a mail server you must have port 25 forwarded to the mail server LAN IP. Because of NAT for port 25, specifying your public IP 190.6.79.98 as the destination prevents the rule from matching. Because of NAT, to have a match you would need to have the mail server LAN IP as the destination. You probably want to block the IP from going to any destination though, regardless of whether the destination port is forwarded or not. So in your rule you want

Destination: any

instead of

Destination: 190.6.79.98

If you were to add another LAN interface to pfSense in the future the rule will continue to match then as well. If you are intending to block all traffic, not just TCP, from the source, you want

Protocol: any

On 5/18/2018 12:52 PM, Alberto José García Fumero wrote:
> Could I create a rule saying, for instance: "reject packets originating (apparently!) from the WAN address and directed to my WAN address"? (as they are trying to forge identity)

This is unnecessary. There is no way for a system on the Internet to establish a TCP connection that apparently originates from your WAN address.

If you are running a mail server or anything else that faces the Internet, hopefully you are using snort or suricata and are just trying to supplement with your own rules. There is no way you could maintain an effective list of addresses to block with just your own rules. You should also be using anti-spam measures on your mail server as well.

-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
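The NAT-before-filter ordering John describes, worked through as an added example. This is constructed for this page; it is not code from the thread or from pfSense. It takes 185.234.217.232, 190.6.79.98, port 25 and the rechaza alias from the thread and assumes a LAN address of 192.168.1.25 for the mail server, a single port forward for TCP/25, and a first-match rule list with the user's block rule above the port forward's pass rule.

```python
"""Toy model of pfSense WAN filtering: port forward (rdr) first, then
first-match rules. Added example, not pfSense code; the LAN address,
the rule names and the port-forward pass rule are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp"
    src: str                      # source address as seen on WAN
    dst: str                      # destination address as seen on WAN
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class PortForward:
    """One 'NAT: Port Forward' entry (an rdr rule)."""
    proto: str
    wan_ip: str
    port: int
    lan_ip: str


@dataclass(frozen=True)
class Rule:
    """One 'Firewall: Rules: WAN' entry; 'any' means unrestricted."""
    name: str
    action: str             # "block" or "pass"
    proto: str              # "any" or a protocol name
    src: FrozenSet[str]     # alias contents (addresses/networks) or {"any"}
    dst: str                # "any" or an address/network
    dport: str              # "any" or a port number as text


def apply_port_forwards(pkt: Packet, forwards: List[PortForward]) -> Packet:
    """rdr runs before filtering on the inbound interface: a forwarded port
    has its destination rewritten to the LAN host before any WAN rule is
    evaluated. Everything else keeps the public IP as destination."""
    for fw in forwards:
        if pkt.proto == fw.proto and pkt.dst == fw.wan_ip and pkt.dport == fw.port:
            return replace(pkt, dst=fw.lan_ip)
    return pkt


def _in(addr: str, spec: str) -> bool:
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if "any" not in rule.src and not any(_in(pkt.src, s) for s in rule.src):
        return False
    if rule.dst != "any" and not _in(pkt.dst, rule.dst):
        return False
    if rule.dport != "any" and str(pkt.dport) != rule.dport:
        return False
    return True


def wan_decision(pkt: Packet, forwards: List[PortForward],
                 rules: List[Rule]) -> Tuple[str, str, str]:
    """Return (action, destination the rules saw, name of matching rule).
    User rules are first-match, so list order matters; anything unmatched
    falls to the interface default of block."""
    seen = apply_port_forwards(pkt, forwards)
    for rule in rules:
        if rule_matches(rule, seen):
            return rule.action, seen.dst, rule.name
    return "block", seen.dst, "default deny"


# Constructed scenario from the thread; MAIL_LAN is an assumption.
WAN_IP = "190.6.79.98"
MAIL_LAN = "192.168.1.25"
RECHAZA = frozenset({"185.234.217.232"})          # the 'rechaza' alias
FORWARDS = [PortForward("tcp", WAN_IP, 25, MAIL_LAN)]
# pfSense adds a pass rule for each port forward; assumed to sit below the block rule.
SMTP_PASS = Rule("port forward 25", "pass", "tcp", frozenset({"any"}), MAIL_LAN, "25")

AS_POSTED = Rule("block rechaza (dst WAN IP)", "block", "tcp", RECHAZA, WAN_IP, "any")
FIXED = Rule("block rechaza (dst any)", "block", "any", RECHAZA, "any", "any")

SPAM_SMTP = Packet("tcp", "185.234.217.232", WAN_IP, 25)
SPAM_HTTPS = Packet("tcp", "185.234.217.232", WAN_IP, 443)   # no forward for 443
SPAM_PING = Packet("icmp", "185.234.217.232", WAN_IP)


def demo() -> dict:
    return {
        # forwarded port: the rules see the LAN IP, so 'dst = public IP' never matches
        "smtp_as_posted": wan_decision(SPAM_SMTP, FORWARDS, [AS_POSTED, SMTP_PASS]),
        # non-forwarded port: no NAT, the public IP is the destination, rule matches
        "https_as_posted": wan_decision(SPAM_HTTPS, FORWARDS, [AS_POSTED, SMTP_PASS]),
        # 'dst any' matches whatever the destination became after rdr
        "smtp_fixed": wan_decision(SPAM_SMTP, FORWARDS, [FIXED, SMTP_PASS]),
        # 'proto any' also catches non-TCP from the alias; 'proto tcp' lets it fall through
        "ping_fixed": wan_decision(SPAM_PING, FORWARDS, [FIXED, SMTP_PASS]),
        "ping_as_posted": wan_decision(SPAM_PING, FORWARDS, [AS_POSTED, SMTP_PASS]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

The instructive case is smtp_as_posted: the block rule is skipped because the destination the filter sees is already the LAN address, and the packet is accepted by the port forward's own pass rule. Checking the Destination column in Status > System Logs > Firewall shows the same post-NAT address.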
Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
On 5/16/18 12:25 PM, WebDawg wrote:
> It is high risk compared to serial, but when you are doing the job remotely, and the pfsense device is your core router, how do I log in and see the serial data?

Dial-up modem? Just couldn't resist...

-
John J.
Re: [pfSense] OpenVPN binds to wrong interface with no ip
On 11/8/17 8:04 PM, Adrian Zaugg wrote:
> On 08.11.17 16:55, WebDawg wrote:
>> Do you know this to be true because credentials and such are hosted on one interface, but not another?
> It is clear from the logs and from the credentials asf. as well.

In a dual WAN configuration a single instance of OpenVPN can be configured on localhost 127.0.0.1 and will be reachable via both WAN interfaces.

https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

Is this an option for you?

-
John J.
Re: [pfSense] Multiple SSIDs
On Nov 24, 2015, at 10:50 AM, Steve Yates wrote:
> Steve Yates wrote on Tue, Nov 24 2015 at 9:28 am:
>> We haven't used wireless with pfSense yet. The manuals for the hardware models don't seem to mention how to set up the optional wireless. The doc site suggests not using wireless in pfSense? (https://doc.pfsense.org/index.php/Should_I_use_pfSense_as_my_access_point) It also says that some cards can handle multiple SSIDs (https://doc.pfsense.org/index.php/Wireless_Interfaces). Does anyone know if pfSense's hardware models support multiple SSIDs?

I haven't used wireless with pfSense. From what I've glanced at in the freebsd-questions mailing list, wireless with FreeBSD is very much a hit or miss situation. I'd definitely stick with an external access point.

My company has a D-Link DAP-2660. It's not running through pfSense though. It has multiple SSID capability although we're not using it. You can configure each SSID to a VLAN. It only gets light use and works well.

-
John J.
Re: [pfSense] Snort questions
On 11/6/15 5:47 PM, Sergii Cherkashyn wrote:
> Thank you John, but it doesn't seem to work. I can download the archive file, but inside it has a Barnyard2 folder with int.waldo files in it and three more files - int.stats, alert and some snort_randomnumber file. None of them seems to be in pcap format and contain the pattern of the traffic that triggered the alert.

I haven't used Barnyard2 so I'm not sure what's in there and since I haven't enabled it, that folder is empty in my download file.

In the tar file are files with a name snort.log.unix-timestamp. These are pcap files that can be opened with something like Wireshark or tcpdump. The alert files are the alerts in CSV format. This must be documented somewhere but I don't know where. I just browsed through these files to figure this out.

You might already be aware of this but just in case. The files do not have filename extensions so you need to explicitly open the files if you are looking at them under Windows or Mac OS, e.g. right-click then Open with, or start Wireshark then open the files from the File Open dialog.

-
John J.
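Since the snort.log.<timestamp> files carry no extension, a quick way to tell the pcaps from the CSV alert files and the Barnyard2 state files is to look at their first bytes rather than their names. The following is an added example written for this page, not code from the thread or from the pfSense Snort package: it builds a small tar archive in memory with a constructed two-packet pcap, a constructed alert line and a binary Barnyard2 file, then classifies every member by its magic bytes and walks the classic pcap record headers to count packets. The member names and the alert line are assumptions modelled on the thread's description.

```python
"""Identify Snort log download members by content. Added example; the tar
layout, sample packets and alert line are constructed for the demo."""
import io
import struct
import tarfile
from typing import Dict, List, Optional, Tuple

# libpcap global-header magics (usec/nsec, both byte orders) and the
# pcapng Section Header Block type, as they appear on disk.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, usec)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, usec)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nsec)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nsec)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}
_LE = {b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"}
_BE = {b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"}


def classify(head: bytes) -> str:
    """Type of a file from its first bytes: pcap flavour, text, or binary."""
    if head[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[head[:4]]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"          # Snort's alert/stats files are plain text
    return "binary (unknown)"


def pcap_packet_count(data: bytes) -> int:
    """Count records in a classic pcap: 24-byte global header, then
    16-byte record headers (ts_sec, ts_frac, incl_len, orig_len) + data."""
    magic = data[:4]
    if magic in _LE:
        order = "<"
    elif magic in _BE:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off, count = 24, 0
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16 + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        count += 1
    return count


def build_sample_pcap(packets: List[bytes]) -> bytes:
    """Constructed little-endian pcap v2.4, linktype 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(
        struct.pack("<IIII", 1446829620 + i, 0, len(p), len(p)) + p
        for i, p in enumerate(packets)
    )
    return hdr + recs


def build_sample_tar() -> bytes:
    """Constructed stand-in for the Snort 'Download' archive (names assumed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add("snort.log.1446829620", build_sample_pcap([b"\x00" * 60, b"\xff" * 74]))
        add("alert", b'11/06/15-17:47:01,1,2100498,7,"constructed sample alert",TCP,'
                     b"10.0.0.5,192.0.2.10,443\n")
        add("barnyard2/int.waldo", b"\x00" * 16)
    return buf.getvalue()


def inventory(tar_bytes: bytes) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map member name -> (kind, packet count for classic pcaps else None)."""
    result: Dict[str, Tuple[str, Optional[int]]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            kind = classify(data[:64])
            count = pcap_packet_count(data) if kind.startswith("pcap (") else None
            result[member.name] = (kind, count)
    return result


if __name__ == "__main__":
    for name, (kind, count) in inventory(build_sample_tar()).items():
        print(f"{name:24s} {kind:28s} {count if count is not None else ''}")
```

On a real download, replace build_sample_tar() with the bytes of the archive from Services > Snort > Alerts; anything reported as a pcap flavour is what to hand to Wireshark or tcpdump, whatever its name.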
Re: [pfSense] Snort questions
On 11/5/2015 12:06 PM, Sergii Cherkashyn wrote:
> 2. Is there any way to see what exact traffic/pattern triggered the Snort Alert? I know how to find the rule description that the potentially harmful traffic matched, but interested to see the exact traffic log that triggered the alert. I'd like to have more information before marking it as a false positive for my environment and start ignoring or disable some rules.

Snort saves the packets that triggered the alert in pcap format. You can download these from pfSense and view them with Wireshark. From Services > Snort > Alerts tab, by Save or Remove Logs, click Download.

-
John J.
Re: [pfSense] Access control
Forgot to send to the list.

-
John J.

Original message:
From: John Johnstone
Date: October 12, 2015 at 4:04:22 PM EDT
To: Brian Caouette
Subject: Re: [pfSense] Access control

> On 10/12/2015 3:51 PM, Brian Caouette wrote:
>> So a schedule in pfSense rules vs defined times in the radius package? Would that give an error that they're outside their times in the captive portal screen? I'll play with this later and see if I can wrap my head around it. Thank you for the idea!

I haven't used the captive portal so I don't know how the idea would interact with it. I was thinking of this being a simple alternative to the portal / radius approach. If the concept works, the kids' traffic will just pass or not depending on the time of day. There wouldn't be any user friendly errors that will let them know when they are being blocked.

-
John J.

>> Brian Caouette
>> (207) 212-6560
>>
>> Visit my websites:
>> www.djbrianc.us
>> www.proprintmaine.com
>> www.realtruth.biz
>>
>> and Michelle's:
>> www.msphotographymaine.com
>> www.ltaphoto.com
>>
>> Original message
>> From: John Johnstone
>> Date: 10/09/2015 11:52 AM (GMT-05:00)
>> To: list@lists.pfsense.org
>> Subject: Re: [pfSense] Access control
>>
>> On 10/4/15 9:56 AM, Brian Caouette wrote:
>>> Using captive portal and free radius package. Is there a way to block a user name from a specific device? User has access to any device while logged in but can't login if on device b? Trying to limit kids' internet which works but they're sneaky and use common guest account which I don't want to block so wondering if I can prevent their devices from connecting with guest account.
>>>
>>> DJ-BrianC (207) 212-6560
>>> www.djbrianc.us
>>
>> This is a different approach but maybe you could:
>>
>> o Create DHCP static leases for the kids' devices
>> o Define a schedule for access
>> o Create a rule for their IPs that uses the schedule
>>
>> It can be circumvented if they use some other device but it might be good enough.
>>
>> -
>> John J.
Re: [pfSense] Access control
On 10/4/15 9:56 AM, Brian Caouette wrote:
> Using captive portal and free radius package. Is there a way to block a user name from a specific device? User has access to any device while logged in but can't login if on device b? Trying to limit kids' internet which works but they're sneaky and use common guest account which I don't want to block so wondering if I can prevent their devices from connecting with guest account.
>
> DJ-BrianC (207) 212-6560
> www.djbrianc.us

This is a different approach but maybe you could:

o Create DHCP static leases for the kids' devices
o Define a schedule for access
o Create a rule for their IPs that uses the schedule

It can be circumvented if they use some other device but it might be good enough.

-
John J.