Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-22 Thread John Johnstone

On 5/18/2018 10:42 AM, Alberto José García Fumero wrote:


Im trying to block spam (for instance, from 185.234.217.232).
As far as I know, it's trying to pass as a message from my very net:

Transcript of session follows.
De: Mail Delivery System 
Para:   Postmaster 
Asunto: Postfix SMTP server: errors from
unknown[185.234.217.232]
Fecha:  Fri, 18 May 2018 10:10:39 -0400 (CDT)
  Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
  In:  EHLO 190.6.79.98
  Out: 250-partagas.ettpartagas.co.cu
  Out: 250-PIPELINING
  Out: 250-SIZE 1524
  Out: 250-ETRN
  Out: 250-STARTTLS
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  AUTH LOGIN
  Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.


It might not be good to describe what happened here as your MTA rejected 
the connection as a fake.  If your MTA is configured to reject a 
connection because the EHLO contains your IP address (which is 
unlikely), that isn't what happened here.


Your MTA returned a 503 error to the sending server because your MTA is 
not configured to accept an AUTH login.  250-AUTH is not part of its 
response to the EHLO.  Most mail servers accept AUTH only on port 465 or 
port 587.



I have created an alias list (rechaza) in the menu Firewall/Aliases,
where I put all the addresses known to be spammers, and tried to reject
them with the rule in Firewall/Rules/WAN

Action: Block
Interface: WAN
TCP/IP version: IPV4
Protocol: TCP
Source: (single hots or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I can not stop the spam right in the WAN interface.


If you take a look at Status > System Logs > Firewall and notice what 
you see for Source and Destination this can help you understand better 
how filtering and NAT works.  For your WAN interface, Source will be the 
public IP of the origin of the packet.  If there is no port forwarding 
configured for the destination port, no NAT occurs so the destination 
address will be your public IP.  If port forwarding is configured for 
the destination port, then NAT does apply and the destination address 
will be your LAN IP.  It helps to keep this in mind when developing rules.


It is a good idea to not be too specific with rules.  Since you are 
running a mail server you must have port 25 forwarded to the mail server 
LAN IP.  Because of NAT for port 25, specifying your public IP 
190.6.79.98 as the destination prevents the rule from matching.  Because 
of NAT, to have a match you would need to have the mail server LAN IP as 
the destination.


You probably want to block the IP from going to any destination though 
regardless of whether the destination port is forwarded or not.  So in 
your rule you want


Destination: any

instead of


Destination: 190.6.79.98


If you were to add another LAN interface to pfSense in the future the 
rule will continue to match then as well.


If you are intending to block all traffic, not just TCP, from the 
source, you want


Protocol: any


On 5/18/2018 12:52 PM, Alberto José García Fumero wrote:


Could I create a rule saying, for instance: "reject packets originating
(apparently!) from the WAN address and directed to my WAN address? (as
they are trying to forge identity)


This is unnecessary.  There is no way for a system on the Internet to 
establish a TCP connection that apparently originates from your WAN address.


If you are running a mail server or anything else that faces the 
Internet, hopefully you are using snort or suricata and are just trying 
to supplement with your own rules.  There is no way you could maintain 
an effective list of addresses to block with just your own rules.  You 
should also be using anti-spam measures on your mail server as well.


-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-17 Thread John Johnstone

On 5/16/18 12:25 PM, WebDawg wrote:


It is high risk compared to serial, but when you are doing the job
remotely, and the pfsense device is your core router, how do I log in
and see the serial data?


Dial-up modem?  Just couldn't resist...

-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] OpenVPN binds to wrong interface with no ip

2017-11-08 Thread John Johnstone

On 11/8/17 8:04 PM, Adrian Zaugg wrote:



On 08.11.17 16:55, WebDawg wrote:

Do you know this to be true because credentials and such are hosted on
one interface, but not another?


It is clear from the logs and from the credentials asf. as well.


In a dual WAN configuration a single instance of OpenVPN can be 
configured on localhost 127.0.0.1 and will be reachable via both WAN 
interfaces.


https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN

Is this an option for you?

-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Multiple SSIDs

2015-11-27 Thread John Johnstone
On Nov 24, 2015, at 10:50 AM, Steve Yates  wrote:
> 
> Steve Yates wrote on Tue, Nov 24 2015 at 9:28 am:
>>We haven't used wireless with pfSense yet.  The manuals for the
>> hardware models don't seem to mention how to set up the optional
>> wireless. The doc site suggests not using wireless in pfSense?
>> (https://doc.pfsense.org/index.php/Should_I_use_pfSense_as_my_access_poi
>> nt)  It also says that some cards can handle multiple SSIDs
>> (https://doc.pfsense.org/index.php/Wireless_Interfaces).  Does anyone
>> know if pfSense's hardware models support multiple SSIDs?

I haven't used wireless with pfSense.  From what I've glanced at in the 
freebsd-questions mailing list, wireless with FreeBSD is very much a hit or 
miss situation.  I'd definitely stick with an external access point.

My company has a D-Link DAP-2660.  It's not running through pfSense though.  It 
has multiple SSID capability although we're not using it.  You can configure 
each SSID to a VLAN.  It only gets light use and works well.

-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Snort questions

2015-11-07 Thread John Johnstone

On 11/6/15 5:47 PM, Sergii Cherkashyn wrote:


Thank you John, but it doesn't seem to work.

I can download the archive file, but inside it has Barnyard2 folder with
int.waldo files in it and three more files - int.stats, alert and some
snort_randomnumber file. none of them seems to be in pcap format and
contain the pattern of the traffic that triggered the alert.


I haven't used Barnyard2 so I'm not sure what's in there and since I 
haven't enabled it, that folder is empty in my download file.


In the tar file are files with a name snort.log.unix-timestamp.  These 
are pcap files that can be opened with something like Wireshark or 
tcpdump.  The alert files are the alerts in csv format.


This must be documented somewhere but I don't know where.  I just 
browsed through these files to figure this out.


You might already be aware of this but just in case.  The files do not 
have filename extensions so you need to explicitly open the files if you 
are looking at them under Windows or Mac OS e.g. right-click then Open 
with or start Wireshark then open the files from the File Open dialog.


-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Snort questions

2015-11-06 Thread John Johnstone

On 11/5/2015 12:06 PM, Sergii Cherkashyn wrote:


2. Is there any way to see what exact traffic/pattern triggered the
Snort Alert? I know how to find the rule description that the
potentially harmful traffic matched, but interested to see the exact
traffic log that triggered the alert. I'd like to have more information
before marking it as a false positive for my environment and start
ignoring or disable some rules.


Snort saves the packets that triggered the alert in pcap format.  You 
can download these from pfSense and view them with Wireshark.


From Services > Snort > Alerts tab by Save or Remove Logs, click Download.

-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Access control

2015-10-12 Thread John Johnstone

On 10/4/15 9:56 AM, Brian Caouette wrote:



Using captive portal and free radius package. Is there a way to block a
user name from a specific device? User has access to any device while
logged in but can't login if on device b? Trying to limit kids internet
which works but their sneaky and use common guest account which I don't
want to block so wondering if I can prevent their devices from
connection with guest account.

DJ-BrianC(207) 212-6560
www.djbrianc.us


This is a different approach but maybe you could:

o  Create DHCP static leases for the kids devices
o  Define a schedule for access
o  Create a rule for their IP's that uses the schedule

It can be circumvented if they use some other device but it might be 
good enough.


-
John J.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Access control

2015-10-12 Thread John Johnstone
Forgot to send to the list.

-
John J.

Original message:
From: John Johnstone <jjohnstone-pfsensel...@tridentusa.com>
Date: October 12, 2015 at 4:04:22 PM EDT
To: Brian Caouette <bri...@dlois.com>
Subject: Re: [pfSense] Access control

> On 10/12/2015 3:51 PM, Brian Caouette wrote:
> So a schedule in pfsense rules vs definitely ed times in the radius
> package? Would that give an error that their outside their times in the
> captive portal screen? I'll play with this later and see if i can wrap
> my head around it. Thank you for the idea!

I haven't used the captive portal so I don't know how the idea would interact 
with it.  I was thinking of this being a simple alternative to the portal / 
radius approach.  If the concept works, the kids traffic will just pass or not 
depending on the time of day.  There wouldn't be any user friendly errors that 
will let them know when they are being blocked.

-
John J.

> 
>> Brian Caouette
>> (207) 212-6560
>> 
>> *Visit my websites:*
>> /www.djbrianc.us/
>> /www.proprintmaine.com/
>> /www.realtruth.biz/
>> 
>> *and Michelle's:*
>> /www.msphotographymaine.com/
>> /www.ltaphoto.com/
>> 
>> 
>>  Original message 
>> From: John Johnstone <jjohnstone-pfsensel...@tridentusa.com>
>> Date: 10/09/2015 11:52 AM (GMT-05:00)
>> To: list@lists.pfsense.org
>> Subject: Re: [pfSense] Access control
>> 
>> On 10/4/15 9:56 AM, Brian Caouette wrote:
>> >
>> >
>> >Using captive portal and free radius package. Is there a way to block a
>> > user name from a specific device? User has access to any device while
>> > logged in but can't login if on device b? Trying to limit kids internet
>> > which works but their sneaky and use common guest account which I don't
>> > want to block so wondering if I can prevent their devices from
>> > connection with guest account.
>> >
>> > DJ-BrianC(207) 212-6560
>> > www.djbrianc.us
>> 
>> This is a different approach but maybe you could:
>> 
>> o  Create DHCP static leases for the kids devices
>> o  Define a schedule for access
>> o  Create a rule for their IP's that uses the schedule
>> 
>> It can be circumvented if they use some other device but it might be
>> good enough.
>> 
>> -
>> John J.
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold