pfSense users, what exactly do you log?


I would also suggest using pfBlockerNG, which now supports DNS blocks.


Sent from my iPad using Tapatalk

Wolf, what exactly would you use pfBlockerNG for in this situation?
 
I also want to setup log analysis like ELK or Splunk, but haven't got into that yet.

I've been tinkering about with ElasticSearch stuff...

Splunk is pretty awesome, I used to use it quite a bit back in the day - it's tough to get optimized a bit (indexes are awesome!!!), but once sorted - kind of overkill for a home network, but nice for a lab instance to learn Splunk.
 
One hiccup I'm having is when my wife connects her VPN to her work. A computer on her company's network tries to port scan my network and Snort blocks it, which results in her not being able to use her VPN. I'm debating whether to suppress that or not, as I don't feel they should be port scanning my network.

should be able to put snort into a warn state vs. block, and then just block that machine at the FW...

it's probably the VPN server port knocking the client to check that it is who it says it is - any mention of what the VPN client software is?
 
Wolf, what exactly would you use pfBlockerNG for in this situation?
My pfSense is set to block everything except what I decided to allow. I am not scared of external threats since unsolicited WAN traffic is blocked by default. My focus is on internal clients and the possibility of getting into malicious sites and content. pfBlockerNG blocks clients from starting connections to IP ranges and DNS names that I blacklisted. Snort is in warning/watching state; I check Snort logs for suspicious behavior. Each client (PC) uses its own antivirus, I don't run any on pfSense.
Any external connection to my LAN is via VPN.
Basically I use pfSense firewall capabilities plus pfBlockerNG as the sole defense wall.

Sent from my iPad using Tapatalk
 
should be able to put snort into a warn state vs. block, and then just block that machine at the FW...

it's probably the VPN server port knocking the client to check that it is who it says it is - any mention of what the VPN client software is?
Her VPN will not connect with the port knocking machine blocked. I allow Snort to block it, but I imagine letting the FW block it would cause the same problem, no? If I remember correctly her VPN client app is Cisco.
 
My pfSense is set to block everything except what I decided to allow. I am not scared of external threats since unsolicited WAN traffic is blocked by default. My focus is on internal clients and the possibility of getting into malicious sites and content. pfBlockerNG blocks clients from starting connections to IP ranges and DNS names that I blacklisted. Snort is in warning/watching state; I check Snort logs for suspicious behavior. Each client (PC) uses its own antivirus, I don't run any on pfSense.
Any external connection to my LAN is via VPN.
Basically I use pfSense firewall capabilities plus pfBlockerNG as the sole defense wall.

Sent from my iPad using Tapatalk

I guess I kind of do that same thing with Squid/SquidGuard...
 
I guess I kind of do that same thing with Squid/SquidGuard...

Yes, Squid can do that; I prefer pfBlockerNG because it natively uses the pfSense firewall and Unbound: few resources and great effectiveness.


Sent from my iPad using Tapatalk
 
Her VPN will not connect with the port knocking machine blocked. I allow Snort to block it, but I imagine letting the FW block it would cause the same problem, no? If I remember correctly her VPN client app is Cisco.

Yep, same here - you have to whitelist that IP/range of IPs...
 
Yes, Squid can do that; I prefer pfBlockerNG because it natively uses the pfSense firewall and Unbound: few resources and great effectiveness.

Does PFBNG do AV scanning of traffic?
 
Does PFBNG do AV scanning of traffic?
Nope. It uses IP and DNS lists to block, passing IPs to the firewall (Floating Rules) and DNS to Unbound (towards a trash/fake DNS server). It simply blocks, no scan of traffic content like Snort.


Sent from my iPad using Tapatalk
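The DNS half of the mechanism described above (blocked names answered by Unbound with a fake/sinkhole address instead of the real one), as an added illustration that is not pfBlockerNG's own generator: a small Python script that parses a constructed sample feed, honours a constructed whitelist (the same idea as whitelisting the VPN endpoint discussed earlier in this thread) and emits Unbound local-zone/local-data entries pointing at an assumed sinkhole address.

```python
"""Added illustration of the pfBlockerNG DNSBL mechanism described above; not pfBlockerNG's own code.
Feed, whitelist and sinkhole address are constructed sample values; output uses Unbound's local-zone syntax."""
import ipaddress
import re

# Constructed sample feed mixing hosts-file lines, bare domains and comments.
SAMPLE_LIST = """\
# constructed sample DNSBL feed
0.0.0.0 ads.example-tracker.test
127.0.0.1 malware.example-bad.test  # trailing comment
Bad-Site.EXAMPLE-bad.test
evil.example-bad.test
not a domain!!
"""
SINKHOLE_IP = "10.10.10.1"             # assumed sinkhole ("fake DNS server") address
WHITELIST = {"evil.example-bad.test"}  # constructed exception that must keep resolving
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_domain(name: str) -> bool:
    """Syntactic check so junk feed lines never reach the resolver config."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)

def parse_blocklist(text: str) -> list:
    """Return unique, lowercased domains; accepts '<ip> <domain>' or bare names."""
    seen, out = set(), []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if parts:
            try:                                   # hosts-file style: drop the address
                ipaddress.ip_address(parts[0])
                parts = parts[1:]
            except ValueError:
                pass
        for tok in parts:
            dom = tok.lower().rstrip(".")
            if valid_domain(dom) and dom not in seen:
                seen.add(dom); out.append(dom)
    return out

def unbound_sinkhole_conf(domains, sinkhole_ip=SINKHOLE_IP, whitelist=WHITELIST) -> str:
    """Answer every blocked name (and its subdomains, via 'redirect') with the sinkhole."""
    lines = []
    for dom in domains:
        if dom in whitelist or any(dom.endswith("." + w) for w in whitelist):
            continue                               # whitelisted names resolve normally
        lines.append(f'local-zone: "{dom}" redirect')
        lines.append(f'local-data: "{dom} A {sinkhole_ip}"')
    return "\n".join(lines) + "\n"
```

The text returned by `unbound_sinkhole_conf(parse_blocklist(SAMPLE_LIST))` is what would go into an Unbound include file; the whitelist check is deliberately applied before emitting, since a `redirect` zone swallows every name beneath it.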
 
Yep, same here - you have to whitelist that IP/range of IPs...
OK, so would I do that in the Services/Snort/Pass Lists? Looks like I'd need to create an Alias list first under Firewall/Aliases, correct?
 
I believe so - you'd have to check to be certain - I'm not running Snort on my pfSense box...
 