What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pfSense users, what exactly do you log?

Wolf_666 said:
I would suggest to use also pfBlockerNG which now supports DNS blocks.


Sent from my iPad using Tapatalk
Click to expand...

Wolf, what exactly would you use pfBlockerNG for in this situation?
 
BeachBum said:
I also want to setup log analysis like ELK or Splunk, but haven't got into that yet.
Click to expand...

I've been tinkering about with ElasticSearch stuff...

Splunk is pretty awesome, I used to use it quite a bit back in the day - it's tough to get optimized a bit (index's are aweosme!!!), but once sorted - kind of overkill for a home network, but nice for a lab instance to learn Splunk.
 
BeachBum said:
One hiccup I'm having is that when my wife connects her VPN to her work. A computer on her companies network tries to port scan my network and Snort blocks it which results in her not being able to use her VPN. I'm debating wether to suppress that or not as I don't feel they should be port scanning my network.
Click to expand...

should be able to put snort into a warn state vs. block, and then just block that machine at the FW...

it's probably the VPN server port knocking the client to check that it is who is says it is - any mention of what the VPN client software is?
 
BeachBum said:
Wolf, what exactly would you use pfBlockerNG for in this situation?
Click to expand...
My pfSense is set to block everything except what I decided to allow. I am not scared of external threats since unsolicited WAN traffic is blocked by default. My focus is on internal clients and the possibility to get into malicious sites and content. pfBlockerNG blocks clients to start connections with ip ranges and DNS that I blacklisted. Snort is in warning/watching state, I check snort logs for suspicious behavior. Each client (PC) uses itsown antivirus, I don't run any on pfSense.
Any external connection to my LAN is via VPN.
Basically I use pfSense firewall capabilities plus pfBlockerNG as the sole defense wall.




Sent from my iPad using Tapatalk
 
sfx2000 said:
should be able to put snort into a warn state vs. block, and then just block that machine at the FW...

it's probably the VPN server port knocking the client to check that it is who is says it is - any mention of what the VPN client software is?
Click to expand...
Her VPN will not connect with the port knocking machine blocked. I allow Snort to block it, but I imagine letting the FW block it would cause the same problem,no? If I remember correctly her VPN Client app is Cisco.
 
Wolf_666 said:
My pfSense is set to block everything except what I decided to allow. I am not scared of external threats since unsolicited WAN traffic is blocked by default. My focus is on internal clients and the possibility to get into malicious sites and content. pfBlockerNG blocks clients to start connections with ip ranges and DNS that I blacklisted. Snort is in warning/watching state, I check snort logs for suspicious behavior. Each client (PC) uses itsown antivirus, I don't run any on pfSense.
Any external connection to my LAN is via VPN.
Basically I use pfSense firewall capabilities plus pfBlockerNG as the sole defense wall.

Sent from my iPad using Tapatalk
Click to expand...

I guess I kind of do that same thing with Squid/SquidGuard...
 
BeachBum said:
I guess I kind of do that same thing with Squid/SquidGuard...
Click to expand...

Yes Squid can do, I prefer pfBlockerNG because uses natively pfSense firewall and unbound, few resources and great effectiveness.


Sent from my iPad using Tapatalk
 
BeachBum said:
Her VPN will not connect with the port knocking machine blocked. I allow Snort to block it, but I imagine letting the FW block it would cause the same problem,no? If I remember correctly her VPN Client app is Cisco.
Click to expand...

Yep, same here - you have to whitelist that IP/Range of IP's...
 
Wolf_666 said:
Yes Squid can do, I prefer pfBlockerNG because uses natively pfSense firewall and unbound, few resources and great effectiveness.
Click to expand...

Does PFBNG do AV scanning of traffic?
 
BeachBum said:
Does PFBNG do AV scanning of traffic?
Click to expand...
Nope. It uses IP and DNS lists to block, passing IP to firewall (Floating Rules) and DNS to Unbound (towards a thrash/fake DNS Server). It simply block, no scan of traffic content like Snort.


Sent from my iPad using Tapatalk
 
sfx2000 said:
Yep, same here - you have to whitelist that IP/Range of IP's...
Click to expand...
OK, so would I do that in the Services/Snort/Pass Lists? Looks like I'd need to create an Alias list first under Firewall/Aliases, correct?
 
I believe so - you'd have to check to be certain - I'm not running Snort on my pfsense box..
 
You must log in or register to reply here.

Similar threads

JGrana
New Addon - ChatAI - have a chat session with Googles Gemini AI Bot
Replies
2
Views
744
Viktor Jaep
Viktor Jaep
B
Wi-Fi devices randomly disconnect every few months
Replies
0
Views
330
BNolet
B
M
Diversion Diversion failed to update. Check the Diversion-web-update.log with sf in the SSH UI.
Replies
4
Views
381
mikefrommanchester
M
Tyrfing
Asus RT-AX88U Stuck on Merlin Firmware 388.1
Replies
9
Views
1K
Tyrfing
Tyrfing
iJorgen
Optimize blocked events from firewall in the system-log
Replies
5
Views
1K
iJorgen
iJorgen

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 540 (members: 29, guests: 511)
Back
Top