How is it possible

[akshin]

Hi!

tail -f /var/log/security

em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether xx:xx:xx:xx:xx:xx
        inet xxx.xxx.xxx.xxx netmask 0xxxxxxxxx broadcast xxx.xxx.xxx.xxx
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=60039b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
        ether xx:xx:xx:xx:xx:xx
        inet 10.0.0.70 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Someone is scanning port 123 through the UDP. But he does this through the global network directly to my local network. How is this possible? How to stop him?

em0 is down
defaultrouter = "10.0.0.1"
This is pfsense local ip.

He is going from another country:
80.241.0.72:123(Kazakhstan) -> pfsense(10.0.0.1) -> 10.0.0.70

 

[gpw928]

I'm not particularly familiar with pfSense, but UDP port 123 is for the NTP protocol as used by the NTP daemon.

I'm guessing that pfSense is blocking the establishment of connections to public NTP servers on the Internet like ntp.nic.kz.

ntpq -pn on host 10.0.0.70 will probably identify 80.241.0.72 as a remote NTP server.

The resolution would generally be either to configure host 10.0.0.70 to use the pfSense firewall itself as the (only) NTP server (and allow it access to the Internet time servers); or to configure the pfSense firewall to allow NTP "connections" intiated from inside your network.

 

[LVLouisCyphre]

gpw928 addressed it, I'm going to elaborate further.

This is not scanning but routine NTP traffic. 80.241.0.72 is ntp.nic.kz; a public NTP server, probably in your region.

You can't effectively construct a firewall unless you know what you're blocking and why.
Know your commonly used TCP/UDP ports or services.

I'm from an much older school generation of *nix admins and users were you could finger user@somedomain someone across the world, now that's rarely happening. We're talking about the SLIP and 10BASE5 days. I have finger enabled on my systems for my clients that can access it through SSH or VPN to my internal network for support contact purposes.

I've built firewalls for decades, I have my pretty much canned policies, rules and traffic shaping from my tenure in the business to protect both *nix and Windows machines and adapt them accordingly when new threats occur.

If your log is being filled with traffic then you may be having an issue with routine traffic such as NTP.

NTP is a common protocol that's typically allowed through firewalls. Internal machines regardless of OS if they use NTP will attempt to poll a regional NTP server if you have NTP enabled unless you configure it otherwise.

Either allow NTP only to your FreeBSD (based) box or cluster that's your firewall or allow it through to all hosts on your internal network. If you block it to your intranet, configure your firewall to be your intranet NTP server. There are NTP DDoS attacks.

What you do is pick an NTP server or a pool and use it and construct an ACL for your specific NTP servers for your network; see ntp.org for more information.

 

[akshin]

Thank you all.