Name: 38.Red-80-58-205.staticIP.rima-tde.net Address: 80.58.205.38 Name: host-22-xx.hcm.fpt.vn Address: 210.245.22.41
Name: 130.Red-217-125-207.dynamicIP.rima-tde.net Address: 217.125.207.130 pfSense is aware of the bogon list, which is a published list of IP ranges that have not been issued and therefore shouldn't be used. However these three IPs are not in the bogon ranges and they also resolve to FQDNs. Is it possible that these are legitimate requests to your web server, but the client has closed the connection? Anyone else please jump in and help answer - I've run out of ideas. Josep I can see your web page fine from 203.97.126.87 -----Original Message----- From: Josep Pujadas i Jubany [mailto:[EMAIL PROTECTED] Sent: Monday, 27 November 2006 7:03 a.m. To: support@pfsense.com Subject: RE: [pfSense Support] Is it an attack? Craig, My clients are seeing the web server with no problems. Port 80 is natted at [Firewall: NAT: Port Forward]: If Proto Ext. port range NAT IP Int. port range WAN TCP 80 192.168.101.2 80 (ext.: 192.168.51.2) First rule at [Firewall: Rules WAN] is: Proto Source Port Destination Port Gateway TCP * * 192.168.101.2 80 * Finally, port 80 is also natted at the ADSL Router. The schema is: Web Server --------------PfSense --------------------- ADSL Router 192.168.101.2/24 LAN 192.168.101.1/24 WAN 192.168.51.2/29 192.168.51.1/29 In fact, I have running on this server other services available from the Internet: 443 (HTTPS) and 2022 (SSH). They are ok for internal & external users. Blocking report is from [Diagnostics: System logs: Firewall]: Nov 26 16:53:59 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:53:59 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:54:01 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:54:02 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:54:05 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:54:07 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:54:13 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:54:18 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:54:30 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:54:41 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:55:04 WAN 217.125.207.130:2877 192.168.101.2:80 TCP Nov 26 16:55:25 WAN 217.125.207.130:2883 192.168.101.2:80 TCP Nov 26 16:55:52 WAN 210.245.22.41:37102 192.168.101.2:80 TCP Nov 26 16:55:55 WAN 210.245.22.41:37102 192.168.101.2:80 TCP Nov 26 16:56:01 WAN 210.245.22.41:37102 192.168.101.2:80 TCP Nov 26 16:56:12 WAN 210.245.22.41:37102 192.168.101.2:80 TCP Nov 26 16:56:35 WAN 210.245.22.41:37102 192.168.101.2:80 TCP Nov 26 16:58:32 WAN 80.58.205.38:1595 192.168.101.2:80 TCP Only some Internet addresses are blocked at port 80. I think pfSense makes some kind of protection against a big number of connections from certains IPs. However I did'nt find documentation about this. Web server seems to be faster than before ... You can look our web server at www.bellera.cat, if you want. Best regards, Josep Pujadas ---------- Original Message ----------- From: Craig FALCONER <[EMAIL PROTECTED]> To: support@pfsense.com Sent: Sun, 26 Nov 2006 12:06:15 +1300 Subject: RE: [pfSense Support] Is it an attack? > I'll have a stab - please correct me if I'm wrong... > > Josep - I assume this is a snippet from the firewall logs page > showing traffic that has been blocked? > > And that you have a webserver running on 192.168.101.2 with a valid > NAT and a firewall rule to allow traffic from * on WAN to port > 80/tcp on your web server? > > Well - one of those assumptions is wrong. What is your WAN address? > Can users see your web server correctly? > > -----Original Message----- > From: Josep Pujadas i Jubany [mailto:[EMAIL PROTECTED] > Sent: Sunday, 26 November 2006 9:07 a.m. > To: pfSense > Subject: [pfSense Support] Is it an attack? > > Hi! > > pfSense is blocking access to my web server from a determinate IP. > Any rule is configured about this IP. > > Is pfSense considering this an attack. If yes, why? > > Nov 25 18:31:56 WAN 88.19.121.209:14726 192.168.101.2:80 TCP > Nov 25 18:31:59 WAN 88.19.121.209:14726 192.168.101.2:80 TCP > Nov 25 18:32:04 WAN 88.19.121.209:14726 192.168.101.2:80 TCP > .... > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] ------- End of Original Message ------- --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]