Why are scanners allowed to bypass blocklists?

Started by HankM, December 11, 2024, 05:33:32 PM

Three weeks ago, I blocked the entire subnets for the Censys menace
167.94.146.0/24, 167.94.145.0/24, and 167.94.138.0/24

I've also blocked IN ADDITION, the individual IP addresses that still get through the firewall and suck up my bandwidth. What's the point of a firewall if it still has holes in it for the scanner menaces? I sometimes think there are more scanners than people on the internet.

Is this deliberate? Is OPNSense set up to allow certain addresses through it or have they devised a strategy that gives them access no matter what? In which case, it's time you did something about it.

I find this VERY disturbing. NO ONE has the right to probe my servers and try to access my mail server without my permission.

Don't tell me it's MY mistake. the firewall blocks everyone else in the blocklist including subnets, but Censys, Shodan and some others that are blocked by individual IP addresses keep coming back.

And PLEASE don't tell me that these are all 'benign' and for my own good. How would you like it if I came around to your home every day and checked all the doors and windows, hoping to find one open?

What do you mean by "get through the firewall"? Do you have publicly reachable address space on your "inside" like in a data centre setup? Or do you have inbound port forward rules for public services you host at home?

If the scans just show up as blocked on your WAN, that's all you can do. Your ISP will route these packets down your subscriber line where they will hit your OPNsense and that is that. What do you expect to achieve by explicit block rules? OPNsense by default blocks everything coming in on WAN, anyway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 11, 2024, 06:15:19 PM #2 Last Edit: December 11, 2024, 06:17:47 PM by HankM
I have 5 dedicated IP addresses that host webservers and a Postfix/Dovecot mail server in my office. We use port forwarding to split the IP addresses; they all feed into the OPNSense firewall(?). As attempted hackers and scanners are caught by Fail2ban, we put them into blocklists on the firewall so we can delete the thousands of intruders and block them not just for the one server but for ALL of them.

We use Let's Encrypt and thus we are forced to have Port 80 open for renewals, but Port 80 is the only one open and only for the two servers that host the mail server and websites.

Your comment:
OPNsense by default blocks everything coming in on WAN, anyway.

Is obviously not true, because ONLY Censys and a couple of other scanners have an open door to ALL my servers. Now if you have 10,000 IP addresses that are blocked and NONE ever allow the same IP address back again then there are a bunch of scanners that ARE allowed free access. Are you saying it's a coincidence, it's MY fault because I'm an idiot who doesn't know what he's doing or are you one of them in your byline at the bottom?

When people instantly and rudely go on the defensive, I guess I'm onto something.

You seem to misunderstand something here: Most of the users here try to help one another and are not Deciso employees - that includes Patrick, so he has nothing to be defensive about.

I see this is at least the second time you are defensive and seem to know everything. You have made a posting about the same thing about a year ago, remember?

If there really is a bug, we need to be able to recreate that in order to verify, yet you gave no hints on what you did exactly, including exact order of rules and such. Guessing from what I know and what can be publicly seen (you know, OpnSense is open source?), there is no backdoor in OpnSense.

Thus, the assumption that you did something wrong is a possible alternative, but up front, you say "Don't tell me it's MY mistake"? Alrighty then. So, wiseguy, go ahead and find someone else to solve your problem - I am outta here and I bet Patrick is, too.

P.S.: You can buy the business edition of OpnSense or pay Deciso for support. I doubt that they will accept your attitude, though.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

This is a community-driven support forum, and no one gets paid for the help provided here.

If you need immediate assistance, consider contacting the Deciso team and purchasing their support services—they'll be able to help you promptly.

Also, remember that politeness goes a long way in getting the help you need. After all, you catch more bees with honey than with vinegar!
DEC4240 – OPNsense Owner

NAT port forward rules are processed before filter rules so if you have inbound port forward to your servers and "Filter rule association" set to "pass" that takes precedence over any block rules you might add.

I refer you to the documentation for details:

https://docs.opnsense.org/manual/firewall.html#processing-order
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
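The processing order the last reply points to, as an added illustration that is not part of the thread and not OPNsense code: a simplified model in which NAT port forwards are evaluated before filter rules and a "pass" filter rule association skips the filter stage entirely, while an "associated" forward still runs through the ordered, first-match-wins filter rules. The blocklist alias reuses the subnets quoted in the thread; the forward target, rule names and the rule order are constructed assumptions.

```python
import ipaddress

# Constructed blocklist alias from the subnets quoted in the thread.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "167.94.146.0/24", "167.94.145.0/24", "167.94.138.0/24")]


def in_alias(src, alias):
    """True if source address src falls inside any network of the alias."""
    return any(ipaddress.ip_address(src) in net for net in alias)


def decide(src, dport, forwards, filter_rules):
    """Return (action, reason) for an inbound WAN packet.

    forwards:     list of {dport, target, association}; association is
                  "pass" (emits 'rdr pass') or "associated" (a linked
                  filter rule that is still subject to rule ordering).
    filter_rules: ordered list of {name, action, src_alias, dport};
                  None in src_alias/dport matches anything.
    Model assumption: NAT is evaluated first, filter rules are 'quick'
    (first match wins), and unmatched WAN traffic is denied by default.
    """
    fwd = next((f for f in forwards if f["dport"] == dport), None)
    if fwd and fwd["association"] == "pass":
        # 'rdr pass': the translated packet never reaches the filter rules,
        # so a block rule for the source can never match it.
        return "pass", f"rdr pass to {fwd['target']} (filter skipped)"
    for rule in filter_rules:
        if rule["dport"] not in (None, dport):
            continue
        if rule["src_alias"] is not None and not in_alias(src, rule["src_alias"]):
            continue
        return rule["action"], f"filter rule '{rule['name']}'"
    return "block", "default deny on WAN"


def scanner_vs_webserver(src, dport, association):
    """Port 80 forwarded to a (constructed) web server, with a blocklist
    rule placed above the forward's associated pass rule."""
    forwards = [{"dport": 80, "target": "10.0.0.10", "association": association}]
    filter_rules = [
        {"name": "block scanners", "action": "block", "src_alias": BLOCKLIST, "dport": None},
        {"name": "allow http to web", "action": "pass", "src_alias": None, "dport": 80},
    ]
    return decide(src, dport, forwards, filter_rules)


if __name__ == "__main__":
    for assoc in ("pass", "associated"):
        print(assoc, "->", scanner_vs_webserver("167.94.146.50", 80, assoc))
```

Switching the same forward from "pass" to an associated filter rule is what lets the blocklist rule take effect, provided that rule is ordered above the associated pass rule.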