The firewall will not block a connected IP, suricata can

Started by someone, October 15, 2025, 06:04:16 AM

Testing, I found: say you have someone with a 10000 year connection.
You want to block and stop them.
A rule in the firewall will not work because they already have a connection.
And I have found that some, even after they have disconnected, can reconnect
because they planted a door in your computer; this is a corporation in this instance.
I found they put the door in browser history, so they can connect anytime.
But when browser history was deleted, they had
to make a new connection subject to firewall rules.
But suricata can and will block them immediately if you make a rule with that IP.

Crikey, it is so hard to read your posts, in this pseudo-verse and no punctuation. Are you able to change that going forward? No criticism intended, just making it easier.
Anyhow, I think you say you have a (corporate) device which makes connections out and you say you can block it with a firewall rule. Is there a question?

I was talking about a security problem that came up and how to fix it.
The problem was an IP that showed up in the connections (command `ss -tu`)
which was unknown and unwanted.
A corporation planted malware into my computer via the browser.
I could see their IP in the connections.
Point one was: once a connection is made to your computer, the firewall cannot block it.
Point two was that suricata can block unwanted IPs even if they have a connection, by making a rule.
Just make a rule in user defined rules.

Then some notes:
This IP had a very long connect timeout; now that can be changed with restrictions in the firewall, or suricata, maybe even in the opnsense gui.
I blocked the IP with suricata.
Thanks
With the computer at idle, no browser open, this IP tried to connect outgoing in the middle of the night.
I found that this IP doorway was planted in browser history.
I deleted the history, and the IP went away.
What damage was done or intended, I don't know; I am working on endpoint monitoring and protection.
Just a reminder to watch your connections, and how to block them quickly.
Thanks
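The thread's two practical points are "watch your connections" (`ss -tu`) and "block the IP with a Suricata user-defined rule". The script below is an added example, not code from the thread or from OPNsense/Suricata: it parses a constructed sample of `ss -tu` output, flags any peer address that is outside an allowlist of expected networks, and emits a Suricata `drop` rule for each flagged peer. The sample output, the allowlist, the peer `203.0.113.10` (a documentation address standing in for the poster's unknown IP) and the SID `9000001` are all assumptions made for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of `ss -tu` output (not from the thread). The peer
# 203.0.113.10 stands in for the unknown IP the poster saw.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q   Local Address:Port     Peer Address:Port Process
tcp   ESTAB  0      0        192.168.1.20:44512     203.0.113.10:443
udp   ESTAB  0      0        192.168.1.20:53211     192.168.1.1:53
tcp   ESTAB  0      0        192.168.1.20:22        192.168.1.50:51234
tcp   ESTAB  0      0        [2001:db8::20]:39812   [2001:db8:ffff::1]:443
"""

# Constructed allowlist: the LAN plus an example IPv6 prefix. Any peer that
# is not inside one of these networks is treated as "unknown".
DEFAULT_ALLOWLIST = ["192.168.1.0/24", "2001:db8:ffff::/48"]

Connection = Tuple[str, str, str, str]  # (netid, state, local_host, peer_host)


def split_host_port(addr: str) -> Tuple[str, str]:
    """Split 'host:port' as printed by ss; handles bracketed IPv6 like '[::1]:443'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_ss_tu(text: str) -> List[Connection]:
    """Parse `ss -tu` text into (netid, state, local_host, peer_host) tuples.

    The header line splits into more than six fields ("Local Address:Port"
    is two words), so it is skipped by its first token rather than by length.
    """
    conns: List[Connection] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue  # header, blank, or truncated line
        netid, state, local, peer = fields[0], fields[1], fields[4], fields[5]
        conns.append((netid, state, split_host_port(local)[0], split_host_port(peer)[0]))
    return conns


def unexpected_peers(conns: List[Connection], allowlist=DEFAULT_ALLOWLIST) -> List[str]:
    """Return the sorted peer addresses that fall outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    flagged = set()
    for _, _, _, peer in conns:
        ip = ipaddress.ip_address(peer)
        if not any(ip in net for net in nets):
            flagged.add(peer)
    return sorted(flagged)


def suricata_drop_rule(ip: str, sid: int) -> str:
    """Build one Suricata 'drop' rule matching the IP in both directions on any port.

    sid must be unique across the ruleset; 9000001 is a placeholder chosen
    for this example, not a value from the thread.
    """
    return (f"drop ip any any <> {ip} any "
            f'(msg:"Block unwanted peer {ip}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    conns = parse_ss_tu(SAMPLE_SS_OUTPUT)
    for n, peer in enumerate(unexpected_peers(conns), start=9000001):
        print(suricata_drop_rule(peer, n))
```

On a live host you would feed the real `ss -tu` output in place of the constructed sample. A `drop` action only takes effect when Suricata runs in IPS (inline) mode; in alert-only mode the same rule logs the traffic but lets it pass, which is worth checking before relying on it to cut an existing connection.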