Topic: Maximum connections per host - empty virusprot table

roymayr
Maximum connections per host - empty virusprot table
« on: May 07, 2012, 10:29:11 am »
Hi,
When trying to use the advanced option 'Maximum number of established connections per host', users get blocked, but I see nothing on the 'virusprot' table or any other table.
For testing, I set a ridiculously small number (5) and of course, I cannot get a single webpage... so it is working, but I want/need to see the list of trapped people.

Even with the default hour of the cron to remove blocked users, I haven't found a way of 'monitoring' this function.
Am I missing something? Is Snort a requirement to see users in the 'virusprot' table?

I'm using the last stable pfSense (2.0.1) in a box with several VLANs.  I set the rule in just one VLAN for testing.
Thanks in advance!

marcelloc
Re: Maximum connections per host - empty virusprot table
« Reply #1 on: May 07, 2012, 11:19:38 am »
> Even with the default hour of the cron to remove blocked users, I haven't found a way of 'monitoring' this function.

I use this function with cron running every two minutes to avoid external users being blocked for up to two hours.
*/2     *     *     *     *     root     /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 60 virusprot

> Am I missing something? Is Snort a requirement to see users in the 'virusprot' table?

No, it's a built-in pfSense function.

roymayr
Re: Maximum connections per host - empty virusprot table
« Reply #2 on: May 07, 2012, 11:43:05 am »
Thanks for the quick answer...

I understand the use of the cron and I think your timing is fine.  I'll get there after my testing and tuning.
At this point, I just want to see the list of blocked users... That would be a great help to play with the "Maximum connections per host" setting and find the right numbers for my net.

So contrary to other posts, I want to see people listed in the virusprot table... but even blocking people after 5 connections (which is happening), I don't see them in any table... so I cannot manage this.
I blindly trust the cron that will "clean" whatever is there...  but I want to see that list.

Thanks for the ideas.

roymayr
Re: Maximum connections per host - empty virusprot table
« Reply #3 on: May 08, 2012, 09:36:30 am »
Ok... let me try this way.

For those who are using the "Maximum connections per host" option in your rules: have you ever seen a user in the virusprot table or any other table?
If so, which PF version are you running? Did you do anything "special" to make it work, or just as it is?

thanks!

marcelloc
Re: Maximum connections per host - empty virusprot table
« Reply #4 on: May 08, 2012, 10:08:05 am »
> Ok... let me try this way.
>
> For those who are using the "Maximum connections per host" option in your rules: have you ever seen a user in the virusprot table or any other table?
> If so, which PF version are you running? Did you do anything "special" to make it work, or just as it is?
>
> thanks!

I do. I'm using version 2.0.1 amd64

roymayr
Re: Maximum connections per host - empty virusprot table
« Reply #5 on: May 09, 2012, 04:06:22 pm »
> > Ok... let me try this way.
> >
> > For those who are using the "Maximum connections per host" option in your rules: have you ever seen a user in the virusprot table or any other table?
> > If so, which PF version are you running? Did you do anything "special" to make it work, or just as it is?
> >
> > thanks!
>
> I do. I'm using version 2.0.1 amd64

Thanks marcelloc... it seems you are very lucky! So far, the only one getting something in the virusprot table.  ;)
I'm using the same version, but i386 in a VM - ESXi.  I'm not sure whether that could make any difference.  I've tried everything, but I have never seen a user listed in the virusprot table, even knowing there are blocked users.  Any further advice?  It is hard to know what is going on with your rules if you cannot see this.
Thanks again.