[pfSense] PF sense box generating a ton of traffic to somebody's port 80.
mrcpu at mathisen.org
Fri Mar 23 21:37:56 EDT 2012
2 parts, the important part is question 2.
I have pfsense 2.0.1 running in a VM, works fine. Installed the unbound
Kind of just forgot about it, because it's running great, logged in, and
found in pftop that unbound is doing the following:
18:25:05.185579 IP 184.108.40.206.53 > 220.127.116.11.80: 53936 27/0/12
18:25:05.185586 IP 18.104.22.168 > 22.214.171.124: udp
18:25:05.185743 IP 126.96.36.199 > 188.8.131.52: udp
18:25:05.508231 IP 184.108.40.206.80 > 220.127.116.11.53: 53940+ [1au] ANY?
Over and over and over, 11GB worth of data so far...
So Question 1 is why.
But the more specific pfsense part is:
I have a floating rule that says block quick on the WAN interface, all
traffic both directions, any protocol, with 18.104.22.168/24, and log it.
It's the first rule in the floating rule section.
From pfctl -sr:
block drop log quick on em0 inet from 22.214.171.124/24 to any label "USER_RULE: FLT -- block excessive traffic from .98"
However, nothing is logged, and the traffic is still going up. I have
reloaded the filter ruleset. What am I missing?