Firewall rules blocking Google servers

Hi everyone, I am trying to figure out the best approach. I begged, borrowed and stole from different sources, and a big shout out to Rick Frey. However, when I implement port scanning detection in raw, using the standard parameters, it inadvertently captures a Google IP and then they cannot search or use some other Google service. Google has published their IPs, but obviously the list is incomplete. I have determined that the majority of issues come from this rule in raw. The rule is:

;;; Detect WAN UDP Port Scans
chain="RFC Port Scans" action=add-src-to-address-list in-interface-list="WAN Interfaces" log=yes log-prefix="" protocol=udp psd=21,3s,3,1
address-list="temporary wan port scanners" address-list-timeout=none-static

I have looked at the logs and it is mostly going to port 443 on UDP, which seems harmless as I do not have an SSTP service running.

I have changed it, as it used to put it in the blacklist and then periodically there would be issues with Google.

I am not sure how to best handle this so customers will not complain, as this has become an issue and they don't care; they just do not want it to happen again.

  1. Leave it. Not sure what I will do with all these addresses, even after one day.
  2. Change it so it simply drops the connection and we live to fight another day.
  3. Change it so the blacklist for this particular harm doesn't affect the forward chain, so they can still utilize wonderful Google.

If anyone has experience or suggestions, I would appreciate it.

Thanks
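Option 3 from the list above, written out as an added example (not part of the original post and not one of Rick Frey's rules): the psd detector stays in raw, but the resulting list is only consulted by a drop rule in the input chain and entries expire, so forwarded customer traffic to a listed address is never touched. The interface list and address list names are taken from the post; the timeout value, log prefix and comments are assumptions.

```routeros
# Added example (not from the original post): scope the scanner list to router-bound traffic only.
# "WAN Interfaces" and "temporary wan port scanners" come from the post above;
# the 1d timeout, the log prefix and the comments are assumptions.

/ip firewall raw
# Detection stays in raw, as in the original rule, but entries now expire instead of being static.
# Caveat: raw runs before connection tracking, so it cannot tell replies to outbound sessions
# from unsolicited packets; anything a psd rule adds here is a hint, not proof of a scan.
add chain=prerouting in-interface-list="WAN Interfaces" protocol=udp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list="temporary wan port scanners" \
    address-list-timeout=1d log=yes log-prefix="udp-psd" \
    comment="Detect WAN UDP port scans (log and list only, no drop here)"

/ip firewall filter
# The list is consulted only in the input chain (traffic addressed to the router itself).
# There is deliberately no matching rule in the forward chain, so LAN clients keep reaching
# a listed address such as a Google server.
# Position this rule after the default "accept established,related" rule and before the
# final "drop all not coming from LAN" rule (for example with place-before=<number of that
# drop rule>); appended after the final drop it is unreachable, and placed first it would
# also drop replies to the router's own sessions if their peer ends up on the list.
add chain=input in-interface-list="WAN Interfaces" \
    src-address-list="temporary wan port scanners" action=drop \
    comment="Drop router-bound traffic from listed scanners; forward chain untouched"
```

Because the default input chain already drops unsolicited WAN traffic, the second rule changes little in practice; what this layout buys is that a spoofed or misattributed source address can no longer cut customers off from a legitimate service.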

From the way you write, you don't appear to be an ISP.
What do you care about port scans?
You're just wasting your time.
The DEFAULT firewall rules block everything;
only you can create problems by haphazardly opening up services that shouldn't be facing the internet.

Why??

@erlinden excuse me, but who is this addressed to? And to what?

Forgive me if I didn't understand.

NP, the question was addressed to the TS. Why would one save all scanning IP addresses?

There is no point in gathering addresses and putting them in a blacklist because the traffic will still arrive over your limited-bandwidth subscriber line, and dropping it will not help with anything. When your firewall is properly configured (= you did not change the default firewall) the traffic will not come in anyway.

What you are observing is that some people send traffic with a spoofed address. Sometimes that is done so the reply you send goes to the real owner of the address and causes problems for them. That can e.g. be part of a DDoS attack on them (not on you). When you put these addresses on a blocklist, you can block traffic for the owner, which indeed could be Google.

In the past I experimented with such things and I quickly found out that e.g. 8.8.8.8 would end up on the blacklist. Some tracing revealed that people were sending all kinds of port scans, both TCP and UDP, with source address 8.8.8.8.

So don’t do that.

I am not familiar with the “limited-bandwidth subscriber line”. If port scans are dropped, how is that doing anything? I really do not understand what you mean by this comment. In terms of spoofing an IP, again, I don't see how this is possible for two-way traffic, so I guess that is one way of creating a DDoS attack, although not particularly practical. Regarding sending port scans from a fake address, there would be little use for the sender as he will not receive a reply back.

I understand that using the standard firewall and not collecting anything has merit, but this client wanted otherwise, so I am stuck with these false negatives that are somehow Google IPs. And maybe that is the purpose of the hacker using a fake IP; it makes no sense for this, but who knows.

This is not the place to give you a lesson in networking and internet. Do with the post what you want.

I recommend removing the rule, but if you don't want that, fine with me!

Jeez man, I was asking a question as I have no idea what you meant. But if you do not want to reply, so be it, as “lessons” are probably best taught to yourself.

The (my) question remains, why does the customer want to do this? What problem will be solved? What is the list used for?

In regards to your question:

  • “limited-bandwidth subscriber line” might be an assumption about what the list is used for... it won't make a difference to the ISP connection or bandwidth.
  • IP spoofing is something you have to take into account.

The false negatives are no false negatives, they are just unwanted consequences of this approach.

Those shi~~y people are counting on people that act like you to block an IP address for a VALID service just because the spoofed packet looks like a port scan.
You're helping them block legit services for you and your client(s).

Don't you get it?