tcp: when are state table entries created for a stateful firewall?

We know the TCP 3-way handshake:

C->SYN->S
C<-SYN-ACK<-S
C->ACK->S


We also know about stateful firewalls.
When is a stateful filter entry (source IP, source port, dest IP, dest port) created? At the end of the 3-way handshake, or after just the first step or two?
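A toy model added here to illustrate the question (it is not part of the post and assumes Linux nf_conntrack semantics, as labelled in the code): the 4-tuple entry is created at step 1 on the first SYN with ctstate NEW, the SYN-ACK reply promotes it to ctstate ESTABLISHED, the final ACK completes the TCP state, and a non-SYN packet with no entry is INVALID.

```python
from enum import Enum

class TcpState(Enum):
    SYN_SENT = 1      # step 1 seen: SYN from the original direction
    SYN_RECV = 2      # step 2 seen: SYN-ACK from the reply direction
    ESTABLISHED = 3   # step 3 seen: final ACK

class StatefulFilter:
    """Toy model of a conntrack-style stateful filter (assumption: it mirrors
    Linux nf_conntrack semantics). The 4-tuple entry is created on the first SYN;
    the rest of the handshake only advances that entry's state."""
    def __init__(self):
        self.table = {}   # (src_ip, src_port, dst_ip, dst_port) -> TcpState

    def packet(self, src, sport, dst, dport, flags):
        """Return (verdict, ctstate) for one packet; flags is 'S', 'SA' or 'A'."""
        orig = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        if orig in self.table:
            key, direction = orig, "ORIGINAL"
        elif reply in self.table:
            key, direction = reply, "REPLY"
        elif flags == "S":
            self.table[orig] = TcpState.SYN_SENT      # entry created at step 1
            return ("ACCEPT", "NEW")
        else:
            return ("INVALID", None)                  # no entry and not a SYN
        state = self.table[key]
        if direction == "ORIGINAL" and state is TcpState.SYN_SENT and flags == "S":
            return ("ACCEPT", "NEW")                  # retransmitted SYN, same entry
        if direction == "REPLY" and state is TcpState.SYN_SENT and flags == "SA":
            self.table[key] = TcpState.SYN_RECV
            return ("ACCEPT", "ESTABLISHED")          # reply seen: ctstate ESTABLISHED
        if direction == "ORIGINAL" and state is TcpState.SYN_RECV and flags == "A":
            self.table[key] = TcpState.ESTABLISHED
            return ("ACCEPT", "ESTABLISHED")
        if state is TcpState.ESTABLISHED:
            return ("ACCEPT", "ESTABLISHED")          # data in either direction
        return ("INVALID", None)                      # wrong flags for this state
```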

Selecting a firewall device to colo

Hi everyone,

We have several colo (8) servers on the same DC and we are very happy with the service provided, all are in 1 Gbps ports, … | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1802995&goto=newpost

pfsense – Why does the "DROP" firewall cause more attack traffic than "REJECT" during this DDoS?

I have successfully blocked a DDoS attack on a website on my hosting network. The attack comes from a list of approximately 3,000 IP addresses that are now held in a single firewall rule.

This is not my only blocking list in use, I use multiple FireHOL lists and I have a DROP rule with no problems.

With this new attack, I originally set up a DROP rule but noticed that approximately 10 times more packets were dropped than expected. Logs show bots trying to connect multiple times in quick succession when packets are dropped. In 12 hours I drop about 2.5 million packets.

When I change the rule to REJECT, the number of blocked packets is reduced to what I expected, that is, a similar number of blocked requests to what was logged on the web server before I had my rule. Over 12 hours I REJECT about 250K packets.

The complete HTTP request is super simple, just one line, not even a fake user agent etc.

GET / HTTP/1.1|Host:www.example.com

Apparently, these bots are programmed to behave differently when they can successfully send an HTTP request or are actively rejected, but if the packet just drops silently, they go into overdrive. Is that normal? Is there anything else I should be aware of? The firewall can easily handle either scenario, so which one is better?

How to disable / block Microsoft Store in Windows 10 Pro by firewall?

I want to lock Microsoft Store on Windows 10 Pro in a corporate environment. After reading relevant articles on this matter and testing them on my machine, I see that Windows 10 Pro does not support this feature (either through Group Policy, which is not recommended by my administrator, or the Registry).

Now I have chosen another solution, that is, to block it with a firewall. If feasible, can anyone show me the rules for blocking Microsoft Store by firewall? I am using a tool to configure this rule.

firewall: access a node port service in a private GKE cluster from another private GKE cluster

I am using Google Cloud and I have two private GKE clusters.

One of them has some services installed and exposed as NodePort. The other cluster needs to connect to it and access the exposed services.

The cluster with the exposed services has only one node, with a private IP. I can successfully ping this node from the other cluster using this private IP.

But how can I access the services?

I also tried to configure some firewall rules without success.

UDP / firewall forwarding

So I have a Raspberry Pi that shares internet via Ethernet with an older computer without Wi-Fi. I want to be able to access the computer from anywhere through VPN, and the computer to access anything connected to that VPN.

To do this I connected the Pi to the VPN and ran this script to forward the ports:

#!/bin/sh
# Interface the VPN tunnel arrives on
VPN_INTERFACE=tun0
# Most recent dnsmasq lease on eth0 (column 3 of a lease line is the IP): the old computer
TARGET_IP=$(sudo cat /var/lib/NetworkManager/dnsmasq-eth0.leases | sort -r | head -1 | awk '{print $3}')

# TCP: rewrite the destination of inbound VPN traffic on ports 80-65535 to the computer,
# then let the rewritten packets through the FORWARD chain
sudo iptables -t nat -I PREROUTING -i "$VPN_INTERFACE" -p tcp --dport 80:65535 -j DNAT --to-destination "$TARGET_IP"
sudo iptables -I FORWARD -p tcp -d "$TARGET_IP" --dport 80:65535 -j ACCEPT

# UDP: same two rules for UDP
sudo iptables -t nat -I PREROUTING -i "$VPN_INTERFACE" -p udp --dport 80:65535 -j DNAT --to-destination "$TARGET_IP"
sudo iptables -I FORWARD -p udp -d "$TARGET_IP" --dport 80:65535 -j ACCEPT

Now all devices connected to the VPN can ping each other. The problem is that I also want all devices to be able to forward UDP (I need it for PBX) to and from everyone. How can I do this?

Any help is appreciated.

firewall: CentOS 7 port 27015 does not work

I have a web host from another hosting company. I set up remote MySQL and everything I need and added it in database.cfg, but the CS:GO server rejects the connections to port 27015, even if the firewall is down and the server is gone.
I would like to mention that connections to port 80 go through; only 27015 does not.

telnet: connect to ipadresshide address: connection refused
How can I fix it to make the respective open port work? The firewall is off, remember!
And on the web it says that it cannot connect to the server because of this, as Telnet rejects the connection.

ONLY PORT TCP PROBLEM! UDP WORKING!

networking: how to instantiate the Windows Firewall interface object in Unity

I am trying to make the game add a Firewall rule. I have already referenced NetFwTypeLib.dll in the project. That took me to this line of code:

INetFwPolicy2 fwPolicy2 = Activator.CreateInstance(typeof(INetFwPolicy2)) as INetFwPolicy2;

This gave me an exception of:

MissingMethodException: Default constructor not found for type NetFwTypeLib.INetFwPolicy2

I've already tried

Activator.CreateInstance(Type.GetTypeFromProgID("HNetCfg.FwPolicy2"));

which led me to another exception of:

NotImplementedException: Unmanaged activation is not supported

I don't know what to try anymore. Thanks in advance.

Brute Force: Prevention of automatic token attacks without relying on firewall or network infrastructure

Our concern is more about application-side prevention of automated attacks. Although the firewall is part of helping to prevent this, the security practices of our development team demand that we need a second level of protection. Solutions like MFA and CAPTCHA are solutions to a different problem. They help reduce the chances that an attacker can bypass authentication and guess credentials. What we want here is basically to detect an automated attack and stop it (or, realistically, delay it).

The attack the penetration tester made was this:

http://ourapplication.com/passwordreset&token=AAAAAAbbbbCCCCDDDD####3333KkOoBvVNNJIKGDDVL

This is a link sent to email addresses to reset the password. They tried automated enumeration of the token in order to guess a correct one. Even though they failed to guess a valid one, they still filed this as a vulnerability, as our application was unable to detect this automated attack and was unable to block the requests. So now we are at a dead end looking for solutions for this.

Some solutions we have found:

  1. IP address blocking: seems problematic since requests go through multiple servers and components (firewall -> web server -> application server, etc.), it would be extremely difficult to obtain the originating IP address of the requester. Sometimes the attacks could still be behind reps.

This would be feasible if the enumeration were something like username and password. We can devise logic that detects the enumeration of user names with the same password and starts blocking the following requests with the same password. In this case, the only input is a token.

We are running out of ideas for solving this problem. Can anyone help us with this?
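An added example of the application-side detection the post is asking about; it is not the poster's code and everything in it (class and constant names, thresholds, the backoff curve) is a hypothetical design. It never looks at the client IP: it counts invalid reset tokens presented to the endpoint as a whole in a sliding window, adds an exponential delay once that rate looks automated, refuses outright above a hard limit, and keeps the tokens themselves 256-bit, single-use and expiring.

```python
import hashlib, secrets, time
from collections import deque

TOKEN_TTL = 15 * 60   # seconds a reset token stays valid
WINDOW = 60           # sliding window (seconds) for counting invalid attempts
THRESHOLD = 20        # invalid attempts per window before slowing responses
HARD_STOP = 100       # invalid attempts per window before refusing outright
MAX_DELAY = 8.0       # cap on the added response delay, seconds

def _key(token):
    # Look tokens up by hash so dict equality never touches the secret itself
    return hashlib.sha256(token.encode()).hexdigest()

class ResetTokenGuard:
    """Hypothetical application-side guard: enumeration is detected from the
    rate of invalid tokens hitting the endpoint as a whole, never from client IP."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.tokens = {}          # sha256(token) -> (user, expiry)
        self.failures = deque()   # timestamps of invalid attempts

    def issue(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: not enumerable
        self.tokens[_key(token)] = (user, self.clock() + TOKEN_TTL)
        return token

    def invalid_rate(self):
        now = self.clock()
        while self.failures and now - self.failures[0] > WINDOW:
            self.failures.popleft()           # drop attempts outside the window
        return len(self.failures)

    def penalty_seconds(self):
        """Delay to add to the response once the window looks automated."""
        n = self.invalid_rate()
        if n < THRESHOLD:
            return 0.0
        return min(MAX_DELAY, 0.5 * 2 ** ((n - THRESHOLD) // 10))  # exponential backoff

    def redeem(self, presented):
        """Returns ('ok', user), ('invalid', None) or ('throttled', delay)."""
        if self.invalid_rate() >= HARD_STOP:
            return ("throttled", self.penalty_seconds())   # also the point to raise an alert
        entry = self.tokens.get(_key(presented))
        if entry is None or entry[1] < self.clock():
            self.failures.append(self.clock())
            return ("invalid", None)
        user, _ = self.tokens.pop(_key(presented))         # single use
        return ("ok", user)
```

Because the counter is global rather than per IP, it also catches enumeration spread across many sources or hidden behind proxies, at the cost that a burst of genuine mistakes slows everyone down for one window.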