pfSense: Comprehensive Guide to Installation, Configuration, and SYN Flood Attack Log Analysis (pfSense-CE-2.6.0-RELEASE-amd64.iso)
If you’re interested in building a cybersecurity lab at home, pfSense is one of the best tools you can use to protect and manage your network. Think of pfSense as your lab’s first line of defense. In cybersecurity, having control over what enters and leaves your network is essential. A firewall like pfSense acts as a protective barrier between your internal network and the outside world, blocking unauthorized access and monitoring the traffic that flows in and out.
By setting up pfSense you will learn how firewalls work, gain control over your lab’s security, and create a realistic environment for learning and practicing cybersecurity skills.
Step 1: Requirements
To get started, here’s what you need:
Virtual Machine Software: We’ll use VMware for this setup.
pfSense Installer: Download the pfSense CE installer image (ISO) from pfSense’s official website, and verify the download against the SHA-256 checksum published next to it before booting from it.
Step 2: Creating a Virtual Machine for pfSense
Open VMware:
Go to File > New Virtual Machine.
Choose Typical setup.
Select ISO File
Choose the Installer disc image file (iso) and locate the pfSense ISO you downloaded.
Click Next to continue.
Name Your VM:
Give your virtual machine a name like pfSense_Lab_2.6.0.
Select where to save it, then click Next.
Allocate 20GB of disk space.
Store virtual disk as a single file > Next
Set Hardware Requirements:
Click on Customize Hardware
Allocate at least 1 GB of RAM for basic use. For better performance, use 2 GB or more.
Assign at least 1 CPU and consider 2 cores for better performance.
Add 2 Network Adapters:
We use two network adapters to simulate a real router setup:
1. First Adapter: NAT (for WAN)
This acts as the connection to the internet. The NAT adapter lets pfSense reach the internet through the host computer; it obtains an IP address automatically from VMware’s NAT DHCP service, so you can see how pfSense handles internet access.
2. Second Adapter: Host-only (for LAN)
This is the internal network. The Host-only adapter connects pfSense to the other virtual machines on a private network, like a home LAN. It is isolated from the outside world, which keeps it contained and makes it a good place to test.
In short: the NAT adapter is pfSense’s WAN and the Host-only adapter is the LAN behind it, so pfSense sits between the two exactly like a home or office router.
Click “Finish” and then “Power on” the virtual machine.
The VM should boot from the pfSense ISO. You will see a boot menu.
Step 3: Installation Process
Go Through the Install Process:
Accept the terms
Select the “Install” option, which will start the pfSense installation.
Keymap Selection: scroll through the list to check the keymap; the default us.kbd keymap is fine for a US keyboard. Select “Continue with us.kbd keymap”.
Partitioning: the installer offers the guided “Auto (UFS)” and “Auto (ZFS)” disk setups, which partition the disk automatically. ZFS is generally preferred for its reliability (checksumming and snapshots), while UFS works well for simpler setups and very small disks.
We select “Auto (ZFS)”.
Because we chose ZFS, the installer asks for a virtual device type. We select stripe (no redundancy), which is fine for basic testing and non-critical use; with a single virtual disk there is nothing to mirror anyway.
Select the target disk with the space bar and choose OK. A prompt warns that the selected disk will be overwritten.
Choose YES to continue. The installer then extracts the distribution files; this is the actual installation, where pfSense writes its system files to the disk, so wait for it to complete.
When the installer asks whether you want to open a shell to make final manual modifications, choose “No”, since this is a standard installation. The installer exits and offers to reboot into the newly installed pfSense environment.
Before the system reboots into the newly installed pfSense, remove the ISO image from the VM so it does not boot from the installer again:
Go to VM > Removable Devices > CD/DVD and disconnect the ISO.
Press Enter to reboot the VM.
After rebooting we reach the pfSense console menu.
The options we see in the pfSense console menu provide different administrative and troubleshooting capabilities for pfSense. Depending on what task we need to perform, we can use one or more of these options to manage our pfSense instance effectively.
Console Menu Options:
1. Assign Interfaces: Allows you to reassign the network interfaces (WAN, LAN) or add more interfaces if needed. Useful if you need to change or verify which physical or virtual network adapters are used for the WAN or LAN.
2. Set interface(s) IP address: Lets you manually configure or change the IP addresses for the interfaces. This is useful if you need to set a static IP for the WAN or change the LAN IP address; it also asks whether to enable the DHCP server on the interface.
3. Reset webConfigurator password: Resets the password for the web interface back to the default (admin/pfsense). Use this if you forget the web interface password.
4. Reset to factory defaults: Resets all pfSense settings to the factory default configuration. This is a helpful recovery step if your configuration becomes problematic and you need to start over.
5. Reboot system: Restarts the pfSense system. Use this after making major configuration changes or for troubleshooting purposes.
6. Halt system: Powers down the pfSense system safely. Useful for maintenance or when you need to stop the virtual machine or physical hardware.
7. Ping host: Sends ICMP ping requests to a specified host to test connectivity. Good for basic network troubleshooting to verify whether pfSense can reach other devices or the internet.
8. Shell: Opens a command-line shell for advanced administrative tasks. This is where you can execute FreeBSD commands or make manual adjustments that aren’t available in the standard menu options.
9. pfTop: Displays a real-time overview of the active firewall states (the connections pf is tracking), similar to the top command in Linux. Useful for monitoring network traffic and seeing what is consuming the state table.
10. Filter Logs: Shows real-time firewall log entries. Helps with troubleshooting firewall rules and understanding what traffic is being blocked or allowed.
11. Restart webConfigurator: Restarts the web interface service without restarting the whole system. Useful if the web interface becomes unresponsive.
12. PHP shell + pfSense tools: Provides a shell for running PHP scripts or pfSense-specific tools and commands. Helpful for advanced troubleshooting or configuration.
13. Update from console: Checks for and applies system updates from the console. Use this to update pfSense without accessing the web interface.
14. Enable Secure Shell (sshd): Starts the SSH service, allowing remote secure access to the pfSense console. This is useful if you want to administer pfSense from a remote terminal; only allow it from the LAN, never from the WAN.
15. Restore recent configuration: Reverts the configuration to a recent backup or saved state. Ideal for recovery if a recent change caused an issue.
16. Restart PHP-FPM: Restarts the PHP FastCGI Process Manager, which handles web server requests for the webConfigurator. Use this if there are webConfigurator errors or the interface becomes unresponsive.
Step 4: Connecting the Kali Linux Machine to pfSense
Before starting the Kali machine, add a network adapter to it exactly as we did when we created the pfSense machine, so that Kali has two adapters:
1. NAT adapter: connects Kali to the internet directly through the host, and places it on the same VMware NAT segment as pfSense’s WAN interface.
2. Host-only adapter: places Kali on the internal network behind pfSense’s LAN interface, so it can be used to test and manage pfSense like a client on a home or office network.
Start the Kali Linux Machine
Check the IP address of Kali Linux:
ip a
In the ip a output on the Kali machine (on the right), the machine has the IP address 192.168.1.195 on eth1.
This address is in the same subnet as the LAN IP of pfSense, 192.168.1.1/24 (on the left side), which means the Kali machine is on the same local network as the LAN interface of pfSense; it was handed out by the DHCP server that pfSense runs on the LAN by default.
Ping the pfSense LAN interface (step 5 below). If there are connectivity issues:
1. Assign a static IP and bring up eth1
sudo ip addr add <Kali LAN IP>/24 dev eth1
sudo ip link set dev eth1 up
(<Kali LAN IP> is an unused address in 192.168.1.0/24, not the pfSense address.)
2. Check the default gateway on Kali Linux
Ensure that Kali Linux is using the pfSense LAN interface (192.168.1.1) as its default gateway.
ip route
If the routing table on the Kali machine does not show a default route via pfSense, add one manually. Note that the NAT adapter (eth0) normally receives its own default route from VMware’s DHCP; if you want Kali’s outbound traffic to go through pfSense, remove that route or disconnect the NAT adapter, otherwise traffic may bypass the firewall.
3. Add a default gateway
sudo ip route add default via <LAN IP> dev eth1
(the older net-tools form of the same command is sudo route add default gw <LAN IP>)
4. Check the default gateway again
ip route
The routing table should now show a proper default route (default via 192.168.1.1 dev eth1).
5. Test connectivity
ping -c 4 <LAN IP>
Step 5: Accessing the pfSense Web Interface
Open a browser: use the LAN IP to reach the web configurator from a browser on the Kali Linux machine (the host can also reach it through its own host-only adapter).
Go to https://192.168.1.1
You will see a certificate warning, because pfSense ships with a self-signed certificate. Choose Advanced > Accept the Risk and Continue.
Note: accepting this warning is reasonable when accessing a known device on your own isolated lab network, such as this pfSense firewall. If this were a public or unfamiliar website, bypassing such a warning would not be recommended. For anything beyond a lab, install a certificate issued by a CA you control (System > Cert. Manager) rather than getting used to clicking through warnings.
Login:
Default username: admin
Default password: pfsense
Console log
On the pfSense console (on the left side), below the menu, recent log lines show activity such as successful logins or system messages. Here we see messages indicating successful webConfigurator logins by the admin user from different IPs (192.168.1.2 and 192.168.1.103).
Initial Setup Wizard:
Click “Next” to proceed with the wizard and configure the initial settings.
Steps in the wizard:
General Information: Enter the hostname, domain, and DNS servers if needed.
Time Server: Set your time zone and optional time server configuration.
WAN Configuration: Configure the WAN interface settings (usually set to obtain an IP automatically via DHCP when using a NAT adapter in a virtual environment).
RFC1918 and Bogon Network Settings
The “Block RFC1918 Private Networks” and “Block bogon networks” options on the WAN interface control whether traffic from private address ranges, and from unallocated or reserved (“bogon”) ranges, is dropped as soon as it arrives on the WAN.
For lab environments: uncheck both options if your WAN sits in private IP space (as it does here, behind VMware NAT) or if you need to simulate such traffic; otherwise the firewall silently drops packets from your own lab hosts.
For real networks: keep both options checked. Legitimate internet clients never arrive from private or bogon ranges, so such packets are either misconfiguration or spoofing.
LAN Configuration: Set the LAN IP address (keep it as 192.168.1.1 or change it if needed).
Admin Password: Change the default admin password. This is important; the dashboard keeps warning as long as the default password is still set.
Reload pfSense to apply the new settings and complete the initial setup.
Finish > Accept > Close
After completing the initial setup you will see the pfSense dashboard.
- Disks: Shows disk usage. In this case the / partition is using 721 MB of the total 16 GB, which is 4% of the disk space.
- Interfaces:
WAN: the external network interface, configured with the IP address 192.168.19.17. The link is 1000baseT <full-duplex>, a gigabit connection that can transmit and receive at the same time.
LAN: the internal network interface with the IP address 192.168.1.1, also running at 1000baseT <full-duplex>.
The dashboard provides an overview of the system’s health and network interface status, which is essential for monitoring our network and ensuring everything is functioning properly.
On the System Logs page we can check different types of log entries to troubleshoot or monitor various activities and system states. The “General” tab shows system-level events, including:
- System Startup/Shutdown: Details about boot and shutdown, as seen with entries about syslogd starting and exiting.
- Kernel Messages: Notifications about kernel-level operations such as loading modules, processing threads, and disk operations.
- Process Details: Information about the starting, stopping, or status updates of system processes.
You can switch between log categories such as Firewall, DHCP, and VPN by selecting the corresponding tabs, to diagnose issues or confirm system behavior.
In the Firewall Logs view we can observe detailed entries for traffic that has been blocked or allowed by the pfSense firewall rules.
- Action: What was done with the traffic, such as blocking or allowing it. In our case the red ✖ indicates that the traffic was blocked.
- Time: The timestamp when the log entry was recorded.
- Interface: The interface where the traffic was observed, such as LAN or WAN.
- Rule: The firewall rule that triggered the action. The entries here are labeled Default deny rule, meaning the packets were blocked because they didn’t match any rule allowing them.
- Source: The IP address the traffic originated from.
- Destination: The IP address or endpoint the traffic was intended for.
- Protocol: The protocol used, such as UDP or TCP.
This view is useful for troubleshooting connectivity issues, identifying unauthorized access attempts, and monitoring general network activity on your pfSense system.
Clicking the icon next to a log entry starts the creation of an “Easy Rule” to permit that traffic.
The “Easy Rule” feature in pfSense’s firewall logs lets us quickly create a firewall rule from a log entry that shows blocked traffic, so that this specific traffic is allowed in future.
A confirmation screen opens for the new rule. It specifies a “Pass” rule on the LAN interface, allowing UDP traffic from the source 192.168.195.1 to the destination 192.168.195.255 on port 137.
Clicking “Confirm” adds the rule and updates the firewall configuration to permit this specific traffic. Before confirming, make sure you actually want the traffic: port 137/UDP to the broadcast address is NetBIOS name-service chatter from a Windows host, which a firewall can usually keep dropping. Easy Rule makes it very convenient to open holes for noise you simply got tired of seeing in the log.
To view or modify the firewall rules in pfSense, navigate to the Firewall tab in the top menu and select Rules from the dropdown. This section lets us add, edit, or review the rules that dictate how traffic is handled on each network interface (such as LAN or WAN).
Once inside the Rules section, you can review, add, or adjust rules to control traffic, customizing the flow of network traffic according to our security requirements or connectivity needs.
Firewall rules in pfSense, as in most firewalls, match traffic on several key criteria to decide whether it should be allowed or denied. Here’s how these rules work and what information is needed:
Key Components of a Firewall Rule:
1. Source: The originating point of the traffic. It can be an IP address, a network, or an alias representing a group of IPs or networks.
2. Destination: Where the traffic is intended to go. It can also be an IP address, a network, or an alias.
3. Source to Destination (Traffic Path): The rule specifies which traffic is allowed or denied between a source and a destination. For example, we might have a rule that allows traffic from a LAN IP (source) to a specific external IP on the WAN (destination).
Along with these, every rule names the interface it applies to, the protocol, and the destination port (or a port alias); a packet has to match all of them before the rule’s action applies.
Let’s create a rule
Click Firewall in the top menu, as shown in the image.
Choose Aliases from the dropdown list. (Aliases in pfSense simplify rule management: by grouping ports, IPs, or networks into aliases, we can write more readable and maintainable firewall rules.)
Choose Ports > Add
To create a new port alias in pfSense:
- Name: Enter a descriptive name for the alias; this is the name firewall rules will reference. For example, WEB_PORTS or WEB_ACCESS.
- Description: A brief description to help us remember what the alias is for, e.g. “Common web service ports.”
- Type: Make sure the type is set to Port(s), since we are defining ports.
- Port(s): Enter the ports to include in the alias: a single port such as 80 (HTTP) or 443 (HTTPS), or a range such as 1000:2000. Use the Add Port button to add further entries, one per row.
Once all details are entered, click Save to create the alias.
Once saved, you can use this alias in firewall rules to simplify rule creation and management, which helps when you frequently need to allow or block traffic on specific ports across the network.
We have now created a firewall alias named WEB_PORTS with ports 80 (HTTP) and 443 (HTTPS). It can be used to simplify rules that manage web traffic, such as allowing or blocking it across the network.
In the same way, create a second alias named SSH_BLOCK for the SSH port (22). This alias can be referenced in firewall rules to block or otherwise manage SSH connections.
To proceed:
- Save the alias: click the Save button.
- Apply: click the green “Apply Changes” button in the yellow notification bar so the newly created aliases become part of the active firewall configuration.
Creating a NAT port forwarding rule in pfSense
Go to Firewall
> NAT
> Port Forward
.
On the top menu we can see the different types of Network Address Translation (NAT) configurations available in pfSense. Here’s what each of these options means:
- Port Forward: This is used to redirect incoming traffic on a specific port or range of ports on the WAN (or any other interface) to a different port or IP address on an internal network. It’s commonly used for making internal services (web servers, FTP servers) accessible from outside the network.
- 1:1 NAT: This configuration maps one public IP address to one internal IP address. It is a direct mapping where all traffic sent to the public IP is forwarded to the internal IP, and vice versa. It’s useful when you have multiple public IPs and want each to be associated with a unique internal IP.
- Outbound: Outbound NAT, also known as Source NAT, is used to control how traffic originating from internal networks is presented to external networks. This is commonly configured to hide internal IP addresses behind a public IP address (usually the IP of the WAN interface). By default, pfSense automatically handles outbound NAT for private subnets.
- NPT (Network Prefix Translation): This is specific to IPv6 and allows for the translation of IPv6 prefixes. It helps in translating one IPv6 prefix to another, enabling IPv6 address space to be mapped between different network segments. This can be useful for scenarios where IPv6 addresses need to be consistent across networks for communication purposes.
Each of these NAT types serves a different purpose based on the network’s needs and how traffic should be routed or translated between internal and external networks.
Click the Add button to create a new port forwarding rule and configure it:
Interface: Choose the interface the traffic arrives on (e.g., WAN).
Protocol: Select the protocol (TCP, UDP, or TCP/UDP).
Source Address: Leave as Any unless you want to restrict which sources may use the forward (restricting it is the safer choice for administrative services).
Source Ports: Leave as Any.
Destination Address: Select the interface address (WAN address) or specify a particular IP.
Destination Ports: Choose the port or alias the rule should match.
Redirect Target IP: Enter the internal IP address of the device the traffic should be redirected to.
Redirect Target Port: Specify the port on the internal device.
Description (optional): Provide a short description for easy identification.
Filter rule association: leave the default “Add associated filter rule”, so pfSense also creates the WAN firewall rule that lets the forwarded traffic in. A port forward without a matching pass rule is still dropped by the default deny.
Save and Apply: Click Save and then Apply Changes to activate the new rule.
We can now test whether the NAT port forwarding rule works by accessing the service from a host on the WAN side (in this lab, a machine on the VMware NAT segment, such as Kali through its NAT adapter).
In the Firewall Rules configuration page for the WAN interface in pfSense we see:
Firewall / Rules / WAN: This is the section where you create, modify, or delete firewall rules for traffic arriving on the WAN (Wide Area Network) interface.
Top Tabs (Floating, WAN, LAN): These tabs switch between interfaces or rule types:
Floating: Rules that can apply across several interfaces and can be configured to match traffic in either direction.
WAN: Rules for traffic entering through the WAN interface.
LAN: Rules for traffic entering from the internal network (LAN hosts talking to each other, to pfSense, or out to the WAN).
Rules (Drag to Change Order): This section lists all the firewall rules defined for the WAN interface. Order matters because pfSense evaluates interface rules from top to bottom and the first rule that matches the traffic wins; later rules are not consulted for that packet.
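To make the two points above concrete (rules are matched on interface, protocol, source, destination and port, and the first match from the top wins), here is a small Python model of that evaluation written for this guide. It is an added example, not pfSense code, and it deliberately ignores states, floating rules, direction and the "quick" option. It uses the WEB_PORTS and SSH_BLOCK aliases and the WAN/LAN addresses from this lab; the rule dictionaries and the sample packets are constructed for the illustration.

```python
import ipaddress

# Port aliases as created earlier under Firewall > Aliases > Ports.
ALIASES = {"WEB_PORTS": {80, 443}, "SSH_BLOCK": {22}}


def port_matches(spec, port):
    """spec is "any", an alias name, "lo:hi", or a single port number as text."""
    if spec == "any":
        return True
    if spec in ALIASES:
        return port in ALIASES[spec]
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    return port == int(spec)


def addr_matches(spec, ip, firewall_ips):
    """spec is "any", "This Firewall", or an IP/CIDR string."""
    if spec == "any":
        return True
    if spec == "This Firewall":
        return ip in firewall_ips
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt, firewall_ips):
    """Walk one interface's rule list top-down; the first matching rule decides.

    Returns (action, description). Traffic that matches nothing hits the
    default deny, which is what the "Default deny rule" log entries show.
    """
    for r in rules:
        if r.get("disabled"):
            continue
        if r["interface"] != pkt["interface"]:
            continue
        if r["proto"] not in ("any", pkt["proto"]):
            continue
        if not addr_matches(r["src"], pkt["src"], firewall_ips):
            continue
        if not addr_matches(r["dst"], pkt["dst"], firewall_ips):
            continue
        if not port_matches(r["dport"], pkt["dport"]):
            continue
        return r["action"], r["descr"]
    return "block", "Default deny rule"


# WAN and LAN addresses from the lab dashboard (constructed to match the guide).
FIREWALL_IPS = {"192.168.19.17", "192.168.1.1"}

# Rules modelled on the ones built in this guide, plus a deliberately broad pass rule.
WEB_RULE = {"interface": "WAN", "action": "pass", "proto": "tcp", "src": "any",
            "dst": "This Firewall", "dport": "WEB_PORTS", "descr": "pfsense web port rule"}
SSH_BLOCK_RULE = {"interface": "WAN", "action": "block", "proto": "tcp", "src": "any",
                  "dst": "This Firewall", "dport": "SSH_BLOCK", "descr": "block ssh"}
BROAD_PASS = {"interface": "WAN", "action": "pass", "proto": "any", "src": "any",
              "dst": "This Firewall", "dport": "any", "descr": "allow all to firewall"}


def ssh_from_wan():
    # Constructed packet: an outside host trying SSH to the WAN address.
    return {"interface": "WAN", "proto": "tcp", "src": "203.0.113.9",
            "dst": "192.168.19.17", "dport": 22}


def dns_syn_from_wan():
    # Constructed packet: one of the flood SYNs analysed at the end of the guide.
    return {"interface": "WAN", "proto": "tcp", "src": "10.77.3.201",
            "dst": "192.168.19.17", "dport": 53}


if __name__ == "__main__":
    safe = [SSH_BLOCK_RULE, BROAD_PASS]
    shadowed = [BROAD_PASS, SSH_BLOCK_RULE]   # same two rules, wrong order
    print(evaluate(safe, ssh_from_wan(), FIREWALL_IPS))
    print(evaluate(shadowed, ssh_from_wan(), FIREWALL_IPS))
    print(evaluate([WEB_RULE], dns_syn_from_wan(), FIREWALL_IPS))
```

Run it and compare the two orderings: the identical SSH block rule never fires once a broad pass rule sits above it, which is exactly the mistake the ordering note warns about. The last call shows a SYN to port 53 that matches no rule landing on the default deny, as the flood entries in the firewall log do later in this guide.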
Columns
States: The number of state-table entries (tracked connections) currently matched by the rule and the traffic they have carried; a rule that never matches stays at 0.
Protocol: The protocol the rule applies to (e.g., TCP, UDP).
Source and Destination: The source and destination addresses the rule matches.
Port: The port or port range for the rule.
Gateway: Whether the rule is tied to a specific gateway (policy routing).
Queue: The traffic-shaping queue, if any, used for prioritization.
Schedule: Whether the rule is applied according to a schedule.
Description: A brief description of the rule for easy identification.
Actions: Edit, copy, disable, delete, or reposition the rule.
Note: the buttons below the list manage the rules on this interface:
Add (green up arrow): Adds a new rule at the top of the list.
Add (green down arrow): Adds a new rule at the bottom of the list.
Delete (red bin): Deletes the selected rule(s).
Toggle (circle with a line): Enables or disables the selected rule(s).
Copy (square icon): Copies the selected rule(s) for replication or modification.
Save (blue disk): Saves changes to the rule order.
Separator (orange plus): Adds a separator to organize rules for better visibility.
Firewall Rule Creation:
The rule editor is where the specific criteria that control traffic through the firewall are set. It includes:
Action (Pass, Block, Reject)
Interface (WAN, LAN)
Protocol (TCP, UDP)
Source Address:
1. The Source field is set to any, which means the rule applies to traffic coming from any IP address. This is a broad configuration that matches every source.
2. Invert Match option: If checked, the rule would apply to any source except the one specified. Here it is unchecked, so the rule is not inverted.
3. Source Port Range: Usually left at any, as the explanatory note in the editor says. The rule then applies regardless of source port, which is normally a random ephemeral port chosen by the client and has nothing to do with the destination port. Specifying source ports is uncommon outside special cases (e.g., particular server-to-server protocols).
Destination Configuration:
The images show the destination settings for a rule, which may use custom ports (e.g., port aliases like WEB_PORTS). Options for specifying destination port ranges and IP addresses are shown.
Advanced Options:
Some images show the advanced settings section, where additional parameters such as source OS, TCP flags, and connection limits can be defined. These settings refine how rules are applied, offering more granular control over traffic.
Advanced Parameters and Customizations:
The advanced settings include enabling/disabling reply-to, setting connection limits, and choosing state types for session management. VLAN priorities and policy routing options are also adjustable, showing the depth of customization available.
These steps describe how rules are defined, modified, and managed within the pfSense interface: specifying traffic control criteria, applying security measures, and enhancing traffic management.
After saving the rule we see the newly created firewall rule on the WAN interface in pfSense.
Rule Summary:
This rule allows IPv4 TCP traffic (as shown in the Protocol column).
The Source is set to *, meaning traffic from any source.
The source Port is unspecified (*), so any source port can initiate this traffic.
The Destination is set to This Firewall, meaning traffic directed to the pfSense device itself.
The destination Port is set to WEB_PORTS, the port alias covering ports 80 and 443 for HTTP/HTTPS.
Description:
The description reads pfsense web port rule, indicating that the rule is meant to allow web traffic to the pfSense firewall.
Actions:
The icons in the Actions column allow us to:
Move any checked rules above this one (the anchor icon), which is how rules are reordered without dragging.
Edit, copy, disable, or delete the rule with the corresponding icons.
Apply Changes:
A yellow notification banner at the top indicates that the rule configuration has changed and needs to be applied to take effect. The green Apply Changes button applies it.
This rule permits incoming TCP traffic on the HTTP and HTTPS ports to the WAN address of the pfSense firewall, i.e. it exposes the webConfigurator on the WAN. That is acceptable in this isolated VMware lab, where the “WAN” is just the host’s NAT segment; on a real internet-facing firewall the management interface should never be reachable from the WAN, and remote administration belongs behind a VPN.
After applying the changes you will see a green notification at the top: “The changes have been applied successfully. The firewall rules are now reloading in the background. Monitor the filter reload progress.”
This confirms that the changed firewall rules have been loaded and are now in effect.
Let’s create one more rule, this time to pass and log ICMP to the firewall so that the traffic can be watched in the logs.
Creating and Editing Firewall Rules:
Action: Set to Pass, meaning the rule allows traffic matching the criteria. If set to Block or Reject, the rule would deny traffic instead (Block drops silently; Reject also sends a TCP RST or ICMP unreachable back to the sender).
Disabled: Unchecked, so the rule is active. If checked, the rule would be saved but not applied or processed.
Interface: Set to WAN, so this rule applies to traffic arriving on the WAN (external) interface.
Address Family: Set to IPv4, so the rule applies only to IPv4 traffic. You could choose IPv6 or IPv4+IPv6 to match other traffic.
Protocol: Set to ICMP, the protocol used for network diagnostics and control messages such as ping requests.
ICMP Subtypes: Set to any, so the rule applies to every ICMP message type. The dropdown lists specific subtypes that could be chosen instead, such as Echo reply, Alternate Host, or Datagram conversion error.
Source: Set to any, so the rule applies to traffic from any IP address.
Invert match: Unchecked. If enabled, the rule would match any source except the specified one; unchecked, it matches the source as defined (here, any).
Destination: Set to This firewall (self), so the rule applies to traffic whose destination is the pfSense firewall itself. This is typically used to manage incoming traffic to services running on pfSense, such as the web interface, VPN, or other services.
Invert match: Also unchecked, so the rule applies only to traffic explicitly addressed to This firewall (self) and not to other destinations.
Log: The checkbox Log packets that are handled by this rule is checked, so every packet matching this rule is logged by pfSense. This is useful for monitoring and troubleshooting, letting administrators see which traffic is passed or filtered by this specific rule.
A warning notes that local log storage is limited and suggests a remote syslog server for heavy logging. That advice also matters for incident analysis: the local log is capped in size and rolls over quickly during an attack, and an attacker who compromises the firewall can clear it, whereas a copy shipped to a separate syslog host survives both.
Description: The field contains ICMP log management. This user-defined description identifies the purpose of the rule and makes the rule list easier to read later; keep descriptions concise and meaningful, since they are displayed in the firewall rule list.
Advanced Options: The Display Advanced button reveals additional configuration options for the rule, typically including source operating system, DiffServ Code Points (DSCP), TCP flags, and more specific state and tagging options.
Rules Applied Confirmation: The interface shows that the changes have been applied and the rules are active on the WAN interface.
SYN flood attack simulation
A SYN flood is a type of Denial-of-Service (DoS) attack: the attacker sends a stream of TCP SYN segments, usually with spoofed source addresses, so the target spends resources on each half-open connection (or, for a firewall, on a filtering decision and a log entry) and never completes a handshake. Here we generate one from Kali against pfSense’s WAN address purely to see what it looks like in the logs; only do this against systems you own, inside an isolated lab like this one.
First confirm reachability, then launch the flood:
ping -c 4 <Target>
sudo hping3 -S -p 53 --flood --rand-source <Target>
hping3: A packet generator and analyzer for TCP/IP that is often used for testing and security purposes. It crafts raw packets, so it has to run as root.
-S: Sends TCP packets with the SYN flag set. This is what makes it a SYN flood.
-p 53: Targets port 53, the DNS port. The target host sees packets aimed at this port; because our WAN rules only pass the web ports and ICMP to the firewall, these SYNs will fall through to the default deny.
--flood: Sends packets as fast as possible, without waiting for replies. This creates a flood of traffic that can overwhelm the target’s resources.
--rand-source: Randomizes the source IP address in each packet header, which makes it harder for the target to block the attack by filtering out a single IP address.
<Target>: The destination IP address being flooded; here the pfSense WAN address (192.168.19.17), reachable from Kali’s NAT adapter.
Press Ctrl+C to stop the attack.
Now let’s check our logs.
In the pfSense web interface navigate to Status > System Logs > Firewall.
We see a large number of incoming connection attempts flagged TCP:S (SYN only) with no corresponding TCP:A (ACK) or completed handshakes in the logs. On its own the missing ACK proves little, since a blocked SYN never gets a handshake anyway; it is the volume, timing and source diversity below that mark this as a SYN flood.
Repeated SYN Requests: The log shows continuous incoming traffic from many external IPs, all trying to connect to 192.168.19.17 (the WAN address) on TCP port 53 (DNS) with the SYN flag set. SYN packets initiate a TCP connection, and a flood of bare SYNs is the defining characteristic of a SYN flood.
High Frequency of Denied Requests: Many connection attempts from different addresses carrying the same timestamp, all blocked by the Default deny rule, indicate an automated or malicious attempt to overload the system or service rather than ordinary clients.
Diverse Source IPs: The spread of source addresses points to IP spoofing, which SYN floods commonly use to defeat mitigation by blocking individual addresses. With --rand-source, many of the spoofed addresses fall in private or otherwise unroutable ranges that genuine internet clients can never use; on a production WAN the “Block RFC1918” and “Block bogon networks” options would drop those before they even reach the rule set.
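The same three indicators (a burst of SYN-only entries to one service in the same second, many distinct sources, and sources that cannot legitimately appear on a WAN) can be checked mechanically over the raw filter log instead of by eye. The following Python script is an added example written for this guide, not pfSense code. The sample log lines are constructed, not captured from the lab, and follow the comma-separated layout pfSense’s filterlog writes (field positions are assumed from the documented format, with a BSD-style syslog prefix); the thresholds are set low to fit the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: eight blocked SYNs to the WAN address 192.168.19.17:53 in one
# second from eight different sources (what hping3 --rand-source produces), then one
# ordinary HTTPS connection and one blocked UDP NetBIOS broadcast. Not real captures.
SAMPLE_LOG = """\
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33041,0,none,6,tcp,40,23.45.67.89,192.168.19.17,2471,53,0,S,1120021,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33042,0,none,6,tcp,40,10.77.3.201,192.168.19.17,2472,53,0,S,1120022,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33043,0,none,6,tcp,40,91.200.10.4,192.168.19.17,2473,53,0,S,1120023,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33044,0,none,6,tcp,40,192.0.2.77,192.168.19.17,2474,53,0,S,1120024,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33045,0,none,6,tcp,40,172.16.40.9,192.168.19.17,2475,53,0,S,1120025,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33046,0,none,6,tcp,40,156.78.9.10,192.168.19.17,2476,53,0,S,1120026,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33047,0,none,6,tcp,40,240.1.1.1,192.168.19.17,2477,53,0,S,1120027,,512,,
Nov 10 14:02:11 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,33048,0,none,6,tcp,40,203.0.114.5,192.168.19.17,2478,53,0,S,1120028,,512,,
Nov 10 14:02:12 pfSense filterlog[53812]: 71,,,1611223344,em0,match,pass,in,4,0x0,,64,9021,0,DF,6,tcp,60,192.168.19.1,192.168.19.17,50222,443,0,S,88127,,64240,,mss;sackOK;TS;nop;wscale
Nov 10 14:02:12 pfSense filterlog[53812]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,9022,0,none,17,udp,78,192.168.19.1,192.168.19.255,137,137,58
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.*)$")


def parse_filterlog(text):
    """Return dicts for the IPv4 TCP/UDP entries in a block of raw filterlog lines.

    Field positions (assumed from the documented filterlog layout):
    4 interface, 6 action, 7 direction, 8 IP version, 16 protocol name,
    18 source, 19 destination, 20 source port, 21 destination port, 23 TCP flags.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.group("csv").split(",")
        if f[8] != "4":            # IPv6 entries use a different layout; skipped here
            continue
        proto = f[16]
        if proto not in ("tcp", "udp"):
            continue
        entries.append({
            "time": m.group("ts"),
            "iface": f[4], "action": f[6], "direction": f[7],
            "proto": proto, "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21]),
            "tcp_flags": f[23] if proto == "tcp" else "",
        })
    return entries


def analyze(text, syn_threshold=5, source_threshold=3):
    """Flag (second, destination, port) buckets that look like a SYN flood.

    A bucket is reported when it holds at least syn_threshold inbound SYN-only
    segments from at least source_threshold distinct addresses. Sources that are
    not globally routable (RFC1918, documentation, reserved) are counted too:
    they cannot be real internet clients, so on a WAN they indicate spoofing.
    """
    buckets = defaultdict(list)
    for e in parse_filterlog(text):
        if e["proto"] == "tcp" and e["tcp_flags"] == "S" and e["direction"] == "in":
            buckets[(e["time"], e["dst"], e["dport"])].append(e["src"])
    findings = []
    for (ts, dst, dport), srcs in sorted(buckets.items()):
        distinct = set(srcs)
        if len(srcs) >= syn_threshold and len(distinct) >= source_threshold:
            non_global = [s for s in distinct if not ipaddress.ip_address(s).is_global]
            findings.append({
                "time": ts, "dst": dst, "dport": dport,
                "syn_count": len(srcs),
                "distinct_sources": len(distinct),
                "non_global_sources": len(non_global),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['dst']}:{f['dport']} SYN flood? {f['syn_count']} SYNs "
              f"from {f['distinct_sources']} sources, {f['non_global_sources']} of them private/bogon")
```

On pfSense the raw file is /var/log/filter.log; copy it off the box (or ship it to a remote syslog collector, which the log warning above already recommends) and feed its contents to analyze(). The thresholds are per-second and deliberately tiny for the ten sample lines; on a real WAN, baseline the normal SYN rate per service first and set them well above it, otherwise a busy DNS resolver looks like an attack.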