Teri Radichel

Summary

The article discusses a bug in pfSense's filter system caused by a malformed IP address entry in an alias list, leading to unexpected filtering results and a surge of traffic from a specific range.

Abstract

The author, Teri Radichel, recounts the experience of discovering a bug in the pfSense firewall filter after encountering a malformed IP address (180.0.00 with two periods) in an alias list. This erroneous entry resulted in the filter incorrectly blocking and allowing traffic, contrary to the defined rules. Following this, the author's system was inundated with traffic from the 63.140.32.0/19 range, raising questions about the source and intent of this traffic, particularly its possible connection to Adobe. The article suggests that this issue warrants investigation by Netgate, the maintainers of pfSense, and invites readers to follow for updates on the situation.

Opinions

  • The author believes that the malformed IP address in the alias list is the root cause of the pfSense filter's malfunction.
  • There is a suggestion that the unexpected traffic from the 63.140.32.0/19 range may be related to Adobe, although the author is uncertain and questions the nature of this traffic.
  • The author implies that the issue is significant enough to require attention from Netgate's technical team.
  • The article conveys a sense of urgency for a resolution, as the malfunctioning filter could have serious security implications.
  • The author offers their expertise in cybersecurity, indicating a professional opinion that the bug is a noteworthy concern within the field.

Bug in pfSense Filter

Malformed IP allowed and causes unexpected filter results

Took me a while to figure this out, but somehow an IP with this value got entered into one of my alias lists:

180.0.00

Note that the address above has only two periods, not three.

That entry caused the filter to malfunction. It was blocking things that were not in the list and allowing things it shouldn’t.

Definitely something for someone at Netgate to look into.
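
A pre-import check that flags an entry like the one above, as an added example (not code from the original post and not pfSense's own validation): it accepts only strict IP addresses and CIDR networks and reports everything else with a reason. It assumes one entry per line, `#` comments, and an IP-only alias, so hostnames are reported too; the function names and the sample list are constructed.

```python
import ipaddress
import re
import sys

# Digits and dots only: the entry is meant to be IPv4, so it must be a strict dotted quad.
NUMERIC_DOTTED = re.compile(r"^[0-9.]+$")

# Constructed sample alias list; 180.0.00 is the malformed value from the post.
SAMPLE = """\
# constructed sample
192.0.2.10
180.0.00
203.0.113.0/24
198.51.100.7/24
2001:db8::/32
blocklist.example
"""

def check_entry(entry):
    """Return None for a strict IP address or CIDR network, else the reason it fails."""
    addr, slash, _ = entry.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        if NUMERIC_DOTTED.match(addr):
            return "numeric, but not a four-octet IPv4 address"
        return "not an IP address or CIDR network"
    if slash:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return "invalid prefix length"
        if ip != net.network_address:
            return f"host bits set; did you mean {net}?"
    return None

def lint_alias(text):
    """Return (line number, entry, reason) for every entry that fails check_entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if entry and (reason := check_entry(entry)):
            findings.append((lineno, entry, reason))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, entry, reason in lint_alias(text):
        print(f"line {lineno}: {entry!r}: {reason}")
```

Run it against an exported alias list before pasting or importing the entries, and treat any finding as a reason to stop and correct the list first.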

After that I got bombarded with traffic from this range:

63.140.32.0/19

What is going on at Adobe anyway? Where is all this traffic coming from? Doesn’t seem related to what I am doing but perhaps I am wrong.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024
