Posted: Sat Apr 12, 2025 20:50 Post subject: Detect and Block Port Scanners setting blocking outbound
I noticed that enabling "Detect and Block Port Scanners" in the Security Firewall sections adds these lines to iptables:
Code:
-A INPUT -i vlan2 -m psd --psd-weight-threshold 15 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 3 -j DROP
-A FORWARD -i vlan2 -m psd --psd-weight-threshold 15 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 3 -j DROP
And after a little time the FORWARD line starts incrementing (with iptables -v -L -n) and all my DNS queries to 8.8.8.8 start to fail. I can switch DNS servers and it starts to work again, but that isn't a workable option.
I also wonder if this isn't caused by frustrated port-scanners/hackers who are spoofing common DNS IPs to get this rule to trigger.
In any case, I feel like this is a bug and LAN traffic should not be impacted by a rule meant to block WAN traffic. Thoughts?
Is this on the current release? Also, why would you use only one DNS server?
Yes, the most recent version as of 3 days ago: v3.0-r60662 std (04/10/25)
Technically I use pi-hole as my LAN's DNS server but it in turn goes out and hits the Google DNS servers (8.8.8.8 and 8.8.4.4). I can change the DNS servers and add more, but if the first (primary) DNS address is blocked, it really slows down all Internet browsing.
I feel like the iptables rule that is used should be modified to avoid this problem. Perhaps it is just a UDP/DNS issue if you don't use dd-wrt as your LAN's DNS service?
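To show why a single resolver can trip these rules, here is an added example (my own, not dd-wrt's code) that models xt_psd's scoring with the thread's thresholds: each reply from 8.8.8.8 arrives on a different ephemeral destination port, so one resolver looks like a high-port scan. The packet timings and the "accept ESTABLISHED before psd" ordering are assumptions for the simulation.

```python
"""Simplified model of xt_psd scoring (added example, not dd-wrt code)."""
from dataclasses import dataclass, field

WEIGHT_THRESHOLD = 15    # --psd-weight-threshold 15
DELAY_THRESHOLD_S = 3.0  # --psd-delay-threshold 300 (hundredths of a second)
LO_PORTS_WEIGHT = 3      # --psd-lo-ports-weight 3 (dport < 1024)
HI_PORTS_WEIGHT = 3      # --psd-hi-ports-weight 3 (dport >= 1024)

@dataclass
class Packet:
    t: float           # arrival time in seconds
    src: str           # source IP as seen on the WAN interface (vlan2)
    dport: int         # destination port on our side
    established: bool  # True if conntrack would classify it as a reply

@dataclass
class SrcState:
    last: float = 0.0
    ports: set = field(default_factory=set)
    weight: int = 0

def psd_dropped(packets, skip_established=False):
    """Return the source IPs the psd rule would start dropping.
    skip_established models an ESTABLISHED,RELATED accept placed
    ahead of the psd rule, so replies are never scored."""
    state, dropped = {}, set()
    for p in packets:
        if skip_established and p.established:
            continue
        s = state.setdefault(p.src, SrcState(last=p.t))
        if p.t - s.last > DELAY_THRESHOLD_S:  # quiet gap: record expires
            s.ports.clear()
            s.weight = 0
        s.last = p.t
        if p.dport not in s.ports:  # only a port not seen before adds weight
            s.ports.add(p.dport)
            s.weight += LO_PORTS_WEIGHT if p.dport < 1024 else HI_PORTS_WEIGHT
        if s.weight >= WEIGHT_THRESHOLD:
            dropped.add(p.src)
    return dropped

# Constructed sample: pi-hole sends five queries from five ephemeral ports
# within one second; 8.8.8.8 answers each, so five distinct high dports
# arrive from one source and 5 * 3 reaches the threshold of 15.
DNS_REPLIES = [Packet(0.2 * i, "8.8.8.8", 40000 + i, True) for i in range(5)]
# Same replies spaced 4 s apart never accumulate past one port.
SLOW_REPLIES = [Packet(4.0 * i, "8.8.8.8", 40000 + i, True) for i in range(5)]
```

In iptables terms the model's `skip_established` corresponds to an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule on vlan2 placed before the psd rules in INPUT and FORWARD, so only unsolicited inbound packets are scored; whether dd-wrt already orders its rules that way is something to verify on the router.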
@ho1Aetoo thanks for the smartdns option but I'm not completely following. I just want to turn on the port scanners blocking feature without my internal DNS server (pi-hole) getting blocked when it reaches out to external DNS services. Or it might be the DNS response coming back that gets blocked--I'm not really sure. Is your pi-hole on the WAN side of dd-wrt? Mine has to be on the LAN side. So it is going to have to make many 53/UDP calls to DNS IPs. Or 443/TCP if DoH is used, but I have not really looked into that much.
I just don't really get why a DNS service using a single port would get flagged as a port scan with the iptables psd option. I might try my local ISP's DNS service and see if that gets blocked. I have this suspicion that port-scanners spoof common DNS IPs to cause this problem.
Thanks everyone. That bug is kind of related. It seems to do with the TCP-SYN Flood flag not being able to be disabled, which is something I did try to see if my DNS calls would stop getting tarpitted. I saw the same behavior of it not being disabled and figured it just wasn't meant to be disabled.
In that thread, though, it said that the "Detect and Block Port Scanners" and "Slowdown connection attempts (Tarpit)" really shouldn't be enabled unless you want to mess with attackers. Having them enabled is going to make it appear your ports are open and might cause attackers to hit you harder. So, I guess I'm better off not having those settings enabled, which has been working much better for me.