I followed Tom’s tutorial and have set up pfBlockerNG, it works fantastic. Then I noticed something that made me a bit worried:
Once I had GeoIP turned on and enabled the top spammer list (IPv4), deny inbound, I started to see pfSense reporting a huge amount of inbound denies from a Chinese IP, which is poking only port 6690, and it’s trying different outbound ports to reach me.
The 6690 port is the default of Synology Drive and it was open. After seeing this huge amount of attempts I closed port 6690 on my pfSense, also turned off the synology.me DDNS, and set up an alias in Synology which makes Drive go through another port.
Surprisingly, the amount of attempts from that Chinese IP dropped significantly after I took action, it went less active for a few hours but now it goes full throttle again.
I had a few ports open at that moment: HTTPS, SMTP, SMTP-TLS, IMAP/S, 5006, 6690, and a custom DSM HTTPS port. Now 6690 is closed.
The huge amount of attempts shocked me quite a bit. There are many ports of Synology that could be open, only targeting 6690 seems a bit weird to me too.
Is this kind of thing normal or am I really seeing a targeted attempt?