First off, I am new to pfSense. I have been playing with it for a bit and I am mostly comfortable using it. I have installed pfSense + pfBlockerNG + snort (no blocking yet).
I finally moved my pfSense machine to between the modem and wireless AP/router. More testing is due, but mostly works fine.
The issue is that when I checked the firewall logs after the move, I saw that the 50 lines were filled in about 5 minutes with blocks to the WAN. I have since increased the log to 500 lines to see a (slightly) bigger picture. Now, in about 5 minutes I typically get 15 (+/- a few) blocks, meaning about 180/hr or over 4000/day blocks. I have checked some of the IP addresses and saw most were coming from the Russian Federation (with the St Petersburg area being the MOST common). I also saw some from China, Vietnam, France, east and south Africa, and the Netherlands. There are some single hits, but usually a sequence of 4 to 10 hits. These hits can be from a single IP/port combo, single IP/multiple ports, or varying IPs (4th set of numbers varies, but still in range according to a whois IP lookup)/multiple ports.
Is this hit rate typical, high, or low?
Should I be concerned? Just let pfSense deal with it or do something more?
Thanks.