OPNsense Forum » Archive » 17.7 Legacy Series » IDS and Firewall Rules
Topic: IDS and Firewall Rules (Read 3720 times)
cbyrd
Newbie
Posts: 9
Karma: 1
IDS and Firewall Rules « on: October 09, 2017, 07:00:02 pm »
When are IDS rules applied as compared to the firewall rules?
I am doing country blocks in IDS but would like to pass certain email servers in the blocked areas.
I have a firewall rule to allow them but they are still getting blocked by the IDS.
Is there a way to allow a specific IP through in IDS?
Any help appreciated.
Chris
franco
Administrator
Hero Member
Posts: 17605
Karma: 1603
Re: IDS and Firewall Rules « Reply #1 on: October 09, 2017, 10:59:02 pm »
Hi Chris,
The IDS blocking is a level below the firewall itself, so the IDS is protecting your whole firewall system, but also blocks more strongly than your firewall and exceptions won't work from there.
But firewall aliases also provide solid geo blocking. You should consider switching to those as they give you fine-grained control over the block targets (or add exceptions).
Cheers,
Franco
cbyrd
Newbie
Posts: 9
Karma: 1
Re: IDS and Firewall Rules « Reply #2 on: October 10, 2017, 04:42:03 am »
Franco,
Thank you for the insight. Does using Geoblocking in the firewall affect performance vs the IDS?
I was using geoblocking in the firewall rules and I was getting an error that it was unable to load the rule in memory. I did have lots of countries blocked.
Chris
franco
Administrator
Hero Member
Posts: 17605
Karma: 1603
Re: IDS and Firewall Rules « Reply #3 on: October 10, 2017, 07:17:07 am »
Hi Chris,
This is not a problem. The search for the error should be trivial in the forum if you provide the exact message, but I'm feeling lucky today:
https://forum.opnsense.org/index.php?topic=4524.msg17330#msg17330
Performance should be the same except for very large deployments, although remember you aim for more flexibility by accepting a bit less performance so that's a reasonable tradeoff.
Cheers,
Franco
« Last Edit: October 10, 2017, 07:19:03 am by franco »