OPNsense Forum » Archive » 17.7 Legacy Series » Create rule to allow network scans
Author Topic: Create rule to allow network scans  (Read 14745 times)

nicovell3 (Newbie, Posts: 12, Karma: 0)
Create rule to allow network scans
« on: April 12, 2018, 09:08:22 am »
Hello,

I'm trying to set up a new rule on my firewall so it'll allow a specific host to scan all ports on another net.

The only problem I have is that, when the rule is already set and I launch an nmap like this:

nmap -Pn -sS -p- -T5 192.168.20.0/24

then the OPNsense state table collapses: I've set a max size of 815000, but if I launch three concurrent scans, it gets full. So what I want is to make a rule which allows the traffic to pass and prevents the firewall from storing every connection in the state table. I think I don't need those connections to be stored in the state table, as I don't need the firewall to perform NAT; the scans will only occur on internal networks.

I've tried different settings when creating a floating quick rule which applies to my "monitoring" interface:
  • State Type as none
  • State Type / NO pfsync activated
  • TCP flags with "Any flags." checked

No matter what I set, the state table keeps getting full with the scans. How can I allow network scans without disabling my firewall?
Logged

fabian (Hero Member, Posts: 2768, Karma: 199, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Create rule to allow network scans
« Reply #1 on: April 12, 2018, 12:33:03 pm »
In theory there are three fixes: disable state tracking, use a full connect scan, or run nmap directly on OPNsense.
Logged

nicovell3
Re: Create rule to allow network scans
« Reply #2 on: April 12, 2018, 01:10:41 pm »
Hello fabian, thanks for your reply,

When you say "disable state tracking", are you talking about the entire firewall? How can that be done and what implications would that have?

Thanks for your help.
Logged

fabian
Re: Create rule to allow network scans
« Reply #3 on: April 12, 2018, 01:23:13 pm »
No, just the pass rule that allows the scan (and a reverse rule, of course).
Logged

nicovell3
Re: Create rule to allow network scans
« Reply #4 on: April 12, 2018, 01:39:30 pm »
And how can I disable state tracking for those two specific rules? I tried setting those rules with the field "State Type" set to "none", but the state table keeps getting full.
Logged
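Added example for readers of this thread (not part of the thread and not OPNsense's own code): a small POSIX shell check that tells you whether a scanner host's probes are actually landing in the pf state table. On OPNsense/FreeBSD, `pfctl -ss` prints one line per state; if the "no state" pass rule (and its reverse rule, as fabian describes) is really the rule that matches the scan, the scanner's SYN probes should not appear there at all. If you still see SYN_SENT:CLOSED entries for the scanner after applying the rule, some other stateful rule is matching first, which is the symptom described above. The scanner address 192.168.10.9 and the sample `pfctl -ss` lines are constructed for the example; the 815000 limit is the value from the opening post.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a scanner host's probes
# are landing in the pf state table. On OPNsense/FreeBSD, `pfctl -ss` lists
# one line per state; if the "no state" pass rule for the scanner is really
# the rule that matches, the scanner's SYN probes should not show up here.
# The scanner address 192.168.10.9 and the sample lines are constructed.

# Constructed sample of `pfctl -ss` output: three SYN-scan probes from the
# scanner (SYN_SENT:CLOSED, i.e. no reply seen yet) plus two unrelated states.
SAMPLE_STATES='all tcp 192.168.20.5:22 <- 192.168.10.9:54321       SYN_SENT:CLOSED
all tcp 192.168.20.5:80 <- 192.168.10.9:54322       SYN_SENT:CLOSED
all tcp 192.168.20.7:443 <- 192.168.10.9:54323       SYN_SENT:CLOSED
all udp 192.168.10.20:53 -> 192.168.20.1:53       SINGLE:MULTIPLE
all tcp 192.168.10.20:50000 -> 192.168.20.1:22       ESTABLISHED:ESTABLISHED'

# Print, for states involving <host> (IPv4), a count per pf state pair and a
# "total N" line. Reads `pfctl -ss` text on stdin.
count_states_for_host() {
    awk -v host="$1" '
        # Line shape: <if> <proto> <a>:<port> <-|-> <b>:<port>  <STATE:STATE>
        NF >= 6 && ($4 == "->" || $4 == "<-") {
            split($3, a, ":"); split($5, b, ":")   # IPv4 only: "addr:port"
            if (a[1] == host || b[1] == host) {
                total++
                per_state[$6]++
            }
        }
        END {
            for (s in per_state) printf "%s %d\n", s, per_state[s]
            printf "total %d\n", total + 0
        }'
}

# Just the number of states involving <host>.
total_states_for_host() {
    count_states_for_host "$1" | awk '$1 == "total" { print $2 }'
}

# Integer percentage of the configured state-table limit (OPNsense
# "Firewall Maximum States") consumed by <count> states: count, limit.
state_table_share() {
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone demo on the constructed sample; on a real box replace the
# printf with `pfctl -ss`.
printf '%s\n' "$SAMPLE_STATES" | count_states_for_host 192.168.10.9
n=$(printf '%s\n' "$SAMPLE_STATES" | total_states_for_host 192.168.10.9)
echo "scanner states: $n ($(state_table_share "$n" 815000)% of 815000)"
```

On a live firewall, run `pfctl -ss | count_states_for_host <scanner-ip>` while a scan is in progress: a growing SYN_SENT:CLOSED count means the stateless rule is not the one being hit, and the per-state breakdown plus `state_table_share` show how much of the configured limit the scan is consuming.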
