OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: labsy on December 07, 2019, 11:03:39 pm

Title: How to check if Firewall blocking rule is working?
Post by: labsy on December 07, 2019, 11:03:39 pm
Hi,

I have kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and Wordpress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (mysql) and inject them via TXT table into firewall ALIAS table.
If anyone interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?
Title: Re: How to check if Firewall blocking rule is working?
Post by: lfirewall1243 on December 09, 2019, 02:03:14 pm
You can see it under Firewall->Rules->Log->Liveview
Title: Re: How to check if Firewall blocking rule is working?
Post by: labsy on December 31, 2019, 07:58:55 pm
Ok, but LIVE VIEW I assume shows near realtime logs. I cannot check there, for example:
"Dear tech support, our team member is on vacation on Barbados and they cannot send mail."
Where can I check things like this, when I only suspect issue happened 3 days ago?
Title: Re: How to check if Firewall blocking rule is working?
Post by: labsy on January 08, 2020, 07:10:33 am
I am checking those ALIAS rules, but it seems like it is not pulling IPs from the list. I mean, source IP is not blocked, and source IP is not within IP ALIASES.

I have CRON set to check LIST ALIAS every 5 minutes.

Any idea what's wrong?
Any LOG I can check?
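
An added example, not part of the original thread: one way to narrow down the symptom in the last post is to compare what the list URL serves with what the firewall table actually holds, and to flag lines that cannot be parsed as an IP or network. It assumes the list is plain text with one entry per line and that the table contents were dumped to text (for instance with `pfctl -t <alias name> -T show`); the function names and all sample data are constructed for illustration.

```python
import ipaddress

def parse_entries(text):
    """Parse one-entry-per-line text into (set of networks, rejected lines)."""
    networks, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw.strip())  # e.g. HTML residue from a PHP page
    return networks, rejected

def covered(ip, networks):
    """True if ip falls inside any parsed host or network entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def audit(feed_text, table_text, suspects):
    """Compare the published list with the loaded table for given source IPs."""
    feed, rejected = parse_entries(feed_text)
    table, _ = parse_entries(table_text)
    return {
        "rejected_lines": rejected,
        "missing_from_table": sorted(str(n) for n in feed - table),
        "suspects": {
            ip: {"in_feed": covered(ip, feed), "in_table": covered(ip, table)}
            for ip in suspects
        },
    }

# Constructed sample data (documentation address ranges, not real attackers).
SAMPLE_FEED = """192.0.2.10
198.51.100.0/24
203.0.113.7<br>
2001:db8::1
"""
SAMPLE_TABLE = """   192.0.2.10
   198.51.100.0/24
"""

if __name__ == "__main__":
    report = audit(SAMPLE_FEED, SAMPLE_TABLE, ["198.51.100.23", "203.0.113.7"])
    for key, value in report.items():
        print(key, "->", value)
```

A source IP that shows up only under `rejected_lines` points at the list format, while entries under `missing_from_table` point at the alias refresh rather than at the rule itself.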