OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: utahbmxer on May 06, 2020, 02:02:56 am

Title: NAXSI Whitelist Generation
Post by: utahbmxer on May 06, 2020, 02:02:56 am
Hi
Been playing with OPNsense for several months and just replaced my home firewall (SophosXG) with OPNsense. I used the NGINX (with NAXSI default rules) plugin to configure all my sites. I set up the first server with the hostname "_" so that it gets any traffic that does not match my valid site names; this "HTTP server" also has a Deny ACL of 0.0.0.0/0. If you hit my WAF with the IP or any other SNI hostnames that don't match, you get a 403 response, which is what the WAF on my XG did, and while it's security through obscurity, it seems to work great.

I tried to use NXAPI on another workstation, but it seems like it's designed to run on the actual web servers, as it seems to be trying to pull rules from an already configured list. I don't want to dig through the error log manually and try to create whitelists, but I guess if that's all that will work here, then so be it.

What are some suggestions, what are others doing here for whitelist creation?

Thanks!
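
For the manual error-log route mentioned in the post above, here is an added example (not part of the thread, and not NXAPI or OPNsense plugin code) that turns NAXSI_FMT lines into whitelist candidates. It assumes the key=value NAXSI_FMT layout and `BasicRule wl:` syntax from the NAXSI documentation; the sample log lines, the function names and the `min_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines in the NAXSI_FMT layout that NAXSI writes to the nginx error log.
SAMPLE_LOG = """\
2020/05/06 01:10:02 [error] 4211#0: *17 NAXSI_FMT: ip=192.0.2.10&server=app.example.test&uri=/search&learning=0&vers=0.56&total_processed=120&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.10, server: app.example.test, request: "GET /search?q=select+shoes HTTP/1.1", host: "app.example.test"
2020/05/06 01:12:40 [error] 4211#0: *23 NAXSI_FMT: ip=192.0.2.44&server=app.example.test&uri=/search&learning=0&vers=0.56&total_processed=131&total_blocked=4&block=1&cscore0=$SQL&score0=12&zone0=ARGS&id0=1000&var_name0=q&zone1=ARGS&id1=1015&var_name1=q, client: 192.0.2.44, server: app.example.test, request: "GET /search?q=select+red,blue HTTP/1.1", host: "app.example.test"
2020/05/06 01:15:09 [error] 4211#0: *31 NAXSI_FMT: ip=198.51.100.7&server=app.example.test&uri=/view&learning=0&vers=0.56&total_processed=140&total_blocked=5&block=1&cscore0=$TRAVERSAL&score0=4&zone0=ARGS&id0=1200&var_name0=file, client: 198.51.100.7, server: app.example.test, request: "GET /view?file=x HTTP/1.1", host: "app.example.test"
2020/05/06 01:20:55 [error] 4211#0: *40 NAXSI_FMT: ip=192.0.2.10&server=app.example.test&uri=/search&learning=0&vers=0.56&total_processed=152&total_blocked=6&block=1&cscore0=$SQL&score0=4&zone0=ARGS&id0=1015&var_name0=q, client: 192.0.2.10, server: app.example.test, request: "GET /search?q=red,blue HTTP/1.1", host: "app.example.test"
"""

FMT = re.compile(r"NAXSI_FMT: (.*?), client: ")

def match_zone(zone, var_name):
    """Turn a logged zone/var_name pair into a whitelist match zone."""
    base, _, name_hit = zone.partition("|")  # "ARGS|NAME": hit was in the variable name
    if base in ("ARGS", "BODY", "HEADERS") and var_name:
        mz = f"${base}_VAR:{var_name}"
    else:
        mz = base  # e.g. URL has no variable name to pin the rule to
    return mz + ("|NAME" if name_hit else "")

def whitelist_candidates(log_text, min_ips=2):
    """Return BasicRule lines for (rule id, zone) pairs hit by >= min_ips distinct clients.

    min_ips is an assumed heuristic: a hit seen from a single address is more
    likely a probe than a false positive, so it is left for manual review.
    """
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = FMT.search(line)
        if not m:
            continue
        fields = dict(parse_qsl(m.group(1), keep_blank_values=True))
        i = 0
        while f"id{i}" in fields:  # one log line can carry several matches
            mz = match_zone(fields.get(f"zone{i}", ""), fields.get(f"var_name{i}", ""))
            clients[(int(fields[f"id{i}"]), mz)].add(fields.get("ip", ""))
            i += 1
    return [f'BasicRule wl:{rid} "mz:{mz}";'
            for (rid, mz), ips in sorted(clients.items()) if len(ips) >= min_ips]

if __name__ == "__main__":
    print("\n".join(whitelist_candidates(SAMPLE_LOG)))
```

The output is a list of candidates only; each one still needs a check that the matching requests were legitimate traffic before it goes into the NAXSI configuration.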
Title: Re: NAXSI Whitelist Generation
Post by: utahbmxer on May 06, 2020, 06:04:20 am
Just also discovered that the error logs don't go to SYSLOG Targets like the access logs do.  I am not seeing an option in the GUI.  Seems syslog servers could be useful for errors?
Title: Re: NAXSI Whitelist Generation
Post by: hbc on May 06, 2020, 08:48:44 am
NXAPI expects you to export the logs into an Elasticsearch database and uses it as the data source:

https://github.com/nbs-system/naxsi/tree/master/nxapi
Title: Re: NAXSI Whitelist Generation
Post by: utahbmxer on May 06, 2020, 07:14:42 pm
Right, I knew that. It looks like it was having an issue with the latest version of ES. I installed 5.6 and it's working now. Also took the rules out of the conf file from the firewall and it appears to see everything now.

Still would be nice to see NAXSI events (error log) in the syslog servers.  Where do I add feature requests or does the github repo allow pull requests if we add some features to the plug-ins, etc.?
Title: Re: NAXSI Whitelist Generation
Post by: hbc on May 06, 2020, 09:50:19 pm
Quote
Where do I add feature requests or does the github repo allow pull requests if we add some features to the plug-ins, etc.?
Both can be done on GitHub. Make sure to open the feature request issues on the plug-in repository with NGINX in the title.
There you can also fork and create pull requests.