OPNsense Forum

International Forums => German - Deutsch => Topic started by: Gandalf2434 on December 31, 2020, 02:33:05 PM

Title: Why are these packets from LAN being filtered?
Post by: Gandalf2434 on December 31, 2020, 02:33:05 PM
Hello everyone,

I am running OPNsense 20.7.7_1-amd64 and have it sitting between my FritzBox and my internal network. Here is an attempt to sketch the setup:

                    ----------------------        Zwischennetz      ----------------------------------------------------       Internes Netzwerk
( Internet )  ---- [ FritzBox 192.168.1.1 ] --- 192.168.1.0/24 --- [ 192.168.1.2 (igb0) - OpnSense - (igb1) 192.168.2.1 ] ----- 192.168.2.0/24
                    ----------------------                          ----------------------------------------------------


I currently have no NAT active (anymore).
The rules under Firewall -> Diagnostics -> pfInfo -> Rules look like this (I have only pasted the rules themselves and left out the labels; since those are just IDs they probably don't help much):

@0 scrub on lo0 all fragment reassemble
@1 scrub on igb1 all fragment reassemble
@2 scrub on igb0 all fragment reassemble
@0 block drop in log on ! igb1 inet from 192.168.2.0/24 to any
@1 block drop in log inet from 192.168.2.1 to any
@2 block drop in log on ! igb0 inet from 192.168.1.0/24 to any
@3 block drop in log inet from 192.168.1.2 to any
@4 block drop in log on igb1 inet6 from fe80::20d:b9ff:fe43:4bf5 to any
@5 block drop in log on igb0 inet6 from fe80::20d:b9ff:fe43:4bf4 to any
@6 pass in log quick on lo0 inet6 all flags S/SA keep state
@7 block drop in log quick inet6 all
@8 block drop in log inet all
@9 block drop in log inet6 all
@10 pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
@11 pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
@12 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
@13 pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
@14 pass out log quick inet6 proto ipv6-icmp from (self:5) to fe80::/10 icmp6-type echorep keep state
@15 pass out log quick inet6 proto ipv6-icmp from (self:5) to ff02::/16 icmp6-type echorep keep state
@16 pass out log quick inet6 proto ipv6-icmp from (self:5) to fe80::/10 icmp6-type routersol keep state
@17 pass out log quick inet6 proto ipv6-icmp from (self:5) to ff02::/16 icmp6-type routersol keep state
@18 pass out log quick inet6 proto ipv6-icmp from (self:5) to fe80::/10 icmp6-type routeradv keep state
@19 pass out log quick inet6 proto ipv6-icmp from (self:5) to ff02::/16 icmp6-type routeradv keep state
@20 pass out log quick inet6 proto ipv6-icmp from (self:5) to fe80::/10 icmp6-type neighbrsol keep state
@21 pass out log quick inet6 proto ipv6-icmp from (self:5) to ff02::/16 icmp6-type neighbrsol keep state
@22 pass out log quick inet6 proto ipv6-icmp from (self:5) to fe80::/10 icmp6-type neighbradv keep state
@23 pass out log quick inet6 proto ipv6-icmp from (self:5) to ff02::/16 icmp6-type neighbradv keep state
@24 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
@25 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
@26 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
@27 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
@28 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
@29 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
@30 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
@31 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
@32 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
@33 pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
@34 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
@35 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
@36 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
@37 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
@38 pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
@39 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
@40 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
@41 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
@42 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
@43 pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
@44 block drop in log quick inet proto tcp from any port = 0 to any
@45 block drop in log quick inet proto udp from any port = 0 to any
@46 block drop in log quick inet6 proto tcp from any port = 0 to any
@47 block drop in log quick inet6 proto udp from any port = 0 to any
@48 block drop in log quick inet proto tcp from any to any port = 0
@49 block drop in log quick inet proto udp from any to any port = 0
@50 block drop in log quick inet6 proto tcp from any to any port = 0
@51 block drop in log quick inet6 proto udp from any to any port = 0
@52 block drop in log quick proto carp from (self:9) to any
@53 pass log quick proto carp all keep state
@54 block drop in log quick proto tcp from <sshlockout:0> to (self:9) port = ssh
@55 block drop in log quick proto tcp from <sshlockout:0> to (self:9) port = https
@56 block drop in log quick from <virusprot:0> to any
@57 block drop in log quick on igb0 inet from <bogons:1294> to any
@58 pass in log quick on lo0 all flags S/SA keep state
@59 pass out log all flags S/SA keep state allow-opts
@60 pass in log quick on igb1 proto tcp from any to (self:9) port = ssh flags S/SA keep state
@61 pass in log quick on igb1 proto tcp from any to (self:9) port = http flags S/SA keep state
@62 pass in log quick on igb1 proto tcp from any to (self:9) port = https flags S/SA keep state
@63 pass out log route-to (igb0 192.168.1.1) inet from 192.168.1.2 to ! (igb0:network:1) flags S/SA keep state allow-opts
@64 block drop log quick on igb1 inet from any to <blocklist_de:31888>
@65 block drop log quick on igb0 inet from any to <blocklist_de:31888>
@66 block drop log quick on igb1 inet from <blocklist_de:31888> to any
@67 block drop log quick on igb0 inet from <blocklist_de:31888> to any
@68 pass in quick on openvpn inet from 10.10.0.0/24 to any flags S/SA keep state
@69 pass in quick on igb0 reply-to (igb0 192.168.1.1) inet proto udp from any to any port = openvpn keep state
@70 pass in quick on igb1 inet from (igb1:network:1) to any flags S/SA keep state
@71 pass in quick on igb1 inet6 from (igb1:network:*) to any flags S/SA keep state

OPNsense generated the rules this way (except for the blocklist_de ones, which I added as floating rules), which is why some of them are somewhat redundant.

I have disabled IPv6.
10.10.0.0/24 is the network for my OpenVPN.

But when I look at Firewall -> Log Files -> Live View, I find, among other things, the following blocks (I have anonymised the xxx.xxx.xxx.xxx; the services behind that IP are reachable without any problem):

lan -> Dec 31 14:14:03 192.168.2.250:39080 xxx.xxx.xxx.xxx:443 tcp Default deny rule


I haven't noticed any loss of functionality (among other things my mail server has already shown up here as well, but my mailer works flawlessly), and I have been running this setup for several months now. What I don't understand is where these blocks come from, because according to the ruleset the packets should, in my opinion, be passed (by rule 70). And the fact that all services work also suggests that it should actually work. By the way, 192.168.2.250 is my notebook, but I have seen similar blocks from other clients on the network too.


Many thanks for your help.
Title: Re: Why are these packets from LAN being filtered?
Post by: Gandalf2434 on January 03, 2021, 08:25:25 PM
Could it be that these are packets from "old sessions" and that is why they are being dropped?
Title: Re: Why are these packets from LAN being filtered?
Post by: lfirewall1243 on January 07, 2021, 03:46:00 PM
Quote from: Gandalf2434 on January 03, 2021, 08:25:25 PM
Could it be that these are packets from "old sessions" and that is why they are being dropped?

If you create a copy of the rule and set the state type to "none" under "Advanced options", does it work then?
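The following Python script is an added example (not from the posts above, not OPNsense code) that walks an excerpt of the pasted ruleset with pf's evaluation order: last matching rule wins, unless a matching rule carries `quick`, which ends the walk. It shows the effect of the `flags S/SA` option on rule @70: within the mask `SA`, only packets with SYN set and ACK clear match, so a TCP segment of a connection for which pf holds no state entry (for example a stray ACK or FIN from a session whose state has expired) is not passed by @70 and falls to the catch-all block rule @8. The same ACK with a copy of @70 that has no `flags` option is shown purely to illustrate the option. The destination address (203.0.113.10, from the documentation range), the interface networks and firewall addresses (taken from the diagram) and the assumption that the `<bogons>` and `<blocklist_de>` tables do not contain the test addresses are constructed for the example.

```python
"""Simplified pf ruleset evaluator (added example, not from the post or OPNsense).

pf semantics reproduced here: rules are tried top to bottom, the LAST matching
rule wins, except that a matching rule marked `quick` stops evaluation at once.
Only the rule options that appear in the post are understood.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Assumed from the post's diagram.
IFACE_NETWORKS = {"igb0": ipaddress.ip_network("192.168.1.0/24"),
                  "igb1": ipaddress.ip_network("192.168.2.0/24")}
SELF_ADDRS = {"192.168.1.2", "192.168.2.1", "127.0.0.1"}
SERVICES = {"ssh": 22, "http": 80, "https": 443, "openvpn": 1194}


@dataclass
class Packet:
    iface: str
    direction: str          # "in" or "out"
    af: str                 # "inet" or "inet6"
    proto: str              # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags present, e.g. "S" (SYN) or "A" (ACK)


@dataclass
class Rule:
    number: int
    text: str
    action: str             # "pass" or "block"
    direction: str | None = None
    quick: bool = False
    iface: str | None = None   # "!igb1" means "on ! igb1"
    af: str | None = None
    proto: str | None = None
    src: str = "any"
    dst: str = "any"
    sport: str | None = None
    dport: str | None = None
    flags: tuple[str, str] | None = None   # (set, mask), e.g. ("S", "SA")


def parse_rule(line: str) -> Rule | None:
    """Parse one '@N pass|block ...' line; scrub and other lines yield None."""
    m = re.match(r"@(\d+)\s+(pass|block)\s+(.*)", line.strip())
    if not m:
        return None
    rule = Rule(number=int(m.group(1)), text=line.strip(), action=m.group(2))
    toks, i, side = m.group(3).split(), 0, None
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t in ("inet", "inet6"):
            rule.af = t
        elif t in ("on", "from", "to", "proto"):
            i += 1
            value = toks[i]
            if value == "!":                 # negation: "on ! igb1", "to ! (igb0:network:1)"
                i += 1
                value = "!" + toks[i]
            if t == "on":
                rule.iface = value
            elif t == "proto":
                rule.proto = value
            elif t == "from":
                rule.src, side = value, "src"
            else:
                rule.dst, side = value, "dst"
        elif t == "port":                    # "port = 443": belongs to the last from/to
            i += 2
            if side == "src":
                rule.sport = toks[i]
            else:
                rule.dport = toks[i]
        elif t == "flags":
            i += 1
            rule.flags = tuple(toks[i].split("/"))
        elif t == "icmp6-type":
            i += 1
        elif t in ("route-to", "reply-to"):  # skip "(igb0 192.168.1.1)"
            i += 1
            while not toks[i].endswith(")"):
                i += 1
        # "drop", "log", "all", "keep", "state", "allow-opts" carry no match criteria
        i += 1
    return rule


def addr_match(spec: str, ip: str) -> bool:
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("<"):           # table: contents not on the page, assumed empty
        hit = False
    elif spec.startswith("("):           # "(self:9)" or "(igb1:network:1)"
        parts = spec.strip("()").split(":")
        hit = ip in SELF_ADDRS if parts[0] == "self" \
            else ipaddress.ip_address(ip) in IFACE_NETWORKS[parts[0]]
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_match(spec: str | None, port: int) -> bool:
    if spec is None:
        return True
    return (int(spec) if spec.isdigit() else SERVICES.get(spec)) == port


def flags_match(rule: Rule, pkt: Packet) -> bool:
    """pf `flags set/mask`: of the flags in mask, those in set must be present, the others absent."""
    if rule.flags is None or pkt.proto != "tcp":
        return True
    want, mask = rule.flags
    return all((f in pkt.flags) == (f in want) for f in mask)


def matches(rule: Rule, pkt: Packet) -> bool:
    iface_ok = rule.iface is None or \
        (rule.iface.lstrip("!") == pkt.iface) != rule.iface.startswith("!")
    return (iface_ok and rule.direction in (None, pkt.direction)
            and rule.af in (None, pkt.af) and rule.proto in (None, pkt.proto)
            and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and port_match(rule.sport, pkt.sport) and port_match(rule.dport, pkt.dport)
            and flags_match(rule, pkt))


def decide(ruleset: str, pkt: Packet) -> Rule | None:
    """Last match wins, unless a matching `quick` rule stops the walk."""
    winner = None
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Excerpt of the post's pfInfo output, original order and numbering kept.
RULESET = """
@0 block drop in log on ! igb1 inet from 192.168.2.0/24 to any
@8 block drop in log inet all
@44 block drop in log quick inet proto tcp from any port = 0 to any
@48 block drop in log quick inet proto tcp from any to any port = 0
@57 block drop in log quick on igb0 inet from <bogons:1294> to any
@59 pass out log all flags S/SA keep state allow-opts
@60 pass in log quick on igb1 proto tcp from any to (self:9) port = ssh flags S/SA keep state
@64 block drop log quick on igb1 inet from any to <blocklist_de:31888>
@66 block drop log quick on igb1 inet from <blocklist_de:31888> to any
@70 pass in quick on igb1 inet from (igb1:network:1) to any flags S/SA keep state
"""

# Constructed packets for the 5-tuple in the logged line (destination is an assumption).
SYN = Packet("igb1", "in", "inet", "tcp", "192.168.2.250", "203.0.113.10", 39080, 443, "S")
ACK = Packet("igb1", "in", "inet", "tcp", "192.168.2.250", "203.0.113.10", 39080, 443, "A")
# Copy of @70 without `flags S/SA` (illustration of the option only).
RULESET_NO_FLAGS = RULESET.replace("to any flags S/SA keep state", "to any keep state")

if __name__ == "__main__":
    for label, rs, pkt in (("SYN, new connection", RULESET, SYN),
                           ("ACK, no state entry", RULESET, ACK),
                           ("ACK, @70 without flags", RULESET_NO_FLAGS, ACK)):
        r = decide(rs, pkt)
        print(f"{label}: {r.action} by rule @{r.number}: {r.text}")
```

The script evaluates only the ruleset, not pf's state table: a real ACK belonging to a live session is matched by its state entry before any rule is consulted, which is why the services in the post keep working while state-less stragglers are logged against @8.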