Dear all,
May I know if there is whitelist in crowdsec opnsense?
I followed this page:https://docs.crowdsec.net/docs/whitelist/create/ (https://docs.crowdsec.net/docs/whitelist/create/)
and created the file /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
with below content.
name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
reason: "my ip ranges"
ip:
- "192.168.2.254"
~
I removed the Decision, and restarted Crowdsec.
I can see the file loaded in Parsers tab.
But it doesn't work.
I checked the Decision tab and the IP is banned again.
Parsers tab
mywhitelists.yaml enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
Decision tab:
3051281 crowdsec Ip:192.168.2.254 firewallservices/pf-scan-multi_ports ban 16
an hour 990
Anyone have ideas how to add the IP to whitelist?
Thank you.
maybe crowdsec discord can get you help? https://discord.com/channels/921520481163673640/1003971753200074752
Maybe this can help.
https://app.crowdsec.net/hub/author/crowdsecurity/configurations/whitelists
in my case the IP was on the CAPI list so i had to follow those instructions but it didn't work until i ran the CLI command cscli decisions delete --ip 1.2.3.4 from the shell.
(update) it was blocked again today probably after updating with the API, so it seems the whitelist procedure isn't working.
I've never used Crowdsec before so this may not be the best solution, but what I did was run
cscli parsers install crowdsecurity/whitelists
which creates a whitelist.yaml file in
/usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity
then I edited that file to whatever I desire. After restarting Crowdsec it shows as 'enabled,tainted' but I guess 'tainted' just means the default auto-generated config was updated. It seems to be working
Adding whitelists as parsers seem to work on 1st glance, but they are not taken into account:
my/homelan-whitelist 🏠 enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/my-homelan-whitelist.yaml
my/whitelist 🏠 enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/public-whitelist.yaml
and I still got my local desktop PC banned:
root@opn:~ # cscli alerts list -i 192.168.11.69 -a
╭────────┬───────────────────────────────────────────────┬──────────────────────────────────────┬─────────┬────┬───────────┬─────────────────────────────────────────╮
│ ID │ value │ reason │ country │ as │ decisions │ created_at │
├────────┼───────────────────────────────────────────────┼──────────────────────────────────────┼─────────┼────┼───────────┼─────────────────────────────────────────┤
│ 312440 │ lists:otx-webscanners (1035 Ips) │ update : +1035/-0 IPs │ │ │ ban:1035 │ 2025-08-19 06:19:49 +0000 UTC │
│
│ 311787 │ Ip:192.168.11.69 │ firewallservices/pf-scan-multi_ports │ │ │ ban:1 │ 2025-08-18 09:37:24.421109652 +0000 UTC │
The only working solution was:
cscli allowlists create my_allowlist -d "Trusted Home LAN"
cscli allowlists add my_allowlist 192.168.11.0/24 -d "Home LAN"
root@opn:/usr/local/etc/crowdsec/conf.d # cscli allowlist inspect my_allowlist
──────────────────────────────────────────────
Allowlist: my_allowlist
──────────────────────────────────────────────
Name my_allowlist
Description Trusted Home LAN
Created at 2025-08-19T07:43:22.504Z
Updated at 2025-08-19T07:43:29.430Z
Managed by Console no
──────────────────────────────────────────────
─────────────────────────────────────────────────────────────
Value Comment Expiration Created at
─────────────────────────────────────────────────────────────
192.168.11.0/24 Home LAN never 2025-08-19T07:43:29Z
─────────────────────────────────────────────────────────────
root@opn:/usr/local/etc/crowdsec/conf.d #