OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: remd on June 08, 2017, 06:27:25 PM

Title: Firewall rules - cannot set destination port
Post by: remd on June 08, 2017, 06:27:25 PM
I have two OPN19008R Firewalls running the latest production version of opnsense.
One is the main firewall which allows access to the internet and DMZ, the other one is behind the first one and allows access to the LAN.
I need to allow some servers in the DMZ to communicate with some servers in the LAN on some ports. On the first firewall I was able to define a rule allowing access to the destination server/VLAN on some ports, but on the second firewall that option is not allowed as it is on the first one. I could consider that, since the port filtering was done on the first firewall, all traffic coming from those servers is safe, but I'd rather also check on the second firewall, and I'd like to understand why that option is not available (it shows a forbidden sign on mouse over for any port or VLAN coming and going anywhere). I checked, and both firewalls seem to be configured with the same options.

A side question: I have enabled the Suricata IDS and rulesets, then selected "Download and update rules", but they still show as not installed. Any reason why?

Having used pfSense before but being new to OPNsense, these are possibly basic questions, but I'd appreciate any insight :)
Title: Re: Firewall rules - cannot set destination port
Post by: Ciprian on June 09, 2017, 01:12:35 PM
Hello! I'll try to help you!

Quote from: remd on June 08, 2017, 06:27:25 PM
... I'd like to understand why that option is not available (it shows a forbidden sign on mouse over for any port or VLAN coming and going anywhere). I checked, and both firewalls seem to be configured with the same options.

Check if you have "Any" selected for "Protocol" on that firewall rule. If you don't specify a particular protocol, like TCP or TCP/UDP (meaning you set the rule to apply to "any" protocol), then you can't modify ports, as not every protocol covered by "any" carries ports in its header.

Quote from: remd on June 08, 2017, 06:27:25 PM
A side question: I have enabled the Suricata IDS and rulesets, then selected "Download and update rules", but they still show as not installed. Any reason why?

Be sure not to forget "Apply" after enabling rulesets, and before "Download & Update Rules". It should work, no problem.

Quote from: remd on June 08, 2017, 06:27:25 PM
Having used pfSense before but being new to OPNsense, these are possibly basic questions, but I'd appreciate any insight :)

You're welcome, no worries! :)
PS. I didn't use pfsense. Ever! ;)
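The reason behind the greyed-out port field, as an added example that is not part of the thread: a small renderer that turns a GUI-style rule into pf.conf text and refuses a destination port unless the protocol is TCP, UDP or TCP/UDP. The interface name, networks and ports are constructed.

```python
"""Added example: ports are only meaningful for port-bearing protocols.
Interface, addresses and ports below are constructed, not from the thread."""
from dataclasses import dataclass

# Only these protocol selections have port numbers in their header; "any"
# also matches ICMP, ESP, GRE, ... which have no ports to filter on.
PORT_PROTOCOLS = {"tcp", "udp", "tcp/udp"}


class RuleError(ValueError):
    """Raised when a rule cannot be expressed (mirrors the disabled GUI field)."""


@dataclass
class Rule:
    interface: str          # constructed, e.g. the DMZ VLAN interface
    source: str             # constructed source network (DMZ servers)
    destination: str        # constructed destination host (LAN server)
    protocol: str = "any"   # OPNsense default, the setting from the post
    dest_ports: tuple = ()  # empty means "any port"
    action: str = "pass"


def validate(rule: Rule) -> None:
    """Reject a destination port on a protocol that carries none."""
    if rule.dest_ports and rule.protocol.lower() not in PORT_PROTOCOLS:
        raise RuleError(f"protocol {rule.protocol!r} carries no ports; "
                        "select TCP, UDP or TCP/UDP before filtering by port")
    for port in rule.dest_ports:
        if not 1 <= port <= 65535:
            raise RuleError(f"port {port} out of range")


def to_pf(rule: Rule) -> str:
    """Render the rule as pf.conf text; TCP/UDP becomes one line per protocol."""
    validate(rule)
    proto = rule.protocol.lower()
    protos = ["tcp", "udp"] if proto == "tcp/udp" else [proto]
    port = ""
    if rule.dest_ports:
        ports = ", ".join(str(p) for p in sorted(set(rule.dest_ports)))
        port = f" port {{ {ports} }}"
    lines = []
    for p in protos:
        proto_txt = "" if p == "any" else f" proto {p}"
        lines.append(f"{rule.action} in quick on {rule.interface}{proto_txt} "
                     f"from {rule.source} to {rule.destination}{port}")
    return "\n".join(lines)
```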
Title: Re: Firewall rules - cannot set destination port
Post by: remd on June 09, 2017, 06:42:54 PM
Duh! Thanks for your answer, I must have been tired :)
Of course a protocol needs to be set to filter by port; it is working fine now.

Regarding the IDS, I haven't been able to figure it out. I don't see any "Apply"; it just says that it is enabled, but not installed.
The main problem for the moment was the port filtering, so I'll get back to the IDS config later.

Cheers!
Title: Re: Firewall rules - cannot set destination port
Post by: Ciprian on June 12, 2017, 10:08:59 AM
Hello again!

Glad it helped! At least for the port matter.

Regarding Suricata, when you enable the rulesets, a "Download & Update Rules" should get them onto your system. You should then see "[date/time]" in place of "Not installed".

Conversely, if you disable them, and before being disabled they showed the [date/time] of the last download, then after "Download & Update Rules" the now-disabled rulesets will change to "Not installed".

I tested this over and over and over again, because I am troubleshooting some problems in the network caused by some rulesets/rules, and I am definitely sure about the way "Enable/Disable" and "Download & Update Rules" work.