OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: coffemug on January 28, 2019, 06:33:11 pm
-
Hello
I am new to OPNsense and have just set up an OPNsense firewall, which is up and running.
I would like to block file downloads for my users based on extension, i.e. .exe, .mp3.
How can I do this through the OPNsense firewall?
Regards
-
You can run a Squid web proxy with ICAP and ClamAV which scans all files that users download through their browsers. https://wiki.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html
Squid can also block files on file extension: https://www.cyberciti.biz/faq/squid-content-filter-block-files/
Bart...
-
Any other solution? I can't make either of them work since it looks quite complicated..
I am looking for any regular expression and blacklist kind of solution.
-
Any other solution? I can't make either of them work since it looks quite complicated..
I am looking for any regular expression and blacklist kind of solution.
The firewall is a layer 3 device. You want to filter on layer 7. You are going to need additional complexity to bridge the gap.
Squid is not so bad ;-)
Bart...
-
Any other solution? I can't make either of them work since it looks quite complicated..
I am looking for any regular expression and blacklist kind of solution.
As of today most traffic is encrypted, so there is no chance without a proxy and SSL inspection.
-
The firewall is a layer 3 device. You want to filter on layer 7. You are going to need additional complexity to bridge the gap.
Squid is not so bad ;-)
Bart...
Squid is not present in my packages; how do I install and configure it in OPNsense?
-
Look at the official docs: Proxy with AV.
-
Just start here: https://docs.opnsense.org/manual/proxy.html
-
You can do it without Squid using IPS (Suricata), but with no granular settings / no exceptions based on IP addresses, only interfaces:
1. In Services: Intrusion Detection: Administration enable IDS and enable IPS Mode, Pattern matcher "Hyperscan" (personal recommendation). Then select the interfaces on which the IPS will take action.
2. In the "Download" tab, enable "ET open/emerging-policy", and change (check) the action to (be) "Alert". Then "Download & Update Rules".
3. In the "Rules" tab, select all types of ".exe" rules you need for blocking and change their action from "Alert" to "Block". If unsure, before blocking anything, you can even download some .exe files and see which rules fire in the logs, as alerts..., then change their action directly in the Alerts tab.
Just fine tune and tinker with rules, rulesets and actions there until you get the desired results.
Good luck!
Cheers!
PS Are you coming from "Spiceworks" forum? I remember I gave the suggestion to use OPNsense + IPS to somebody over there, like 2-3 days ago. :)
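Step 3's "see which rules fire in the logs" can be scripted against Suricata's eve.json: this added example (mine, not from the post or from OPNsense) reads alert events, keeps those whose HTTP metadata looks like an .exe fetch, and lists the SIDs that fired but were only "allowed", i.e. rules still set to Alert rather than Block. It assumes the standard Suricata eve.json field layout; the SIDs, hostnames and addresses in the embedded sample are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed eve.json sample (NOT real OPNsense or ET output; SIDs, hosts and IPs are made up).
SAMPLE_EVE = """
{"timestamp":"2019-01-30T10:15:01+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.1.20","alert":{"action":"allowed","signature_id":9000001,"signature":"LOCAL POLICY PE EXE download over HTTP","category":"Potential Corporate Privacy Violation"},"http":{"hostname":"dl.example.test","url":"/tools/setup.exe","http_method":"GET","http_content_type":"application/octet-stream","status":200}}
{"timestamp":"2019-01-30T10:16:42+0000","event_type":"alert","src_ip":"203.0.113.11","dest_ip":"192.168.1.21","alert":{"action":"blocked","signature_id":9000002,"signature":"LOCAL POLICY x-msdownload content type","category":"Potential Corporate Privacy Violation"},"http":{"hostname":"dl.example.test","url":"/update/agent.exe","http_method":"GET","http_content_type":"application/x-msdownload","status":200}}
{"timestamp":"2019-01-30T10:17:05+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.10"}
{"timestamp":"2019-01-30T10:18:30+0000","event_type":"alert","src_ip":"203.0.113.12","dest_ip":"192.168.1.20","alert":{"action":"allowed","signature_id":9000001,"signature":"LOCAL POLICY PE EXE download over HTTP","category":"Potential Corporate Privacy Violation"},"http":{"hostname":"mirror.example.test","url":"/dl/Installer.EXE?token=abc","http_method":"GET","http_content_type":"application/octet-stream","status":200}}
{"timestamp":"2019-01-30T10:19:00+0000","event_type":"alert","src_ip":"203.0.113.13","dest_ip":"192.168.1.22","alert":{"action":"allowed","signature_id":9000003,"signature":"LOCAL INFO HTML page","category":"Misc activity"},"http":{"hostname":"www.example.test","url":"/index.html","http_method":"GET","http_content_type":"text/html","status":200}}
"""

# Content types a web server commonly uses for Windows executables (the extension check covers the rest).
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                     "application/vnd.microsoft.portable-executable"}

def is_exe_download(http):
    """True if the alert's HTTP metadata looks like a Windows executable fetch."""
    path = urlsplit(http.get("url", "")).path.lower()   # drop ?query=... before testing the extension
    ctype = http.get("http_content_type", "").lower()
    return path.endswith(".exe") or ctype in EXE_CONTENT_TYPES

def summarize_exe_alerts(eve_text):
    """Group exe-download alerts by SID and count how often Suricata allowed vs blocked them."""
    summary = {}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line while Suricata is still logging
        if ev.get("event_type") != "alert" or not is_exe_download(ev.get("http", {})):
            continue
        alert, http = ev["alert"], ev["http"]
        entry = summary.setdefault(alert["signature_id"],
                                   {"signature": alert["signature"], "allowed": 0, "blocked": 0, "urls": []})
        if alert.get("action") in ("allowed", "blocked"):
            entry[alert["action"]] += 1
        entry["urls"].append(http.get("hostname", "") + http.get("url", ""))
    return summary

def sids_still_allowing(summary):
    """SIDs that matched an exe download but only alerted: these are the ones to switch to Block."""
    return sorted(sid for sid, e in summary.items() if e["allowed"] > 0)

if __name__ == "__main__":
    for sid in sids_still_allowing(summarize_exe_alerts(SAMPLE_EVE)):
        print(sid)  # prints 9000001
```

Only plain-HTTP downloads carry these HTTP fields; as noted earlier in the thread, an HTTPS fetch passes the IPS without exposing the URL or content type, so no rule can fire on it.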
-
Yes, your post at Spiceworks made me configure OPNsense and it was kind of cool.
I followed your steps and blocked all the exe rules under RULES, but it is still downloading the exe file..
See my attachments.
-
Yes, your post at Spiceworks made me configure OPNsense and it was kind of cool.
I followed your steps and blocked all the exe rules under RULES, but it is still downloading the exe file..
See my attachments.
Glad you liked OPNsense.
About still being able to download exe files, sorry about that: my case was exactly the opposite, I couldn't download, and found the culprit to be IPS with those rules (rulesets) set to block everything. It was a long time ago, and it might be that something went wrong either with the rules themselves or with something else in the IPS engine, but I can't tell for sure, since I don't need or use exactly those rules.
Anyway, other rules like P2P/ torrents blocking and anti-malware etc. are working fine... So I encourage you to still tinker with IPS in OPNsense, it's a really powerful tool after you manage to "tame" it. :)
Good luck!