OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: csmall on May 21, 2019, 07:20:51 pm

Title: Direction
Post by: csmall on May 21, 2019, 07:20:51 pm
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like the performance impact will be greater.

But if your firewall is already restricting inbound traffic to specific ports for services, then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?

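Suricata rules carry a direction in their header (source -> destination, normally written with the $HOME_NET and $EXTERNAL_NET variables from suricata.yaml), so "inbound vs outbound" is partly a question of which rules you load, not only of which interface the IPS is attached to. The following is a constructed rules file added here as an illustration; it is not from the thread or from the OPNsense or Suricata projects. The sids, messages, ports and the domain name are made up.

```suricata
# Constructed example rules (added illustration, not from the original thread).
# $HOME_NET / $EXTERNAL_NET are the standard address variables from suricata.yaml.

# Inbound direction: an outside host hammering a service you expose.
# Only useful if the firewall lets that port through in the first place.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound SSH connection burst"; flow:to_server,established; content:"SSH-"; depth:4; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)

# Outbound direction: a host on your own network resolving a made-up bad domain.
# This is the "nasty stuff actually on your network" case from the question;
# it does not depend on any inbound port being open, because the traffic starts inside.
drop dns $HOME_NET any -> any any (msg:"EXAMPLE outbound DNS query for known-bad domain"; dns_query; content:"malware.example"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)

# Outbound, protocol level: a LAN host opening a connection to a port you never allow out.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound connection attempt to port 4444"; flow:to_server; flags:S; classtype:trojan-activity; sid:9000003; rev:1;)
```

Drop the file in as a custom rule set and check it parses before enabling it, e.g. `suricata -T -c <your suricata.yaml> -S example.rules`; the `drop` action only takes effect when Suricata is running in IPS mode, otherwise it behaves like `alert`.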
Title: Re: Direction
Post by: hbc on May 21, 2019, 09:00:20 pm
IPS (Suricata) filters before firewall rules. In general, you filter inbound traffic.

This is more CPU friendly. Why waste CPU cycles on routing decisions, shaping, processing etc. and then drop the packet?

Title: Re: Direction
Post by: ruffy91 on May 22, 2019, 06:40:50 am
This goes both ways: why inspect inbound WAN traffic if you're going to drop 99% of all unsolicited traffic at the firewall?

Title: Re: Direction
Post by: hbc on May 22, 2019, 09:15:57 am
This goes both ways: why inspect inbound WAN traffic if you're going to drop 99% of all unsolicited traffic at the firewall?

The outbound traffic of your WAN interface is the inbound traffic of your LAN interfaces. Why let the traffic pass through your firewall stack when you drop it in the last step?