OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: GarryG on April 19, 2020, 08:22:53 pm

Title: Packets are being ignored - why?
Post by: GarryG on April 19, 2020, 08:22:53 pm
I switched from pfsense some time back, and after some initial problems when migrating my rulesets, almost everything seemed to be working fine. Or so I thought.
A couple of days ago one of my VMs behind OPNsense started to get hit by lots of brute-force SSH connection attempts ... which seemed weird, as I had a pretty decent set of rules that should only allow certain ports to be open, SSH not being one of them, and I have an explicit deny-all rule in the WAN rules.
Now, even adding a deny all-all to port 22 right at the beginning of my WAN rules, I can still get through to my servers ...
Now, I've not had any problems with pfsense with blocking or allowing access, nor with anything else I've used in the last 20+ years as a firewall (multiple Linux firewalls, Cisco ASA, Fortigate, ...)
So either some rule got totally out of hand in the backend that isn't visible in the list on the frontend, or I have some misconception of OPNsense ...

Now, I'm not a *BSD guy, so please excuse my ignorance here ... I thought I could just rely on the frontend converting what I configured to something that worked in the backend, but somehow something obviously isn't ... so, e.g., I read up on pf, and supposedly "pfctl -sr" should output the current ruleset. Problem is, I get nothing when I run that command ...

What am I missing here???
Title: Re: Packets are being ignored - why?
Post by: opnfwb on April 20, 2020, 04:02:20 pm
It's hard to say without getting more detail on your rulesets (screenshots, including the "automatically generated" rules). Have you tried an external port scanner to see if you have other holes on the WAN interface that should not be open? Something like the ShieldsUP scanner on grc.com can be useful to make sure that the rule you want to work is actually doing what it's supposed to do.

What I can say is that by default, OPNsense will block all unsolicited incoming connections, just like pfSense does. So I suspect this is less of an OPNsense issue and more of a tweaking issue that will need to be reviewed line by line to find the offending rule.
Title: Re: Packets are being ignored - why?
Post by: GarryG on April 20, 2020, 08:02:05 pm
I believe there is some basic problem when creating the pf rules ... On another pfsense system I compared against, pfctl -sr gives me a nice dump of all the rules ... as mentioned earlier, there's not a single rule output when I do the same on the opnsense machine ...

Is there some script that I can trace that takes the gui output/config file and creates all the pf rules?
Title: Re: Packets are being ignored - why?
Post by: opnfwb on April 21, 2020, 12:42:26 am
You mention initial problems when migrating rule sets, how were these migrated originally? Did you have to manually re-create them in the GUI or was it some other method?

On my OPNsense test box and on my production box, when I connect via SSH and drop to a console, I get a full output of the rules present when I run "pfctl -sr". I'm running OPNsense 20.1.4 AMD64/OpenSSL.
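The two posts above boil down to one triage question: is pf enabled, and did a ruleset actually make it into the kernel? The script below is an added example, not code from the thread or from OPNsense itself. pf_status and pf_rule_count parse pfctl output as text, so they can be checked offline on constructed samples; pf_triage runs the live checks on the firewall. It assumes (not stated in the thread) that OPNsense writes the generated ruleset to /tmp/rules.debug and regenerates it with /usr/local/etc/rc.filter_configure; "pfctl -nf" only parses that file without loading it, so a syntax error there is one way to end up with an empty ruleset.

```shell
#!/bin/sh
# Added example: triage for "pfctl -sr prints nothing" on an OPNsense/FreeBSD box.
# Assumptions (not from the thread): the generated ruleset lives in /tmp/rules.debug
# and /usr/local/etc/rc.filter_configure is the GUI-config-to-pf generator.

# Print "enabled" or "disabled" from the first line of `pfctl -si` output.
pf_status() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="Status:" { print tolower($2); exit }'
}

# Count filter rules in `pfctl -sr` output. `grep -c` exits 1 on zero matches,
# so `|| true` keeps the printed 0 from aborting callers running under set -e.
pf_rule_count() {
    printf '%s\n' "$1" | grep -c -E '^(pass|block|match|anchor|scrub)' || true
}

# Constructed sample in the shape `pfctl -sr` prints (three rules).
SAMPLE_RULES='scrub on em0 all fragment reassemble
block drop in log quick on em0 inet from any to any
pass in quick on em0 inet proto tcp from any to 203.0.113.10 port = 443 flags S/SA keep state'

# Live checks; run as root on the firewall. Returns 0 only if pf is enabled
# and at least one filter rule is loaded.
pf_triage() {
    si=$(pfctl -si 2>/dev/null) || { echo "pfctl -si failed: not root, or pf not loaded?"; return 2; }
    status=$(pf_status "$si")
    echo "pf is ${status:-unknown}"
    n=$(pf_rule_count "$(pfctl -sr 2>/dev/null)")
    echo "$n filter rule(s) loaded in the kernel"
    if [ -f /tmp/rules.debug ]; then
        # -n parses without loading: an error here means the GUI rules never
        # reached the kernel, whatever the frontend shows.
        if pfctl -nf /tmp/rules.debug >/dev/null 2>&1; then
            echo "/tmp/rules.debug parses cleanly; regenerate with /usr/local/etc/rc.filter_configure"
        else
            echo "/tmp/rules.debug fails to parse:"; pfctl -nf /tmp/rules.debug
        fi
    else
        echo "/tmp/rules.debug missing: generator never ran? try /usr/local/etc/rc.filter_configure"
    fi
    [ "$status" = "enabled" ] && [ "$n" -gt 0 ]
}

# Only run the live checks where pfctl exists and we are root.
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    pf_triage
fi
```

Note that "pfctl -sr" lists rules whether pf is enabled or not, so an empty listing points at the ruleset never being loaded (or being flushed) rather than at pf merely being switched off; check "pfctl -si" and the rules.debug parse separately, as the script does.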
Title: Re: Packets are being ignored - why?
Post by: GarryG on April 21, 2020, 06:14:55 am
I manually recreated everything on the OPNSense VM ...

Also, I'm pretty sure that the firewall was still working at some point ... I just can't tell what happened some time (not too long ago) that made it stop creating any rules from the actual config ... I'm hoping to pin it down somehow if I can follow how the config is turned into the actual pf rules ...

Just restarted the old pfsense installation in order to get back to some (albeit slightly outdated) protection .. ;) That way I can mess around with the OPN installation without making it any worse ...