OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: alh on September 27, 2020, 10:53:48 pm

Title: [solved] HAProxy & Firewall
Post by: alh on September 27, 2020, 10:53:48 pm
I was playing around with Fail2Ban and wanted to block IPs that fail to auth with an HAProxy backend server. So I created an external alias and Fail2Ban updates that alias. So far so good. However, when I add a firewall rule to block src=ips in alias nothing happens. I had a look at the log and it seems like running HAProxy on publicip:port completely bypasses the firewall. There is nothing in the firewall logs but HAProxy logs the connection. Is that correct?

So to work around this I would need HAProxy to bind to another IP and make a port forward from the public IP/interface?

Title: Re: HAProxy & Firewall
Post by: guest18661 on October 02, 2020, 05:37:43 am
I just tested a rule for an external server. I put the source as that server's IP, WAN as my interface and block as the action. It worked fine. I was not able to load a website served by a server behind HAProxy, which is running on the OPNsense firewall. I deleted the rule and was able to load the website.

I didn't test using fail2ban with an external alias, but I don't think you need to worry about it being an issue with haproxy and it bypassing the firewall. There is probably something else going on with the way the rule is configured or other rules bypassing it, or something going on with the way the alias is updated perhaps.

Title: Re: HAProxy & Firewall
Post by: alh on October 12, 2020, 12:25:08 pm
Thanks so much for your input. There were two issues:


Do you by any chance know how to trigger this manually? I could only find the endpoint "reconfigure" but I'm not sure that is correct.
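The workflow the first post describes (Fail2Ban adding failed-auth IPs to an external alias that a WAN block rule references) and the question in the last post (how to push an alias update manually) can both be driven by a small script. The script below is an added example, not code from the thread, from Fail2Ban or from the OPNsense project. It assumes an OPNsense API key pair in OPN_KEY/OPN_SECRET, an alias of type "External (advanced)" named in OPN_ALIAS, and the endpoints api/firewall/alias_util/add/<alias>, api/firewall/alias_util/delete/<alias> and api/firewall/alias/reconfigure; the host name opnsense.example.invalid and the OPN_DRY_RUN switch (print the request instead of sending it) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): maintain an OPNsense external alias
# from fail2ban through the OPNsense REST API.
#
# Assumptions (not stated in the thread):
#   - OPN_HOST, OPN_KEY, OPN_SECRET come from the environment
#     (API key pair created under System > Access > Users).
#   - OPN_ALIAS names an alias of type "External (advanced)".
#   - Endpoints: api/firewall/alias_util/add/<alias>,
#     api/firewall/alias_util/delete/<alias>, api/firewall/alias/reconfigure.
#   - OPN_DRY_RUN=1 prints the request instead of sending it, so the
#     script can be exercised without a firewall.

OPN_HOST="${OPN_HOST:-opnsense.example.invalid}"
OPN_ALIAS="${OPN_ALIAS:-fail2ban_blocked}"
OPN_DRY_RUN="${OPN_DRY_RUN:-0}"

# is_ipv4 VALUE: return 0 only for a dotted-quad IPv4 address whose four
# octets are all in 0-255. Anything else (ranges, hostnames, shell
# metacharacters passed through by a misconfigured jail) is rejected
# before it reaches a JSON body or a URL.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# opn_api METHOD PATH [JSON_BODY]: call the OPNsense API with HTTP basic
# auth (key:secret). In dry-run mode print "METHOD URL BODY" instead.
opn_api() {
    method=$1; path=$2; body=${3:-}
    if [ "$OPN_DRY_RUN" = "1" ]; then
        printf '%s https://%s/%s%s\n' "$method" "$OPN_HOST" "$path" "${body:+ $body}"
        return 0
    fi
    if [ -n "$body" ]; then
        curl -sS -f -X "$method" -u "$OPN_KEY:$OPN_SECRET" \
            -H 'Content-Type: application/json' -d "$body" \
            "https://$OPN_HOST/$path"
    else
        curl -sS -f -X "$method" -u "$OPN_KEY:$OPN_SECRET" \
            "https://$OPN_HOST/$path"
    fi
}

# alias_add_ip IP: add IP to the alias (used as the fail2ban actionban).
alias_add_ip() {
    is_ipv4 "$1" || { echo "refusing non-IPv4 value: $1" >&2; return 2; }
    opn_api POST "api/firewall/alias_util/add/$OPN_ALIAS" "{\"address\":\"$1\"}"
}

# alias_del_ip IP: remove IP from the alias (used as the fail2ban actionunban).
alias_del_ip() {
    is_ipv4 "$1" || { echo "refusing non-IPv4 value: $1" >&2; return 2; }
    opn_api POST "api/firewall/alias_util/delete/$OPN_ALIAS" "{\"address\":\"$1\"}"
}

# alias_reconfigure: ask OPNsense to re-apply its alias configuration
# (the "reconfigure" endpoint the last post mentions). Whether alias_util
# changes also need it on a given release is worth checking in the
# firewall's own alias view after a ban.
alias_reconfigure() {
    opn_api POST "api/firewall/alias/reconfigure"
}

# Command-line dispatch; skipped when sourced or run without arguments.
if [ $# -gt 0 ]; then
    case "$1" in
        ban)   alias_add_ip "$2" ;;
        unban) alias_del_ip "$2" ;;
        apply) alias_reconfigure ;;
        *) echo "usage: $0 ban|unban IP | apply" >&2; exit 1 ;;
    esac
fi
```

Wired into a fail2ban action file (assumed path /usr/local/bin/opn-alias.sh), `actionban = /usr/local/bin/opn-alias.sh ban <ip>` and `actionunban = /usr/local/bin/opn-alias.sh unban <ip>` keep the alias in step with the jail; running the script with `apply` is the manual trigger asked for in the last post. As the second post found, a WAN block rule whose source is the alias does apply to connections that terminate on HAProxy running on the firewall itself, so once the alias holds the right addresses the block should show up in the firewall log rather than in HAProxy's log.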