OPNsense Forum

English Forums => General Discussion => Topic started by: jclendineng on August 03, 2022, 06:03:20 pm

Title: Crowdsec firewall blacklists
Post by: jclendineng on August 03, 2022, 06:03:20 pm
I have crowdsec and it's working well.  I already have a central node so I was able to tie opnsense into it just fine.  I had a question though, I see this:

Enable Firewall Bouncer (IPS)

When this is enabled I get no alerts for blocks in the firewall logs. I have to disable this to get any alerts from my block rules. Is this expected?

Enable log for rules

I enable the above and I get some alerts but they are all blank, with no info except that it came from crowdsec.  Basically I want to make sure the crowdsec lists are being blocked correctly and since they won't show up in the logs it's a bit difficult. It seems like the firewall bouncer is needed to block detections on the firewall but needs to be disabled to get blocks to show up in the logs using the blocklists that ship with crowdsec.

Title: Re: Crowdsec firewall blacklists
Post by: cookiemonster on August 03, 2022, 11:48:04 pm
It will probably have more visibility on github https://github.com/crowdsecurity/opnsense-plugin-crowdsec/issues
Title: Re: Crowdsec firewall blacklists
Post by: mmetc on August 04, 2022, 03:06:57 pm
Hello!

I suppose you are running the 1.0 version (crowdsec 1.3.4), with opnsense 22.7

> Enable Firewall Bouncer (IPS)
> When this is enabled I get no alerts for blocks in the firewall logs.

You mean you don't see anything in /ui/diagnostics/log/core/filter ?

or with

Code:
# grep 'blocked by crowdsec' /var/log/filter/latest.log

Is the process "crowdsec-firewall-bouncer" running?

What's in /var/log/crowdsec/crowdsec-firewall-bouncer.log ? If you enable verbose debug in the settings tab, you should see the calls to pfctl there too.

Another thing to try (for ipv4):

Code:
# pfctl -t crowdsec_blacklists -T show
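The checks above (filter log, bouncer process, bouncer log, pf table) can be run together as one script. This is an added example, not code from the thread or from the crowdsec OPNsense plugin; the log paths and the `crowdsec_blacklists` table name come from the post, while the `pgrep -f` pattern and the `FILTER_LOG`, `BOUNCER_LOG` and `CROWDSEC_TABLE` override variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the crowdsec OPNsense plugin): walks the
# checks mmetc listed for confirming that the firewall bouncer is enforcing
# decisions. Paths come from the thread; the pgrep -f pattern and the
# FILTER_LOG/BOUNCER_LOG/CROWDSEC_TABLE variables are assumptions.

# count_crowdsec_blocks FILE: number of filter-log lines that mention a crowdsec
# block (the same grep mmetc suggested). Prints 0 if the file is unreadable.
count_crowdsec_blocks() {
    n=$(grep -c 'blocked by crowdsec' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# count_table_entries: reads `pfctl -t <table> -T show` output on stdin and
# counts non-blank lines, i.e. the addresses currently loaded in the pf table.
count_table_entries() {
    n=$(grep -c '[^[:space:]]' || true)
    echo "${n:-0}"
}

# bouncer_running: true if a crowdsec-firewall-bouncer process exists.
# -f matches the full command line, because FreeBSD truncates the short
# process name that pgrep -x would compare against (assumption).
bouncer_running() {
    pgrep -f crowdsec-firewall-bouncer >/dev/null 2>&1
}

# run_checks: prints a short status report covering each step of the thread.
run_checks() {
    filter_log=${FILTER_LOG:-/var/log/filter/latest.log}
    bouncer_log=${BOUNCER_LOG:-/var/log/crowdsec/crowdsec-firewall-bouncer.log}
    table=${CROWDSEC_TABLE:-crowdsec_blacklists}   # IPv4 table named in the thread

    if bouncer_running; then
        echo "bouncer process: running"
    else
        echo "bouncer process: NOT running (enable it in the plugin, then re-check)"
    fi

    echo "filter-log lines for crowdsec blocks: $(count_crowdsec_blocks "$filter_log")"

    if command -v pfctl >/dev/null 2>&1; then
        entries=$(pfctl -t "$table" -T show 2>/dev/null | count_table_entries)
        echo "addresses in pf table $table: $entries"
    else
        echo "pfctl not available on this host; skipping table check"
    fi

    if [ -r "$bouncer_log" ]; then
        echo "last lines of $bouncer_log:"
        tail -n 5 "$bouncer_log"
    else
        echo "bouncer log $bouncer_log not readable"
    fi
}

# Only run the report when invoked as: sh crowdsec_check.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it on the firewall as `sh crowdsec_check.sh run`. A running bouncer with an empty table means decisions are not reaching pf, so the next place to look is the bouncer log with verbose debug enabled, where the pfctl calls mmetc mentions should appear; a populated table with zero filter-log matches points at the logging setting on the generated rules rather than at enforcement.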
Title: Re: Crowdsec firewall blacklists
Post by: jclendineng on August 04, 2022, 03:11:53 pm
> Hello!
>
> I suppose you are running the 1.0 version (crowdsec 1.3.4), with opnsense 22.7
>
> > Enable Firewall Bouncer (IPS)
> > When this is enabled I get no alerts for blocks in the firewall logs.
>
> You mean you don't see anything in /ui/diagnostics/log/core/filter ?
>
> or with
>
> Code:
> # grep 'blocked by crowdsec' /var/log/filter/latest.log
>
> Is the process "crowdsec-firewall-bouncer" running?
>
> What's in /var/log/crowdsec/crowdsec-firewall-bouncer.log ? If you enable verbose debug in the settings tab, you should see the calls to pfctl there too.
>
> Another thing to try (for ipv4):
>
> Code:
> # pfctl -t crowdsec_blacklists -T show

Interesting, so expected behavior is instead of showing up in the firewall logs you have to use terminal and tail the actual log? That's good to know, I may need to disable the bouncer then, and just use the v4/6 blocklists manually so I can properly audit them without needing a custom solution.  I'm assuming the IDS part is enough to track and report the rogue IPs, so that should work fine.