OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: enoch85 on June 05, 2016, 01:02:04 am

Title: Load default rules in Intrusion Detection
Post by: enoch85 on June 05, 2016, 01:02:04 am
So, I played around with Intrusion Detection and enabled rules that I thought would be nice to have (DOS, Trojan, Scan Fedo Tracker), hit apply and now I can't browse until I turn Intrusion Detection off. Just removing "Enabled" didn't help as the rules are still enabled when I go to "Rules", something to improve imo.

Is there any way to load the "default rules" or delete all the current rules and start over? If I check rules I have >58000 entries and need to manually remove each one. I will be done when I'm 100 years old.

Also, are there any rules that you recommend? I run an ESXi server with some domains over SSL and I would really want some more security if possible.

Thanks!
Title: Re: Load default rules in Intrusion Detection
Post by: AdSchellevis on June 05, 2016, 10:59:32 am
Hi enoch85,

Did you apply your changes? (download & apply when changing complete rulesets, apply when changing specific rules)
Download / Apply should also remove the uninstalled sets.

Same comment on Github too: can you please only add issues on GitHub for missing features or if the outcome of the forum thread is that it is (looks like) a bug.
(for more info about creating issues, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md)

As for the recommended rules, the abuse.ch sets are pretty useful with very little false positives, I would start with those and test again. If all works, then add some of the ET rulesets, like malware, trojan.

Best regards,

Ad


Title: Re: Load default rules in Intrusion Detection
Post by: enoch85 on June 05, 2016, 12:23:07 pm
Yes, the rules I applied were removed when I clicked "Download & Update Rules". Thanks!

After that I got the "default rules" left - 21 entries that were enabled. I then clicked Enable --> Apply, and the same issue occurred, I could browse but it was very slow and most pages didn't work. So not even the "default rules" worked. Am I doing something wrong?

Btw, I'm on IRC.
Title: Re: Load default rules in Intrusion Detection
Post by: AdSchellevis on June 05, 2016, 01:06:27 pm
It's probably an issue with netmap in combination with your network driver, which type of network card is configured in ESXi and do you have all hardware offloading features disabled?
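The offloading check Ad refers to can be made explicit on the firewall's console. The script below is an added example and is not part of the thread or of OPNsense itself: it parses FreeBSD `ifconfig` output, reports which hardware offload features (checksum offload, TSO, LRO) are still enabled on each interface, and prints the `ifconfig` command that would turn them off. The interface name `vmx0`, the MAC and the addresses in the sample output are constructed for the example; on a real box you would feed it `ifconfig <iface>` output instead.

```shell
#!/bin/sh
# Added example, not from the forum thread: report hardware offload features that
# interfere with Suricata's netmap (IPS) mode and build the command to disable them.

# Constructed sample of `ifconfig vmx0` output on a FreeBSD/OPNsense guest.
# Assumption: a vmxnet3 adapter named vmx0; MAC and addresses are made up.
SAMPLE_IFCONFIG='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:0c:29:aa:bb:cc
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet autoselect
    status: active'

# Read ifconfig output on stdin; print "<iface> <FEATURE>" for every offload
# feature from the watch list that appears in the interface's options<...> set.
enabled_offloads() {
    awk -v features="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO" '
    BEGIN { n = split(features, want, " ") }
    /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }        # "vmx0:" header line
    /^[ \t]*options=/ {
        s = $0
        sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)             # keep text inside <...>
        m = split(s, set, ",")
        for (i = 1; i <= m; i++) flag[set[i]] = 1
        for (i = 1; i <= n; i++) if (flag[want[i]]) print iface, want[i]
        for (k in flag) delete flag[k]                        # reset for next interface
    }'
}

# Build (but do not run) the ifconfig command that turns the given features off
# on one interface. TSO4 and TSO6 both map to -tso, so it is added only once.
disable_offload_cmd() {
    iface="$1"; shift
    args=""
    for feat in "$@"; do
        case "$feat" in
            RXCSUM)      opt="-rxcsum" ;;
            TXCSUM)      opt="-txcsum" ;;
            RXCSUM_IPV6) opt="-rxcsum6" ;;
            TXCSUM_IPV6) opt="-txcsum6" ;;
            TSO4|TSO6)   opt="-tso" ;;
            LRO)         opt="-lro" ;;
            *)           continue ;;
        esac
        case " $args " in
            *" $opt "*) ;;                      # already present
            *) args="$args $opt" ;;
        esac
    done
    printf 'ifconfig %s%s\n' "$iface" "$args"
}

# Usage on the constructed sample: list what is still on, then show the fix.
found=$(printf '%s\n' "$SAMPLE_IFCONFIG" | enabled_offloads)
echo "$found"
# shellcheck disable=SC2046
disable_offload_cmd vmx0 $(echo "$found" | awk '$1 == "vmx0" { print $2 }')
```

On a live firewall, replace the sample with `ifconfig vmx0 | enabled_offloads` (or `ifconfig | enabled_offloads` for every interface). The printed `ifconfig ... -rxcsum -txcsum ... -tso -lro` line is the per-boot, command-line form of the offload settings; making it persist across reboots is a matter of the interface settings in the OPNsense GUI rather than of this script.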
Title: Re: Load default rules in Intrusion Detection
Post by: enoch85 on June 06, 2016, 01:47:06 pm
I use VMNET3 for the Network, and this is what my config looks like in the firewall:

(http://i.imgur.com/E1KrsNv.png)