OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: xpking on October 01, 2023, 06:55:03 am
-
Dear all,
May I know if there is a whitelist in CrowdSec on OPNsense?
I followed this page: https://docs.crowdsec.net/docs/whitelist/create/
and created the file /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
with the content below.
name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:
    - "192.168.2.254"
I removed the Decision, and restarted Crowdsec.
I can see the file loaded in Parsers tab.
But it doesn't work.
I checked the Decision tab and the IP is banned again.
Parsers tab:
mywhitelists.yaml enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
Decision tab:
3051281 crowdsec Ip:192.168.2.254 firewallservices/pf-scan-multi_ports ban 16 an hour 990
Anyone have ideas how to add the IP to whitelist?
Thank you.
-
Maybe the CrowdSec Discord can get you help? https://discord.com/channels/921520481163673640/1003971753200074752
-
Maybe this can help.
https://app.crowdsec.net/hub/author/crowdsecurity/configurations/whitelists
-
In my case the IP was on the CAPI list, so I had to follow those instructions, but it didn't work until I ran the CLI command
cscli decisions delete --ip 1.2.3.4
from the shell.
(Update) It was blocked again today, probably after updating with the API, so it seems the whitelist procedure isn't working.
-
I've never used Crowdsec before so this may not be the best solution, but what I did was run
cscli parsers install crowdsecurity/whitelists
which creates a whitelist.yaml file in
/usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity
then I edited that file to whatever I desire. After restarting Crowdsec it shows as 'enabled,tainted' but I guess 'tainted' just means the default auto-generated config was updated. It seems to be working.
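-
An offline check for a whitelist file like the one in the first post, added here as an example and not taken from any post in the thread: it reads the ip and cidr lists nested under whitelist:, the layout used in the CrowdSec whitelist documentation linked above, and reports whether an address is covered. The function names, the cidr entry and the FLATTENED variant are constructed for illustration, and the parser handles only this simple layout, not general YAML.

```python
import ipaddress

# Constructed sample: the whitelist from the first post in the documented
# nested layout, plus a constructed cidr entry.
SAMPLE = '''\
name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:
    - "192.168.2.254"
  cidr:
    - "10.0.0.0/8"
'''
# Same lines with all indentation stripped: ip/cidr are no longer under whitelist.
FLATTENED = "\n".join(line.lstrip() for line in SAMPLE.splitlines())

def whitelist_entries(text):
    """Return {'ip': [...], 'cidr': [...]} found nested under 'whitelist:'."""
    entries = {"ip": [], "cidr": []}
    in_whitelist, key = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if indent == 0:
            # Any top-level key opens or closes the whitelist section.
            in_whitelist, key = body == "whitelist:", None
        elif in_whitelist and body.startswith("- "):
            if key in entries:
                entries[key].append(body[2:].strip().strip("\"'"))
        elif in_whitelist:
            # Remember the current nested key only if it introduces a list.
            key = body.rstrip(":") if body.endswith(":") else None
    return entries

def is_whitelisted(text, address):
    """True if address equals an 'ip' entry or falls inside a 'cidr' entry."""
    addr = ipaddress.ip_address(address)
    entries = whitelist_entries(text)
    if any(addr == ipaddress.ip_address(ip) for ip in entries["ip"]):
        return True
    return any(addr in ipaddress.ip_network(c, strict=False)
               for c in entries["cidr"])
```

Calling is_whitelisted(FLATTENED, "192.168.2.254") returns False because the ip list no longer sits under whitelist:, so a pasted file with lost indentation is worth checking before looking elsewhere.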