OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: QuadMSPTech on November 10, 2017, 04:26:58 am

Title: IPS/IDS setup
Post by: QuadMSPTech on November 10, 2017, 04:26:58 am
Hello all,
I am new to OPNsense, and am trying to make it as close to a full-blown UTM as possible. I work with SonicWalls on a daily basis.

I have read the documentation, and wondered if there is any downside to enabling all the rulesets? Do they interfere with each other, or is it all good to turn them all on?
Title: Re: IPS/IDS setup
Post by: bartjsmit on November 10, 2017, 08:11:04 am
The point about IDS/IPS is to adapt the ruleset to your typical internet use pattern. You only turn on the rules to block connections that are never legitimate. Ultimately then, enabling all rules is applicable to a situation where there is no traffic at all ;-)

Bart...
Title: Re: IPS/IDS setup
Post by: Ciprian on November 10, 2017, 12:01:24 pm
First of all, the documentation for IPS rulesets (ET, PT etc.) states very clearly that the rules and the rulesets are not something you turn on in bulk, then call it a day and go home for the weekend. And this is the recommendation coming from those making the rules.

Secondly, I did it! Then issues with erratic FTP transfers, or difficult-to-establish RDP connections, arose pretty quickly.

So, NO! NO! NO! Don't activate them all in bulk; it would be a pain afterwards to troubleshoot the issue(s) and find the particular rule (in a particular ruleset) that is causing the issue(s). For the RDP and FTP issues I encountered there were NO alerts triggered in the IPS logs, so the only way to isolate the culprit was to test/check/activate every ruleset on a one-by-one basis, and after identifying the ruleset, dig down on a rule-by-rule basis to identify the particular rule(s) in the ruleset(s). Daunting task, believe me!... :)

Cheers!