OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: dlaube on December 30, 2017, 11:25:58 pm

Title: pfBlockerNG on OPNsense
Post by: dlaube on December 30, 2017, 11:25:58 pm
Hello OPNsense community!

For a customer I need to install a new gateway/firewall. I never heard of OPNsense before but I was pretty familiar with pfSense. I understand the reasons to fork the project and the more I read about it the more sense it makes.
But I have a problem with OPNsense that prevents me from using it in production.

In pfSense there was a plugin called pfBlockerNG. That plugin used a list of domains, resolved their IP addresses and added firewall rules for them.
I don't see a similar thing in OPNsense right now.

There is only domain based blocking by using a HTTP/HTTPS Proxy. I can't use that because not all devices in the network are configured to use a proxy nor can I force them to be.

While researching I found out about IPS and using "aliases" (https://forum.opnsense.org/index.php?topic=2137.msg6867#msg6867).
But i did not find the alias settings inside IPS.

Is there any way to achieve the same functionality in OPNsense?

Thank you for your time and effort.
Title: Re: pfBlockerNG on OPNsense
Post by: mimugmail on December 31, 2017, 06:35:17 am
Hi,

you can load the list via a URL table alias. There are many lists around compatible with this format.
Also you can use transparent proxy, so the users won't see there is a proxy between them, but I think the alias table also fits your need.

https://docs.opnsense.org/manual/aliases.html
Title: Re: pfBlockerNG on OPNsense
Post by: cyberzeus on December 31, 2017, 09:55:58 am
Quote
While researching I found out about IPS and using "aliases" (https://forum.opnsense.org/index.php?topic=2137.msg6867#msg6867)

@dlaube

I saw that also but when I tried to configure it, it did not seem to offer anywhere near the same functionality that pfBlocker does.  Also, it doesn't employ the IPS - it utilizes the FW much like pfBlocker does except that the latter adds the FW rules automatically whereas with OPNsense, you need to manually add the FW rules.  Also, a few other deltas vs. pfBlocker:
See this for more details: https://docs.opnsense.org/manual/how-tos/edrop.html?highlight=aliases

Also - FYI - I found another discussion relating to this where they utilize the proxy and blacklists. I tried setting it up and it didn't work. Probably an issue on my end but also, as you alluded to in your post, it still only works for ports 80/443 - far too narrow for what we want with pfB. As I'm sure you already know, pfBlocker doesn't care about ports - just IPs and subnets - which makes it far more functional in this particular realm. And that aside, we really shouldn't be required to employ a proxy just to get mass IP address/subnet filters.

I do like this platform and from what I've seen, the devTeam seems eager to get stuff built into it so here's hoping they will kick this around and add more pfB-esque functionality - or maybe even port pfB - to OPNsense.

In case you're curious, here is the link to the proxy method I mentioned above:
Title: Re: pfBlockerNG on OPNsense
Post by: opnsense-user123 on January 04, 2018, 06:56:12 pm
I think I used to use pfBlocker on pfSense to do country blocking. It seems that the only way to do it in OPNsense is using Suricata, which is a very high user of CPU resources!

Does every packet of an https download stream have to be inspected to see what country it comes from?

I too am looking for a better solution on OPNsense.
Title: Re: pfBlockerNG on OPNsense
Post by: franco on January 04, 2018, 07:41:56 pm
Quote
I too am looking for a better solution on OPNsense.

We do have GeoIP alias support since April 2016. :)

https://github.com/opnsense/changelog/blob/a4008b74e0315b1fd9fda7ef042ec7e297237a77/doc/16.1/16.1.11#L22


Cheers,
Franco

PS: That was a proactive pfBlockerNG replacement effort...
Title: Re: pfBlockerNG on OPNsense
Post by: opnsense-user123 on January 04, 2018, 08:28:26 pm
Thanks for the helpful response, Franco. I did just use this page https://docs.opnsense.org/manual/aliases.html to set up the Spamhaus DROP and EDROP lists, so we'll see how that goes.

I'm not sure if you are referring to using that mechanism/method but with a list that contains IPs to block solely by country?

Thanks.
Title: Re: pfBlockerNG on OPNsense
Post by: franco on January 04, 2018, 09:15:17 pm
The documentation has not been updated, but the help text in the GUI has. There is a "GeoIP" alias type. Since one 17.7.x version it has become very straightforward to add, configure and use. We've probably already talked more than it takes to set it up. :)


Cheers,
Franco
Title: Re: pfBlockerNG on OPNsense
Post by: franco on January 04, 2018, 09:17:02 pm
Oh, maybe that help text thing was for 18.1 only. It's getting complicated lately separating both tracks, sorry.

https://github.com/opnsense/core/issues/1987
Title: Re: pfBlockerNG on OPNsense
Post by: opnsense-user123 on January 04, 2018, 09:27:39 pm
Ah, yes! I see it in the drop-down. Ok, I'll try my geo blocking there instead of Suricata ... then I can test if I can run any useful rules in Suricata without destroying my download speed.

If you have suggestions of best 'bang for the CPU-buck' rules, for the purpose of protecting a home network from intrusion/phishing/malware drops please let me know.

Thanks!
Title: Re: pfBlockerNG on OPNsense
Post by: franco on January 04, 2018, 09:34:57 pm
There is no real alternative to more capable hardware here or using Linux. The rule "what you put into it you get out of it" is certainly true. Especially if you want a fast IPS system. The same is true for IPS coverage with the additional rule sets with differing levels of quality.

This alias GeoIP switch should give you a bit more leeway. Reducing rules in IPS can help performance, too.

Remember that with free software you get the most out of it (division by zero).


Cheers,
Franco
Title: Re: pfBlockerNG on OPNsense
Post by: opnsense-user123 on January 04, 2018, 09:45:15 pm
Thanks again...

I notice as I'm setting up the GeoIP aliases I'm getting errors in the GUI:

Code:
    There were error(s) loading the rules: /tmp/rules.debug:20 cannot define table bogonsv6: cannot allocate memory - The line in question reads [20]: table persist file /usr/local/etc/bogonsv6
I have been creating a few different GeoIP aliases all IPv4 using the cool check boxes. Not sure if this is fatal or not... I'm on the latest 17.7.11 release.
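An added example, not from this thread or from OPNsense itself: a small Python check for the URL table alias approach discussed earlier (DROP/EDROP-style feeds) and for the "cannot allocate memory" error above, which is pf refusing to build a table that exceeds its table-entries limit (in OPNsense, "Firewall Maximum Table Entries" under Firewall > Settings > Advanced). The feed contents and the limit value below are constructed; the assumption that pf counts each network as one table entry is mine.

```python
import ipaddress

# Constructed sample in Spamhaus DROP/EDROP format (not a real feed):
# one "<CIDR> ; <reference>" per line, ';' starts a comment.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample for illustration only)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
2001:db8::/32 ; SBL000004
203.0.113.5/24 ; SBL000005
not-an-address ; SBL000006
"""


def parse_drop_list(text):
    """Parse a DROP/EDROP-style feed into (networks, rejected).

    Entries with host bits set (e.g. 203.0.113.5/24) are rejected instead of
    being silently widened, so the alias holds exactly what the feed publishes.
    rejected holds (line number, entry, reason) tuples for review.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split(";", 1)[0].strip()  # drop the trailing SBL reference
        if not entry:
            continue  # blank line or pure comment
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((lineno, entry, str(exc)))
    return networks, rejected


def table_fits(networks, max_table_entries):
    """Return (entries_needed, fits).

    Assumption: pf needs one table entry per network, so a feed larger than
    the configured table-entries limit fails with "cannot allocate memory".
    """
    needed = len(networks)
    return needed, needed <= max_table_entries


if __name__ == "__main__":
    nets, bad = parse_drop_list(SAMPLE_DROP_LIST)
    v4 = sum(1 for n in nets if n.version == 4)
    print(f"{len(nets)} networks ({v4} IPv4, {len(nets) - v4} IPv6), {len(bad)} rejected")
    for lineno, entry, reason in bad:
        print(f"  line {lineno}: {entry!r}: {reason}")
    needed, ok = table_fits(nets, max_table_entries=3)  # constructed, deliberately small limit
    print(f"table needs {needed} entries, fits limit of 3: {ok}")
```

Run it against a downloaded feed by reading the file into parse_drop_list and passing your configured maximum to table_fits; a False result means the alias will trip the same pf error before any rule using it can load.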
Title: Re: pfBlockerNG on OPNsense
Post by: franco on January 04, 2018, 09:51:28 pm
That can happen. Fix here: https://forum.opnsense.org/index.php?topic=6703.0