OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: ThePOO on January 07, 2018, 02:34:16 am
-
17.7.11-amd64
Intel Celeron J1900 1.99GHz (4 cores)
---> What works well:
Intrusion Detection settings:
Enabled X
IPS mode X
Promiscuous mode x
Enable syslog
Pattern matcher Hyperscan
Interfaces WAN LAN
Home networks 192.168.0.0/16
default packet size
Rotate log Daily
Save logs 7
Log package payload
Intrusion Detection Rulesets enabled and configured to DROP:
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
ET open/botcc
ET open/botcc.portgrouped
ET open/compromised
ET open/drop
ET open/dshield
ET open/emerging-dos
ET open/emerging-exploit
ET open/emerging-malware
ET open/emerging-scan
---> Adding this causes a HUGE problem:
User Defined:
Enabled X
SSL/Fingerprint
GeoIP/Country United States (not)
GeoIP/Direction Both
Action Drop
Description
------------------------------------------------
I live in the United States and the intent is that only traffic from and to the United States be allowed on either the WAN or LAN interfaces.
Once the GeoIP item is enabled I lose control of the router. I'm unable to use the Web UI to access the router. I'm unable to access the router with SSH. No traffic is flowing in any direction on any interface.
The only thing I can do is connect a local keyboard and monitor and log in that way ... It then becomes apparent the only thing I can do is reset to defaults and import my configuration ---- without the GeoIP User Defined item!!!! Then I'm back in business. Something about that User Defined GeoIP item hates me <frown> ...
Any thoughts on what I'm doing wrong?
-
If you have a LAN with private IPs you will get dropped since they are not in the US.
Please don't use IPS for GeoIP. There is a Firewall Alias Type where you can easily select the countries you want.
Then go to your WAN rules and drop SRC GEOALIAS to WANADDRESS and go to LAN rules and set LANNET to GEOALIAS drop.
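An added model (not code from the thread or from OPNsense) of why the two approaches behave differently for private addresses: the GEO_TABLE ranges and the two matcher functions are constructed assumptions standing in for the real GeoIP database and the rule logic.

```python
import ipaddress

# Constructed lookup table standing in for the GeoIP database
# (documentation ranges, not real country allocations).
GEO_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "CA",
    "192.0.2.0/24": "DE",
}


def lookup_country(ip):
    """Return the country code for ip, or None when no range covers it.
    RFC 1918 LAN addresses and the router's own interfaces land here."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None


def ips_geoip_not_drops(ip, country="US"):
    """Model of the IPS user-defined rule 'GeoIP/Country <country> (not)'.
    Every address whose country is not <country> matches, and an address
    with no country at all is 'not US' too, so LAN and management traffic
    gets dropped along with the foreign traffic."""
    return lookup_country(ip) != country


def geo_alias_drops(ip, blocked_countries):
    """Model of a firewall rule whose source/destination is a GeoIP alias
    listing the countries to block: only addresses inside those countries'
    ranges match, so unmapped private addresses are left alone."""
    return lookup_country(ip) in blocked_countries


def compare(ip, blocked_countries=("DE",)):
    """Verdict of both approaches for one address (assumed helper)."""
    return {
        "country": lookup_country(ip),
        "ips_not_us_drops": ips_geoip_not_drops(ip),
        "alias_drops": geo_alias_drops(ip, set(blocked_countries)),
    }


if __name__ == "__main__":
    for ip in ("192.168.1.1", "203.0.113.10", "192.0.2.7"):
        print(ip, compare(ip))
```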
-
Oh yeah, I now see where I was blowing my foot off with trying to use that blocking technique ... duh, silly me.
Before trying that I actually tried to use the Geo alias and I could not get the rules for LAN and WAN set up properly to drop traffic.
Can you share a screenshot of your LAN and WAN settings? For some reason I'm just not getting them right ...
-
Better you post a Screenshot and I tell you where to add :)
-
Here we go ...
-
I had surgery two days ago ... gotta sleep for a while. Check back a little later. Thanks in advance.
-
Rules are correct. What's in your alias?
-
The only countries unchecked are United States and Canada ...
I thought about only checking United States and Canada, then check the "Destination/Invert" on my two rules, if that works. Make them inverse rules, if that is a correct use?
-
Only check US and Canada, then inverse in the rule. Better for your memory :)
-
Well now! The inverse rules work perfectly. Thank you for your gentle assistance, much appreciated.