OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: gonzo on February 13, 2018, 12:52:31 pm

Title: When the system updates the drop and edrop list from spamhaus ?
Post by: gonzo on February 13, 2018, 12:52:31 pm
Hi :)

I have set up the drop and edrop list from this guide: https://docs.opnsense.org/manual/how-tos/edrop.html.

1) When the system updates the drop and edrop list from spamhaus ?
2) which means information "Default deny rule" that appears in the "Label" column in /Firewall -> Log Files -> Live View ?
3) How to create own alias, which content will automatically update at certain times ? ( every 12 hours )

I tried to update the alias content with cron, but it does not work

gonzo
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: franco on February 14, 2018, 08:30:36 am
Hi there,

1) Use "Url Table", not "Url". It will have an expiry setting for days and hours. It is currently enforced every half an hour, but will be bumped to a higher value soon. "Url" without the table imports the data *only once*.

2) It means no other rule could be found to match the traffic so it is blocked by default. It happens with unexpected and unwanted packets, sometimes when TCP streams violate the state tracking (someone may manipulate the stream).

3) See 1.


Cheers,
Franco
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: gonzo on February 14, 2018, 09:47:51 am

Hi Franco :)

In You the last hope. I made the alias and the firewall rule exactly as you say.

the IP_ataki list is empty, why ?

gonzo
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: arvis on February 20, 2018, 04:15:39 pm
Hi Franco,

Could you please also help will "Defaul deny rule" issue with the same server. We have configured OPNSence as transparent bridge. There are "allow all rules" on every interfaces but quite often we can see that "Default deny" is taking action.  Why it is even reached at all is we have "Allow all rule"?
I'm attaching a couple examples of blocked packets. Why it happened and what to do fix this issue?
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: Oxygen61 on February 21, 2018, 12:58:45 am
Hi :)

I tried to open your ataki List to see if the format fits the Alias Table sheme... and i got this...
>> attachment 1
I don't think the URL is correct. :D

Besides that i don't think you got the Policy order right, when blocking with Alias Tables. :)
When using these rules you need to think "egress". Which means that originating local trusted network traffic should not reach one of the IP-addresses inside the Alias Table.
I don't know about your OPT1 interface, but in case it's a local trusted network (for example:192.168.10.0/24)
you would want to change the source to 192.168.10.0/24 and the destination to your Firehol_Level1 Alias. (same for ataki if it works some day ;))
When looking at your WAN external Interface you would want to configure a policy, which stops originating traffic from your Firehol_Level1 traffic (Source) to any (*) as destination.
You should also think about lowering the time when these tables get refreshed to 1 hour (in case your CPU is doing a good job).

Best regards,
Oxy :)
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: gonzo on February 21, 2018, 06:55:27 am

I just changed the name of the file to a shorter one : http://ip.jchost03.pl/ip_ataki.txt
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: Oxygen61 on February 28, 2018, 10:05:22 pm
Looks good. This file should work. Did it work? :)
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: gonzo on March 01, 2018, 09:48:24 am
did not work.
In firewall logs, I see only IP blocking according to a rule that I have never defined "Default deny rule".
No one can explain to me what this rule is and when it works.
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: franco on March 01, 2018, 09:51:09 am
Default deny is implicit. It matches when no other rule that you defined matches your traffic. This can also happen on state tracking failures.


Cheers,
Franco
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: arvis on March 01, 2018, 10:13:23 am
I can't understand how can it don't match any rule if we have "allow all" on all interfaces... And if this is state tracking failures why they happens then? Something wrong in our firewall setup?
OK, then which settings should we change on our VPNSence firewall to avoid such cases?

 
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: Oxygen61 on March 01, 2018, 11:02:41 pm
Hi arvis and gonzo,

Like any other firewall, OPNsense aswell matches the first rule, which fits the traffic it receives.
If you have not changed your rule order from your posts before then the configures "allow everything rule" matches AFTER your Alias State block rule. In case your list contains data and the traffic fits the block rule, your allow any rule will not ever match in the first place, because the traffic gets blocked way before this allow rule could ever match the traffic. :)
You could try to move this rule to the first position to see if there is no other "Basic" misconfiguration besides the firewall rules..
Is the alias working atleast? You can check if your new state table can download all the IP for your Alias:
Firewall: Diagnostics: pfTables
Does your ataki Alias lists or contains any IP's?

By the way did you configure floating rules? It get's more complicated if that is the case.
OPT1 seems to be an external interface aswell? you should rename your Interfaces otherwise noone will know, what this interface is supposed to do.

Besides that it's always helpful to draw or write down your network map somewhere to look at your configuration from another point of view.

Best regards,
Oxy
Title: Re: When the system updates the drop and edrop list from spamhaus ?
Post by: arvis on March 02, 2018, 02:03:28 pm
Hi,

Yes, of course I understand that firewall rules order is important. But if it would match any of Alias State block rules shouldn't we see on firewall logs that something was blocked by this rule, not by Default deny?
However, at the moment on our server there are no other rules than Allow all. Also, there are no floating rules configure. But Default deny is constantly blocking something. We can see it appearing on Firewall logs live view.
OPT1 is our bridged interface with members WAN and LAN. Physical external interface is WAN and internal is LAN.
Attaching network scheme of our setup.
It would be good to solve that Default deny issue first. Then we could try to move on setting up alias blocking rules.