OPNsense Forum

English Forums => General Discussion => Topic started by: kai on February 26, 2018, 08:01:17 am

Title: Inconsistent interface behavior between Intrusion detection and firewall
Post by: kai on February 26, 2018, 08:01:17 am
Hi there.

I have an OPNSense firewall set up as a transparent bridging firewall between my external and internal networks.

I set it up as per the instructions in the docs and it works great for firewalling. As the docs suggest all the firewall rules apply on the bridge interface and no filtering is done on the physical WAN and LAN interfaces (which have no IP).

However, when I turn on Intrusion detection... Under settings, if I only include the Bridge interface, no rules or alerts match. If I add the LAN interface in as well then they trigger on that and if I add the WAN interface in as well they trigger on that.

It's like the firewall itself is filtering on the Bridge interface, but the Intrusion detection module is only triggering on the WAN and LAN interfaces. Is this expected? It seems counter to what the docs suggest about filtering on a firewall in Bridging mode.

Title: Re: Inconsistent interface behavior between Intrusion detection and firewall
Post by: franco on February 28, 2018, 08:56:35 am
Hi,

Different technologies... the IPS mode (Netmap in FreeBSD) only works on physical drivers, not virtual things like bridges and point-to-point interfaces.

I'd consider IPS a stark exception from the norm. In IDS mode it works as you would expect it, but then it can't drop. There's always something. ;)


Cheers,
Franco
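A small configuration check illustrating the point made above, added here as an example and not code from the thread or from the OPNsense project: it parses FreeBSD `ifconfig` output, treats interfaces that carry a `groups:` line (bridge, pppoe, lo, vlan, ...) as virtual, and flags any such interface selected for IPS mode, suggesting the bridge's physical member ports instead. The sample `ifconfig` text, the `check_ids_config` function and the `VIRTUAL_GROUPS` set are constructed for this example; the assumption that physical NICs have no `groups:` line only holds when no operator has assigned one by hand.

```python
"""Sanity check: IPS (netmap) mode on OPNsense needs physical interfaces.

Added example, not from the forum thread or the OPNsense project.
Assumption: FreeBSD `ifconfig` prints a `groups:` line for cloned/virtual
interfaces (bridge, lo, pppoe, vlan, ...) and none for plain physical NICs,
so that line is used here as the virtual-interface marker.
"""
import re

# Constructed sample of `ifconfig` output for a transparent bridge between em0 and em1.
SAMPLE_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:01
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:02
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:03
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    groups: bridge
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
"""

# Interface groups that identify virtual / non-netmap interfaces (constructed list).
VIRTUAL_GROUPS = {"bridge", "lo", "pppoe", "ppp", "tun", "tap", "gif", "gre",
                  "vlan", "lagg", "wg"}

_IFACE_RE = re.compile(r"^(\S+): flags=")
_GROUPS_RE = re.compile(r"^\s+groups:\s+(.*)$")
_MEMBER_RE = re.compile(r"^\s+member:\s+(\S+)")


def parse_ifconfig(text):
    """Return ({ifname: set(groups)}, {bridge_name: [member names]})."""
    groups_by_iface, members_by_bridge = {}, {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            groups_by_iface[current] = set()
            continue
        if current is None:
            continue
        m = _GROUPS_RE.match(line)
        if m:
            groups_by_iface[current].update(m.group(1).split())
            continue
        m = _MEMBER_RE.match(line)
        if m:
            members_by_bridge.setdefault(current, []).append(m.group(1))
    return groups_by_iface, members_by_bridge


def is_netmap_capable(groups):
    """True when the interface carries no virtual-interface group."""
    return not (groups & VIRTUAL_GROUPS)


def check_ids_config(ifconfig_text, selected, ips_mode):
    """Return findings as (iface, reason, suggested physical alternatives).

    `selected` mirrors the interface list under Intrusion Detection > Settings;
    `ips_mode` is True when the IPS (drop) mode is enabled. In plain IDS mode
    no finding is raised, matching the thread's description that IDS mode
    behaves as expected on virtual interfaces.
    """
    groups_by_iface, members_by_bridge = parse_ifconfig(ifconfig_text)
    findings = []
    for name in selected:
        groups = groups_by_iface.get(name)
        if groups is None:
            findings.append((name, "interface not present in ifconfig output", []))
            continue
        if ips_mode and not is_netmap_capable(groups):
            reason = ("IPS (netmap) mode needs a physical driver; %s is virtual (groups: %s)"
                      % (name, ", ".join(sorted(groups))))
            findings.append((name, reason, sorted(members_by_bridge.get(name, []))))
    return findings


if __name__ == "__main__":
    for finding in check_ids_config(SAMPLE_IFCONFIG, ["bridge0"], ips_mode=True):
        print(finding)
```

Run against the constructed sample, selecting only `bridge0` in IPS mode yields one finding that names `em0` and `em1` as the physical ports to select instead; selecting the two member ports directly, or keeping `bridge0` in IDS mode, yields none.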