OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: nicovell3 on April 12, 2018, 09:08:22 am

Title: Create rule to allow network scans
Post by: nicovell3 on April 12, 2018, 09:08:22 am
Hello,

I'm trying to set up a new rule at my firewall so it'll allow a specific host to scan all ports from another net.

The only problem I have is that, when the rule is already set and I launch an nmap like this:

nmap -Pn -sS -p- -T5 192.168.20.0/24

And then the OPNsense state table collapses: I've set a max size of 815000, but if I launch three concurrent scans, it gets full. So what I want is to make a rule which allows the traffic to pass and prevents the firewall from storing every connection in the state table. I think I don't need those connections to be stored in the state table, as I don't need the firewall to perform NAT; the scans will only occur on internal networks.

I've tried different settings when creating a floating quick rule which affects my "monitoring" interface:

No matter what I set, the state table keeps getting full with the scans. How can I allow network scans without disabling my firewall?
Title: Re: Create rule to allow network scans
Post by: fabian on April 12, 2018, 12:33:03 pm
In theory there are three fixes: disable state tracking, use a full connect scan and run nmap directly on OPNsense.
Title: Re: Create rule to allow network scans
Post by: nicovell3 on April 12, 2018, 01:10:41 pm
Hello fabian, thanks for your reply,

When you say "disable state tracking", are you talking about the entire firewall? How can that be done and which implications would that have?

Thanks for your help.
Title: Re: Create rule to allow network scans
Post by: fabian on April 12, 2018, 01:23:13 pm
No, just the pass rule that allows the scan (and a reverse rule of course).
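Added example (not from any post in this thread, and not what the OPNsense GUI generates verbatim): the pair of stateless pf rules fabian describes, written by hand in pf.conf syntax. The scanner address 10.0.0.5, the macro names and the target net are assumptions; the target net is the one from the original nmap command.

```pf
# Added example, not from the thread. Assumed values: the scanner host
# is 10.0.0.5 and the scan target is 192.168.20.0/24.
scanner = "10.0.0.5"
targets = "192.168.20.0/24"

# Forward rule: let the scan through without creating a state entry.
# "flags any" matters here: a TCP pass rule defaults to "flags S/SA",
# which matches only the initial SYN. With "no state" there is no state
# entry to carry the rest of the exchange, so every packet must match a
# rule on its own.
pass quick proto tcp from $scanner to $targets flags any no state

# Reverse rule: replies (SYN/ACK, RST/ACK) from the scanned hosts would
# otherwise hit the default deny, because no state exists to match them.
pass quick proto tcp from $targets to $scanner flags any no state
```

To confirm the rules are doing what you want, watch the "current entries" counter in `pfctl -s info` while a scan runs: with both rules stateless it should stay flat instead of climbing toward the 815000 limit. The trade-off is that anything matching these two rules is no longer tracked, so keep the scanner address and the target net as narrow as the job allows.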
Title: Re: Create rule to allow network scans
Post by: nicovell3 on April 12, 2018, 01:39:30 pm
And how can I disable state tracking for those two specific rules? I tried setting those rules with the field "State Type" set to "none", but the State table size keeps getting full.