Messages - shred

#1
Thanks. Makes complete sense. I've become too used to Sophos XG, where it hides a lot of these "behind-the-scenes" firewall rules. That's one thing I really like about OPNsense: it shows you everything.
#2
Apologies if this is a stupid question, but I can't figure out why these firewall rules were automatically generated or what they would be used for on a typical home network. I'm still learning OPNsense in a VM environment as I'm considering replacing my Sophos XG setup with it.

I have a clean install of OPNsense with just a few minor adjustments (IPS enabled, Web Proxy w/ ClamAV, etc.). OPNsense is also running a DHCP server for IPv4 (no DHCP server for IPv6). I noticed in the WAN firewall rules, there are several automatically generated rules (see attached screenshot).

I don't understand what these rules are for:
- allow dhcpv6 client in WAN (3 of them)
- allow DHCP client on WAN (2 of them)

On the LAN firewall rules, there are three automatically generated rules for "allow access to DHCP server" but that makes sense - those are such that clients on my LAN can access the DHCP server. However, I don't understand why there are rules on the WAN side.

#3
Thanks for posting that link. I've seen it before but I must have completely missed that section. I'm assuming you're referring to this paragraph on that site:

"Occasionally a rule performs badly or has the potential to generate false positives but the detection logic is valuable. In this case ET will ship the rule disabled, and you can enable the rule through use of a rule manager such as oinkmaster or pulledpork."

I'm also assuming these are the rules that are not enabled by default when you load a ruleset in OPNsense. I guess if they are enabled in the future, do they automatically get enabled when the ruleset is updated in OPNsense?
#4
On the Intrusion Detection -> Administration page, I noticed when I select a Ruleset on the Downloads page, enable it and then select Download & Update Rules, it enables and downloads fine but when I look at the Rules tab, I see some rules are enabled and others are not. A few questions:

1. Why is this? If I enable a ruleset, I would have thought all of the rules would either be enabled or disabled but that doesn't seem to be the case. What determines which ones are enabled or disabled by default?

2. Is there a quick way to disable or enable all of the rules within a ruleset?
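The two posts above (#4 and #3) are about rules that a ruleset ships disabled and about switching many rules at once. In Emerging Threats files a disabled rule is simply the rule line commented out with a leading `#`, so a rule manager is a small rewriter that keeps its own list of per-SID overrides and re-applies them to the freshly downloaded file every time the ruleset updates; that re-application is what decides whether a choice survives an update. The following is an added example written for this page, not OPNsense's code and not a statement about how OPNsense itself tracks overrides: it parses a constructed three-rule file (made-up SIDs, not a real ET file), reports the enabled/disabled split a "Rules" tab would show, flips every rule at once, and applies enable/disable overrides by SID the way pulledpork's `enablesid`/`disablesid` lists do.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample ruleset for this example. It is NOT a real Emerging
# Threats file; SIDs 9000001-9000003 are made up. The second rule is shipped
# commented out, which is how ET ships a rule "disabled".
SAMPLE_RULES = """\
# emerging-policy.rules (constructed sample, not the real ET file)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"POLICY FTP login"; flow:to_server,established; content:"USER "; sid:9000001; rev:2;)
#alert udp $HOME_NET any -> any 53 (msg:"POLICY noisy DNS rule shipped disabled"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"POLICY SMB from outside"; sid:9000003; rev:5;)
"""

# Suricata rule actions; a line whose first word is one of these (after any
# leading '#') and that carries a sid: option is a rule, not a plain comment.
ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _rule_line(line: str) -> Optional[Tuple[bool, int, str]]:
    """Return (enabled, sid, rule_body) for a rule line, or None for anything else."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped if enabled else stripped.lstrip("#").strip()
    first_word = body.split(None, 1)[0] if body else ""
    match = SID_RE.search(body)
    if first_word not in ACTIONS or match is None:
        return None
    return enabled, int(match.group(1)), body


def parse_rules(text: str) -> List[Dict[str, object]]:
    """List every rule in the file with its sid and whether it is enabled."""
    rules = []
    for line in text.splitlines():
        parsed = _rule_line(line)
        if parsed is not None:
            enabled, sid, body = parsed
            rules.append({"sid": sid, "enabled": enabled, "rule": body})
    return rules


def count_enabled(text: str) -> Tuple[int, int]:
    """(enabled, disabled) rule counts, i.e. what a 'Rules' tab would show."""
    rules = parse_rules(text)
    enabled = sum(1 for r in rules if r["enabled"])
    return enabled, len(rules) - enabled


def apply_overrides(text: str,
                    enable_sids: Iterable[int] = (),
                    disable_sids: Iterable[int] = (),
                    enable_all: Optional[bool] = None) -> str:
    """Re-emit the file with overrides applied.

    enable_all=True/False flips every rule first (the 'enable or disable
    all' case); the explicit SID sets are applied afterwards and win.
    Plain comments and blank lines pass through untouched, so the result
    is still a rules file Suricata can load. Running this again after a
    ruleset download is what makes the overrides survive an update.
    """
    enable, disable = set(enable_sids), set(disable_sids)
    out = []
    for line in text.splitlines():
        parsed = _rule_line(line)
        if parsed is None:
            out.append(line)
            continue
        enabled, sid, body = parsed
        if enable_all is not None:
            enabled = enable_all
        if sid in enable:
            enabled = True
        if sid in disable:
            enabled = False
        out.append(body if enabled else "#" + body)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("as shipped (enabled, disabled):", count_enabled(SAMPLE_RULES))
    tuned = apply_overrides(SAMPLE_RULES, enable_sids={9000002}, disable_sids={9000003})
    print("after overrides:", count_enabled(tuned))
    print(tuned)
```

Because a commented-out rule is still parsed as a rule, the override pass is idempotent: applying the same SID lists to its own output changes nothing, which is the property you want when the pass runs after every download.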
#5
My understanding is Suricata (and Snort) can only scan the unencrypted portion (headers) of HTTPS connections but not the actual payload itself. They would need some sort of decryption engine to decrypt the traffic and scan the payload, or perhaps some interface between the web proxy and IDS/IPS since the web proxy has the capability to decrypt HTTPS traffic using a MIM method.

The only protection I'm aware of for decrypted HTTPS traffic is a virus scanner, for which OPNsense uses ClamAV.
#6
18.7 Legacy Series / Re: Enable themes after installing?
September 06, 2018, 03:27:46 AM
You can set the theme under "System -> Settings -> General"
#7
General Discussion / Re: duplicating pfblockerng features
September 06, 2018, 03:21:04 AM
Is there a way to import lists of FQDNs such as those listed on https://tspprs.com/ (and have them automatically updated) into an Alias? If I'm understanding this correctly, I would then be able to assign that alias to a firewall rule and I'd have similar functionality as with PiHole or pfBlocker.
#8
Hardware and Performance / Re: Qotom hardware
September 02, 2018, 06:58:14 PM
Are any of you running a Qotom device with a 1Gb ISP? If so, what type of CPU do you have and what kind of bandwidth throughput are you seeing in speed tests? I'm more curious about performance with IPS enabled and how many signatures you have enabled.

I have a Qotom Q335G4 with an Intel Core i5-5250U, but I'm currently running Sophos XG on my home network and it achieves around 900 Mbps with IPS off but drops down to about 300 Mbps with IPS on. Sophos XG uses Snort, though, which is single-threaded, and the weird part is throughput doesn't change if I reduce the number of signatures in my ruleset.

I've been running OPNsense in a VM environment and I understand it uses Suricata, which is multi-threaded, so I suspect bandwidth performance will be better.
#9
Quote from: marjohn56 on August 31, 2018, 11:47:54 PM
System->Settings->Logging.

Thanks marjohn56! Can't believe I missed that. It appears unchecking "Log packets matched from the default pass rules put in the ruleset" will stop logging of the default LAN to Any pass and the anti-lock out rule.

One suggestion/thought for the devs, it's a bit confusing since if you access the default LAN to Any rule, there's an option that says "Log packets that are handled by this rule" which is unchecked. Personally, I think it would make more sense to have this option enable/disable logging and perhaps the other setting in System->Settings->Logging be renamed to something like "Log packets matched from the anti-lockout rule" and only be used for that purpose. Just a thought!
#10
I'm noticing a lot of log entries in my firewall log that I would like to disable (i.e. not logged) but I can't seem to figure out where to do this. The labels for these entries are:

- "anti-lockout rule"
- "let out anything from firewall host itself"
- "pass loopback"

I've searched everywhere that would make logical sense to disable these log entries but I'm not finding anything. Any ideas?
#11
I'm seeing pretty much the same error but Suricata still starts. However, I've been having a lot of issues with OPNsense randomly stopping responding and I have to reboot. I'm running it through VirtualBox in a test environment.
#12
Hardware and Performance / Re: qotom i5-5250U
November 02, 2017, 05:37:05 AM
Quote from: sachaz on September 09, 2017, 07:24:47 PM
Hi,

Let's be clear, for me this is the BEST FANLESS HARDWARE FOR OPNSENSE !!!

Some iperf runs give: full 1 Gbps bandwidth with filtering & NAT using less than 20% of one core.

Some bad points:

  • Wifi is not working well with OPNsense; order it without Wifi or ask Qotom to build it with a compatible one.
    (I have changed it for an Atheros 9280)
  • BIOS has no output on the serial port
  • Ethernet interfaces are not mapped well: 0-0 1-2 2-3 3-1 (hardware-system)

You mentioned the BIOS has no output on the serial port. Unfortunately, I don't have any TVs with HDMI near the area where I want to set up my hardware, so I was planning on using the serial port. Can you still install OPNsense using a serial cable connected to a computer? If so, is there anything in the BIOS that needs to be changed or that you recommend changing? I could install OPNsense in another room with a keyboard hooked up to a TV, then just move it back to my office room where my computer is to set up the interfaces via serial.
#13
Yes, I'm running on 17.7.7_1.

1. I don't see any option to set an update frequency at all. See attached screenshot.

EDIT: I figured it out. I had "URL (IPs)" selected and not "URL Table (IPs)". Once I selected that, it shows the "Update Freq. (days)" box where I can enter a number. One small annoyance is I can't simply change the Type and Save, as it keeps giving me an error that "Alias type may not be changed for an existing alias.", so I have to delete everything and create them again. Not a huge issue, but just something I wonder about, as to why you can't just change the type.

2. I think I might have figured out the issue with the firewall rule. You have to select "Single host or Network" as the Source and then type in "spamhaus_drop". I just left the dropdown box that says 32 at default.

It's probably worth clarifying this in the OPNsense user manual/wiki. It would also be nice if the firewall rules section could show all of the aliases you've created, either automatically showing up as an option you can just select as the Source, or appearing when you start typing in the alias name. Is there a way to provide input on the user manual, or do most of the developers read these threads?

EDIT: After re-creating the aliases as "URL Table (IPs)", they show up in the Source drop down list. However, it seems that if you create an alias that is a "URL (IPs)", they do not show up in the Source drop down list for firewall rules. Not sure if this is intended or not? Possible bug?
#14
I'm trying to configure Spamhaus DROP/EDROP using the guide on the OPNsense user manual that can be found here: https://wiki.opnsense.org/manual/how-tos/edrop.html. However, I'm running into some issues:

1. When creating the alias, the user manual states to set the update frequency to 1 for each day. However, there is no option in OPNsense to set an update frequency.

2. When creating the firewall rule to block, there is no way to set the alias I created (spamhaus_drop and spamhaus_edrop) as the source as directed in the user manual.

Is there another way to go about setting up Spamhaus DROP/EDROP?
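Posts #14 and #13 above walk through feeding the Spamhaus DROP/EDROP lists into a "URL Table (IPs)" alias that is refreshed on a schedule and then referenced as the Source of a block rule. What the firewall actually receives from that URL is a plain-text file in which `;` starts a comment and every entry is `<CIDR> ; <SBL reference>`. The following is an added example written for this page, not OPNsense's alias code and not the live Spamhaus data: it parses a constructed list in that format (documentation prefixes and made-up SBL numbers), tolerates a malformed line instead of discarding the whole table, collapses adjacent prefixes per address family, and answers the question the block rule has to answer for each packet, "is this address in a listed prefix?".

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the Spamhaus DROP text format (';' starts a comment,
# each entry is "<CIDR> ; <SBL reference>"). The ranges are RFC 5737/3849
# documentation prefixes and the SBL numbers are made up; this is NOT the
# live list. One deliberately malformed line is included.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example, not the live list)
; Expires: never
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
not-an-address ; SBL000004
203.0.113.0/24 ; SBL000005
2001:db8:dead::/48 ; SBL000006
"""


def parse_drop(text: str) -> Tuple[List[Tuple[Network, str]], int]:
    """Parse DROP-format text into (network, reference) pairs.

    Malformed entries are counted and skipped rather than aborting the
    whole load: one bad line must not leave the firewall with an empty
    table (and therefore no blocking at all) until the next refresh.
    """
    entries, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        cidr, _, ref = line.partition(";")
        try:
            # strict=False masks host bits instead of rejecting "10.0.0.1/24"
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            skipped += 1
            continue
        entries.append((net, ref.strip()))
    return entries, skipped


def build_table(entries: List[Tuple[Network, str]]) -> List[Network]:
    """Collapse adjacent/overlapping prefixes per address family, v4 then v6.

    collapse_addresses() refuses mixed families, so the two are handled
    separately; the two /25s in the sample merge into one /24.
    """
    v4 = [n for n, _ in entries if n.version == 4]
    v6 = [n for n, _ in entries if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def lookup(ip: str, table: List[Network]) -> Optional[Network]:
    """Return the table prefix containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in table:
        if addr in net:  # always False across address families, so mixing is safe
            return net
    return None


if __name__ == "__main__":
    entries, skipped = parse_drop(SAMPLE_DROP)
    table = build_table(entries)
    print(f"{len(entries)} entries loaded, {skipped} skipped, {len(table)} prefixes after collapse")
    for probe in ("198.51.100.200", "203.0.113.7", "2001:db8:dead::1", "8.8.8.8"):
        print(probe, "->", lookup(probe, table))
```

Two practical points follow from the format. The SBL reference after the `;` is only useful for humans, so a table built for matching can drop it and collapse prefixes, which is cheaper for the packet filter. And since DROP lists networks that should neither reach you nor be reached, a single alias used as Source on an inbound WAN block and as Destination on an outbound LAN block covers both directions; the user manual step quoted above covers the Source side.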
#15
Another issue I'm having is under the 'Rules' tab, if I select a bunch of rules and click the 'Disable selected' icon on the bottom left of the table, everything just becomes unselected and nothing happens (rules are still enabled as indicated by the checkbox on the right side of the table). I also get a spinning wheel that doesn't go away where that 'Disable selected' icon was. This is on the latest Google Chrome browser in Ubuntu.