Messages - iMac-ant

#1
Good morning, I installed OPNsense 21.1 with two VirtualBox vboxnet network adapters (DHCP enabled and netmask 255.255.255.0). In particular, the firewall's addresses on the two networks are respectively:

1) LAN: 192.168.56.107

2) WAN: 192.168.57.3

I can ping the FW from a server machine on the LAN, and I can do the same from the FW to the server.

However, I cannot ping the FW from a machine on network (2), while I can ping that machine from the firewall:

- NO ping: Client ---> FW;

- Ping: FW ---> Client.

How is this possible? I think there is some setting on interface 2 that is not allowing correct communication.
#2
Is it possible to manipulate the automatically generated rules (floating and LAN) in order to have these rules in /conf/config.xml, in the <filter></filter> node? In particular, config.xml contains the rules shown by the web interface, but not the default rules. Why?
#3
Development and Code Review / Packets total statistic
September 21, 2020, 10:09:29 AM
If I want to know the occurrence frequency of a generic rule, is it equal to the packets total statistic shown by the pfctl -s labels command?

Thanks in advance,

Antonio
#4
Development and Code Review / Evaluation statistic
September 18, 2020, 04:23:04 PM
Is the Evaluation statistic the matching frequency of a pf rule?

From a first analysis it seems to be how many times a rule is evaluated as a possible rule matching the traffic. Isn't it?

Thank you in advance. 
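The two questions above (#3 on the packets total from pfctl -s labels and #4 on the Evaluation statistic) both concern pf's per-rule counters. In pf, Evaluations counts how many times the rule was reached while the ruleset was walked for a packet; Packets and Bytes count the traffic the rule matched, and on FreeBSD's pf, which OPNsense uses, packets matched by a state the rule created are also charged to that rule, so a stateful pass rule can show more Packets than Evaluations; State Creations counts the new states the rule created. pfctl -s labels prints the same evaluations, packets and bytes counters per label. The script below is an added example, not code from the thread or from OPNsense: it parses the counter lines of pfctl -vvs rules so the three counters can be compared side by side. The sample output embedded in it is constructed (rule text, labels and all numbers are made up; only the line layout follows pfctl's verbose output).

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): extract the per-rule
# counters that "pfctl -vvs rules" prints so Evaluations, Packets and State
# Creations can be compared for each rule.

# Constructed sample in the shape of "pfctl -vvsr" output on FreeBSD/OPNsense:
# an "@<n> <rule>" line followed by two bracketed counter lines. Every rule,
# label and number here is made up.
SAMPLE_RULES='@0 block drop in log quick inet from 127.0.0.0/8 to any label "block IPv4 loopback"
  [ Evaluations: 1523      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 99999 State Creations: 0     ]
@1 pass in quick on em0 inet proto icmp from any to (em0) keep state label "allow ping"
  [ Evaluations: 1201      Packets: 6040      Bytes: 506432      States: 1     ]
  [ Inserted: uid 0 pid 99999 State Creations: 12    ]
@2 block drop in log all label "Default deny rule"
  [ Evaluations: 880       Packets: 880       Bytes: 71040       States: 0     ]
  [ Inserted: uid 0 pid 99999 State Creations: 0     ]'

# rule_counters: read "pfctl -vvsr" output on stdin and print one line per rule:
#   <rule_no>|<evaluations>|<packets>|<state_creations>|<label>
# Counters are located by their keyword, not by column, so padding differences
# between pfctl versions do not matter.
rule_counters() {
    awk '
        function val(key,   i) {           # value following "key" on this line
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        /^@[0-9]+ / {                      # rule line: remember number and label
            rule = substr($1, 2)
            label = ""
            if (match($0, /label "[^"]*"/))
                label = substr($0, RSTART + 7, RLENGTH - 8)
            next
        }
        /Evaluations:/ {                   # first counter line
            evals = val("Evaluations:"); pkts = val("Packets:")
            next
        }
        /State Creations:/ {               # second counter line closes the rule
            printf "%s|%s|%s|%s|%s\n", rule, evals, pkts, val("Creations:"), label
        }
    '
}

# never_hit: rules that were evaluated but never matched a packet. A rule that
# stays here for a long time is a candidate for removal or reordering.
never_hit() {
    rule_counters | awk -F'|' '$3 == 0 { print }'
}

# live_counters: the same on a running firewall (needs root and pfctl).
live_counters() {
    pfctl -vvsr | rule_counters
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | rule_counters
printf '%s\n' "$SAMPLE_RULES" | never_hit
```

On the firewall, live_counters replaces the constructed sample; rule @1 in the sample shows the point that matters for #3 and #4: 12 state creations and 1201 evaluations, but 6040 packets, because packets carried by the 12 states were charged to the rule without any further evaluation.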
#5
Development and Code Review / Re: Cardinality of ruleset
September 18, 2020, 09:51:01 AM
Thank you very much.

Antonio
#6
Development and Code Review / Re: Cardinality of ruleset
September 18, 2020, 09:43:58 AM
What is the cleaning criterion of pfctl? Is there any anomaly, such as a dependency anomaly or a redundancy anomaly?
#7
Development and Code Review / Cardinality of ruleset
September 18, 2020, 09:28:57 AM
Good morning to all, I have a question:

the number of rules in /tmp/rules.debug (starting from antispoof log for <interface>) is greater than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.
#8
Thank you very much. I have another question:

The number of rules in /tmp/rules.debug (starting from antispoof log for <interface>) is greater than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.

#9
Could someone tell me whether there is an equivalent of the pf.conf file for OPNsense? Is it /tmp/rules.debug?
#10
Thanks a lot Franco!
#11
Hi,

how does the Firewall Ruleset Optimization command function? Here is the man page entry for set ruleset-optimization from pf.conf:

basic -->    Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

        1. remove duplicate rules
        2. remove rules that are a subset of another rule
        3. combine multiple rules into a table when advantageous
        4. reorder the rules to improve evaluation performance

none --> Disable the ruleset optimizer.
profile --> Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers.

Optimization can also be set as a command-line argument to pfctl, overriding the settings in pf.conf.


I tried cloning some rules in the LAN ruleset, and in Firewall --> Advanced Settings --> Miscellaneous the basic Firewall Rules Optimization is set. When I reload all firewall services, the ruleset is the same. Why?

Thanks in advance.

Antonio
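Posts #7/#8 (rule count in /tmp/rules.debug versus pfctl -s rules), #9 (the pf.conf equivalent) and #11 (the optimizer) touch the same pipeline: OPNsense writes the ruleset to /tmp/rules.debug and loads it with pfctl -f. Between the file and the kernel the count changes for several reasons: pfctl expands macros, lists in braces and antispoof into individual rules at parse time (more rules); the optimizer drops rules it finds duplicate or subsumed (fewer rules); and pfctl -s rules lists only the filter (and, on FreeBSD, scrub) rules of the main ruleset, so NAT rules (pfctl -s nat) and rules inside anchors (pfctl -a <anchor> -s rules) are not in that count at all. For the optimizer specifically, the man page text quoted in #11 notes that a label is an optimization barrier; rules generated by OPNsense carry a label, so clones that differ only in their label are not merged. The script below is an added example, not from the thread or from OPNsense: count_rules and dup_candidates inspect a rule file offline, and compare_loaded runs on the firewall to show how many rules survive each stage (pfctl -o none -nvf versus pfctl -o basic -nvf prints the parsed ruleset without and with optimization). The embedded ruleset is constructed; its interface names, addresses and labels are made up.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): compare a pf rule file
# such as /tmp/rules.debug against what pfctl parses and what is loaded.

# Constructed sample in the style of a rules.debug file; everything in it is
# made up. The two pass rules differ only in their label.
SAMPLE_RULESET='# constructed sample, not a real rules.debug
set optimization normal
table <sshlockout> persist
lan = "vtnet0"
wan = "vtnet1"
scrub on $lan all fragment reassemble
nat on $wan inet from ($lan:network) to any -> ($wan:0) port 1024:65535
anchor "miniupnpd"
antispoof log for $lan
block in log all label "Default deny rule"
pass in quick on $lan inet from ($lan:network) to any keep state label "lan allow"
pass in quick on $lan inet from ($lan:network) to any keep state label "lan allow clone"'

# count_rules FILE: tally rule lines in a pf.conf-style file by kind. Macro,
# table, "set" and comment lines are not rules and are skipped. Rules start in
# column 0, as pfctl writes them.
count_rules() {
    awk '
        /^#/ || /^$/                         { next }
        /^(pass|block|match) /               { f++;  next }
        /^antispoof /                        { a++;  next }
        /^scrub /                            { s++;  next }
        /^(nat|rdr|binat) /                  { n++;  next }
        /^no (nat|rdr|binat) /               { n++;  next }
        /^(anchor|nat-anchor|rdr-anchor) /   { an++; next }
        END { printf "filter=%d antispoof=%d scrub=%d nat=%d anchor=%d\n", f, a, s, n, an }
    ' "$1"
}

# dup_candidates FILE: filter rules that are identical once the label is
# ignored. These are the rules the optimizer would merge if the labels did
# not act as barriers; each duplicate group is printed once.
dup_candidates() {
    awk '
        /^(pass|block|match) / {
            line = $0
            gsub(/ *label "[^"]*"/, "", line)
            if (++seen[line] == 2) print line
        }
    ' "$1"
}

# compare_loaded [FILE]: on the firewall, show how many rules survive each
# stage. Needs pfctl and root; not exercised offline.
compare_loaded() {
    file=${1:-/tmp/rules.debug}
    echo "in file:                 $(count_rules "$file")"
    echo "parsed, optimizer off:   $(pfctl -o none  -nvf "$file" | grep -Ec '^(scrub|pass|block|match)')"
    echo "parsed, optimizer basic: $(pfctl -o basic -nvf "$file" | grep -Ec '^(scrub|pass|block|match)')"
    echo "loaded, main ruleset:    $(pfctl -sr | wc -l)"
    echo "loaded, nat:             $(pfctl -sn | wc -l)"
    for a in $(pfctl -sA); do
        echo "loaded, anchor $a: $(pfctl -a "$a" -sr | wc -l)"
    done
    echo "rules identical except for their label:"
    dup_candidates "$file"
}

# Stand-alone demo on the constructed sample, then the live comparison when a
# file is given on the command line and pfctl exists:  sh script.sh /tmp/rules.debug
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_RULESET" > "$tmpfile"
count_rules "$tmpfile"
dup_candidates "$tmpfile"
rm -f "$tmpfile"
if [ -n "${1:-}" ] && command -v pfctl >/dev/null 2>&1; then
    compare_loaded "$1"
fi
```

The gap between the "parsed, optimizer off" line and the file count is the parse-time expansion from #7/#8 (in the sample, antispoof alone becomes more than one block rule); the gap between "optimizer off" and "optimizer basic" is what the optimizer actually removed, which for the two labelled clones in the sample is nothing.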