Messages

1

Italian - Italiano / Non riesco a pingare l'interfaccia WAN

« on: February 03, 2021, 09:24:16 am »

Buongiorno, ho installato OPNSense 21.1 con due schede di rete vboxnet (DHCP abiliato e Netmask 255.255.255.0) di VirtualBox. In particolare risulta che gli indirizzi del firewall sulle due reti sono rispettivamente:

1) LAN: 192.168.56.107

2) WAN: 192.168.57.3

Riesco a pingare il FW da una macchina server appartenente alla LAN e lo stesso posso fare dal FW verso il server.

Non riesco però a pingare il FW da una macchina appartenente alla rete (2), mentre riesco a pingare la stessa dal firewall:

- NO Ping : Client ---> FW;

- Ping : FW ---> Client.

Come è possibile? Credo che ci sia qualche impostazione per l'interfaccia 2 che non mi sta consentendo la corretta comunicazione.

2

Development and Code Review / Defaults rule not in config.xml

« on: November 06, 2020, 09:47:18 am »

Is it possible to manipulate the automatically generated rules (floating and LAN) in order to have these rules in /conf/config.xml, in <filter></filter> node? In particular, in config.xml there are the rules shown by the web interface, but there are not the defaults rule, why?

3

Development and Code Review / Packets total statistic

« on: September 21, 2020, 10:09:29 am »

If I want to know occurence frequency of a generic rule, is it equal to pakets total statistic shown by pfctl -s labels command?

Thanks in advance,

Antonio

4

Development and Code Review / Evaluation statistc

« on: September 18, 2020, 04:23:04 pm »

Is the Evaluation statistic the matching frequency of a pf rule?

From a first analysis it seems how many times a rule is evaluated like a possible rule which matches the traffic. Isn't it?

Thank you in advance. 

5

Development and Code Review / Re: Cardinality of ruleset

« on: September 18, 2020, 09:51:01 am »

Thank you very mych.

Antonio

6

Development and Code Review / Re: Cardinality of ruleset

« on: September 18, 2020, 09:43:58 am »

What is the cleaning criteria of pfctl? Is there any anomaly, suach as dependency anomaly o redundancy anonmaly?

7

Development and Code Review / Cardinality of ruleset

« on: September 18, 2020, 09:28:57 am »

Good morning to all, I have a question:

the number of rules in /tmp/rules.debug (starting from antispoof lof for <interface>)  is grather than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.

8

Development and Code Review / Re: Firewall Rules Optimization

« on: September 16, 2020, 03:49:15 pm »

Thank you very much. I have another question:

The number of rules in /tmp/rules.debug (starting from antispoof lof for <interface>)  is grather than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.

9

Development and Code Review / Re: Firewall Rules Optimization

« on: September 10, 2020, 12:26:51 pm »

Someone could tell me if is there an equivalent pf.conf file for OPNSense? Is it /tmp/rules.debug?

10

Development and Code Review / Re: Firewall Rules Optimization

« on: September 10, 2020, 11:49:56 am »

Thanks a lot Franco!

11

Development and Code Review / Firewall Rules Optimization

« on: September 10, 2020, 10:47:08 am »

Hi,

how does function the Firewall Ruleset Optimization command? Follow the man of set ruleset-optimizan from pf.conf:

basic -->    Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

        1. remove duplicate rules
        2. remove rules that are a subset of another rule
        3. combine multiple rules into a table when advantageous
        4. reorder the rules to improve evaluation performance

none --> Disable the ruleset optimizer.
profile --> Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers.

Optimization can also be set as a command-line argument to pfctl, overriding the settings in pf.conf.


I try to clone some rules in LAN ruleset and in Firewall --> Advanced Settings --> Miscellaneous, the basic Firewall Rules Optimization is set. When I reload all fw services, the ruleset is the same. Why?

Thanks in advance.

Antonio