1
24.7 Production Series / Re: Log specific domain traffic, allow and continue processing rules
« on: November 03, 2024, 05:45:47 pm »
I know full well the limitations of reverse dns, but it doesn't really answer my original question
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
24.7 Production Series / Re: Log specific domain traffic, allow and continue processing rules
« on: October 28, 2024, 08:40:54 pm »
Yes i do mean DNS domains. You can use domain names in FW rules, but I'll send logfiles to Spunk to handle the name lookups for the IPs in the logs
3
24.7 Production Series / Log specific domain traffic, allow and continue processing rules
« on: October 24, 2024, 09:48:25 pm »
Hi,
I have a use case where I need to watch access to a specific domain. I'd like to create a rule to allow traffic and log it but then to continue to process other rules (which may then subsequently block this traffic either now or in the future).
I can't work a way to do this - is this even possible?
Thanks, David
I have a use case where I need to watch access to a specific domain. I'd like to create a rule to allow traffic and log it but then to continue to process other rules (which may then subsequently block this traffic either now or in the future).
I can't work a way to do this - is this even possible?
Thanks, David
4
Intrusion Detection and Prevention / OPNSense on ESXi interfering with other VMs
« on: March 31, 2021, 10:18:01 pm »
I've got a strange problem. I'm running OPN sense on a (standalone) ESXi 6.7 server with two nics. There are a bunch of other Linux VMs also running too.
I can ssh into the OPNSense server from my laptop and i can then ssh from there to the Linux VMs (e.g. keeping in the same virtual switch in ESX)
What I can't do is ssh from my laptop to the either the VMs or to the host management port (also on the same vswitch as the linux VMs). I also can't load the management web gui for the host on 443.
I can however ping the Linux VMs from my laptop and I can also get onto the desktop of the VMs using Teamviewer which is luckily installed. I can then ssh between the VMs ok. I can also browse the web through OPNsense.
I did a packet capture on my laptop and I see acks coming back before getting a reset.
My first thought was IPS/IDS sending the reset packets as the Suricata plugin is installed but I've deactivated it and was only configured for the WAN interface anyway (which is a different vswitch in ESX). If enable the plugin but stop the Suricata service it makes no difference.
I know it's OPNSense though because when I shut it down, everything suddenly bursts back into life and i have full connectivity.
Could Suricata somehow still be running in the background or is there any other service that might behave the same way (I don't have Sensei installed)
Cheers
I can ssh into the OPNSense server from my laptop and i can then ssh from there to the Linux VMs (e.g. keeping in the same virtual switch in ESX)
What I can't do is ssh from my laptop to the either the VMs or to the host management port (also on the same vswitch as the linux VMs). I also can't load the management web gui for the host on 443.
I can however ping the Linux VMs from my laptop and I can also get onto the desktop of the VMs using Teamviewer which is luckily installed. I can then ssh between the VMs ok. I can also browse the web through OPNsense.
I did a packet capture on my laptop and I see acks coming back before getting a reset.
My first thought was IPS/IDS sending the reset packets as the Suricata plugin is installed but I've deactivated it and was only configured for the WAN interface anyway (which is a different vswitch in ESX). If enable the plugin but stop the Suricata service it makes no difference.
I know it's OPNSense though because when I shut it down, everything suddenly bursts back into life and i have full connectivity.
Could Suricata somehow still be running in the background or is there any other service that might behave the same way (I don't have Sensei installed)
Cheers
Pages: [1]