Messages

1

24.7 Production Series / Wazuh - firewall filterlog - include label in the log message?

« on: September 24, 2024, 12:24:28 am »

Hello,

The firewall live view is a super tool and has alot of info when it comes to blocks. I am using wazuh and I am successfully getting logs sent to wazuh from the opnsense router.

I note however that some interesting info is not sent, specifically the name of the interface (the devicename yes, not the common name), and also the label. Here is an example log message

Sep 22 23:51:06 OPNsense.localdomain filterlog[95260]: 107,,,2956dfb9e11c9187b293c85d71232195,vtnet0,match,block,in,4,0x0,,63,30380,0,none,6,tcp,60,172.25.25.12,158.xxx.xxx.xxx,57610,443,0,S,1541627095,,64240,,mss;sackOK;TS;nop;wscale


so although I blocked 158.xxx.xxx.xxx, I can't see in wazuh or in the syslog. In this particular case, 158.xxx.xxx.xxx is in a Alias definition.

It would be super cool to have this label and perhaps even the interface common names logged.  I have to log into the OPNsense router to learn more about any blocks that I am logging.

I am open to other ways to get this info via the wazuh agent?  Cheers and thanks for your help

2

General Discussion / Re: am I too dense to figure out how firewall rules are supposed to work

« on: March 11, 2024, 06:31:05 pm »

Hm ok so the trick is to not have a firewall rule attached to that NAT configuration. Ill try that thanks

3

General Discussion / am I too dense to figure out how firewall rules are supposed to work

« on: March 10, 2024, 04:42:41 am »

I am trying to block traffic for some port forwards I have created. I have a port forward I generally want to be accessible from the Internet, however I have some abusers that I want to block.

I read that NAT and port forwarding is done first. Noted.

The port forwarding works. If I create an inbound floating rule or an inbound rule on the WAN that blocks the abusers, they still can access the port forward. 

The only "solution" I have come up with is to instead of doing a port forward for "*" any , I am using an inverted match on the source address, and doing a port forward for an inverse match on a Alias I created that has the list of hostnames I want to block.


This seems an overly complex way to do a port forward for all but 3 or 4 IP addresses.

I would have assumed in my overly simplistic world that you could create a inbound rule that blocks these abusers before the NAT permit rule, however since port forwarding and NAT is done before everything else from my understanding of the docs, is what I described the only way to have exceptions to a port forwarding?

Thanks for making me less clueless on this matter.

4

Intrusion Detection and Prevention / Re: pid xxx (suricata), jid 0, uid 0, was killed: failed to reclaim memory

« on: February 26, 2024, 01:18:25 pm »

I doubled RAM to 12G and 48 hours later its still going so I guess I was running out of available memory.

5

Intrusion Detection and Prevention / pid xxx (suricata), jid 0, uid 0, was killed: failed to reclaim memory

« on: February 24, 2024, 02:37:00 pm »

Hello,

I am new to the IDS setup and i created a schedule to update the rules once a day. However when it comes to reloading after the successful download, both suricata and unbound crash and do not restart;

2024-02-24T02:14:23   Notice   kernel   <3>pid 61010 (unbound), jid 0, uid 59, was killed: failed to reclaim memory   
2024-02-24T02:14:23   Notice   kernel   <3>pid 97109 (suricata), jid 0, uid 0, was killed: failed to reclaim memory   
2024-02-24T02:12:03   Notice   rule-updater.py   download completed for https://rules.emergingthreats.net/open/suricata-7.0/emerging.rules.tar.gz   
2024-02-24T02:12:02   Notice   rule-updater.py   version response for https://rules.emergingthreats.net/open/suricata-7.0/version.txt : 10539   
2024-02-24T02:12:01   Notice   rule-updater.py   download completed for https://threatfox.abuse.ch/downloads/threatfox_suricata.rules   
2024-02-24T02:12:01   Notice   rule-updater.py   download completed for https://feodotracker.abuse.ch/downloads/feodotracker.rules   
2024-02-24T02:12:01   Notice   rule-updater.py   download completed for https://sslbl.abuse.ch/blacklist/sslipblacklist.rules   
2024-02-24T02:12:00   Notice   rule-updater.py   download completed for https://sslbl.abuse.ch/blacklist/sslblacklist_tls_cert.rules

any tips how to fix this?  I have 6GB available to this opnsense VM, going to try and move it up to 8 and see if its running out of RAM perhaps?

6

General Discussion / Re: Migrating from pfSense to OPNsense and sourceIP traffic filtering is not working

« on: February 22, 2024, 09:17:19 pm »

interesting, it seems to work on pfSense in this way, clearly my state wasnt open when I tested. I am trying to block TOR using a Alias, by adding it as an IN filter on the LAN instead which I suppose will do the same effect. thanks for clearing  this up for me.

7

General Discussion / Re: Migrating from pfSense to OPNsense and sourceIP traffic filtering is not working

« on: February 22, 2024, 07:01:49 pm »

thanks for the welcome.  I wiped my config and started fresh, and still have yet to be able to block an inbound packet. I went nuclear and created the following rule, applied to the WAN , inbound direction. attached image. Simply made a floating rule, applied to WAN, block, in, any any.  Yet I still have no effective inbound filtering, I would have thought this would kill all connectivity.

8

General Discussion / Migrating from pfSense to OPNsense and sourceIP traffic filtering is not working

« on: February 22, 2024, 06:11:22 am »

Hello,

For the life of me I cannot figure out why inbound or outbound traffic that I am identifying by a source IP Alias is not blocked by rules I make.

I am running OPNsense in proxmox, if I shut down the vm and boot back to my pfsense I am able to define rules with a source IP alias and block them inbound or outbound. But for whatever reason in the latest OPNsense, I can't seem to ever match traffic by its source IP and its driving me bonkers.  I can't get it to reject packets either with a floating rule or with a rule on each interface, regardless if its the WAN interface or the LAN interface, in / out or both directions in the case of floating rules.

Any tips as to what I could be doing wrong as I have spent a number of hours trying to figure out what would normally be a trivial thing....thanks