Messages - someone

#1
If you are using OPNsense 25.1,
remember to change the pattern matcher to Hyperscan.
#2
If you don't change it to drop and leave it as alert:
I let it ping at least 10 times,
it shows up in alerts and in the log just once,
with the action showing blocked or alert.
Drop works the best for this test.
Look for it manually in the alerts section,
or enter 1.1.1.1 in the search bar in the log file under Informational.
Cannot search 1.1.1.1 for some reason under alerts, bug in 25.7; other IPs work in the search bar.
#3
A quick test:
In user defined rules under Intrusion Detection,
put 1.1.1.1 in source address,
change action to drop,
press Enter,
click Apply,
wait 5 minutes,
ping 1.1.1.1,
wait 2 seconds and press Ctrl+C to stop it,
check alerts, it should be there.
Remember to delete the rule and click Apply.
#4
As in the title, OPNsense fixed the scan default, so no need to switch to Hyperscan anymore.
Thanks OPNsense.
#5
General Discussion / Re: I'm at my wits end
June 26, 2025, 11:09:53 PM
If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.
#6
In OPNsense you can make a blocklist under user defined rules.
You can subscribe to blocklists, and can get them in txt format to read.
You can enter them manually in opnsense.test.rules as I do, using SFTP.
There they survive a reboot.
#7
You can easily monitor your connections:
open a terminal,
SSH into your router:
sudo ssh (router lan ip)
fingerprint: yes
select option 9 pf.
This will show a live version of your connections,
and those denied will show SYN sent, and no connection.
To close, use Ctrl+C.
#8
Got it,
thanks everyone.
Select protocol and then select from and to port ranges.
#9
Thanks everyone.
Ok.
My WAN rules are default.
I understand how they block a "new" incoming connection.
I have OPNsense on one box and my operating system on another.
There is a firewall, ufw defaults on the OS, and blocked SSH and FTP.
The bad guys enter the OS through the browser.
     Side note: they steal my logs, read them, find the LAN IP, enter OPNsense, steal those logs.
So I'm trying to block connections from servers who have a connection, opening ports that should not be open.
     So for example I can block servers "with a connection" only by manually denying a port and direction.
The defaults are for incoming new ports, not established communications, if that helps.
So my question is:
Is there syntax to deny more than one port at a time?
I don't want to enter them one at a time; like 1:52,54:442,442:546, etc., does that work?
I do know a bit about iptables and ufw, both front ends.
And I want to block them from carrying out some attacks through my system.

Thanks
#10
Question: how to enter port ranges in WAN rules?
I need to block port ranges to stop hackers coming through the browser,
IPP/631 virus for instance,
22/ssh,
etc.
You have to make a rule to stop hackers who have a connection,
so I need broad port ranges, 1:4000.
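The two posts above ask whether a comma-separated list of `low:high` port ranges can be entered in one go. Whatever the firewall's own field accepts, the list is easy to get wrong by hand (the poster's own example lists port 442 twice). The following is an added example, not OPNsense or pf code and not from the poster: it parses that notation, rejects ports outside 1-65535 and reversed ranges, and merges overlapping or adjacent ranges so every port is covered exactly once before it is typed into a rule or alias. The `low:high` notation and the comma separator are the only assumptions; the sample spec is taken from the post.

```python
"""Parse and normalise a compact port-range list such as "1:52,54:442,442:546".

Added example for the port-range question above. It assumes the 'low:high'
notation the posts use, with commas between items; it does not decide
what any particular firewall GUI accepts, it only produces a clean,
merged list of ranges to enter.
"""

# Spec copied from the post above (442 appears in two ranges).
SAMPLE_SPEC = "1:52,54:442,442:546"


def parse_port_spec(spec):
    """Turn "a:b,c,d:e" into sorted, merged (low, high) tuples.

    Single ports become (p, p). Raises ValueError for non-numeric items,
    ports outside 1-65535, or a range whose low end is above its high end.
    Overlapping and adjacent ranges are merged so no port is listed twice.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or doubled comma
        low, _, high = item.partition(":")
        lo = int(low)                   # ValueError on junk like "ssh"
        hi = int(high) if high else lo  # "631" means the single port 631
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range in {item!r}")
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        ranges.append((lo, hi))

    ranges.sort()
    merged = []
    for lo, hi in ranges:
        # Merge when this range overlaps or directly touches the previous one.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def format_port_spec(ranges):
    """Render merged ranges back into the "low:high" list notation."""
    return ",".join(f"{lo}" if lo == hi else f"{lo}:{hi}" for lo, hi in ranges)


def ports_covered(ranges):
    """Number of distinct ports the merged ranges block."""
    return sum(hi - lo + 1 for lo, hi in ranges)


if __name__ == "__main__":
    merged = parse_port_spec(SAMPLE_SPEC)
    print("input :", SAMPLE_SPEC)
    print("merged:", format_port_spec(merged), f"({ports_covered(merged)} ports)")
```

Run on the post's own spec the script collapses the overlapping `54:442,442:546` into a single `54:546` and leaves the gap at port 53 untouched, which is the kind of detail worth seeing before a broad range like `1:4000` goes into a WAN rule.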
#11
Most of hacking is through your browser, no password required:
malicious websites, loading files on your computer, planting backdoors on your computer, sending beacons to the bad guys.
Sometimes the beacon doesn't activate till a certain bot, spider, or scraper hits it; it creates a connection.
Malicious downloads: pdf, img, jpg, png, txt; even the page itself can be malicious when it opens in your browser.
The web page sends you to twenty other servers; we have no idea what they are doing.
They infect your apps, your communications, steal your logs, steal your data.
Take snapshots of the screen if possible instead of a download, much safer.

Don't keep your data on your internet computer.
Wipe your computer often.
Keep a backup of important data.
If you're using Windows, yes, a protection suite is needed.
Linux we reload.
If you're using Linux or a form and you've spent a lot of time setting it up,
copy it, your whole setup.
You can shrink the partitions or partition
and copy the whole thing as is.
Then you can reinstall it in less than 30 seconds
and then adjust the partitions again if needed.
Linux Mint's Disks program does this,
and GParted for the partitions.
There are others.

#12
Yes, use default rules until your skill level increases.
There are no wrong blocks; that's a maintenance issue on the user.
Yes, I would run IPS rules.
You need them to block attacks toward you and from them attacking others through your computer,
not counting data breaches, spreading malicious forms of attack, etc.
Most people will never reach those skill levels; I'm just a newb.
I deal with them most every day.
#13
Is your IPS using a filter, to stop some bad guys?
Also, you may not see any till there are some.
Most of my blocks are from blocklists, IP range blocks, and others:
Snort community blocklist, honeypot blocklist, range blocks.
#14
OPNsense rules change at times; they are refreshed from those sites.
The rules update if you do a manual rule update and install,
or you can set up automatic rule updates.
Note: OPNsense runs Suricata rules and not Snort.
They are not compatible; they don't have the same engine.
Your own rules can be entered manually.
If it's a simple rule or temporary, you can use user defined rules.
#15
Yes, detections work in Hyperscan.
1. Did you enter your IP in Intrusion Detection > Administration, click Advanced in the upper right, put your IP in the Home Network box,
   and remove the others?
2. Did you enable the rules, and did you click Apply in Enable Intrusion Detection and rules categories?
3. You may not see any alerts till you actually get some; some ISPs run filters.
4. Are you running blocklists? That is most of my blocks: Snort community blocklists, my own IP range blocks, and others.
   Can either enter them in OPNsense blocklists, don't know if it's subscriptions,
   or can enter them by cut and paste in user defined rules,
   or enter them manually.
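Posts #6 and #15 both describe taking a text blocklist (downloaded from a subscription, or one's own IP range list) and putting it into the IDS as user defined rules or into a rules file such as opnsense.test.rules. The following is an added example, not OPNsense or Suricata project code and not the poster's: it turns a plain-text feed of IPs and CIDR networks into Suricata `drop` rules, skipping comments and blank lines, reporting malformed entries instead of silently dropping them, and de-duplicating so the rules file does not end up with two rules for the same address. The sample feed is constructed; `$HOME_NET`, the `sid` base and the bidirectional `<>` rule form are assumptions you adjust to your own rule set.

```python
"""Generate Suricata drop rules from a plain-text IP/CIDR blocklist.

Added example for posts #6 and #15 (not OPNsense or Suricata code). Assumes a
feed with one IP or CIDR per line and '#' comments, and that the output goes
into a user-defined rules file. SID_BASE is a placeholder local sid range.
"""
import ipaddress

# Constructed sample feed, the shape a downloaded txt blocklist usually has.
SAMPLE_BLOCKLIST = """\
# example blocklist (constructed sample data)
198.51.100.7
203.0.113.0/24
198.51.100.7        # duplicate entry, must not produce a second rule
not-an-ip           # malformed line, must be reported
2001:db8::/32
"""

SID_BASE = 9000000  # placeholder: local rules use sids >= 1,000,000


def parse_blocklist(text):
    """Return (networks, rejected) from feed text.

    networks: de-duplicated ipaddress network objects in feed order.
    rejected: the raw entries that were not a valid IP or CIDR, so the
    caller can log them rather than lose them silently.
    """
    networks, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net in seen:
            continue
        seen.add(net)
        networks.append(net)
    return networks, rejected


def suricata_rules(networks, sid_base=SID_BASE, action="drop"):
    """Emit one Suricata rule per network, matching either direction.

    A single host is written as a bare address; a network keeps its prefix
    length, which Suricata accepts in the address field.
    """
    rules = []
    for i, net in enumerate(networks):
        addr = str(net.network_address) if net.num_addresses == 1 else str(net)
        rules.append(
            f'{action} ip {addr} any <> $HOME_NET any '
            f'(msg:"blocklist hit {addr}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    for line in suricata_rules(nets):
        print(line)
    for entry in bad:
        print(f"# rejected entry: {entry!r}")
```

Keeping the sid base fixed and assigning sids by position means a regenerated file after a feed update reuses the same sid range rather than accumulating new ids; bump `rev` or the base if you need the old rules to be recognised as replaced.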