Topics

1

Intrusion Detection and Prevention / Direction

« on: May 21, 2019, 07:20:51 pm »

With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like a performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services.. then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?

2

General Discussion / Question about the LetsEncrypt plugin

« on: August 24, 2018, 04:29:38 am »

If I have already pulled certificatees from LetsEncrypt with certbot by running it individually on web servers behind OPNsense/HAProxy, can I still use the LetsEncrypt plugin to take over the management of the certificates?

If so, how? If not, what would be the best way to cut over to the plugin so I don't have to deal with the individual servers renewing certificates?

3

18.7 Legacy Series / Haproxy ssl-passthrough help

« on: August 15, 2018, 05:37:58 pm »

Can anyone explain to me how I would setup haproxy in OPNsense to do ssl-passthrough instead of offloading?

I currently have a single public ip listening on 443 via haproxy with certainty for a couple of servers/services added to it with ssl offloading configured. There are rules that look at host contains and based on the sub domain name of the url, they are routed to the proper pool of servers.

This is currently working for me.

I am more curious on how I would do this with ssl-passthrough instead of offloading and also how I could still use rules to determine which server pool a sub domain url hits.

Any guidance would be much appreciated.

4

18.7 Legacy Series / Haproxy issue

« on: August 14, 2018, 12:57:54 pm »

I have one service running behind haproxy with ssl offloading enabled and it works fine.

I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.

If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.

What could be the issue? It is nginx with and ssl site on 443.

5

18.1 Legacy Series / Block outbound icmp to external address?

« on: June 05, 2018, 06:13:21 am »

What rule would I need to create to block outbound icmp to 8.8.8.8?

In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8

6

General Discussion / Cloudflare DNS over TLS with Unbound

« on: April 04, 2018, 04:02:59 am »

Looking at this article https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter

I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.

It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.

unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853

unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

Is anyone using cloudflare dns over tls successfully?

7

General Discussion / Suggestions for multiple servers running port 443 behind OPNsense

« on: December 16, 2017, 01:34:53 am »

Suggestions for multiple servers running port 443 behind OPNsense With a single public ip?

What would be a good option for handling this?

example:

a.domain.com:443 —-> single public ip ——> internal_server1:443

b.domain.com:443 —-> single  public ip ——> internal_server2:443

Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.

Haproxy can’t do this can it?

8

General Discussion / Can haproxy do content switching similar to a netscaler?

« on: December 10, 2017, 03:25:10 pm »

Can haproxy do content switching like a netscaler? Allowing you to host multiple services on the same port via one IP address.

9

17.1 Legacy Series / Feature Request: IPS Alerts Filtering

« on: June 08, 2017, 12:45:20 am »

It would be nice to have some additional alert filtering options.

Right now you can do a basic search for something in the logs.

It would be great if we could filter more. Like show me all alerts maybe this dst ip and this action in this time frame or all alerts from this src ip that triggered this rule etc..

Also, is it possible to whitelist an ip in IPS? That would be cool.

10

General Discussion / Thanks

« on: June 01, 2017, 10:20:47 pm »

I just wanted to say thank you to all the developers and team members that have made opnsense possible.

You guys have put together a really nice product and it is free for all to use.

Great job everyone. I appreciate it.

11

17.1 Legacy Series / Suricata issue when enabled on LAN

« on: May 31, 2017, 08:30:02 pm »

When I enable suricata on my LAN interface it seems to kill it.

I experience incredibly slow web browsing (enough to be able to continue to use to use the opnsense webui to remove LAN ) and other traffic like streaming YouTube or even loading the video thumbnails in the YouTube app just stops working.

No blocks are registered and I have tried disabling all rules but it always behaves this way.

Wan seems to work fine. I am using an emX intel card. CPU is an i3

Any idea what to troubleshoot here?

12

General Discussion / NIC for workstation?

« on: May 08, 2017, 03:34:31 pm »

Can anyone recommend a low profile 4 port Intel NIC that is known to work well with suricata and can be installed in a workstation/desktop system?

13

General Discussion / Equation Group/ShadowBrokers Suricata Rules

« on: April 21, 2017, 02:40:11 pm »

https://github.com/xNymia/Suricata-Signatures

14

17.1 Legacy Series / POLL: IPS

« on: March 05, 2017, 07:07:21 pm »

I would like to find out who is running 17.1.2 with IPS enabled and ET rules.

Is it working?

Do you have ET rules triggered and blocked?

Do you have any other rules enabled? Are they triggered and blocked?

If it working, what hardware are you running it on? NIC's etc...


I ask because it doesn't seem to work for me and another person I know running completely different hardware (better) with a fresh install of 17.1.2 has the exact same experience. Built in suricata rules trigger and custom geoip rules trigger, but that's it. None of the downloaded (ET) rules seem to work.

A fresh install of the latest pfsense using suricata on the same hardware results in ET rules triggering and blocking as expected.

I'm trying to figure out the cause and it would help to know what others are experiencing.

Thanks.

15

17.1 Legacy Series / 17.1.2 - Still have IDPS issues

« on: February 23, 2017, 12:05:26 am »

I did a fresh install of OPNSense 17.1 last night and then upgraded to 17.1.2 this morning.

It was pretty much default install.

Just now I enabled IDS and IPS, checked off some ET rules that I know were frequently triggered when I was running IPFire with Snort, hit download and install rules, changed them each to drop action and hit download and apply rules again.

Under alerts, all i see is weird suricata alerts with allowed action.

SURICATA STREAM excessive retransmissions

and a bunch of:

SURICATA Applayer Detect protocol only one direction

but no ET or drop alerts.

I don't understand, am i doing something wrong? I had high hopes for the new realtek drivers with suricata.