Topics

1

Intrusion Detection and Prevention / [SOLVED] How often is ALIAS URL table refreshed, if ever?

« on: January 09, 2020, 11:15:10 pm »

Hi,

related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering, if ALIAS URL table, pulled from external source, is ever refreshed?

I have it configured to pull bad IPs to block them from external URL, but if I manually inject one testing IP there, it does not get blocked not after 1 hour, not after 1 day.
So I guess, whether list does not get updated ever, or maybe CRON for this update is not configured.

Any idea where refresh rate (update) can be set?

2

Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?

« on: December 07, 2019, 11:03:39 pm »

Hi,

I have kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and Wordpress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from thosee website plugins (mysql) and inject them via TXT table into firewall ALIAS table.
If anyone interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?

3

19.7 Legacy Series / Large IP Blacklists...performance impact?

« on: April 22, 2019, 01:27:31 pm »

Hi,

I am thinking about to aggregate all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into database. I have a script in PHP to extract IP's from database for past 7 or 14 days.
Then I have plan to try/test retreive these into BLocked ALIASES list of OPNSense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how a 1000's of BLOCK ALIASES LIST would affect firewall performance?

4

18.7 Legacy Series / Each update hiccups upon reboot

« on: January 19, 2019, 05:52:29 pm »

Hi,

with last 2 versions 18.x upon update I had problems when rebooting. Firewall stuck on some disk mapping/mounting (or something disk-related...I do not know where to find those info) and was able to boot properly after some 3-4 soft-resets. Console showed it stuck on intializing or mounting some device, do not remember which one exactly, but it was always DIFFERENT stuck point.

Once it booted, then it worked fine, fast, no problems, and consequent reboots did NOT cause further problems.

I am running on ESX 6.5 with Virtual SCSI disk controller.
VMWare tools are (probably?) installed, but still for past 2 years I see constant warning in ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has OpnSense kernel changed in past version?

5

18.7 Legacy Series / Create DNS override TXT records for ACME-02 LE challenge

« on: January 17, 2019, 12:03:49 am »

Hi,

is it somehow possible to create Unibound DNS override for TXT record? I only see A (AAAA) or MX records override.
Adding custom TXT records locally would be super useful for DNS ACME-02 challenge to generate wildcard LE certificates locally.

6

19.1 Legacy Series / Get back the Apply changes warning stripe on top

« on: December 23, 2018, 05:05:32 pm »

Hi,
just my 5 cents - the "Apply changes" warning stripe on top of previous versions was annoying, but now I see VERY HANDY and USEFUL! Now I am on 18.7 version and I really miss this annoying warning, as I am never 100% sure, whether I applied/saved the settings or not.
So my suggestion is to come back with some similar functionality in further releases.

7

18.7 Legacy Series / suricata.log: Operation not supported by device

« on: September 09, 2018, 06:16:20 pm »

Hi,

I think after updating to 18.7 I see on terminal screen:
syslogd: /var/log/suricata.log: Operation not supported by device

Did this came from update?
Is this critical?

8

Intrusion Detection and Prevention / Integration with Mail, Joomla, Wordpress security

« on: April 02, 2018, 02:52:32 pm »

Hi,

I host hundreds of Wordpress, Joomla and other web sites behind OPNSense firewall. Beside those, I also have few MAIL servers here.
Now, some of web sites have good security measures via plug-ins, which detect brute-force attacks, some web sites use public black lists of compromised IP addresses to prevent access from...while other web sites do not have any of those.

My idea is to somehow connect those best security mechanisms of Wordpress, Joomla and others and then use "I don't know which mechanism" to block those  attackers at OPNSense entry level, so I would prevent those hackers to attack ANY of my web sites and to access to ANY of mail servers, which are behind my OPNSense.

Any ideas?

9

17.7 Legacy Series / Reverse traffic problem

« on: December 29, 2017, 12:14:55 am »

Hi,

does anybody have a clue about my specific problem.
It's about DNS (or any other traffic), where packets origin from within LAN, then go to WAN adapter and return back into LAN for destination - it seems those are rejected.

For example, I have 3 DNS servers:
- DNS 1 is on LAN, behind OpnSense
- DNS 2 is on LAN, behind OpnSense
- DNS 3 is on different WAN subnet
I have ALL DNS servers configured to sync to each other PUBLIC WAN IP address.
- Syncing inbetween DNS1 or DNS2 and DNS3 (and vice versa) is OK.
- But between DNS1 and DNS2 does not happen. I must configure manually DNS1 and DNS2 to sync using LAN IP addresses, not WAN...then sync is OK.

I guess OPNSense blocks the DNS traffic on port 53, if it originates from LAN and is setined via WAN back to LAN.

Any idea, what rule must I add to allow such traffic? (for DNS 53 port only)

10

17.1 Legacy Series / How to handle IPS properly

« on: June 27, 2017, 11:46:42 pm »

Hi,

I am looking at IPS rules and I am a bit confused. I do not expect IPS being plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select proper rules.
But still...this seems an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of gozillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on rule, then click on description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day and click on each rule action from Alert to Drop? Aren't there any preconfigured set of rules for, say, "webhosting" or "home user" or such?

11

17.1 Legacy Series / Protect websites from brute force password guessing

« on: June 27, 2017, 10:10:13 pm »

Hi,

I use OPNSense as main firewall for my webhosting servers. NOT for browsing, as behind OPNSesne there's only a bunch of servers, hosting web sites, like Wordpress, Joomla, Magento and others.
Among 300+ websites there's a dozen of my own sites and I can see hundreds of Brute Force attacks and vulnerability scans from all over the world. I can fight and protect by installing some Wordpress or Joomla security plugins, but I would like to mitigate attacks before they reach website engine - I'd like to configure some protection on OPNSense firewall for incoming attacks.

I do have most of IPS rules active, but here's problem no.1:
If I put rule on ALERT, I need to know exact source IP to find the alert in IPS log. I cannot search for, say "1.2.3.*" or "brute force". Is there some other way to see IPS alerts?

Now problem no.2:
Is there some better plugin or protection method to fight against brute force, password guessing and other attacks at firewall level, without impacting performance too much?

12

General Discussion / [SOLVED] Outbound binding to specific WAN IP

« on: May 28, 2017, 01:45:27 am »

Hi,

I've asked this question elsewhere, so hoping maybe I get answer here.

What's the proper method to specify, for example LAN server with IP xy to use outbound masquerade using WAN IP xz? I have multiple WAN IP addresses and I want each local server to use it's own public IP (not all going out via the same IP...especially I want to specify outbound WAN IP for mail server).
I have 17.1.6 and I've tried OUTBOUND NAT using Virtual WAN IP, but no joy.Tried also with floating NAT rule, direction out, use different Wan IP as a gateway...but this does not pass traffic to real Wan gateway, instead traffic is stuck at WAN port.

I know this is one of hte basic functions, but how to approach?
...or is maybe 17.1.x buggy?

### EDIT ###
It was obviously a bug in FreeBSD kernel, as update to 17.1.8 solved the problem instantly:
https://forum.opnsense.org/index.php?topic=5229.msg21189#msg21189

13

17.1 Legacy Series / [SOLVED] Outbound NAT not working?

« on: May 23, 2017, 01:39:17 am »

Hi,

I have been struggling with setting up OUTBOUND traffic binding to different WAN IP aliases.
I own /28 subnet of Public IP addresses, which are all configured as VIRTUAL IPs on WAN adapter.

Now, I want to configure which LAN server or LAN subnet will use specific WAN IP alias for outgoing traffic. But without success. I've tried a lot, no results:
- Tried with OUTBOUND NAT, but no joy
- Created additional GATEWAYS for each WAN IP
- Created FLOATING firewall rule to use one of those gateways for OUT traffic....but no success
- followed some of this document, but no joy either: https://docs.opnsense.org/manual/how-tos/multiwan.html?highlight=multi%20wan#step-4-policy-based-routing

Any idea what am I missing?

14

17.1 Legacy Series / Setup Passive FTP server behind OPNSense

« on: May 21, 2017, 11:05:53 pm »

Hi,

I am trying to setup most secure Passive FTP server setup behind OPNSense. For the moment I have WORKING temporary solution:

On OPNSense I have NAT Port forwarded:
- port 21 from WAN to LAN FTP server IP
- passive ports range 10000-11000 from WAN to LAN FTP server IP
This works fine.

...BUT I do not want passive port range 10000-11000 to be statically opened from WAN to LAN.
So, as I understand, OPNSense/PFSense can use a kind of "FTP Helper" which intercepts FTP server response, in which FTP server instructs FTP client which passive port to use for data connection.
Communication goes like this:
1.) FTP client initiates connection on port 21
2.) In case of Explicit FTP over TLS, both then switch to TLS, exchanging certificates
3.) Then FTP client asks FTP server for PASV PORT
4.) Server answers and includes WAN IP address and PASV PORT on which FTP client should send/receive data
And this answer is here also recognized by OPNSense, which opens the requested data port for the client only.
5.) FTP client then sends and receives data on this data port and given WAN IP (not necessarily the same WAN IP as initial FTP connection was started on)

Now, within my FTP server I see the settings for:
- PASV port range
- and PASV WAN IP to be responded

But how/where to setup this on OPNSense?

15

17.1 Legacy Series / [SOLVED] Cannot get NAT rules to work

« on: May 17, 2017, 12:09:46 am »

Hi,

I've just installed OPNSense 17.1.4 on VMWare 6.5 host. I used VMXNET3 type NIC adapters on both LAN and WAN sides.
Test setup as router --> OK
Test as Web Proxy --> OK
Pinging from OPNSense WAN and LAN destinations --> OK
Test with or without IPS/IDS --> both OK

Now, fine, excellent!
BUT no... I stuck with NAT rules.
Simple NAT rule on WAN interface, from WAN IP to LAN IP, port 80 (HTTP) no go?!

Interface: WAN
Proto: TCP
Destination: WAN Address (or Wan alias IP)
Destination from: HTTP to: HTTP
Redirect target IP: one of LAN server's IP
Redirect target port: HTTP
Pool option: default
NAT Reflection: Default/Enable/Disable (tried all of them)
Filter Rule association: None/Pass (tried both)

Ok, then I changed OPNSense port from HTTP to HTTPS and to 12345 instead of 443.
But NAT still does not work.

Then I took A LOT OF TIME and tried all possible combinations, FROM Any/Wan/Lan, then NAT Redirect On/Off, Roule Pass/none...also tried from public 81 to local 80.... nothing works!!?
Also tried to change OPNSense WAN IP and added WAN IP ALIAS, then NAT redirect FROM WAN Alias, then I upgraded to 17.1.6 without problems, BUT.... no go, simply NAT does not work whatever I do.

Any idea?