OPNsense

Topics - shred

1
General Discussion / "Allow DHCP clients in/on/ WAN" - Why are these automatically generated?
« on: September 12, 2019, 05:45:03 am »
Apologies if this is a stupid question but I can't figure out why these firewall rules were automatically generated or what they would be used for on a typical home network. I'm still learning OPNsense in a VM environment as I'm considering replacing my Sophos XG setup with it.

I have a clean install of OPNsense with just a few minor adjustments (IPS enabled, Web Proxy w/ ClamAV, etc.). OPNsense is also running a DHCP server for IPv4 (no DHCP server for IPv6). I noticed in the WAN firewall rules, there are several automatically generated rules (see attached screenshot).

I don't understand what these rules are for:
- allow dhcpv6 client in WAN (3 of them)
- allow DHCP client on WAN (2 of them)

On the LAN firewall rules, there are three automatically generated rules for "allow access to DHCP server" but that makes sense - those are such that clients on my LAN can access the DHCP server. However, I don't understand why there are rules on the WAN side.


2
Intrusion Detection and Prevention / Some rules in a ruleset not enabled by default?
« on: September 10, 2019, 03:04:34 am »
On the Intrusion Detection -> Administration page, I noticed when I select a Ruleset on the Downloads page, enable it and then select Download & Update Rules, it enables and downloads fine but when I look at the Rules tab, I see some rules are enabled and others are not. A few questions:

1. Why is this? If I enable a ruleset, I would have thought all of the rules would either be enabled or disabled but that doesn't seem to be the case. What determines which ones are enabled or disabled by default?

2. Is there a quick way to disable or enable all of the rules within a ruleset?

3
General Discussion / Firewall logs - how do you disable certain log entries?
« on: August 31, 2018, 10:22:01 pm »
I'm noticing a lot of log entries in my firewall log that I would like to disable (i.e. not logged) but I can't seem to figure out where to do this. The labels for these entries are:

- "anti-lockout rule"
- "let out anything from firewall host itself"
- "pass loopback"

I've searched everywhere that would make logical sense to disable these log entries but I'm not finding anything. Any ideas?

4
Documentation and Translation / [SOLVED] Issues with User Manual - "Configure Spamhaus (E)DROP"
« on: November 01, 2017, 04:04:55 am »
I'm trying to configure Spamhaus DROP/EDROP using the guide on the OPNsense user manual that can be found here: https://wiki.opnsense.org/manual/how-tos/edrop.html. However, I'm running into some issues:

1. When creating the alias, the user manual states to set the update frequency to 1 for each day. However, there is no option in OPNsense to set an update frequency.

2. When creating the firewall rule to block, there is no way to set the alias I created (spamhaus_drop and spamhaus_edrop) as the source as directed in the user manual.

Is there another way to go about setting up Spamhaus DROP/EDROP?

5
17.7 Legacy Series / Intrusion Detection - Enabling/Disabling Rules
« on: October 31, 2017, 01:39:48 am »
Good afternoon,

I'm in the market to purchase some hardware to install a firewall such as OPNsense. I've spent several hours over the past few days messing with pfSense, OPNsense and SophosXG on VirtualBox to see which one I'd like to go with. So far I'm leaning towards OPNsense based on a number of different reasons but one thing I'm trying to understand is the Intrusion Detection. I've set up the Intrusion Detection and downloaded/enabled the 'OPNsense/test rules' to make sure it works when I access http://www.eicar.org/download/eicar.com.txt and sure enough, I see it in the Alerts (this test method is great by the way and is probably worth adding into the User Guide... only discovered it by searching/reading the forums). After that, I started downloading/enabling several other ET open rules as well but when I view the 'Rules' tab, I'm a bit confused as to how each rule becomes enabled/disabled. I assumed that if I enabled the entire rule set from the 'Download' tab (i.e. ET open/malware), that it would enable all of the corresponding rules associated with it in the 'Rules' tab. However, I've noticed when I disable certain rule sets, the corresponding rules are still enabled. The opposite is true as well where I enable a rule set but the specific rules are not enabled. Hopefully that makes sense but I'm just wondering what I'm missing here...

Edit: As an example, I selected all of the rule sets under 'Download' and clicked 'Disable selected'. All of them are showing as being disabled (X under every rule set in the Enabled column). However, under the 'Rules' tab, I'm still seeing specific rules enabled (box is checked in the Info/Enabled column) and I'm seeing new alerts show up. Pictures attached.

Second question while I'm on this topic - One thing I liked about pfSense was the ability to suppress or disable the rule from the Alerts view. Is there any way to do this in OPNsense? When I click the info button, the only option I see that is close to what I'm trying to do is the 'Alert action/sid' drop down box that only lets me switch between Alert and Drop.

Anyways, thanks to everyone who is a part of this OPNsense platform and the work you've put in. It's definitely looking like the platform I'm going to end up going with.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved