Topics - unipacket

#1
19.7 Legacy Series / Insight with VLANs - No Data
August 05, 2019, 02:44:27 PM
Hello  :)

I was logged into my OPNsense firewall and found that under Insight, it displays "No Data."  Searching the forum, I found a couple of references about clearing the cache, as that sometimes is the fix, but unfortunately it did not work.  Under the cache tab, I do see destinations, sources, and packet counts increasing.  Now the one thing to note is that my LAN is a VLAN configured on a parent interface and I'm not sure if that is the issue or not.  Is anyone else seeing this with VLANs enabled?  I have hardware CRC, TSO, and LRO disabled, and VLAN hardware filtering is set to disabled.  I can submit an issue on GitHub but figured I would check here first.

Thanks
#2
Hello  :)

While testing Suricata, I noticed it does not seem to monitor traffic destined for the firewall itself.  What I did to find this was enable the ET_DNS rules and attempt to resolve a .tk domain using nslookup.  When using an external DNS server (such as Google), I receive alerts in Suricata.  But when I use OPNsense itself as the DNS server and attempt to resolve the same domain, I receive no such alerts.  Is this normal?  Is it possible to configure Suricata to monitor the firewall itself for certain alerts (not just DNS)?
#3
Development and Code Review / UnboundBL
December 17, 2018, 02:22:12 PM
Hi,

I was browsing the OPNsense reddit page and came across a discussion regarding UnboundBL:

https://www.reddit.com/r/OPNsenseFirewall/comments/9rtwsd/found_this_on_github_unboundbl/

https://github.com/alectrocute/UnboundBL

It looks like the repo hasn't been updated in 4 months.  Has anyone heard of any news on this plugin?

Thanks
#4
Intrusion Detection and Prevention / snort Compatibility
December 07, 2018, 03:58:07 AM
Hi everyone,

What is the general consensus on snort rule compatibility with suricata?  Is purchasing the VRT rules worth it, given that not all rules are compatible?

thanks
#5
18.7 Legacy Series / DNS Alias
December 04, 2018, 03:08:26 PM
EDIT: This may be a similar question -  https://forum.opnsense.org/index.php?topic=10501.0


Hi, another question about aliases and firewall rules.  I'm experimenting with rules and was wondering if it's possible to block traffic by using a DNS alias.  For example, if I wanted to block all traffic to google.com except 443 TCP, I create the following rules:

Rule 1:
Source: Internal
Source Port: Any
Source Protocol: Any
Destination: google.com  <-- Alias
Destination Port: 443
Destination Protocol: TCP
Action: Allow

Rule 2:
Source: Internal
Source Port: Any
Source Protocol: Any
Destination: google.com  <-- Alias
Destination Port: Any
Destination Protocol: Any
Action: Block

Will the alias for google.com auto resolve all IPs for google.com?

I tried searching the forum and docs but did not find much.  One bit of information I did find in the pfSense docs is below, but I was unsure if this also applies to OPNsense.  If the aliases function the same in both products, I'm thinking this might not be possible with just firewall rules unless I manually find all IPs for google.com.

https://www.netgate.com/docs/pfsense/firewall/blocking-websites.html
Quote: Using Firewall Rules

If a website rarely changes IP addresses, access to it can be blocked using firewall rules. This is not a feasible solution for sites that return low TTLs and spread the load across many servers and/or datacenters, such as Google and similar very large sites. Most small to mid sized websites can be effectively blocked using this method as they rarely change IP addresses.

A hostname may be entered in a network alias, and then that alias may be applied to a block rule. Note the hostname will only be resolved every 5 minutes, but that may be changed under System > Advanced on the Firewall/NAT tab (Aliases Hostnames Resolve Interval).

Another option is finding all of a site's IP blocks, creating an alias with those networks, and blocking traffic to those destinations. This is especially useful with sites such as Facebook that spread large amounts of IP space, but are constrained within a few net blocks.
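The quoted text describes two things that decide whether the two rules in the post behave as intended: rules are evaluated in order with the first match winning (OPNsense rules have "quick" set by default), and a hostname alias is only a snapshot of the addresses the name resolved to at the last refresh. The small model below is an added example, not OPNsense or pfSense code; the DNS answers are constructed, the alias refresh is simulated with a timestamp rather than a real timer, and the rule engine is a plain first-match loop. It shows rule 1 allowing 443, rule 2 blocking port 80 to a known address, and port 80 to an address the name only started returning after the last refresh slipping past both rules until the alias is refreshed again.

```python
"""Model of how a hostname (DNS) alias feeds first-match firewall rules.

Added example, not OPNsense code. Assumptions: first-match evaluation
(quick rules), an alias refreshed on a fixed interval as the quoted
pfSense text describes, and constructed DNS answers instead of lookups.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS answers: a low-TTL name hands out different addresses
# on successive lookups, which is the problem the quoted text describes.
FAKE_DNS_ANSWERS = {
    "google.com": [
        ["203.0.113.10", "203.0.113.11"],   # answer seen at refresh #1
        ["203.0.113.12"],                    # answer seen at refresh #2
    ],
}


def make_resolver(answers):
    """Return a resolver that walks through the constructed answers in order."""
    calls = {}

    def resolve(name):
        i = calls.get(name, 0)
        calls[name] = i + 1
        table = answers[name]
        return table[min(i, len(table) - 1)]

    return resolve


class HostnameAlias:
    """A hostname alias: a set of IPs that only changes when refreshed."""

    def __init__(self, name, resolver, refresh_interval=300):
        self.name = name
        self.resolver = resolver
        self.refresh_interval = refresh_interval
        self.addresses = set()
        self.last_refresh = None

    def refresh(self, now):
        """Re-resolve only if the interval (default 5 minutes) has elapsed."""
        if self.last_refresh is None or now - self.last_refresh >= self.refresh_interval:
            self.addresses = {ipaddress.ip_address(a) for a in self.resolver(self.name)}
            self.last_refresh = now

    def __contains__(self, ip):
        return ipaddress.ip_address(ip) in self.addresses


@dataclass
class Rule:
    action: str      # "allow" or "block"
    proto: str       # "tcp", "udp" or "any"
    dst: object      # HostnameAlias or the string "any"
    dport: object    # port number or "any"

    def matches(self, proto, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and (self.dst == "any" or dst_ip in self.dst)
                and (self.dport == "any" or self.dport == dport))


def evaluate(rules, proto, dst_ip, dport, default="allow"):
    """First matching rule wins; unmatched traffic falls through to the default."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return default


def demo():
    """Replay the two rules from the post against the constructed answers."""
    alias = HostnameAlias("google.com", make_resolver(FAKE_DNS_ANSWERS), refresh_interval=300)
    rules = [
        Rule("allow", "tcp", alias, 443),    # rule 1 from the post
        Rule("block", "any", alias, "any"),  # rule 2 from the post
    ]
    alias.refresh(now=0)
    results = {
        "https_to_known_ip": evaluate(rules, "tcp", "203.0.113.10", 443),
        "http_to_known_ip": evaluate(rules, "tcp", "203.0.113.10", 80),
        # Address the name only returns in a later answer, before the next refresh:
        "http_to_unrefreshed_ip": evaluate(rules, "tcp", "203.0.113.12", 80),
    }
    alias.refresh(now=300)
    results["http_to_ip_after_refresh"] = evaluate(rules, "tcp", "203.0.113.12", 80)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The gap in the third case is the reason the quoted text says hostname aliases are not a feasible way to block very large sites: any address the name returns between two refreshes matches neither rule, so the traffic takes the default path.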
#6
18.7 Legacy Series / URL Table Alias Questions
November 26, 2018, 06:33:48 PM
Hi  :)

When creating a URL table alias in opnsense, is it possible to have multiple feeds under one alias?  It looks like I can enter multiple URLs but is the alias backend able to process multiple feeds and download/consolidate them under one alias?

Also, is it possible to nest multiple URL table aliases?  For example, if I create three separate URL table aliases with different feeds (i.e. MalwareList1, MalwareList2, MalwareList3), can I create a fourth alias and add the three malware aliases to it?

I'm trying to avoid having to create a firewall rule for each feed.  That way, if I use ten feeds, I don't have ten separate firewall rules.

Thanks
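Whatever the alias backend does, the consolidation the post is after is a small, well-defined job: fetch each feed, drop comments and junk lines, and merge the remaining networks into one deduplicated table that a single rule can reference. The script below is an added example and is not OPNsense's alias code; the feed contents are constructed strings standing in for downloaded URL tables (one IP or CIDR per line), and nesting is modelled as an alias whose members may be feed names or other alias names. Overlapping entries are collapsed so `198.51.100.5` disappears into `198.51.100.0/24`, and lines that do not parse are reported rather than silently dropped.

```python
"""Consolidate several blocklist feeds into one alias-style table.

Added example, not OPNsense's alias backend. FEEDS stands in for the
downloaded contents of three URL tables; nesting is modelled as an alias
that lists other aliases or feeds by name.
"""
import ipaddress

# Constructed feed contents (one IP or CIDR per line, comments allowed).
FEEDS = {
    "MalwareList1": "# feed 1\n198.51.100.5\n198.51.100.0/24\n\n",
    "MalwareList2": "203.0.113.7 ; trailing comment\n198.51.100.5\nnot-an-ip\n",
    "MalwareList3": "2001:db8::/32\n203.0.113.0/25\n",
}


def parse_feed(text):
    """Return (networks, rejected_lines) for one feed; comments are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host addresses and CIDRs with host bits set
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def build_table(feed_names, feeds):
    """Merge the named feeds into one deduplicated, collapsed list of networks."""
    all_nets, all_rejected = [], []
    for name in feed_names:
        nets, rejected = parse_feed(feeds[name])
        all_nets.extend(nets)
        all_rejected.extend(rejected)
    # collapse_addresses requires a single address family per call
    v4 = [n for n in all_nets if n.version == 4]
    v6 = [n for n in all_nets if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return collapsed, all_rejected


def resolve_nested(alias, aliases, path=()):
    """Flatten a nested alias into the feed names it ultimately refers to."""
    if alias in path:
        raise ValueError(f"alias loop: {' -> '.join(path + (alias,))}")
    feed_names = []
    for member in aliases[alias]:
        if member in aliases:
            feed_names.extend(resolve_nested(member, aliases, path + (alias,)))
        else:
            feed_names.append(member)
    return feed_names


def demo():
    """One top-level alias referencing the three feed aliases from the post."""
    aliases = {
        "AllMalware": ["MalwareList1", "MalwareList2", "MalwareList3"],
    }
    feed_names = resolve_nested("AllMalware", aliases)
    table, rejected = build_table(feed_names, FEEDS)
    return [str(n) for n in table], rejected


if __name__ == "__main__":
    table, rejected = demo()
    print("\n".join(table))
    print("rejected:", rejected)
```

The rejected list is worth surfacing in practice: a feed that changes format or serves an error page would otherwise shrink the table to nothing and the rule referencing it would quietly stop matching.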