Web Proxy Filtering and Caching / Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
« on: November 22, 2024, 08:55:49 am »
Dear OPNSense community,
We have a Business license, which is normally supposed to receive a stable version after every update/upgrade, but that's not the case. The last upgrade was from 24.4.3 to version 24.10_7 (amd).
os-OPNWAF Version 1.6 - os-crowdsec 1.0.8_1 and Intrusion Detection is activated
After the upgrade the logs from Suricata went full (and the disk too) -> Resource limit succeeded Service RootFs
Topology:
We have a bridge; the firewall is in our DMZ behind the first hop, where there is another router/firewall. The OPNSense is there for its WAF / PROXY functions (OPNWAF / SURICATA / Crowdsec).
We have some Nextcloud and we are securing the traffic to Nextcloud with OPNSense.
Since the last upgrade the logs went full with Suricata. I've deleted some logs; they were bigger than 100 GB.
Now the firewall is simply blocking the traffic from the Nextcloud to everything, even if I've made some rules like Nextcloud to everything with any ports.
All the services are green.
I cannot explain what is happening, but for a Business license, I think this version has a bug!
I've already restarted; nothing is working and I don't know where to begin with this kind of stuff. In the OPNWAF the logs won't show any problem. It seems to be a problem with the firewall!
example:
__timestamp__ 2024-11-22T08:31:43
ack 3809070810
action [block]
anchorname
datalen 0
dir [in]
dst XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport 48012
ecn
id 4409
interface bridge0
interface_name BRG
ipflags DF
ipversion 4
label Default deny / state violation rule
length 52
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 4
seq
src XX.X.XXX.XXX (Nextcloud)
srcport 443
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 64
urp 506
The worst thing is I've changed nothing. Everything is going wrong after the upgrade to version 24.10_7.
Could you please help me?
Thank you in advance!
Regards,
Joel.
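The record in the post is an OPNsense filter log entry (pf's filterlog, shown as key/value lines) that matched the "Default deny / state violation rule" on an ACK-only TCP packet coming from Nextcloud:443 to the firewall. Below is an added triage helper, not code from the original post or from the OPNsense project, that parses such records and sorts blocked packets into buckets so that state-violation drops on mid-stream ACKs can be told apart from ordinary policy denies. The sample records are constructed to follow the post's field layout; the IP addresses are RFC 5737 placeholders, and the field names are the ones visible in the post.

```python
"""Added example: parse OPNsense (pf filterlog) key/value records like the one in
the post and sort blocked packets into triage buckets. Not from the original post."""
from collections import Counter

# Constructed sample records modelled on the post's field layout. Addresses are
# documentation placeholders (RFC 5737), not the poster's real hosts.
RECORD_POST = """\
__timestamp__ 2024-11-22T08:31:43
action [block]
dir [in]
dst 192.0.2.1
dstport 48012
interface bridge0
label Default deny / state violation rule
protoname tcp
rulenr 4
src 192.0.2.20
srcport 443
tcpflags A
"""

# A second constructed record: a plain SYN dropped by an ordinary deny rule.
RECORD_SYN = """\
__timestamp__ 2024-11-22T08:32:01
action [block]
dir [in]
dst 192.0.2.1
dstport 22
interface bridge0
label Default deny rule
protoname tcp
rulenr 4
src 198.51.100.7
srcport 51000
tcpflags S
"""


def parse_record(text):
    """Turn 'key value' lines into a dict; keys with no value (e.g. 'anchorname')
    become ''. Bracketed values such as '[block]' or '[in]' are unwrapped."""
    rec = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        rec[key] = value.strip().strip("[]")
    return rec


def classify(rec):
    """Bucket a parsed record for triage.

    'stateless_ack'   : dropped by the state-violation rule, TCP, ACK set and SYN
                        clear. pf found no state entry for a flow that is already
                        mid-stream. Typical causes: a reboot or state-table flush,
                        or a bridge/asymmetric path where only one direction of
                        the flow crosses the firewall. A normal TCP pass rule
                        usually does not help, because by default it only creates
                        state on the SYN.
    'state_violation' : other packets dropped by the state-violation rule.
    'policy_block'    : dropped by an ordinary rule (check rulenr and label).
    'pass'            : not a block at all.
    """
    if rec.get("action") != "block":
        return "pass"
    label = rec.get("label", "").lower()
    flags = rec.get("tcpflags", "")
    if "state violation" in label:
        if rec.get("protoname") == "tcp" and "A" in flags and "S" not in flags:
            return "stateless_ack"
        return "state_violation"
    return "policy_block"


def summarize(records):
    """Count buckets and, for stateless ACKs, the 4-tuples involved, so the
    noisiest broken flows surface first."""
    buckets = Counter()
    flows = Counter()
    for text in records:
        rec = parse_record(text)
        bucket = classify(rec)
        buckets[bucket] += 1
        if bucket == "stateless_ack":
            flows[(rec["src"], rec["srcport"], rec["dst"], rec["dstport"])] += 1
    return buckets, flows


if __name__ == "__main__":
    counts, top_flows = summarize([RECORD_POST, RECORD_SYN, RECORD_POST])
    print(dict(counts))
    for (src, sport, dst, dport), n in top_flows.most_common():
        print(f"{n:4d}  {src}:{sport} -> {dst}:{dport}")
```

Feed it the records exported from the live view (one record per block of lines) and look at which bucket dominates: a flood of `stateless_ack` entries for established Nextcloud flows points at the state table rather than at the rule set, which is a different thing to investigate than a `policy_block` on a specific `rulenr`.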

