Messages - hbc

106
20.1 Legacy Series / Re: Custom rule scripts
« on: April 12, 2020, 10:42:42 pm »
There is really no magic in hosting blacklists on GitHub. There even exist lists hosted on GitHub, like this DoH blacklist:
https://github.com/oneoffdallas/dohservers?files=1

You just have to take care that you use the RAW link as source for your URL table alias.

E.g.: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt

107
German - Deutsch / Re: DNS Block ala pihole
« on: April 10, 2020, 10:42:33 pm »
You can change the web port of the OPNsense in the GUI. Somewhere under System: Settings: Administration - TCP-Port

108
20.1 Legacy Series / Re: Custom rule scripts
« on: April 10, 2020, 10:08:08 pm »
Sure you can create your own lists, but to be honest: why do the work twice and take care of updates?
There are so many blacklists, even lists that already incorporate various other lists, so just use those.

A good starting point is: http://iplists.firehol.org/

109
20.1 Legacy Series / Re: Custom rule scripts
« on: April 10, 2020, 09:38:03 pm »
Just read the docs/manual. There is an example with the Spamhaus blocklist.
https://docs.opnsense.org/manual/how-tos/edrop.html

110
Intrusion Detection and Prevention / Re: Suricata logs and what they mean??
« on: April 10, 2020, 06:18:10 pm »
You just need an alias of type GeoIP. Check Ukraine, save and set it as source for block rules.
But instead of blocking, I would whitelist the countries that are allowed if no world-wide access is necessary.

https://docs.opnsense.org/manual/aliases.html

111
Intrusion Detection and Prevention / Re: Suricata logs and what they mean??
« on: April 10, 2020, 06:01:49 pm »
Then just geo-block Ukrainian IPs. But since Suricata is run before the filters, the alerts will continue.
The only way to stop alerts is to unplug your internet cable.
There are always port scans. You cannot prevent them. I have a Chinese IP that has been scanning one of my IPv6 segments (/48) for a week. But for this reason, I have a firewall that just allows specific IPs to be accessed externally. This is exactly the reason you have firewalls.

And when you have a world-wide open RDP port, then there will always be guys trying to get in.

112
Intrusion Detection and Prevention / Re: Suricata logs and what they mean??
« on: April 10, 2020, 09:23:06 am »
Sorry, I always forget about NAT, since I am only using public addresses. With public IPs and Sensei, I think WAN is correct for Suricata.

113
General Discussion / Re: Var log folder contents
« on: April 10, 2020, 08:18:44 am »
Strange log directory content for an OPNsense. Looks like a Linux-based Ubuntu installation - not OPNsense FreeBSD.

OPNsense/FreeBSD uses the clog format, a binary circular-rotation one. No deletions are necessary due to the fixed size and circular rotation.

114
General Discussion / Re: Network isolation setup
« on: April 10, 2020, 08:13:08 am »
Use different SSIDs and assign each its own VLAN.

115
Intrusion Detection and Prevention / Re: Suricata logs and what they mean??
« on: April 10, 2020, 08:09:11 am »
I would say: time to change the VPN solution if performance is worse.
BTW, 3389 as shown in the screenshot is the RDP standard port.

Additionally I would use 2FA and geo-blocking to increase security. If nobody from Ukraine needs to access RDP, restrict it to those countries where it is accessed from.

116
20.1 Legacy Series / Re: Wildcard hosts in Firewall alias
« on: April 09, 2020, 11:12:01 pm »
If these are web pages, you can block them via the proxy and a regex.

syd[0-9][0-9]\.media\.com

117
20.1 Legacy Series / Re: Flush states on backup link after main link recover
« on: April 09, 2020, 11:05:32 pm »
For VPN, just restart the service on the backup; for clearing states use Firewall - Diagnostics - Reset states.

118
Intrusion Detection and Prevention / Re: Suricata logs and what they mean??
« on: April 09, 2020, 11:01:45 pm »
Usually you enable Suricata on WAN. And IPS is triggered before the firewall. You will get these alerts even if you do not have any open RDP ports.
And nobody would run RDP without VPN or a fixed source IP, so you can set a rule to block when using VPN.

119
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 07, 2020, 03:15:29 pm »
@t.mayer:

ATM I have the problem that Squid randomly bumps instead of splicing. Did you have similar issues? My setup is:

# configure bump
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

The standard "log only" setting. But I just got calls that SSL pages cannot be retrieved, and when I made TeamViewer sessions, I saw that there were self-signed certificates issued. But why?

120
19.7 Legacy Series / Re: [Resolved] Updated to 19.7.5 theme cicada, has issues
« on: April 07, 2020, 10:31:48 am »
Can somebody issue a fix for https://github.com/opnsense/plugins/issues/1687

White on white is ... no contrast  ;D
