Messages - errored out

121
Intrusion Detection and Prevention / Re: wildcards in user defined Intrusion Detection rules
« on: February 17, 2021, 04:59:27 am »
The rules are not set up for that configuration (multiple segments).  1 rule -> 1 segment.  However, you can create a new rule for 1 segment.  Then click the 2 boxes at the rule you just created and you can create a new rule with the previous rule's information.  Just change the segment to what you want.




122
Intrusion Detection and Prevention / Re: First Time User
« on: February 17, 2021, 04:48:14 am »
2) If I'm remembering correctly,  the rules are downloaded and enabled.  The action is dependent on the default action of the rule.  If a rule is in black, it is enabled.  If the rule is in gray, it is not enabled (not in use).  Also to the right of the rule are check boxes that coincide with the color I just mentioned.

3) I would also like to know.  I'm seeing different activity from what I remember with pfsense.  I think you select different times as to block an IP which has set off a rule. From what I have been seeing, the traffic is blocked and the IP is not blacklisted for X amount of time.

4) There is no block tab.  I have only seen alerts. Also make sure to pay attention to the tips / notes in the IPS documentation.  You will have problems due to incorrect configuration.

For the other post - marshalleq, I don't think suricata is a "black art".  It has been used with various other O.S.es.  The documentation for opnsense is not the best, but the forum has helped me when I needed it.
 Did you enable suricata, IPS mode, and Promiscuous mode?  You also have to make other changes to your FW.

123
Intrusion Detection and Prevention / Re: Change Action to Drop in bulk
« on: February 17, 2021, 03:57:36 am »
List all the rules you want to configure to drop.  Click the check box at the top of the list (to the left of sid).  This will select (check) all the rules listed below the sid checkbox.  Then click on drop at the bottom of the rule list (below the last rule).

124
General Discussion / Re: How can a url be blocked? Not block a domain, subdomain, DNS - a URL
« on: February 17, 2021, 03:07:59 am »
Thanks

125
Web Proxy Filtering and Caching / Re: Block traffic to unresolved IP / Non-sni or "naked" IPv4 address
« on: February 17, 2021, 03:07:33 am »
Great, thank you.

126
21.1 Legacy Series / Re: [Solved] Services not starting after upgrade to 21.1
« on: February 17, 2021, 03:07:10 am »
Thanks for the tips, I have confirmed squid was the issue.  The set of directories and sub-directories was so large, it caused what appeared to be latency in the startup process.  In actuality, it was squid taking ownership of all the files during each boot.  Until squid had completed the directory change, it had paused the remaining startup process.

127
21.1 Legacy Series / Re: Port Forwarding Across VPN
« on: February 16, 2021, 11:38:38 pm »
I also ran into a similar issue which was due to PBR.  Keep in mind I have not configured IPSEC; some of this information may not apply.

What you may need to look at are some other areas as well (below)


1. How are your FW rules configured (specifically the ones relating to your SMTP connection issue).  Look at the GW they have been assigned. If you have other connections that work from site A to site B back to site A, look at what settings they have and try to match as a test.

2. What GW is port forward set to (should match the one in the FW rules)? 
3. What NAT port forward, 1:1, Outbound rules have you configured if any, and what is the GW set (again, should match the one in the FW rules)?

4. Note: As you stated "Site A has a IPSec VPN to Site B", I think this is the most important area for your issue; use tcpdump or wireshark to see what exactly is happening.  The webgui is not the best source and will not display everything.
If you are using policy-based routing IPsec, make sure you can identify where the packets are going.  PBR can send your packets to another interface and does not follow the FW rules you have put in place creating this problem. 

If you are using Route-Based Routing, the first 3 I listed will play a larger role in your troubleshooting.


128
21.1 Legacy Series / Firewall: Log Files: Live View Filters - Not filtering as set
« on: February 16, 2021, 08:38:32 pm »
On the Firewall: Log Files: Live View page, has anyone run into an issue where the filtering ignores the set filters you have placed?

I am running into the issue where setting the following ignores the filters with the "or" checked and the records are not related to the filter.

destination port contains 3129
destination port contains 443
destination ip does not contain 127.0.0.1

Also noticed when using "or" by itself (with no other filters used) nothing is showing in the log.

Tested with the following:
destination port contains 443
destination does not equal 127.0.0.1
     webpage performance slows significantly.

DP contains 443
D not contains 127.0.0.1
OR checked
     webpage performance is normal
     shows blocked IPv6, igmp, 53, 60000, other various ports and Anti-lockout rule.
     shows allow 53, 123,  and others.


129
21.1 Legacy Series / Re: Port Forwarding Across VPN
« on: February 10, 2021, 12:20:14 am »
An easy thing to do is use Interfaces: Diagnostics: Port Probe.  You can try with both firewalls and the interfaces on each firewall.

Also, your explanation is convoluted.  Can you use site A ..... , site B.....

130
21.1 Legacy Series / Re: Multiple 1:1-NAT with multiple DHCP
« on: February 10, 2021, 12:14:15 am »
First off, I would pull the NIC plug on those synologys.  That configuration is asking for someone to breach your network quickly. 

Do you have multiple IP addresses from your ISP?  I'm guessing not; assuming I am correct, what you are trying to do is not intended for what you're thinking.  I would recommend reading on basic networking, specifically 1:1 NAT and port forward, and VPN.
https://docs.opnsense.org/manual/nat.html
https://docs.opnsense.org/manual/vpnet.html

The FW protects your assets.  What you are configuring is exactly the opposite of this. 

131
21.1 Legacy Series / Re: Default deny rule change
« on: February 10, 2021, 12:01:38 am »
Can you post your rule(s)?  One thing I ran into is specifying the Source OS. 

Also, where are you allowing your LAN traffic to go?  Do you have rule(s) on that interface?  Have you checked the direction of your rules? Need more background info.

132
21.1 Legacy Series / Missing buttons on Service web page
« on: February 09, 2021, 11:58:17 pm »
Looking at DNSCrypt (Services: DNSCrypt-Proxy: Configuration) and Wireguard (VPN: WireGuard), the buttons for status (green with white arrow / red with white box), restart, and stop are missing.

C-icap and ClamAV have the status, but are missing the restart and stop.

Does anyone else have this issue?  Is this a bug?

133
General Discussion / [Solved] How can a url be blocked? Not block a domain, subdomain, DNS - a URL
« on: February 07, 2021, 04:17:18 am »
I am trying to find a way to specifically block URLs.  The forum has various ways to block by IP, DNS, list, etc.  But I am looking for a way to block a URL. 

Why?  I want to have access to the domain, and most of the content on that site.  However, I don't want certain content from specific directories / files from that domain/site.

Example:  My browser is on https://www.instructables.com but I also want to block https://www.instructables.com/assets/img/pixel.png

This is just 1 example, there are different domains, file types, and names I will be adding. 

How can this be set up without having to use scripts (modifying through console), external downloads, just using the existing tools / functionality through the GUI?

Thank you

134
General Discussion / [Solved] Re: Monit HTTPD encryption https not working and other issues
« on: February 07, 2021, 03:36:20 am »
Thank you everyone.

135
Web Proxy Filtering and Caching / Re: Block traffic to unresolved IP / Non-sni or "naked" IPv4 address
« on: February 07, 2021, 03:32:44 am »
Anyone have info on this?
