Messages

76

20.7 Legacy Series / Re: Hyperscan and IPS Policy

« on: May 11, 2020, 12:52:09 pm »

Okay thank you!

How I can install ports on OPNSense? or get postsnap?

Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===>  hyperscan-5.2.1 pkg( must be version 1.13.0 or greater, but you have

Did I miss something?

nvm, found it: https://docs.opnsense.org/manual/software_included.html

77

20.7 Legacy Series / Re: Hyperscan and IPS Policy

« on: May 10, 2020, 03:14:43 pm »

Created a patch myself and wrote/sent the maintainer on FreeBSD Ports.

Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf

 @franco
Do you compile releases with "core2" or "native" cflags? Which cpu you use on the build machine?

EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?

78

20.7 Legacy Series / Hyperscan and IPS Policy

« on: May 09, 2020, 07:24:34 pm »

Hello there,
first of all thx for all the time you invest in development.

Is it possible to get an upgrade of hyperscan, 4.7.0 is more than 3 years old and hyerscan got some performance improvements over time with currently 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3)which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE' ?

I'm not familar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------

Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default thats activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (beside the rules I've choosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default

TL:DR

• Update Hyperscan to 5.2.1
• Compile Hyperscan to benefit from SSE4 and/or AVX2
• Make use of policys in IDS/IPS Rulesets (balanced, max-detect, etc)

Thanks for reading and your hard work!

79

General Discussion / OPNSense Beginner - Wireguard- Firewall

« on: May 07, 2020, 02:51:13 pm »

Hello,
I've setup my OPNSense switching from UniFi. I've some basic questions.

1. I setup Wireguard via this:
https://wiki.opnsense.org/manual/how-tos/wireguard-client.html
and
https://www.thomas-krenn.com/de/wiki/OPNsense_WireGuard_VPN_für_Road_Warrior_einrichten#Firewall_Regel_f.C3.BCr_WireGuard
this guide.

I partly skipped configuration of Step 2c of the first guide.

Everything is setup and when the Wireguard Interface is not assigned, internal traffic isn't working.
Assigning the Interface allows me internal + external traffic via VPN even without the Firewall NAT Outbound Rule.
What am I doing wrong?

2. I'm using Pi-Hole as DNS. Works like a charm.

However I want to block all other DNS traffic, only pi-hole is allowed to connect to external dns.

- WAN-OUT <Pi-Hole> DST* TCP/UDP 53
- WAN-OUT * DST* TCP/UDP 53

With this rules Pi-Hole is blocked as well, why? Stop on first match is ticked.

Cheers