CrowdSec - Automatically created $crowdsec_blacklists floating rules

Started by youngman, January 02, 2023, 08:20:50 AM

G'day All,

Reading here https://homenetworkguy.com/how-to/install-and-configure-crowdsec-on-opnsense/ that "CrowdSec automatically creates floating rules to block all incoming IPv4/IPv6 malicious IP addresses". I can confirm that there are in fact two new floating rules... one for IPv4, the other for IPv6.

Any idea what interfaces these are applied to? Is it just "IN" on WAN or perhaps all non-LAN interfaces? (Specifically interested in CrowdSec here but in general is there a command I could use to review/verify other automatically generated rules as well?)

For the moment, I have created additional floating rules to cover my other external-facing interfaces... but it would be nice to know whether they are actually necessary.

Thanks in advance!


Ok... so the following command appears to list what I need. The first two lines are the automatically generated rules, the second two are my IPv4 interface-specific ones.

Does the lack of a specified interface on the automatically generated rules indicate 'any/all'? How should I be interpreting this output difference?

root@opnsense:~ # pfctl -sa | grep crowdsec
block drop in quick inet from <crowdsec_blacklists> to any label "xxxxxxxxxxxxxxxx"
block drop in quick inet6 from <crowdsec6_blacklists> to any label "yyyyyyyyyyyyy"
block drop in quick on ovpnc1 reply-to (ovpnc1 xx.xx.xx.x) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"
block drop in quick on vmx2 reply-to (vmx2 xx.xxx.xxx.xxx) inet from <crowdsec_blacklists> to any label "zzzzzzzzzzzzzzzzz"
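
An added example, not part of the original post or of CrowdSec/OPNsense: a small shell filter that reads rule lines in the format printed above and reports the interface scope of every rule that references a CrowdSec table. In pf, a rule with no "on <interface>" clause is evaluated on every interface. The function names, the sample address 192.0.2.1 and the sample labels are constructed for illustration.

```shell
#!/bin/sh
# Summarise which interface each pf rule that references a CrowdSec table binds to.
# A pf rule without an "on <interface>" clause applies to all interfaces.

crowdsec_rule_scope() {
    # stdin:  rule lines as printed by `pfctl -sr`
    # stdout: one line per matching rule: <interface> <direction> <family> <table>
    awk '
    /<crowdsec6?_blacklists>/ {
        iface = "all-interfaces"; dir = "both"; af = "any"; tbl = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "label") break              # ignore the free-text label
            if ($i == "in" || $i == "out") dir = $i
            if ($i == "inet" || $i == "inet6") af = $i
            if ($i == "on" && i < NF) {
                iface = $(i + 1)
                # negated interface, e.g. "on ! em0"
                if (iface == "!" && i + 1 < NF) iface = "!" $(i + 2)
            }
            if ($i ~ /^<crowdsec6?_blacklists>$/) tbl = substr($i, 2, length($i) - 2)
        }
        print iface, dir, af, tbl
    }'
}

# Constructed sample in the shape of the output above (address and labels are made up).
sample_rules() {
    cat <<'EOF'
block drop in quick inet from <crowdsec_blacklists> to any label "constructed-label-1"
block drop in quick inet6 from <crowdsec6_blacklists> to any label "constructed-label-2"
block drop in quick on ovpnc1 reply-to (ovpnc1 192.0.2.1) inet from <crowdsec_blacklists> to any label "constructed-label-3"
pass in quick on vmx0 inet proto tcp from any to any port = 443 label "constructed-label-4"
EOF
}

# On the firewall itself: pfctl -sr | crowdsec_rule_scope
sample_rules | crowdsec_rule_scope
```

Rules reported as "all-interfaces" already cover inbound traffic on every interface, so an interface-specific copy of the same block rule only matters if it sits earlier in the ruleset than a pass rule that would otherwise match first.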