block incoming wan on dest IP and allow domain names

[securid]

I have a fixed external IP, I own a domain name and I have setup several services I run from home, almost all of them behind an nginx reverse proxy with SNI setup based on sub domains.

My current port forwarding rules are set to destination WAN address, port 80/443 with a forward to nginx.

It gets hammered, obviously and nginx stops it, so no real issues. I could possibly setup fail2ban as well but I was wondering if I could setup opnsense to stop direct hits on IP address only? Same way nginx identifies fqdn's via SNI could opnsense possibly do the same and stop it if the destination domain is not allowed?

Thanks!

[Patrick M. Hausen]

It could if you run something that understands SNI on OPNsense - like NginX 

A firewall generally does not see application level information, only packets, IP addresses, port numbers. You can push the application filtering one step "outward" by implementing that on the firewall. NginX as well as HAproxy could do that.

I have not tried Zenarmor or Suricata for anything like this, so others might want to add some information on the question if IDS/IPS could do that, too. I prefer simple and straightforward setups.

[securid]

Thanks, yes simple and straightforward is the way to go  .

IPS / IDS is too complicated and way too much for my needs.
Zenarmor with its cloud based service based in the US is a no-go for me .

I cant / don't want to move my nginx, its running in a container with Acme scripts to provide automatic certificate generation and renewals.

I was hoping it could be as simple as creating an alias with hostnames and providing that to the NAT rule but alas, that didn't work.

Perhaps running nginx or haproxy specifically for this purpose in front of my internal nginx could work? Any thoughts on that?

[Patrick M. Hausen]

It still would need to do the SSL termination. But there is an ACME plugin in OPNsense so all of this can be put on your firewall instead of an internal system.

Theoretically one could just do SNI and then TCP relaying and leave SSL to your NginX. But there is no SNIproxy plugin for OPNsense yet, as far as I know.

https://github.com/dlundquist/sniproxy

FreeBSD package is available so you might want to try manual (CLI) installation.

https://www.freshports.org/net/sniproxy/

HTH,
Patrick

[securid]

Thanks!

I will look into sniproxy, see if its worth setting up.

I am using the acme plugin on opnsense, but only for opnsense itself. I could indeed move it all there, but it would require manual setup for each domain/service I setup with custom scripts to distribute certs (we wanted to keep it simple and straightforward right ). The container I am running is fully automated; I spin up a new app inside a container and it automatically gets setup. (Its jwilder/nginx-proxy with acme-companion, in case you're wondering).

Anyway, sniproxy . I'll look into it .

Thanks!

[cookiemonster]

You said that don't want to do IDS/IPS but Crowdsec might be of interest.
I've tested it and left it on. It's not resource-intensive. I set it up following their multi-server tutorial but in reverse. The main component is on OPN and it monitors a service in the LAN where I am forwarding a port, so it had only fail2ban protecting it.
Suricata also runs on the OPN WAN and it does catch some naughty scans.

[asimmian]

I have the same setup [ACME, NGINX (3 sub domains) and I use the combination of Geo-Blocking (block all countries you dont want your domains to be accessed, does filter 70-80% of traffic) and Suricata.

You will still get some hits and thats something NGINX BANNED comes handy.