crowdsec - only show logs from the internal nic

Started by sp33dy, December 04, 2023, 11:03:31 AM

December 04, 2023, 11:03:31 AM Last Edit: December 04, 2023, 11:33:28 AM by sp33dy
If I enable the setting "Enable log for rules", I get log entries on both WAN and LAN, no matter whether the rule even exists on the WAN interface.

I have a "block" rule on the LAN port for dst: crowdsec, but I don't want it filled with crowdsec hits from WAN.

Is it possible to not have hits on WAN and only have hits originating from LAN?
Qotom i7-7500u 16gb 128ssd

December 31, 2023, 12:38:06 PM #1 Last Edit: December 31, 2023, 12:43:06 PM by iMx
Just started having a play with this myself...

Maybe if you leave 'Enable log for rules' disabled, then enable regular logging on your dst drop rule?

The default rules match IN on any interface, with a source of crowdsec_blacklists:

pfctl -s rules | grep crowd
block drop in quick inet from <crowdsec_blacklists> to any label "6fc904ee8f33bb90e1c73147d55cd852"
block drop in quick inet6 from <crowdsec6_blacklists> to any label "7de971956cb806447b5f10bdb3d4d9bb"


Perhaps this is a good case for a floating rule, with a dst of crowdsec_blacklists - if you want to make sure your devices behind OPNsense are not trying to 'talk' to the crowdsec_blacklists IPs.

Instead of all this messing about, why not just leave 'Enable log for rules' enabled and create a template with "Label contains Crowdsec" and "Interface is not WAN" and save it in the live view?
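The same "CrowdSec label, but not on WAN" selection that the live-view template above performs can be reproduced offline against exported filterlog records, which is handy when the live view is not enough (for example when grepping /var/log/filter on the box or a copy shipped to a syslog server). The script below is an added example, not code from the thread or from the OPNsense/CrowdSec plugin. It assumes the usual OPNsense filterlog CSV layout, where field 4 is the pf rule label and field 5 is the interface, and it takes the two rule labels from the pfctl output quoted in the earlier reply; the interface names (igb0 = WAN, igb1 = LAN) and the log lines themselves are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): keep only filterlog hits on the
# CrowdSec rules that did NOT arrive on the WAN interface.
#
# Assumed filterlog CSV record layout (fields after the syslog prefix):
#   1 rulenr, 2 subrulenr, 3 anchor, 4 label, 5 interface, 6 reason,
#   7 action, 8 direction, 9 ipversion, 10.. protocol/address details
# Only fields 4 and 5 are relied upon. A leading "date host filterlog[pid]: "
# syslog prefix contains no comma, so it merges into field 1 and does not
# shift the label/interface fields.

# The two labels quoted from `pfctl -s rules | grep crowd` in the thread.
CROWDSEC_LABELS="6fc904ee8f33bb90e1c73147d55cd852 7de971956cb806447b5f10bdb3d4d9bb"

# Assumed interface name of the WAN side (igb0 here; adjust to your box).
WAN_IF="igb0"

# Constructed sample records: one CrowdSec v4 hit coming in on WAN, one
# CrowdSec v4 hit and one v6 hit coming in on LAN, and one unrelated pass.
SAMPLE_LOG='71,,,6fc904ee8f33bb90e1c73147d55cd852,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.2,54321,443,0,S
71,,,6fc904ee8f33bb90e1c73147d55cd852,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51000,443,0,S
72,,,7de971956cb806447b5f10bdb3d4d9bb,igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::20,2001:db8:dead::1,51001,443,0,S
12,,,abcdef0123456789abcdef0123456789,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.1.20,192.168.1.1,5353,53,56'

# Read filterlog records on stdin; print those whose label belongs to a
# CrowdSec rule and whose interface is not WAN. Everything else is dropped.
crowdsec_non_wan_hits() {
    awk -F, -v labels="$CROWDSEC_LABELS" -v wan="$WAN_IF" '
        BEGIN {
            n = split(labels, l, " ")
            for (i = 1; i <= n; i++) want[l[i]] = 1
        }
        ($4 in want) && $5 != wan { print }
    '
}

# Count the matching records in the constructed sample (self-check helper).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | crowdsec_non_wan_hits | wc -l | tr -d ' '
}

# List the distinct interfaces that remain after filtering the sample.
sample_hit_interfaces() {
    printf '%s\n' "$SAMPLE_LOG" | crowdsec_non_wan_hits | awk -F, '{ print $5 }' | sort -u
}

# Typical use on the firewall itself:
#   cat /var/log/filter/latest.log | crowdsec_non_wan_hits
```

The awk filter does exactly what the live-view template does: match on the rule label, then exclude the WAN interface. Because the CrowdSec rules match IN on every interface, filtering on interface rather than on the rule is the only way to separate LAN-originated hits from the WAN noise.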