Firewall appears to enforce 'default rules' or 'Crowdsec' rule inconsistently

Started by jonny5, February 14, 2025, 03:59:26 AM

TLDR;
The issue is it appears at least the CrowdSec rule matches inconsistently, and I must admit, I wonder if other rules do too, or if this is due to alias <-> rule update sync/propagation, or some other elements of the pf/OPNSense management feature set?

The Long;
After 25.1, I noticed some oddity with the CrowdSec firewall rule entries and if they got matches or not

So I created two aliases, threatIPv4=CrowdSecIPv4+SpamhausIPv4 and threatIPv6=CrowdSecIPv6+SpamhausIPv6

Then I created two rules in Floating applied to both WAN and LAN that would match IPv4+IPv6 and In, one "Source Threatlist Block Inbound" for Source=threatIPv4+threatIPv6, the second "Destination Threatlist Block Outbound" for Destination=threatIPv4+threatIPv6

See the Floating Rules Screenshot_2025-02-13_20-42-38.png

What has happened since 25.1.1 is I am seeing blocks on the default "CrowdSec IPv4" list again, but I am seeing my added "Source Threatlist Block Inbound" as well, but not as many. Not sure if I have seen a default IPv6 show up in the Dashboard dial

See the Dashboard Firewall Screenshot_2025-02-13_20-41-03.png

In full transparency, I am logging this stuff to a data-lake, but the parsing of the hex rule eludes me and getting the matching rule text and applying it further eludes me. That said, our refreshed Dashboard is my source of detail and IMHO, appears correct and is currently my primary indicator of which rule is hitting

Quote from: jonny5 on February 14, 2025, 03:59:26 AM [...]
What has happened since 25.1.1 is I am seeing blocks on the default "CrowdSec IPv4" list again, but I am seeing my added "Source Threatlist Block Inbound" as well, but not as many. [...]

The two rules seem to have different address sets. To confirm rule bypass you could check the logs for your "Threatlist" rule hits where the address falls within the Crowdsec rule(s). Doing this manually could be a bit tedious.
But of course using rules on a firewall to check for rule bypass on the same firewall seems... unreliable.
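The cross-check suggested in the reply (find "Threatlist" hits whose source address also sits inside the CrowdSec alias) can be automated instead of done by hand. The script below is an added example, not code from the thread or from OPNsense. It assumes a deliberately simplified, constructed log format (rule id, interface, action, direction, IP version, source, destination) rather than the real filterlog line layout, and a constructed mapping from hex rule ids to rule descriptions; the alias contents are constructed documentation-range addresses standing in for the CrowdSec and Spamhaus lists.

```python
"""Cross-check alias-based firewall rule hits against alias membership.

Added example (not from the forum thread or OPNsense). The log format,
rule-id mapping and alias contents below are all constructed.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed alias contents, stand-ins for the CrowdSec / Spamhaus lists.
CROWDSEC_IPV4 = ["203.0.113.0/24", "198.51.100.7"]
CROWDSEC_IPV6 = ["2001:db8:bad::/48"]
SPAMHAUS_IPV4 = ["192.0.2.0/24"]
THREAT_IPV4 = CROWDSEC_IPV4 + SPAMHAUS_IPV4   # the combined "threatIPv4" alias

# Constructed mapping from the hex rule id seen in the log to the rule label.
RULE_NAMES = {
    "aaaa1111": "CrowdSec IPv4",
    "cccc3333": "CrowdSec IPv6",
    "bbbb2222": "Source Threatlist Block Inbound",
}

# Constructed, simplified log lines:
# rule_id,interface,action,direction,ip_version,source,destination
SAMPLE_LOG = """\
aaaa1111,vtnet0,block,in,4,203.0.113.45,10.0.0.5
bbbb2222,vtnet0,block,in,4,203.0.113.46,10.0.0.5
bbbb2222,vtnet0,block,in,4,192.0.2.9,10.0.0.5
aaaa1111,vtnet0,block,in,4,198.51.100.7,10.0.0.5
bbbb2222,vtnet0,block,in,4,198.51.100.7,10.0.0.5
bbbb2222,vtnet0,block,in,6,2001:db8:bad::1,2001:db8:1::5
garbage line that should be skipped
"""


def build_networks(entries):
    """Turn alias entries (hosts or CIDRs) into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_alias(addr, networks):
    """True if addr falls inside any network of the alias (same IP version)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def parse_log(text):
    """Parse the simplified log; malformed lines are skipped, not fatal."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 7:
            continue
        rid, iface, action, direction, ipver, src, dst = fields
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        rows.append({
            "rid": rid, "iface": iface, "action": action, "dir": direction,
            "ipver": ipver, "src": src, "dst": dst,
            "rule": RULE_NAMES.get(rid, f"unknown:{rid}"),
        })
    return rows


def hits_per_rule(text):
    """Block count per rule label, the same view the dashboard dial gives."""
    return Counter(r["rule"] for r in parse_log(text))


def find_overlaps(text, rule_label, alias_entries):
    """Hits attributed to rule_label whose source is inside alias_entries.

    A non-empty result means a packet was blocked by rule_label even though
    its source is also covered by the other alias, which is the evidence the
    reply suggests collecting before concluding a rule is being bypassed.
    """
    nets = build_networks(alias_entries)
    return [r for r in parse_log(text)
            if r["rule"] == rule_label and in_alias(r["src"], nets)]


if __name__ == "__main__":
    for rule, count in hits_per_rule(SAMPLE_LOG).items():
        print(f"{count:4d}  {rule}")
    overlaps = find_overlaps(SAMPLE_LOG, "Source Threatlist Block Inbound",
                             CROWDSEC_IPV4 + CROWDSEC_IPV6)
    for r in overlaps:
        print(f"Threatlist hit from {r['src']} is also covered by a CrowdSec alias")
```

On real data the log parser would need to follow the actual filterlog field layout and the alias contents would be pulled from the firewall, but the overlap check itself stays the same: any hit on the later rule from an address the earlier rule's alias already covers is worth explaining, whether by alias refresh timing or rule evaluation order.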