error reconfiguring IDS => error installing ids rules [SOLVED] => Full re-install

Started by MarieSophieSG, October 12, 2024, 07:57:00 PM

Hello,
While doing trial & error, I've checked and unchecked the IDS/IPS several times (to see if it was the cause of my access problems).

As I was wanting to re-enable it, I now have this error message:
error reconfiguring IDS => error installing ids rules (Error (1))

Did any of you come across this, or am I the queen of breaking things? (Not the first time I've been called so)

And most importantly, how do I solve this? Will I need to do a complete re-install again?
Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p

I did a "reinstall" for Suricata in "System/Firmware/Packages" but I still have the error messages.

I found this on the Internet:

  1) Disable IDS/IPS: Go to Services > IDS/IPS and toggle the switch to disable the module.
  2) Delete IDS/IPS configuration files: Manually delete the /usr/local/etc/opnsense/ids and /usr/local/etc/opnsense/ips directories. This will remove all custom configurations and rules.
  3) Reinstall IDS/IPS package: Go to Packages > Firewall > IDS/IPS and reinstall the package. This will restore the default configuration.
  4) Reset to factory defaults: If you want to start from a completely clean slate, you can reset the entire OPNsense configuration to factory defaults using the Initial Installation & Configuration menu (accessible via SSH or web interface). Follow the prompts to confirm the reset.
  5) Reconfigure IDS/IPS: After the reset, reconfigure the IDS/IPS module as needed, including setting interfaces, rules, and policies.

Found 5 iterations of IDS/ids:
/usr/local/opnsense/service/template/OPNsense/IDS
/usr/local/opnsense/mvc/app/views/OPNsense/IDS
/usr/local/opnsense/mvc/app/models/OPNsense/IDS
/usr/local/opnsense/mvc/app/controllers/OPNsense/IDS
/usr/local/lib/perl5/5.36/inicore/lib/OPNsense/IDS

Couldn't locate any IPS/ips

Which one do I delete? Not all of them, I guess...
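Added note and example from the editor, not from any poster in this thread and not OPNsense project code. Two things a practitioner would check before following the recipe above: first, the directories the OP found under /usr/local/opnsense/mvc and /usr/local/opnsense/service are OPNsense's own application code (controllers, models, views and config templates), not IDS state; deleting them breaks the GUI and resets nothing. The IDS settings themselves are stored in /conf/config.xml, and the downloaded/installed rules under /usr/local/etc/suricata (assumed path, from memory of OPNsense 24.x). Second, the "(Error (1))" in the GUI message looks like configd's summary of a failing script, so the GUI never shows the actual reason. The script below re-runs the same actions from an SSH shell so the script's own output is visible. It assumes the `configctl ids update`, `configctl ids install` and `configctl ids status` actions and the suricata.yaml/rules paths named in its comments; none of these are confirmed by the thread.

```shell
#!/bin/sh
# Added example for this thread, not OPNsense project code.
# Re-runs the steps behind the GUI "reconfigure IDS" button from an SSH
# shell on the firewall so the rule-install script's own output is
# visible instead of the bare "Error (1)" the GUI reports.
#
# Assumptions (from memory of OPNsense 24.x, not confirmed by the thread):
#  - configd exposes the Suricata actions as `configctl ids update`,
#    `configctl ids install` and `configctl ids status`
#  - the generated Suricata config is /usr/local/etc/suricata/suricata.yaml
#    and installed rule files land in /usr/local/etc/suricata/rules

SURICATA_YAML="/usr/local/etc/suricata/suricata.yaml"   # assumed path
RULE_DIR="/usr/local/etc/suricata/rules"                # assumed path

# configd answers a successful action with the literal string "OK".
# Returns 0 when the (whitespace-trimmed) reply is exactly "OK".
configd_ok() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "OK" ]
}

# Run one configd action, echo its reply, return 1 if it was not "OK".
run_step() {
    action="$1"
    echo "== configctl $action"
    # word-splitting of $action ("ids update") is intended here
    out="$(configctl $action 2>&1)"
    echo "$out"
    if ! configd_ok "$out"; then
        echo "!! 'configctl $action' did not return OK; the reply above is the real error" >&2
        return 1
    fi
    return 0
}

# The GUI's "reconfigure" does roughly: download rules, install rules,
# restart Suricata. Stop at the first failing step so the cause is obvious.
diagnose_ids() {
    run_step "ids update"  || return 1   # needs working WAN + DNS
    run_step "ids install" || return 1   # the step behind "error installing ids rules"
    echo "== installed rule files in $RULE_DIR:"
    ls -l "$RULE_DIR"/*.rules 2>/dev/null || echo "(none found)"
    echo "== Suricata config + rule parse test (last 20 lines):"
    suricata -T -c "$SURICATA_YAML" -v 2>&1 | tail -n 20
    echo "== service status:"
    configctl ids status
}

# Live diagnostics only run when explicitly requested on the firewall,
# so the file can be sourced or syntax-checked elsewhere without side effects.
if [ "${RUN_IDS_DIAG:-0}" = "1" ]; then
    diagnose_ids
fi
```

Run it on the firewall as `RUN_IDS_DIAG=1 sh ids-diag.sh`. If the `ids install` step is the one that fails, the text it prints is what the GUI collapses into "Error (1)" and is usually enough to tell a rules download problem (no WAN/DNS) from a broken rule set or a full disk, which is a far smaller change than a factory reset or deleting application directories.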

Aren't you still trying to get basic routing and firewall working? Then why are you messing with the IDS? How shall anyone on this forum aid you in debugging your NAS access problem when you throw an IDS in the mix?

A couple of days ago I asked you to - reinstalling seems to be a hobby of yours, anyway - take a fresh installation and

- configure your three interfaces
- configure DHCP on all three
- duplicate and adapt the default "allow" rule on "LAN" for all your interfaces

then report back about the reachability of your various networks.

At which point did I mention IDS or ClamAV?

If you still want help, do the above and DON'T INSTALL OR TOUCH ANYTHING ELSE FOR CRYING OUT LOUD!

Otherwise I'm out. Sorry, it's impossible to assist you.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 13, 2024, 08:01:44 PM
Aren't you still trying to get basic routing and firewall working? Then why are you messing with the IDS? How shall anyone on this forum aid you in debugging your NAS access problem when you throw an IDS in the mix?
Because my system is online, and so when I'm on the forum doing tests, I switch IDS off, and when I'm not, I switch it back on.

Quote from: Patrick M. Hausen on October 13, 2024, 08:01:44 PM
A couple of days ago I asked you to - reinstalling seems to be a hobby of yours, anyway - take a fresh installation and

- configure your three interfaces
- configure DHCP on all three
- duplicate and adapt the default "allow" rule on "LAN" for all your interfaces

then report back about the reachability of your various networks.
Although I didn't see you asking, I did a fresh complete reinstall and reported (in the right thread) that I still don't have LAN-LAN access: https://forum.opnsense.org/index.php?topic=43205.45

Quote from: Patrick M. Hausen on October 13, 2024, 08:01:44 PM
At which point did I mention IDS or ClamAV?

If you still want help, do the above and DON'T INSTALL OR TOUCH ANYTHING ELSE FOR CRYING OUT LOUD!

Otherwise I'm out. Sorry, it's impossible to assist you.
These were set way before, and while doing the re-install I saw that ClamAV was still present even though disabled through the GUI.
Now that I'm running a fresh one, ClamAV, c-icap, antimalware and such are not installed.

Quote
Because my system is online, and so when I'm on the forum doing tests, I switch IDS off, and when I'm not, I switch it back on
Why? What do you think disabling IDS when you're on the forum and "doing tests" and switching it back on after will provide? Then you are doing "tests" that are void to a large extent, because those tests will not be operating on the same environment setup.
Like testing antivirus behaviour when all machines are off.

Honestly it looks like you're trying to enable any and every possible capability on OPN before you have your basics understood and working correctly. Let's go back to the right thread with those basics and don't throw any more spanners in. No "trunking" as you were calling it, no services IDS, IPS, ClamAV, no VPNs, nothing other than a routing appliance. Please.

Quote from: cookiemonster on October 14, 2024, 10:56:46 AM
Quote
Because my system is online, and so when I'm on the forum doing tests, I switch IDS off, and when I'm not, I switch it back on
Why? What do you think disabling IDS when you're on the forum and "doing tests" and switching it back on after will provide?
Because that's part of the overall protection I switched to OPNsense for.
I think disabling IDS when I'm on the forum doing tests will remove this part from the equation, so if it works (it doesn't so far) then that means IDS is the reason/problem... and switching it back on when I'm not in front of the computer brings back the protection (i.e. overnight).

Quote from: cookiemonster on October 14, 2024, 10:56:46 AM
Then you are doing "tests" that are void to a large extent, because those tests will not be operating on the same environment setup.
Like testing antivirus behaviour when all machines are off.
That would be the second part of the tests: once we obtain an acceptable result with IDS off, the next step would be trying with IDS on and removing/adding rules one by one to see exactly which one is causing the problem.

Quote from: cookiemonster on October 14, 2024, 10:56:46 AM
Honestly it looks like you're trying to enable any and every possible capability on OPN before you have your basics understood and working correctly. Let's go back to the right thread with those basics and don't throw any more spanners in. No "trunking" as you were calling it, no services IDS, IPS, ClamAV, no VPNs, nothing other than a routing appliance. Please.
Yes, I did install a bunch (definitely not "any and every"), as I was trying on my own to find a solution, but there are way too many possibilities, and thanks to this forum and its explanations, I now know that ClamAV, antimalware, etc. are not useful to my setup anyway, so they were not reinstalled after the last re-install.

But the current problem I have with IDS, subject of this thread, is not a problem with my setup, it's an internal problem and I would like to clear it out so I can go back and resume working on the other problems, please.

BTW: I specifically tag [NOOB] those questions I ask about what seems to be basic set-up so it's easy to retrieve for anyone else in my situation, while problems that are more due to the system itself (like this one here) are not tagged as such.
In my mind, those [NOOB] questions are not only for me; they are like a list of usual questions inexperienced persons would ask, making it easy for this forum (since there is no NOOB section) to relate and follow, hence me asking for details or writing solution details.

A basic setup consists of internal interfaces, DHCP service, Unbound running, allow all outbound and nothing else.

It's very counter productive to enable or tinker with anything else before all of this is working perfectly. E.g. access to your NAS systems across VLANs etc.

And it's in no way less secure than any consumer NAT router/firewall, so you are perfectly fine with a setup like this.

Quote from: Patrick M. Hausen on October 14, 2024, 02:52:44 PM
A basic setup consists of internal interfaces, DHCP service, Unbound running, allow all outbound and nothing else.

It's very counter productive to enable or tinker with anything else before all of this is working perfectly. E.g. access to your NAS systems across VLANs etc.
I didn't know until I knew, as I don't access all and everything at once.
The overall setup was working, so I explored to make full use of it, and that's when I decided to try other things, like the NAS or some Android apps... seeing it didn't work, I simply reverted and disabled those extra settings... but apparently it's not as it looks; the simple "disable" switch doesn't disable it.
Let's say it's part of the learning curve: not to trust what seems to be working to be working for everything.

Quote from: Patrick M. Hausen on October 14, 2024, 02:52:44 PM
And it's in no way less secure than any consumer NAT router/firewall, so you are perfectly fine with a setup like this.
Thank you, now that you mention it, I recognize that the 22 automatic rules must be at least as "secured" as my previous consumer FW/router, thank you for pointing that out :)