OPNsense Forum » Archive » 17.7 Legacy Series
Topic: Create rule to allow network scans (Read 20864 times)
nicovell3 (Newbie, Posts: 12, Karma: 0)
Create rule to allow network scans, on April 12, 2018, 09:08:22 am
Hello,
I'm trying to set up a new rule at my firewall so it'll allow a specific host to scan all ports of another net.
The only problem I have is that, when the rule is already set and I launch an nmap like this:
nmap -Pn -sS -p- -T5 192.168.20.0/24
then the OPNsense state table collapses: I've set a max size of 815000, but if I launch three concurrent scans, it gets full. So what I want is to make a rule which allows the traffic to pass and prevents the firewall from storing every connection in the state table. I think I don't need those connections to be stored in the state table, as I don't need the firewall to perform NAT; the scans will only occur on internal networks.
I've tried different settings when creating a floating quick rule which applies to my "monitoring" interface:
State Type as none
State Type / NO pfsync activated
TCP flags with "Any flags." checked
No matter what I set, the state table keeps getting full with the scans. How can I allow network scans without disabling my firewall?
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Create rule to allow network scans, Reply #1 on April 12, 2018, 12:33:03 pm
In theory there are three fixes: disable state tracking, use a full connect scan and run nmap directly on OPNsense.
nicovell3 (Newbie, Posts: 12, Karma: 0)
Re: Create rule to allow network scans, Reply #2 on April 12, 2018, 01:10:41 pm
Hello fabian, thanks for your reply,
When you say "disable state tracking", are you talking about the entire firewall? How can that be done and which implications would that have?
Thanks for your help.
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Create rule to allow network scans, Reply #3 on April 12, 2018, 01:23:13 pm
No, just the pass rule that allows the scan (and a reverse rule of course).
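What fabian's "stateless pass rule plus a reverse rule" looks like at the pf level, as an added example that is not part of the thread and not OPNsense-generated configuration. It assumes the scanner is a single host on a "monitoring" interface and the scanned network 192.168.20.0/24 (from the question) sits behind a LAN interface; the interface names and the scanner address are placeholders.

```pf
# Added example, not from the thread. Placeholders: adjust to your setup.
scanner = "192.0.2.10"           # placeholder: the host allowed to scan
mon_if  = "em1"                  # placeholder: interface facing the scanner
lan_if  = "em2"                  # placeholder: interface facing the target net
target  = "192.168.20.0/24"      # the net being scanned (from the question)

# Forward direction: probes from the scanner to every port of the target net.
# "no state" makes pf forward the packet without creating a state-table
# entry, so the scan cannot grow the table. "flags any" is needed because
# pf applies "flags S/SA" by default to TCP pass rules, and the scanner's
# RST replies to SYN/ACKs would otherwise not match this rule.
pass in  quick on $mon_if proto tcp from $scanner to $target flags any no state
pass out quick on $lan_if proto tcp from $scanner to $target flags any no state

# Reverse direction (fabian's "reverse rule"): with no state to match the
# replies (SYN/ACK, RST/ACK) against, they need their own stateless rule,
# again with "flags any" so non-SYN segments are accepted.
pass in  quick on $lan_if proto tcp from $target to $scanner flags any no state
pass out quick on $mon_if proto tcp from $target to $scanner flags any no state
```

Two things to check after loading such rules: they must be evaluated before any stateful rule that also matches this traffic, otherwise that rule still creates states and the table fills as before; and "pfctl -si" (the "current entries" counter) during a scan confirms whether the table is actually growing. Stateless rules also forfeit pf's sequence-number checking for that traffic, so keep the source restricted to the one scanner host.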
nicovell3 (Newbie, Posts: 12, Karma: 0)
Re: Create rule to allow network scans, Reply #4 on April 12, 2018, 01:39:30 pm
And how can I disable state tracking for those two specific rules? I tried setting those rules with the field "State Type" set to "none", but the state table keeps getting full.