IDS block time

xinnan:
IDS has two modes on pfSense: legacy and inline.
Legacy blocks an IP for a specified period of time if any rule is triggered.
Inline blocks each offense as it occurs without considering the IP unless the IP itself is the trigger... 

Legacy blocks by IP.
Inline drops by offended rule.

Blocking by IP is not optimal.

dcol:
That leads me back to the original question. What is that specified period of time, and is it adjustable?

xinnan:
Inline? On OPNsense or pfSense?
Either way, there is no time since no IP is placed on a block.

Each packet/connection is evaluated each time to see if it violates a rule. If so, it alerts or drops.

If you are in inline mode on pfSense and have a time set, that setting isn't doing anything.

dcol:
Not inline. Right now inline/IPS does not work for me. The link keeps going down when IPS is on the WAN.

My question is for legacy mode in OPNsense.

xinnan:
In that case the block is per IP. Yes. It would have to be.

Not sure about setting times. I need another day or so to dig into the feature in OPNsense.
