Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
When the system updates the drop and edrop list from spamhaus ?
« previous
next »
Print
Pages: [
1
]
Author
Topic: When the system updates the drop and edrop list from spamhaus ? (Read 7922 times)
gonzo
Newbie
Posts: 38
Karma: 0
When the system updates the drop and edrop list from spamhaus ?
«
on:
February 13, 2018, 12:52:31 pm »
Hi
I have set up the drop and edrop list from this guide:
https://docs.opnsense.org/manual/how-tos/edrop.html
.
1) When the system updates the drop and edrop list from spamhaus ?
2) which means information "Default deny rule" that appears in the "Label" column in /Firewall -> Log Files -> Live View ?
3) How to create own alias, which content will automatically update at certain times ? ( every 12 hours )
I tried to update the alias content with cron, but it does not work
gonzo
«
Last Edit: February 13, 2018, 01:00:36 pm by gonzo
»
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #1 on:
February 14, 2018, 08:30:36 am »
Hi there,
1) Use "Url Table", not "Url". It will have an expiry setting for days and hours. It is currently enforced every half an hour, but will be bumped to a higher value soon. "Url" without the table imports the data *only once*.
2) It means no other rule could be found to match the traffic so it is blocked by default. It happens with unexpected and unwanted packets, sometimes when TCP streams violate the state tracking (someone may manipulate the stream).
3) See 1.
Cheers,
Franco
Logged
gonzo
Newbie
Posts: 38
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #2 on:
February 14, 2018, 09:47:51 am »
Hi Franco
In You the last hope. I made the alias and the firewall rule exactly as you say.
the IP_ataki list is empty, why ?
gonzo
Logged
arvis
Newbie
Posts: 3
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #3 on:
February 20, 2018, 04:15:39 pm »
Hi Franco,
Could you please also help will "Defaul deny rule" issue with the same server. We have configured OPNSence as transparent bridge. There are "allow all rules" on every interfaces but quite often we can see that "Default deny" is taking action. Why it is even reached at all is we have "Allow all rule"?
I'm attaching a couple examples of blocked packets. Why it happened and what to do fix this issue?
Logged
Oxygen61
Sr. Member
Posts: 350
Karma: 32
Der Weg zum Erfolg hat keine Abkürzung - (Tanaka)
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #4 on:
February 21, 2018, 12:58:45 am »
Hi
I tried to open your ataki List to see if the format fits the Alias Table sheme... and i got this...
>> attachment 1
I don't think the URL is correct.
Besides that i don't think you got the Policy order right, when blocking with Alias Tables.
When using these rules you need to think "egress". Which means that originating local trusted network traffic should not reach one of the IP-addresses inside the Alias Table.
I don't know about your OPT1 interface, but in case it's a local trusted network (for example:192.168.10.0/24)
you would want to change the source to 192.168.10.0/24 and the destination to your Firehol_Level1 Alias. (same for ataki if it works some day
)
When looking at your WAN external Interface you would want to configure a policy, which stops originating traffic from your Firehol_Level1 traffic (Source) to any (*) as destination.
You should also think about lowering the time when these tables get refreshed to 1 hour (in case your CPU is doing a good job).
Best regards,
Oxy
Logged
gonzo
Newbie
Posts: 38
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #5 on:
February 21, 2018, 06:55:27 am »
I just changed the name of the file to a shorter one :
http://ip.jchost03.pl/ip_ataki.txt
Logged
Oxygen61
Sr. Member
Posts: 350
Karma: 32
Der Weg zum Erfolg hat keine Abkürzung - (Tanaka)
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #6 on:
February 28, 2018, 10:05:22 pm »
Looks good. This file should work. Did it work?
Logged
gonzo
Newbie
Posts: 38
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #7 on:
March 01, 2018, 09:48:24 am »
did not work.
In firewall logs, I see only IP blocking according to a rule that I have never defined "Default deny rule".
No one can explain to me what this rule is and when it works.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #8 on:
March 01, 2018, 09:51:09 am »
Default deny is implicit. It matches when no other rule that you defined matches your traffic. This can also happen on state tracking failures.
Cheers,
Franco
Logged
arvis
Newbie
Posts: 3
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #9 on:
March 01, 2018, 10:13:23 am »
I can't understand how can it don't match any rule if we have "allow all" on all interfaces... And if this is state tracking failures why they happens then? Something wrong in our firewall setup?
OK, then which settings should we change on our VPNSence firewall to avoid such cases?
«
Last Edit: March 01, 2018, 10:26:46 am by arvis
»
Logged
Oxygen61
Sr. Member
Posts: 350
Karma: 32
Der Weg zum Erfolg hat keine Abkürzung - (Tanaka)
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #10 on:
March 01, 2018, 11:02:41 pm »
Hi arvis and gonzo,
Like any other firewall, OPNsense aswell matches the first rule, which fits the traffic it receives.
If you have not changed your rule order from your posts before then the configures "allow everything rule" matches AFTER your Alias State block rule. In case your list contains data and the traffic fits the block rule, your allow any rule will not ever match in the first place, because the traffic gets blocked way before this allow rule could ever match the traffic.
You could try to move this rule to the first position to see if there is no other "Basic" misconfiguration besides the firewall rules..
Is the alias working atleast? You can check if your new state table can download all the IP for your Alias:
Firewall: Diagnostics: pfTables
Does your ataki Alias lists or contains any IP's?
By the way did you configure floating rules? It get's more complicated if that is the case.
OPT1 seems to be an external interface aswell? you should rename your Interfaces otherwise noone will know, what this interface is supposed to do.
Besides that it's always helpful to draw or write down your network map somewhere to look at your configuration from another point of view.
Best regards,
Oxy
«
Last Edit: March 01, 2018, 11:04:18 pm by Oxygen61
»
Logged
arvis
Newbie
Posts: 3
Karma: 0
Re: When the system updates the drop and edrop list from spamhaus ?
«
Reply #11 on:
March 02, 2018, 02:03:28 pm »
Hi,
Yes, of course I understand that firewall rules order is important. But if it would match any of Alias State block rules shouldn't we see on firewall logs that something was blocked by this rule, not by Default deny?
However, at the moment on our server there are no other rules than Allow all. Also, there are no floating rules configure. But Default deny is constantly blocking something. We can see it appearing on Firewall logs live view.
OPT1 is our bridged interface with members WAN and LAN. Physical external interface is WAN and internal is LAN.
Attaching network scheme of our setup.
It would be good to solve that Default deny issue first. Then we could try to move on setting up alias blocking rules.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
When the system updates the drop and edrop list from spamhaus ?