E-Book_OPNsense_Mehr_als_eine_Firewall_Thomas-Krenn_ENG
Contents (excerpt)

2. Introduction to OPNsense (p. 3)
   Secure platform (p. 4)
   Versions and release cycle
   OPNsense Business Edition (p. 5)
3. Structure (p. 5)
4. Interface (p. 5)
   Order of rules (p. 7)
   Setting up basic firewall protection (p. 8)
Introduction to OPNsense
The software has its origin in 2015 and is a fork of the well-known open source firewall software pfSense, which started in 2004 as a project fork of m0n0wall. The basic idea of all these projects was to combine the functionalities and management of firewall rules under one graphical interface. However, there are important technical differences, which are explained in the technology blog produced by m.a.x. Informationstechnologie AG.[3] The name "OPNsense" is derived from the combination of "pfSense" and "open source". The founders of OPNsense cite five central arguments for the fork:[4]
[1] Installation (Thomas-Krenn-Wiki): https://www.thomas-krenn.com/en/wiki/Install_OPNsense
[2] Installation (OPNsense Manual): https://docs.opnsense.org/manual/install.html
[3] Differences between pfSense and OPNsense: https://techcorner.max-it.de/wiki/OPNsense_vs._pfSense_-_Im_Vergleich
[4] Rationale for the OPNsense fork: https://docs.opnsense.org/history/thefork.html
thomas-krenn.com | 4
The OPNsense project is financially and technically supported by the Dutch company Deciso B.V., which was already active as a sponsor and co-developer for the two OPNsense predecessors, pfSense and m0n0wall. The "original project" m0n0wall has been discontinued in the meantime. The founder of the latter has spoken out in favor of switching to OPNsense. Though pfSense continues to exist in parallel, its significantly more restrictive license and lack of open plugin interface (along with various controversial business decisions made by its founder) have seen it fall behind the competition. OPNsense is now the more comprehensive and technically advanced solution.
Secure platform
Security software is supposed to protect the system infrastructure and the privacy of users, but such software is increasingly becoming a gateway for attackers – sometimes with severe consequences. Therefore, it is vital that both the software itself and its development process are as secure and transparent as possible. This is generally the case with long-standing and successful open source projects.

OPNsense is based on the HardenedBSD operating system, a derivative of the Unix operating system FreeBSD, which a very active community has developed for decades. FreeBSD is already considered a very secure operating system, while HardenedBSD introduces numerous additional features at the kernel level that make it even more difficult for an attacker to gain control of the operating system through loopholes in application programs. HardenedBSD is not a true fork of FreeBSD, as all current FreeBSD developments are also incorporated into HardenedBSD in a timely manner.
3. Structure
The key strength of OPNsense is its modular structure, which can be easily extended by plugins. Plugins can be combined so that the Unix principle of "one tool for one task" is implemented in an exemplary manner. For example, one of the typical tasks of a web proxy is to scan data transmitted over the web for viruses. The built-in proxy uses the ClamAV plugin for this purpose. The plugin can also be used by a mail server if OPNsense is also used to run a mail relay. The plugins are often interfaces to popular, powerful open source software packages. In many cases, these programs do not have a graphical administration interface but are controlled via configuration files and the command line. Logic and syntax for management often differ considerably. OPNsense plugins unify management. Though administrators still need to know their general functionality and features, they no longer have to deal with the intricacies of configuring, say, an intrusion detection system or a VPN solution.
4. Interface
The OPNsense web interface should be intuitive for most users of other commercial or open source firewalls. All system components and plugins are accessible via the vertical menu bar on the left. The dashboard on the home page is configurable via widgets (Figure 1). Especially useful is the intelligent search function with auto-completion in the upper right corner, which Figure 2 shows in action. From there, you can go directly to the corresponding configuration page. It is usually the fastest option for navigation as opposed to clicking through the menus.
[5] OPNsense Business Edition: https://shop.opnsense.com/product/opnsense-business-edition/
Figure 2: The search function allows quick navigation throughout the system.
table is used for the vast majority of traffic, and packets rarely have to be checked on a rule basis. As a result, rulesets can become very complex without impacting performance. Even packets from stateless protocols end up in the table. The packet filter works here with heuristics that work excellently in practice. The rules specify which of the following three actions the firewall should perform on a packet:
Order of rules
When defining the rules, there are differences between the default behavior of the packet filter and the defaults that OPNsense makes via its interface.

The packet filter allows you to specify the order of rule execution yourself. The default setting there is that the last rule in a chain always takes effect. The rules you define in the OPNsense GUI are so-called "quick rules", which the filter executes immediately when a matching packet comes in, i.e. at the first match – in contrast to the default. This makes it easier to keep track of things and takes some of the complexity out of firewall configuration.

Some rules are bound to a specific interface and affect the incoming traffic at the interface, i.e. at the WAN from outside, at the LAN from inside. The considerably more complex "floating rules" work differently. They apply to multiple interfaces and may also apply to traffic originating from the interface. They have a higher priority than rules for individual interfaces. Individual floating rules are not essential for basic protection, so they should only be used if you have sufficient experience with OPNsense.

As a default value, OPNsense sets up a block-any rule on the WAN side that blocks all packets that do not match any of the individual rules. This rule is defined as a floating rule, i.e. it takes effect before the rules for the interfaces. It is implicit, so it does not appear on the WAN side. On the LAN, on the other hand, the default setting is pass-all, so that all packets are initially allowed through from the inside to the outside.

These settings can be tightened with additional rules, for example, by restricting ports to 80, 443 and 53 on the LAN side, allowing only web browsing and name resolution via DNS. When setting up the rules, one usually works with aliases, for example, one assigns a list of ports to a variable for which a rule is then applied. In the same way, you can assign a list of IP addresses to another alias – for instance, to allow additional ports only for specific hosts via another rule.

The firewall also combats spam using the same logic. Various providers maintain dynamically updated IP address lists of known spammers available on the internet. These can be assigned to aliases just like local IP lists.
Figure 3: Initially, no changes are necessary on the WAN side of the firewall.
From the LAN side, the firewall is completely open at first. Since most attacks require the involuntary cooperation of users in their own network, additional restrictions make sense here.

The procedure is always the same. First, we set the stage by creating the appropriate aliases, in this case _PORTS for the aforementioned ports 80, 443, and 53 (Figure 4). In the second step, we create a pass rule in the corresponding LAN interface that applies to all IPs and set the previously created alias for ports (Figure 5).
Figure 4: As here for ports, aliases can also be created for other objects such as IP addresses.
Figure 5: The port alias is inserted into the new rule for TCP and UDP packets.
Following the same pattern, we can also create aliases for specific IPs, such as a network of a remote office or a server at an external hoster, allow all protocols there, for example, and create the corresponding rule. After saving the rule, we should not forget to activate it as well.

Dynamic lists of known malware distributors and spammers are already available as aliases and can be used in rules according to the same principle. One should take care to update these regularly. The lists are restrictive in different ways, so it can happen that legitimate requests are blocked. The Spamhaus list (second entry in Figure 6) contains fewer potentially problematic entries than the more extensive FireHOL list.
Figure 6: Dynamic lists of malware spreaders as URL table aliases can be regularly updated via the expiration settings.
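The ordering rules described under "Order of rules" and the LAN tightening with aliases from the walkthrough above can be tried out on constructed packets with the following small model. It is an added example and not code from the e-book or from the OPNsense/pf projects: it reproduces how pf, the packet filter underneath OPNsense, selects the winning rule (last match by default, first match for "quick" rules, floating rules ahead of interface rules, an implicit block when nothing matches on the WAN). Interface names, alias contents and all addresses are assumptions.

```python
"""Model of pf rule evaluation as used by OPNsense (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases as created under Firewall > Aliases: a name standing for a set of
# ports or of networks. Contents are constructed for this example.
ALIASES = {
    "_PORTS": {80, 443, 53},                         # web browsing and DNS
    "ADMIN_HOSTS": {ip_network("192.168.1.5/32")},   # assumed admin workstation
}


@dataclass
class Packet:
    iface: str   # interface the packet arrives on: "wan" or "lan"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    iface: Optional[str] = None   # None = floating rule (applies on every interface)
    proto: tuple = ("tcp", "udp")
    src: str = "any"              # alias name, CIDR or "any"
    dport: str = "any"            # alias name, port number as str, or "any"
    quick: bool = False           # GUI rules are quick: first match ends evaluation

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if pkt.proto not in self.proto:
            return False
        if self.src != "any":
            nets = ALIASES[self.src] if self.src in ALIASES else {ip_network(self.src)}
            if not any(ip_address(pkt.src) in n for n in nets):
                return False
        if self.dport != "any":
            ports = ALIASES[self.dport] if self.dport in ALIASES else {int(self.dport)}
            if pkt.dport not in ports:
                return False
        return True


def evaluate(rules, pkt: Packet, default: str = "block") -> str:
    """Floating rules run before interface rules; the last matching rule wins
    unless a matching rule is 'quick', which stops the search at once.
    'default' is the verdict when no rule matches, i.e. the implicit
    block-any that OPNsense applies on the WAN side."""
    ordered = [r for r in rules if r.iface is None] + [r for r in rules if r.iface]
    verdict = default
    for rule in ordered:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Factory state: nothing on the WAN (everything falls through to the default
# block) and the automatic pass-all rule on the LAN.
DEFAULT_RULES = [Rule("pass", iface="lan", quick=True)]

# Tightened LAN as in the walkthrough: only the _PORTS alias for everyone,
# all ports for the hosts in ADMIN_HOSTS. Every GUI rule is quick.
TIGHTENED_RULES = [
    Rule("pass", iface="lan", dport="_PORTS", quick=True),
    Rule("pass", iface="lan", src="ADMIN_HOSTS", quick=True),
]

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "wan_ssh":   Packet("wan", "tcp", "203.0.113.9", "198.51.100.1", 22),
    "lan_web":   Packet("lan", "tcp", "192.168.1.20", "198.51.100.7", 443),
    "lan_dns":   Packet("lan", "udp", "192.168.1.20", "198.51.100.53", 53),
    "lan_ssh":   Packet("lan", "tcp", "192.168.1.20", "203.0.113.9", 22),
    "admin_ssh": Packet("lan", "tcp", "192.168.1.5", "203.0.113.9", 22),
}


def verdicts(rules):
    """Verdict for every sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


def quick_vs_last_match(pkt: Packet):
    """Same two rules, pass on _PORTS followed by block-all on the LAN. With
    quick set, the pass rule wins at first match; without it, pf's default
    last-match behaviour lets the later block rule win."""
    def ruleset(quick):
        return [Rule("pass", iface="lan", dport="_PORTS", quick=quick),
                Rule("block", iface="lan")]
    return evaluate(ruleset(True), pkt), evaluate(ruleset(False), pkt)


if __name__ == "__main__":
    for name, rules in (("defaults", DEFAULT_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, verdicts(rules))
    print("quick vs last-match:", quick_vs_last_match(SAMPLES["lan_web"]))
```

With the factory rules, every packet from the LAN passes and the inbound SSH attempt on the WAN is dropped by the default; after tightening, SSH from an ordinary LAN host is blocked while the admin workstation keeps all ports. The last function shows why the GUI's quick rules matter: the identical pass rule loses to a later block rule as soon as the quick flag is removed.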
The difference between a firewall and an IDS/IPS can be illustrated with the following imperfect but useful analogy: In a medieval city, the firewall rules would determine which gates (ports) should remain open for, say, foot soldiers, horsemen or chariots (packets of network protocols), while the IPS/IDS would act as the guardian on the tower. Based on his orders and experience, he assesses the danger posed by a small group of walking monks (application protocol) approaching the open pedestrian gate. If he knows that robbers disguised as monks are currently on the loose, he will sound the alarm in his capacity as NIDS, but as NIPS he will have the supposed monks intercepted. These would then be scanned for concealed weapons, if necessary (deep packet inspection).

So an IDS/IPS needs signatures, rules and heuristics to detect threats at the application level. These must be kept constantly up to date. There is always a risk of false alarms (with IDS) or even mysterious connection errors (with IPS) if too many false positives occur. On the other hand, an IPS that is set too laxly creates a feeling of false security.

As a rule, an IDS/IPS requires much more knowledge and administrative effort than a firewall. With Suricata, a command line program without a GUI, there is the added challenge of dealing with the syntax of the commands and options. However, OPNsense does a surprising amount of work for the administrator here. The IPS can be put into operation with a few clicks in the GUI.

If Suricata is deployed directly on the OPNsense firewall, the IPS mode is available. In IDS mode, all traffic is usually mirrored to a second interface to decouple the analysis from the real-time traffic. As an IPS, Suricata controls traffic directly on the firewall interfaces. However, it is strongly recommended to run a longer test with alerting before arming the IPS and to evaluate the generated alerts regarding false positives.

Of course, an IDS/IPS only makes sense on the WAN interface if the firewall has open ports. Therefore, it makes sense to limit the IPS to the LAN at this point.
Setting up IDS/IPS
With the default settings, it is possible to put the IPS into operation without any risk. This is done in the Settings tab of the Administration menu item, as Figure 7 shows. In the Download tab, you can find a list of rulesets. To activate them, you just need to select them and then click Download & Update Rules. As Figure 8 shows, the Filter table column is still empty. That is, even though IPS mode is enabled, no packets are dropped. However, the IPS already generates alerts, which are displayed in the corresponding tab. Here, Figure 9 shows obvious false positives (the suspected packets come from the Google DNS). So, we need to disable the corresponding rules. After the alerts are clean, we can begin to arm individual or all rulesets, i.e., actually discard packets (Figure 9).
Figure 9: False positive warnings occasionally occur after the rulesets are activated.
Figure 10: Packets are not discarded until input filters are activated.
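The review of alerts before arming the IPS, as described above, can be done systematically rather than by scrolling through the Alerts tab. The following is an added example and not code from the e-book, from OPNsense or from the Suricata project: it reads Suricata's EVE JSON log (one JSON object per line, `event_type` "alert" for alerts) and groups alerts by signature id, so that rules firing only on traffic from trusted sources, such as the public Google resolvers in the walkthrough, stand out as candidates to disable. The log lines are constructed; signature ids, signature names and addresses are made up for the example.

```python
"""Triage of Suricata EVE alerts before switching rulesets to drop (added example)."""
import json
from collections import defaultdict

# Constructed EVE records. Real eve.json lines carry many more fields; only
# the ones the triage uses are included here. One non-alert event and one
# broken line are included to show that both are skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0200","event_type":"alert","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.20","dest_port":51514,"proto":"UDP","alert":{"action":"allowed","signature_id":2100001,"signature":"EXAMPLE DNS response anomaly","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0200","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:03.000000+0200","event_type":"alert","src_ip":"8.8.4.4","src_port":53,"dest_ip":"192.168.1.21","dest_port":40211,"proto":"UDP","alert":{"action":"allowed","signature_id":2100001,"signature":"EXAMPLE DNS response anomaly","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:00:04.000000+0200","event_type":"alert","src_ip":"203.0.113.77","src_port":4444,"dest_ip":"192.168.1.30","dest_port":445,"proto":"TCP","alert":{"action":"allowed","signature_id":2100002,"signature":"EXAMPLE inbound SMB probe","category":"Attempted Information Leak","severity":1}}
{"timestamp":"2024-05-01T10:00:05.000000+0200","event_type":"alert","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.20","dest_port":51515,"proto":"UDP","alert":{"action":"allowed","signature_id":2100001,"signature":"EXAMPLE DNS response anomaly","category":"Potentially Bad Traffic","severity":2}}
not json at all
"""

# Sources whose traffic is known to be benign for this network (assumption:
# the LAN uses the public Google resolvers, as in the walkthrough).
TRUSTED_SOURCES = {"8.8.8.8", "8.8.4.4"}


def parse_alerts(eve_text):
    """Yield only alert events; skip other event types and unparsable lines."""
    for line in eve_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") == "alert":
            yield event


def summarize(eve_text):
    """Group alerts by signature id: count, signature text, distinct sources,
    and how many were actual drops ("blocked") rather than IDS-style alerts."""
    summary = defaultdict(lambda: {"signature": "", "count": 0, "sources": set(), "dropped": 0})
    for ev in parse_alerts(eve_text):
        entry = summary[ev["alert"]["signature_id"]]
        entry["signature"] = ev["alert"]["signature"]
        entry["count"] += 1
        entry["sources"].add(ev["src_ip"])
        if ev["alert"].get("action") == "blocked":
            entry["dropped"] += 1
    return dict(summary)


def false_positive_candidates(summary, trusted):
    """Signature ids whose alerts came exclusively from trusted sources: the
    rules to disable in the rule list before arming the ruleset."""
    return sorted(sid for sid, e in summary.items() if e["sources"] <= trusted)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVE)
    for sid, e in sorted(s.items()):
        print(sid, e["count"], sorted(e["sources"]), e["signature"])
    print("candidates to disable:", false_positive_candidates(s, TRUSTED_SOURCES))
```

On the sample, signature 2100001 fired three times and only ever on responses from the two resolvers, so it is reported as a candidate; 2100002 came from an unknown external host and stays. Once the alert list is clean, the `dropped` counter becomes useful to confirm that the armed rulesets are really discarding packets.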
automatically. In the second step, we open the WAN interface for the port used by WireGuard using a pass rule. UDP is sufficient as the protocol because WireGuard tunnels all protocols via UDP (Figure 12). Since WireGuard creates a separate interface for the local endpoint, we need to create a rule for it as well, which in the simplest case allows all traffic to pass for all protocols and destinations, as shown in Figure 13.
Figure 11: The configuration of WireGuard starts with the local endpoint.
Figure 12: The firewall for the WAN interface must allow WireGuard traffic to pass.
This concludes the basic configuration. Next, the peers that are allowed to use WireGuard must be configured. This is done in the Endpoints tab of the plugin configuration and can only be done when the public key of the remote endpoint is known. The VPN user must therefore already have the corresponding client program installed and configured. For the allowed IPs, we use the netmask suffix /32 to ensure that the peer always connects to a fixed IP (Figure 14). To complete the configuration, go back to the Local tab, where you can now add the existing endpoints in the Peers menu item.
Figure 14: When adding WireGuard peers (endpoints), their public key must be known.
Figure 15: All or selected peers are added to the local endpoint at the end.
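The /32 rule for allowed IPs from the peer step above can be checked before a list of endpoints is attached to the local endpoint. The following is an added example and not code from the e-book or from the OPNsense WireGuard plugin: it enforces that each road-warrior peer claims a single host address, and, as a generalization beyond the text, also rejects allowed-IP ranges outside the tunnel network and ranges that overlap between peers (WireGuard routes a tunnel address to exactly one peer key). The tunnel network, the peer names and the placeholder public keys are assumptions.

```python
"""Sanity check of WireGuard peer definitions (added example)."""
from ipaddress import ip_network

TUNNEL_NET = ip_network("10.10.10.0/24")   # assumed tunnel network of the local endpoint

# Constructed peer list. The public keys are placeholders, not real keys.
PEERS = [
    {"name": "laptop-alice", "public_key": "<PUBLIC_KEY_ALICE>", "allowed_ips": "10.10.10.2/32"},
    {"name": "phone-bob",    "public_key": "<PUBLIC_KEY_BOB>",   "allowed_ips": "10.10.10.3/32"},
    {"name": "tablet-carol", "public_key": "<PUBLIC_KEY_CAROL>", "allowed_ips": "10.10.10.3/32"},   # clashes with phone-bob
    {"name": "whole-subnet", "public_key": "<PUBLIC_KEY_X>",     "allowed_ips": "10.10.10.0/24"},   # not a single host
    {"name": "outsider",     "public_key": "<PUBLIC_KEY_Y>",     "allowed_ips": "192.168.77.5/32"}, # outside the tunnel
]


def check_peers(peers, tunnel_net):
    """Return (peer name, problem) pairs; an empty list means all peers can be added."""
    problems = []
    claimed = {}   # name -> network already assigned to an earlier peer
    for peer in peers:
        net = ip_network(peer["allowed_ips"], strict=False)
        if net.prefixlen != net.max_prefixlen:
            problems.append((peer["name"], f"allowed IPs {net} is not a single host (/32)"))
        if not net.subnet_of(tunnel_net):
            problems.append((peer["name"], f"allowed IPs {net} is outside {tunnel_net}"))
        for other_name, other_net in claimed.items():
            if net.overlaps(other_net):
                problems.append((peer["name"], f"allowed IPs {net} overlaps {other_name} ({other_net})"))
        claimed[peer["name"]] = net
    return problems


def valid_peers(peers, tunnel_net):
    """Peers without any problem; earlier peers keep their address in a clash."""
    bad = {name for name, _ in check_peers(peers, tunnel_net)}
    return [p for p in peers if p["name"] not in bad]


def render_peers(peers):
    """Render peers as WireGuard [Peer] sections, the same data the Endpoints
    tab asks for (public key and allowed IPs)."""
    sections = []
    for peer in peers:
        sections.append("[Peer]\n"
                        f"# {peer['name']}\n"
                        f"PublicKey = {peer['public_key']}\n"
                        f"AllowedIPs = {peer['allowed_ips']}\n")
    return "\n".join(sections)


if __name__ == "__main__":
    for name, problem in check_peers(PEERS, TUNNEL_NET):
        print(f"{name}: {problem}")
    print(render_peers(valid_peers(PEERS, TUNNEL_NET)))
```

On the constructed list only laptop-alice and phone-bob survive: the duplicate /32, the /24 and the address outside the tunnel network are each reported with the reason, which is exactly the kind of mistake that otherwise shows up later as a peer that connects but cannot be reached under the address you expect.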
All steps of this short tutorial can also be found in detail in the Thomas-Krenn wiki.[6] It also describes how to configure an Ubuntu computer as a WireGuard peer[7] and how to set up site-to-site connections with WireGuard.[8]
[6] Setting up WireGuard step-by-step: https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_for_Road_Warrior_configuration
[7] WireGuard client configuration: https://www.thomas-krenn.com/en/wiki/Ubuntu_Desktop_as_WireGuard_VPN_client_configuration
[8] WireGuard for site-to-site connections: https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_Site-to-Site_configuration
[9] OPNsense-optimized servers: https://www.thomas-krenn.com/en/products/application/opnsense-firewalls.html
[10] Summary of OPNsense hardware requirements: https://www.thomas-krenn.com/en/wiki/OPNsense_hardware_requirements
between the three levels "Minimal", "Reasonable" and "Recommended", though the specification is very modest even for "Recommended" with 8 GB RAM, a multi-core CPU with 1.5 GHz and 120 GB SSD storage. In practice, much more RAM and CPU performance will often be required, especially when running IPS and VPN.
Figure 16: Three examples of OPNsense-optimized servers from Thomas-Krenn: the low-cost and power-saving LES compact 4L, the flexible and powerful LES network+, and the RI 1102D-F infrastructure server with front IO, Xeon CPU and up to 128 GB of RAM.
Performance estimates
The individual components of OPNsense place very different demands on the hardware. The packet filter itself is the most frugal and also the easiest to estimate. RAM is the most crucial factor here. However, an average state table with 1,000 connections requires only 10 MB, so there are hardly any limitations here with modern systems. The CPU load due to the packet filter is also relatively low.

However, the Suricata intrusion detection/prevention system is different: here, the CPU load can become very high during heavy use. The load depends not only on the number of users but also on the number of rules. In addition, the IDS/IPS checks the packets before they reach the packet filter. As a result, Suricata can become a limiting factor.

A VPN can also place a heavy load on the CPU and become a bottleneck if the hardware is insufficient. The Thomas-Krenn wiki contains detailed performance measurements for WireGuard and other VPNs with the LES compact 4L and the LES network+, which can serve as a basis for deciding on a hardware purchase. The test setup is described in detail so that it can also be used for comparisons with other servers or, with minor adjustments, for other OPNsense modules.
High availability
After OPNsense is configured to your satisfaction, you will usually want to secure it against failure. High availability and failover are comparatively easy to realize with OPNsense. Support for the appropriate technology, such as the Common Address Redundancy Protocol (CARP) and firewall state synchronization, is already built into the system. A detailed article in the Thomas-Krenn wiki demonstrates how to set up high availability in OPNsense.
[12] OPNsense webinar: https://www.thomas-krenn.com/de/tkmag/webinare/opnsense-fuer-anwender-wie-sie-die-firewall-richtig-nutzen-und-absichern/
[13] Setting up an HA cluster step-by-step: https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration
[14] E-book on OPNsense: https://www.thomas-krenn.com/de/tkmag/allgemein/kostenloses-e-book-opnsense-firewall-in-der-praxis/
[15] OPNsense in the Thomas-Krenn wiki: https://www.thomas-krenn.com/en/wiki/Category:OPNsense
Thomas-Krenn.AG
Speltenbach-Steinäcker 1
D-94078 Freyung
thomas-krenn.com