mirror of https://github.com/opnsense/docs
Update ips-bypass.rst - Improved Styling and content
Monviech
9 months ago
committed by
GitHub
parent
8bd50e6633
commit
abd8a2a9c2
@ -1,60 +1,69 @@
|
||||
==========================
|
||||
IPS - Bypass local traffic from inspection
|
||||
==========================
|
||||
=============================================
|
||||
IPS Bypass local traffic from inspection
|
||||
=============================================
|
||||
|
||||
This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks.
|
||||
|
||||
* **Benefit**: There will be faster routing performance between local networks when Intrusion Detection is enabled in IPS mode.
|
||||
* **Potential Risk: Internal traffic WON'T be inspected anymore, so use this with care!**
|
||||
.. Note:: This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks. With bypass enabled, routing performance is improved significantly between local networks while IPS is used.
|
||||
.. Tip:: If you only have 1 interface selected in Intrusion Detection, you don't have to follow this tutorial. There won't be any performance benefit.
|
||||
.. Warning:: Traffic between local networks won't be inspected anymore, so use this with care!
|
||||
|
||||
-------------
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
* Some features described on this page were added in the latest version. Always keep your system up to date.
|
||||
* Intrusion Detection should be **Enabled** and **IPS mode** selected.
|
||||
* There should only be **internal networks** selected in **Interfaces** (LAN, OPT1 etc..), not the WAN interfaces.
|
||||
|
||||
To start go to :menuselection:`Services --> Intrusion Detection --> Administration`.
|
||||
|
||||
------------
|
||||
User defined
|
||||
------------
|
||||
|
||||
Select the tab **User defined**.
|
||||
- Some features described on this page were added in the latest version. Always keep your system up to date.
|
||||
- Intrusion Detection should be **enabled** and **IPS mode** selected.
|
||||
- Only **internal networks** should be selected in **Interfaces** (LAN, OPT1 etc..), **not the WAN interface**.
|
||||
|
||||
-----------------
|
||||
Create new Rules
|
||||
-----------------
|
||||
|
||||
Select **+** to add a new rule.
|
||||
|
||||
* Input the **Source IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
|
||||
* Input the **Destination IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56``
|
||||
* Select the **Action** as *Pass*
|
||||
* Enable the **Bypass** checkbox
|
||||
* Set the **Description** as "Bypass net 10.0.0.0 to 10.0.0.0"
|
||||
To start go to :menuselection:`Services --> Intrusion Detection --> Administration` and select the tab :menuselection:`User defined`.
|
||||
|
||||
Select **+** to create additional new rules
|
||||
|
||||
* Repeat the above steps to create rules between each of the RFC1918 Private IPv4 subnets. (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``). This will result in 9 rules.
|
||||
* If you use IPv6, create additional rules between your IPv6 Prefixes. You can find them in :menuselection:`Interfaces --> Overview` at IPv6 prefix of the selected WAN interface. (e.g ``2003:a:a:a::/56``)
|
||||
|
||||
The finished IPv4 ruleset should include the following rules:
|
||||
Select **+** to add a new rule.
|
||||
|
||||
* ``Bypass net 10.0.0.0 to 10.0.0.0``
|
||||
* ``Bypass net 10.0.0.0 to 172.16.0.0``
|
||||
* ``Bypass net 10.0.0.0 to 192.168.0.0``
|
||||
* ``Bypass net 172.16.0.0 to 10.0.0.0``
|
||||
* ``Bypass net 172.16.0.0 to 172.16.0.0``
|
||||
* ``Bypass net 172.16.0.0 to 192.168.0.0``
|
||||
* ``Bypass net 192.168.0.0 to 10.0.0.0``
|
||||
* ``Bypass net 192.168.0.0 to 172.16.0.0``
|
||||
* ``Bypass net 192.168.0.0 to 192.168.0.0``
|
||||
- Input the **Source IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
|
||||
- Input the **Destination IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
|
||||
- Select the **Action** as *Pass*
|
||||
- Enable the **Bypass** checkbox
|
||||
- Set the **Description** as "Bypass net 10.0.0.0 to 10.0.0.0"
|
||||
|
||||
Select **+** or **clone** to create additional new rules.
|
||||
|
||||
* Repeat the above steps to create rules between each of the RFC1918 Private IPv4 subnets, ``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``. Don't forget to adjust the description.
|
||||
|
||||
.. Note:: The finished ruleset for IPv4 should include the following rules:
|
||||
|
||||
================== ================== ========== ========== ======================================
|
||||
**Source IP** **Destination IP** **Action** **Bypass** **Description**
|
||||
================== ================== ========== ========== ======================================
|
||||
10.0.0.0/8 10.0.0.0/8 Pass X Bypass net 10.0.0.0 to 10.0.0.0
|
||||
10.0.0.0/8 172.16.0.0/12 Pass X Bypass net 10.0.0.0 to 172.16.0.0
|
||||
10.0.0.0/8 192.168.0.0/16 Pass X Bypass net 10.0.0.0 to 192.168.0.0
|
||||
172.16.0.0/12 10.0.0.0/8 Pass X Bypass net 172.16.0.0 to 10.0.0.0
|
||||
172.16.0.0/12 172.16.0.0/12 Pass X Bypass net 172.16.0.0 to 172.16.0.0
|
||||
172.16.0.0/12 192.168.0.0/16 Pass X Bypass net 172.16.0.0 to 192.168.0.0
|
||||
192.168.0.0/16 10.0.0.0/8 Pass X Bypass net 192.168.0.0 to 10.0.0.0
|
||||
192.168.0.0/16 172.16.0.0/12 Pass X Bypass net 192.168.0.0 to 172.16.0.0
|
||||
192.168.0.0/16 192.168.0.0/16 Pass X Bypass net 192.168.0.0 to 192.168.0.0
|
||||
================== ================== ========== ========== ======================================
|
||||
|
||||
.. Tip::
|
||||
|
||||
- If you use IPv6 - e.g. with *Track Interface* or *Static IPv6* - create an additional rule.
|
||||
- You can find your *IPv6 prefix* in :menuselection:`Interfaces --> Overview --> WAN` - e.g ``2001:db8:a:aa00::/56``.
|
||||
- You only have to create 1 rule, because all of the *Track IPv6 Interface - IPv6 Prefix ID* networks - e.g. ``2001:db8:a:aa01::/64``, ``2001:db8:a:aa02::/64`` - are already included in the ``/56`` Prefix.
|
||||
- Please note that this only works if your Prefix is static.
|
||||
|
||||
-------------------
|
||||
Apply configuration
|
||||
-------------------
|
||||
|
||||
First apply the configuration by pressing the **Apply** button at the bottom of
|
||||
Apply the configuration by pressing the **Apply** button at the bottom of
|
||||
the form.
|
||||
|
||||
-------------------
|
||||
External Resources
|
||||
-------------------
|
||||
- https://docs.suricata.io/en/suricata-6.0.0/rules/bypass-keyword.html
|
||||
- https://docs.suricata.io/en/suricata-6.0.0/performance/ignoring-traffic.html
|
||||
|
||||
Loading…
Reference in New Issue