External IP Flagged in Blocklist in Maltrail and Appears to also be affecting blocks on other sites... #19249

Open
secdoc opened this issue Apr 8, 2024 · 18 comments

Comments

@secdoc

secdoc commented Apr 8, 2024

Question
For some reason Maltrail is blocking my external IP. See below:

(screenshot: maltrail)

I have added an allow rule within the firewall above the Maltrail block, so I am able to get external access now, but when I have gone to other sites, it appears my IP is still flagged for some reason. Most appear to be associated with DNS for some reason, as seen in the image...

Support
Any thoughts on what would cause this or why it is getting flagged?

@MikhailKasimov
Collaborator

Hello!

Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related.

Also have re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNSense?

@stamparm
Owner

stamparm commented Apr 9, 2024

Is 99.137.X.Y your external IP? If yes, that means that Maltrail detected your IP as a source of suspicious behavior, and that's perfectly normal. In such a case you should inspect why there are such requests and whether there is a need to worry.

@stamparm
Owner

stamparm commented Apr 9, 2024

P.S. From what I can see, those are most probably benign (but marked as "suspicious" by Maltrail - not meaning "malicious").

@secdoc
Author

secdoc commented Apr 9, 2024

> Hello!
>
> Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related.
>
> Also have re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNSense?

Yes, this is an OPNsense plugin. I have the following configuration: ISP <===| OPNsense (Transparent FW) |===> Unifi UDM with IP Passthrough from ISP

(diagram: transparent_fw_diagram)

This was not an issue previously, but started getting dropped via the Maltrail ACL on OPNsense. My question is around why I am getting tagged. I do not see a clear answer. I run internal Unbound DNS with Pi-hole for my DNS requests, so not sure why or how I am being flagged there either. I do host services internally and use Cloudflare DNS/reverse proxy for access; again, that has been that way for some time.

@secdoc
Author

secdoc commented Apr 9, 2024

> P.S. From what I can see, those are most probably benign (but marked as "suspicious" by Maltrail - not meaning "malicious").

Yes, that is my external IP. I realize that it is showing as suspicious, but I am trying to understand the Trails References for the items...

@MikhailKasimov
Collaborator

> Hello!
> Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related.
> Also have re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNSense?
>
> Yes, this is an OPNsense plugin. I have the following configuration: ISP <===| OPNsense (Transparent FW) |===> Unifi UDM with IP Passthrough from ISP. This was not an issue previously, but started getting dropped via the Maltrail ACL on OPNsense. My question is around why I am getting tagged. I do not see a clear answer. I run internal Unbound DNS with Pi-hole for my DNS requests, so not sure why or how I am being flagged there either. I do host services internally and use Cloudflare DNS/reverse proxy for access; again, that has been that way for some time.

@mimugmail Hello! Could you, please, attend to our conversation? Need details how OPNSense firewall builds its blocking rules due to Maltrail's detections. Thank you!

MikhailKasimov added the OPNSense-plugin label Apr 9, 2024
@secdoc
Author

secdoc commented Apr 9, 2024

> Hello!
> Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related.
> Also have re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNSense?
>
> Yes, this is an OPNsense plugin. I have the following configuration: ISP <===| OPNsense (Transparent FW) |===> Unifi UDM with IP Passthrough from ISP. This was not an issue previously, but started getting dropped via the Maltrail ACL on OPNsense. My question is around why I am getting tagged. I do not see a clear answer. I run internal Unbound DNS with Pi-hole for my DNS requests, so not sure why or how I am being flagged there either. I do host services internally and use Cloudflare DNS/reverse proxy for access; again, that has been that way for some time.
>
> @mimugmail Hello! Could you, please, attend to our conversation? Need details how OPNSense firewall builds its blocking rules due to Maltrail's detections. Thank you!

This is my two cents on what I know about the blocks: there is an alias created that is associated with the fail2ban item, and then an ACL on the interface.

(screenshot: maltrail_alias)

NOTE: The rules above the Maltrail blocks are to bypass the blacklisting of the external IP.

(screenshot: maltrail_acl)

@mimugmail

Exactly, OPNsense fetches the fail2ban URL at regular intervals and builds a dynamic alias.

@MikhailKasimov
Collaborator

Would suspect that's the reason for the blocking:

(screenshot: image)

See FAIL2BAN_REGEX triggers list: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L48

@secdoc
Author

secdoc commented Apr 9, 2024

> Exactly, OPNsense fetches the fail2ban URL at regular intervals and builds a dynamic alias.

How do you exclude (allowlist) explicit IPs or domains? Because I have placed the IP in the config, but it is not bypassing:

(screenshot: maltrail_general)

@MikhailKasimov
Collaborator

According to the CHANGELOG, MT from version 0.65 (https://github.com/stamparm/maltrail/blob/master/CHANGELOG#L43) has the possibility to build custom blacklists (#19230):

(screenshot: image)

Looks like this mechanism allows building a bypass rule for a defined filter (e.g. mass_scanner in the current case).

But not sure it is implemented in the OPNSense plugin, in particular in the UI. @mimugmail ?

@secdoc
Author

secdoc commented Apr 10, 2024

> According to the CHANGELOG, MT from version 0.65 (https://github.com/stamparm/maltrail/blob/master/CHANGELOG#L43) has the possibility to build custom blacklists (#19230):
>
> (screenshot: image)
>
> Looks like this mechanism allows building a bypass rule for a defined filter (e.g. mass_scanner in the current case).
>
> But not sure it is implemented in the OPNSense plugin, in particular in the UI. @mimugmail ?

Is the plugin maintained by OPNsense then or is that part of the Maltrail project?

@MikhailKasimov
Collaborator

> Is the plugin maintained by OPNsense then or is that part of the Maltrail project?

Plugin is maintained by OPNsense.

@secdoc
Author

secdoc commented Apr 10, 2024

> Is the plugin maintained by OPNsense then or is that part of the Maltrail project?
>
> Plugin is maintained by OPNsense.

Thanks

@MikhailKasimov
Collaborator

> Is the plugin maintained by OPNsense then or is that part of the Maltrail project?
>
> Plugin is maintained by OPNsense.
>
> Thanks

As a workaround I can propose to manually modify the /maltrail.conf file by deleting the string mass_scanner (see https://github.com/opnsense/plugins/blob/master/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf#L11) and restart the MT plugin. Hope this will be OK for you.

@secdoc
Author

secdoc commented Apr 10, 2024

> Is the plugin maintained by OPNsense then or is that part of the Maltrail project?
>
> Plugin is maintained by OPNsense.
>
> Thanks
>
> As a workaround I can propose to manually modify the /maltrail.conf file by deleting the string mass_scanner (see https://github.com/opnsense/plugins/blob/master/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf#L11) and restart the MT plugin. Hope this will be OK for you.

No, I do not think that is the right direction... If OPNsense maintains the plugin (I thought it was handled by Maltrail like other OPNsense plugins), they should try to resolve it, especially since I should be whitelisted from the console perspective within OPNsense. Removing the mass_scanner is definitely good info for monitoring, which I do.

@secdoc
Author

secdoc commented Apr 10, 2024

@MikhailKasimov on a side note, has there been a change in the way the known_attacker is handled? This may be another OPNsense related issue, but since I have gone to explicit FW to transparent FW, the known_attacker hits have completely disappeared, where I was averaging a few dozen a day previously.

@MikhailKasimov
Collaborator

> On a side note, has there been a change in the way the known_attacker is handled?

As far as I remember, there were no changes.

But from what I can see, when comparing the "native" /maltrail.conf (https://github.com/stamparm/maltrail/blob/master/maltrail.conf) and OPNSense's one (https://github.com/opnsense/plugins/blob/master/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf), the OPNSense one does not contain the option DISABLED_TRAILS_INFO_REGEX (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L72-L73), which allows suppressing "noisy" detections like known attacker.

Perhaps @mimugmail would give a more thoughtful hint here...
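As an added example that is not part of this thread, the Maltrail project or the OPNsense plugin, the following Python models the blocking chain the participants describe: event info strings are matched against FAIL2BAN_REGEX to produce the /fail2ban IP list that OPNsense turns into a dynamic alias; dropping mass_scanner from that regex (the workaround proposed above) removes the reporter's own IP from the list; an allowlist step of the kind the reporter asked for does the same without losing the detection; and DISABLED_TRAILS_INFO_REGEX-style suppression removes "known attacker" noise before it reaches the feed. The event rows, IP addresses (documentation ranges) and regex values are constructed for illustration and are not Maltrail's actual defaults; the port 8338 in the comments is assumed to be Maltrail's default server port.

```python
"""
Added example (not code from Maltrail or the OPNsense plugin): a small model
of the blocking chain discussed in this thread.

  events -> DISABLED_TRAILS_INFO_REGEX suppression -> FAIL2BAN_REGEX match
         -> /fail2ban IP list -> OPNsense alias -> firewall block

Events, IP addresses and regex values below are constructed for
illustration; they are not copied from maltrail.conf or a real sensor.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for one Maltrail event: who triggered it and why."""
    src_ip: str
    info: str


# Constructed sample events. 203.0.113.7 plays the reporter's own external IP
# (documentation range TEST-NET-3); 198.51.100.9 is an unrelated third party.
SAMPLE_EVENTS = [
    Event("203.0.113.7", "mass scanner"),
    Event("203.0.113.7", "suspicious dns query"),
    Event("198.51.100.9", "known attacker"),
    Event("198.51.100.9", "potential web scan"),
    Event("192.0.2.44", "known attacker"),
]

# Illustrative regex values (assumption: shaped like the real options, not
# their exact defaults). The first includes "mass scanner", as the thread says
# the plugin's template does; the second is the proposed workaround.
FAIL2BAN_REGEX_WITH_MASS_SCANNER = r"attacker|mass scanner|potential web scan"
FAIL2BAN_REGEX_WITHOUT_MASS_SCANNER = r"attacker|potential web scan"
DISABLED_TRAILS_INFO_REGEX = r"known attacker"


def suppress_noisy(events, disabled_info_regex):
    """Model of DISABLED_TRAILS_INFO_REGEX: drop events whose info matches."""
    if not disabled_info_regex:
        return list(events)
    pat = re.compile(disabled_info_regex, re.IGNORECASE)
    return [e for e in events if not pat.search(e.info)]


def fail2ban_feed(events, fail2ban_regex, allowlist=()):
    """Model of the /fail2ban endpoint: unique source IPs of events whose
    info matches FAIL2BAN_REGEX, minus any allowlisted address or network.
    The allowlist is the exclusion the reporter asked for; it is modelled
    here as a filter in front of the alias, not as a Maltrail option."""
    pat = re.compile(fail2ban_regex, re.IGNORECASE)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    blocked = set()
    for e in events:
        if not pat.search(e.info):
            continue
        ip = ipaddress.ip_address(e.src_ip)
        if any(ip in n for n in nets):
            continue
        blocked.add(e.src_ip)
    return sorted(blocked, key=ipaddress.ip_address)


def parse_feed(body):
    """Parse a fetched /fail2ban body (one address per line is assumed;
    commas are tolerated) into a set of valid IP strings, ignoring junk."""
    found = set()
    for token in re.split(r"[\s,]+", body.strip()):
        try:
            found.add(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return found


def own_ip_would_be_blocked(feed_body, own_ip):
    """The check a practitioner wants before the alias refreshes:
    is my external IP in what the sensor hands to the firewall?"""
    return str(ipaddress.ip_address(own_ip)) in parse_feed(feed_body)


if __name__ == "__main__":
    own = "203.0.113.7"
    default = fail2ban_feed(SAMPLE_EVENTS, FAIL2BAN_REGEX_WITH_MASS_SCANNER)
    print("default feed:", default)
    print("without mass scanner:",
          fail2ban_feed(SAMPLE_EVENTS, FAIL2BAN_REGEX_WITHOUT_MASS_SCANNER))
    print("with allowlist:",
          fail2ban_feed(SAMPLE_EVENTS, FAIL2BAN_REGEX_WITH_MASS_SCANNER,
                        allowlist=[own + "/32"]))
    quiet = suppress_noisy(SAMPLE_EVENTS, DISABLED_TRAILS_INFO_REGEX)
    print("events after suppression:", len(quiet))
    # Constructed feed body, standing in for a GET of
    # http://<sensor>:8338/fail2ban (8338 assumed to be the default port).
    body = "\n".join(default) + "\n"
    print("own IP blocked?", own_ip_would_be_blocked(body, own))
```

The point the model makes concrete is the one raised in the thread: an allow rule placed above the Maltrail block rule on the OPNsense interface fixes local access but not the feed itself, so the IP still appears in whatever the alias source publishes. Removing the IP from the feed requires either dropping the trigger from FAIL2BAN_REGEX (losing the mass_scanner signal) or filtering the feed before it becomes the alias.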
