External IP Flagged in Blocklist in Maltrail and Appears to also be affecting blocks on other sites... #19249
Comments
Hello! Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related. I have also re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNSense?
is
p.s. From what I can see, those are most probably benign (but marked as "suspicious" by Maltrail - not meaning "malicious")
Yes, this is an OPNsense plugin. I have the following configuration: ISP <===| OPNsense (Transparent FW) |===> Unifi UDM with IP Passthrough from ISP
Yes, that is my external IP. I realize that it is showing as suspicious, but I am trying to understand the Trails References for the items...
@mimugmail Hello! Could you, please, attend to our conversation? We need details on how the OPNSense firewall builds its blocking rules from Maltrail's detections. Thank you!
This is my two cents on what I know about the blocks: an alias is created that is associated with the fail2ban item, and then an ACL on the interface.
Exactly, OPNsense fetches the fail2ban URL at regular intervals and builds a dynamic alias.
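The two comments above describe the chain that ends in a self-block: Maltrail publishes a fail2ban-style address list, the firewall fetches it on a schedule and turns it into an alias, and an ACL on the interface blocks whatever the alias contains. The following is an added example (not code from Maltrail or the OPNsense plugin) of the check a defender would put between "fetch" and "build alias": drop any fetched address that falls inside the operator's own WAN range before the alias is written. The list format (one address per line, `#` comments), the sample addresses and the `OWN_EXTERNAL_NETS` placeholder are all constructed assumptions for the example.

```python
import ipaddress
from typing import Iterable

# Constructed sample of a fail2ban-style list as a firewall might fetch it:
# one address per line, '#' comments and blank lines ignored. The format is
# an assumption for this example, not Maltrail's documented output.
SAMPLE_LIST = """\
# constructed sample, not real Maltrail output
198.51.100.23
203.0.113.7
203.0.113.7
192.0.2.10
not-an-ip
"""

# Placeholder for the WAN range the dynamic alias must never contain.
OWN_EXTERNAL_NETS = ["203.0.113.0/24"]


def parse_ip_list(raw: str) -> list:
    """Return the valid IPv4/IPv6 addresses in the list, deduplicated, in order."""
    seen = set()
    out = []
    for line in raw.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            # Skip malformed entries instead of failing the whole refresh.
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


def filter_blocklist(raw: str, allow_cidrs: Iterable[str]) -> tuple:
    """Split the fetched list into (kept, excluded) address strings.

    Addresses inside any allow_cidrs network are excluded so the alias built
    from the list cannot block the operator's own WAN address; everything
    else is kept for the alias. Mixed IPv4/IPv6 comparisons are simply False
    in the ipaddress module, so a v4 allowlist never matches v6 entries.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allow_cidrs]
    kept, excluded = [], []
    for ip in parse_ip_list(raw):
        if any(ip in n for n in nets):
            excluded.append(str(ip))
        else:
            kept.append(str(ip))
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = filter_blocklist(SAMPLE_LIST, OWN_EXTERNAL_NETS)
    print("alias entries:", kept)
    print("excluded (allowlisted):", excluded)
```

Run against the constructed sample, the duplicate and the malformed line are dropped, `203.0.113.7` is excluded because it sits in the allowlisted range, and only the remaining two addresses would reach the alias. Logging the `excluded` list on each refresh also gives you an audit trail of how often your own address is being reported.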
I would suspect that's the reason for the blocking: see
According to the CHANGELOG, MT from version 0.65 (https://github.com/stamparm/maltrail/blob/master/CHANGELOG#L43) has the possibility to build custom blacklists (#19230). Looks like this mechanism allows building a bypass rule for a defined filter (e.g. mass_scanner in the current case), but I am not sure it is implemented in the OPNSense plugin, in particular in the UI. @mimugmail?
Is the plugin maintained by OPNsense then, or is that part of the Maltrail project?
The plugin is maintained by OPNsense.
Thanks |
As a workaround I can propose to manually modify
No, I do not think that is the right direction... If OPNsense maintains the plugin (I thought it was handled by Maltrail like other OPNsense plugins), they should try to resolve it, especially since I should be whitelisted from the console perspective within OPNsense. Removing the
@MikhailKasimov on a side note, has there been a change in the way the
As far as I remember, there were no changes. But, from what I can see, when comparing "native" Perhaps @mimugmail would give a more thoughtful hint here...
Question
For some reason Maltrail is blocking my external IP. See below:
I have added an allow rule within the firewall above the Maltrail block, so I am able to get external access now, but when I have gone to other sites, it appears my IP is still flagged for some reason. Most appear to be associated with DNS for some reason, as seen in the image...
Support
Any thoughts on what would cause this or why it is getting flagged?