Right at the top of the Firewall section in the ASL config, there are two options:
Enable ASL Network Firewall
and
Enable ASL Network Firewall IPS
On screen it says the default for both is YES, although for 3.x to 4.x upgrades I've done, "Enable ASL Network Firewall IPS" seems to be set to No.
My question is what is "Enable ASL Network Firewall IPS" supposed to control? My take was that it was for the shunning/blacklisting/ossec/mod_sec side of things. But even on the upgraded systems where it was set to No, shunning still seemed to occur and everything was working as it should. So if it isn't that, what is it?
There doesn't appear to be anything on these options in the wiki (that I could find).
Firewall config confusion
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- Atomicorp Staff - Site Admin
Re: Firewall config confusion
FW_IPS is a planned feature, currently disabled by default. It is designed to implement packet level IPS for specific classes of network attacks, like heartbleed, or amplification attacks against dns or ntp.
Re: Firewall config confusion
Is there any harm in setting it to "yes" at the moment? Does it do anything?
- Atomicorp Staff - Site Admin
Re: Firewall config confusion
I'd recommend leaving it off unless you can afford to use the system for R&D. The rules are not fully vetted. A rule update will automatically disable the setting.
Re: Firewall config confusion
ok. Thanks.
I would suggest changing the text in the GUI so that it says "Default: no" rather than "yes" though