# OPNsense Setup
This document outlines the steps to add a DMZ and the necessary firewall rules to an OPNsense firewall to allow the honeypot to function correctly.
## Prerequisites
- OPNsense firewall with at least 3 network interfaces
## DMZ Setup
- On Interfaces → Assignments add a new interface for the DMZ
- On Interfaces → [DMZ] enable the interface and set a static IP address that is not in use by any other device on the network (e.g. 172.16.0.1/24)
- If the honeypot doesn't have a static IP address, enable a DHCP server on the DMZ interface under Services → Dnsmasq DNS & DHCP or Services → Kea DHCP
## NAT Rules
For the WAN interface add a NAT rule under Firewall → NAT → Outgoing to redirect all traffic from the WAN to the DMZ.
| Interface | Protocol | Source | Source Port | Destination | Dest. Port | Description |
|---|---|---|---|---|---|---|
| WAN | * | * | * | DMZ | * | Redirect all traffic from the WAN to the DMZ |
## Firewall Rules
For the DMZ create the following rules:
| Action | Protocol | Source | Source Port | Destination | Dest. Port | Description |
|---|---|---|---|---|---|---|
| Pass | TCP | * | 443 | WAN | 443 | Allow all traffic from the DMZ to the WAN on HTTPS |
| Block | TCP | * | * | LAN | * | Block all traffic from the DMZ to the LAN |
| Pass | UDP | * | 53 | Firewall | 53 | Allow traffic to port 53 (DNS) from the DMZ to the firewall itself |
| Pass | UDP | * | 123 | Firewall | 123 | Allow traffic to port 123 (NTP) from the DMZ to the firewall itself |
On the WAN interface, add firewall rules that block traffic from the WAN to the honeypot's SSH and dashboard ports. Keep the two block rules above the allow rule: OPNsense evaluates rules top-down and the first match wins.
| Action | Protocol | Source | Source Port | Destination | Dest. Port | Description |
|---|---|---|---|---|---|---|
| Block | TCP | * | * | DMZ | 54321 | Block all traffic from the WAN to the DMZ on SSH |
| Block | TCP | * | * | DMZ | 54322 | Block all traffic from the WAN to the DMZ on dashboard |
| Allow | TCP | * | * | DMZ | * | Allow all traffic from the WAN to the DMZ |
To use the blocklist feature of the honeypot, create an alias containing the blocklist's entries.
Add an alias of type URL Table (IPs) in Firewall → Aliases. As content set the honeypot's blocklist URL (e.g. http://172.168.0.2:54322/api/blocklist)
and set the refresh frequency to a suitable value (e.g. 0.02 hours = 1.2 minutes).
Add a firewall rule that uses this alias as the source to block traffic from the malicious IPs to the honeypot.
| Action | Protocol | Source | Source Port | Destination | Dest. Port | Description |
|---|---|---|---|---|---|---|
| Block | TCP | Alias | * | * | * | Block traffic from the malicious IPs to the honeypot |
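A URL Table (IPs) alias turns whatever the feed returns into firewall state, so it is worth checking the feed before pointing OPNsense at it. The following script is an added example, not code from the honeypot project or from OPNsense: it validates a feed in the one-entry-per-line format the alias type expects, drops malformed lines, rejects overly broad prefixes, and refuses any entry that overlaps the DMZ subnet from this guide (assumed as 172.16.0.0/24) so the alias can never block the honeypot or the firewall's own networks. The sample feed, the protected-network list and the prefix thresholds are constructed assumptions; replace them with the output of your blocklist URL and your own ranges.

```python
import ipaddress

# Networks that the alias must never contain, even if the honeypot reports an
# address inside them. Assumption: the DMZ subnet from this guide; extend the
# list with your LAN and management ranges.
PROTECTED_NETWORKS = [ipaddress.ip_network("172.16.0.0/24")]

# Prefixes shorter than these would block large parts of the internet, so they
# are treated as feed errors. The thresholds are an assumption; tune to taste.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_blocklist(text, protected=PROTECTED_NETWORKS):
    """Validate a URL Table (IPs) feed: one IPv4/IPv6 address or CIDR per line.

    Blank lines and lines starting with '#' or ';' are skipped; anything after
    the first whitespace on a line is treated as a comment. Returns
    (accepted, rejected): accepted is a de-duplicated list of entry strings in
    feed order, rejected is a list of (line_no, line, reason) tuples.
    """
    accepted, rejected, seen = [], [], set()
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        token = line.split()[0]
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((no, raw, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((no, raw, f"prefix /{net.prefixlen} is too broad"))
            continue
        hit = next((p for p in protected
                    if p.version == net.version and net.overlaps(p)), None)
        if hit is not None:
            rejected.append((no, raw, f"overlaps protected network {hit}"))
            continue
        if net in seen:
            continue  # exact duplicate, silently dropped
        seen.add(net)
        # Emit bare addresses for single hosts, CIDR notation otherwise.
        if net.prefixlen == net.max_prefixlen:
            accepted.append(str(net.network_address))
        else:
            accepted.append(net.with_prefixlen)
    return accepted, rejected


# Constructed sample feed (not real honeypot output), using documentation ranges.
SAMPLE_FEED = "\n".join([
    "# constructed sample feed",
    "203.0.113.7",
    "198.51.100.0/24",
    "172.16.0.2",          # inside the DMZ: would block the honeypot itself
    "0.0.0.0/0",           # would block everything
    "not-an-ip",
    "203.0.113.7",         # duplicate of line 2
    "2001:db8::1",
])


if __name__ == "__main__":
    ok, bad = parse_blocklist(SAMPLE_FEED)
    print("alias content:")
    print("\n".join(ok))
    for no, line, reason in bad:
        print(f"rejected line {no} ({reason}): {line}")
```

Run it against the body returned by the blocklist URL (for example saved with `curl` to a file and read into `parse_blocklist`) before the alias goes live, and again whenever the honeypot software is updated; a feed that starts emitting comments, JSON or private ranges will show up in the rejected list rather than in a firewall rule.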