[OPNsense] Disabling Autogeneration of Floating Rules #3047

Open
Ramalama2 opened this issue May 31, 2024 · 10 comments
Labels
kind/enhancement New feature or request needs/triage


Ramalama2 commented May 31, 2024

What would you like to be added?

/kind enhancement

Why is this needed?

EDIT: On pfSense it's possible, OPNsense is just missing it.
I'm on OPNsense 24.1.8.

I would like to define the rules, based on the CrowdSec alias, where I need them.
For example, I could easily whitelist IP ranges from blocking with aliases on OPNsense, before the CrowdSec blocking rule.
Not because I'm a hacker, but because I have a parser on my mail server that blocks failed login attempts pretty aggressively, and I don't want to ban myself out.
Or, for example, I want to whitelist Germany with a GEO-based IP list.

That doesn't work with the whitelist package; additionally, I'm not sure if the whitelist package gets updated from time to time on OPNsense and replaces my entries.
Managing the whitelist in the CLI is uncomfortable as hell as well, plus GEO is not possible.


@Ramalama2: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.


@Ramalama2: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind bug
  • /kind packaging

@LaurenceJJones
Contributor

@Ramalama2 the kind hook currently only runs for the CrowdSec team. Can you stop opening and closing issues, if that is what you're trying to achieve?

@LaurenceJJones LaurenceJJones added kind/enhancement New feature or request and removed needs/kind labels May 31, 2024
@Ramalama2
Author

> @Ramalama2 the kind hook currently only runs for the CrowdSec team. Can you stop opening and closing issues, if that is what you're trying to achieve?

Sorry, I stopped, but the message from the bot is somewhat misleading/confusing.
Sorry xD

@LaurenceJJones
Contributor

> > @Ramalama2 the kind hook currently only runs for the CrowdSec team. Can you stop opening and closing issues, if that is what you're trying to achieve?
>
> Sorry, I stopped, but the message from the bot is somewhat misleading/confusing. Sorry xD

Yeah, we just need to find time to fix the hook

@Ramalama2 Ramalama2 changed the title [Opn/PFsense] Disabling Autogeneration of Floating Rules [OPNsense] Disabling Autogeneration of Floating Rules May 31, 2024
@Ramalama2
Author

Ramalama2 commented Jun 2, 2024

May I ask why that's available for pfSense, but not OPNsense at the moment...
Is there generally a reason you prefer pfSense?
For me it's basically the same, so I could just switch and it wouldn't matter about this here, because it looks to me like no one is interested in that except me anyway, lol
Otherwise this would have been requested much earlier.

Cheers

@LaurenceJJones
Contributor

LaurenceJJones commented Jun 3, 2024

> May I ask why that's available for pfSense, but not OPNsense at the moment...
> Is there generally a reason you prefer pfSense?
> For me it's basically the same, so I could just switch and it wouldn't matter about this here, because it looks to me like no one is interested in that except me anyway, lol
> Otherwise this would have been requested much earlier.
>
> Cheers

OPNsense was developed first, so we don't have any bias towards either of them. The reason is simply that it was added as an option in pfSense, but then we never backported it to OPNsense, since they use different code bases.

@Ramalama2
Author

Ramalama2 commented Jun 3, 2024

> > May I ask why that's available for pfSense, but not OPNsense at the moment...
> > Is there generally a reason you prefer pfSense?
> > For me it's basically the same, so I could just switch and it wouldn't matter about this here, because it looks to me like no one is interested in that except me anyway, lol
> > Otherwise this would have been requested much earlier.
> > Cheers
>
> OPNsense was developed first, so we don't have any bias towards either of them. The reason is simply that it was added as an option in pfSense, but then we never backported it to OPNsense, since they use different code bases.

I understand, thanks for clarifying!
Then I'll wait till you guys have time for that.

As that may take very long, I have just one last question: if I use the whitelist parser, is it persistent, or is there a possibility that the YAML gets replaced on updates?
If it's persistent, then I'm gonna simply use that in the meantime.
Thanks Laurence for your effort and fast replies here :-)

@mmetc
Contributor

mmetc commented Aug 29, 2024

sure - package updates don't overwrite the configuration, save for a few parameters

@Ramalama2
Author

> sure - package updates don't overwrite the configuration, save for a few parameters

Thanks! But since June I found that out too xD
In the meantime I'm even pretty okay with the autogenerated rules :-)

Thank you for the effort :-)
