I’m still new to crowdsec and a bit confused how blocklists are handled.
My setup, with 3 machines:
LAPI on a dedicated machine
Parser on my reverse-proxy machine, with Caddy
Bouncer + parser on my OPNsense firewall router
I have subscribed to some blocklists via the Hub, on “myCrowdsecLan”, which is my multi-machine name. I can see the blocklists synced on the LAPI with cscli metrics.
My issue: decisions (from Caddy http-probing, http-crawl...) are taken, and I receive alerts for IPs that are on those blocklists.
I would’ve expected the IPs to be blocked by my firewall bouncer. But as I understand, blocklists are only made available to Lapi and not bouncers.
How can I block IPs as soon as they reach the firewall, instead of waiting for Caddy to trigger a decision + alert?
If OPNsense is connected to the internal LAPI, then it will get the decisions to block the IP address. However, since this is on the HTTP layer, do you use Cloudflare or another CDN service? If you have "proxy" enabled, then OPNsense can only see the Cloudflare IP connecting at layer 3/4, hence why it can retrigger, since it's not blocked at that level.
The OPNsense bouncer is correctly connected to the internal LAPI.
I’m not behind Cloudflare or any CDN. OPNsense has a public IPv4 address.
OPNsense is able to block IPs from some countries with a GeoLite2 list, so I guess the bouncer should be able to do the same.
The cscli metrics on OPNsense don’t show the blocklist, but I guess that’s expected since it’s only listed on the LAPI.
Still, the blocklist must be stored somewhere on OPNsense. Can I view it somehow? I’m using the OPNsense plugin, so an SQLite DB, I guess.
OK, I confirm there is an alias for CrowdSec-blocked IPs, and the firewall rules are there too.
I don’t know how to inspect it in more detail, but the number of IPs in the alias suggests all my blocklists are correctly synced.
I guess I’m witnessing a cat-and-mouse game, with IPs being added to and removed from the FireHOL blocklist often, and/or me getting an unknown amount of IPs from the community list. But that’s the free-plan trade-off, I guess.
So everything seems to be working as expected. Sorry for the noise. I just need to figure out better alerts to avoid fatigue. Thanks for your help.
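An added example, not code from this thread or from the CrowdSec project, that covers two points raised above: which decisions a bouncer such as the OPNsense plugin actually pulls from the LAPI (the original question), and, for the alert-fatigue remark in the last post, which locally triggered decisions concern IPs that a subscribed blocklist already covered. It assumes the `{"new": [...], "deleted": [...]}` shape of the LAPI decision-stream response with per-decision `origin`, `scenario`, `scope`, `value`, `type` and `duration` fields, and that blocklist decisions carry origin `lists` (scenario = list name) while the community list uses origin `CAPI`; the list names and addresses in the sample are constructed.

```python
"""Summarise a CrowdSec LAPI decision stream and find local decisions whose
IP was already covered by a blocklist decision.

Added example, not CrowdSec's own code. The stream shape, field names and
origin values ("lists", "CAPI", "crowdsec") are assumptions about the LAPI
decision-stream endpoint; all sample data below is constructed.
"""
from __future__ import annotations

import ipaddress
import json
from collections import Counter

# Constructed sample of one stream response, as a bouncer would receive it.
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "origin": "lists", "scenario": "firehol_cybercrime_tracker",
         "scope": "Ip", "value": "203.0.113.7", "type": "ban", "duration": "23h59m"},
        {"id": 2, "origin": "lists", "scenario": "example_blocklist",
         "scope": "Range", "value": "198.51.100.0/24", "type": "ban", "duration": "23h59m"},
        {"id": 3, "origin": "CAPI", "scenario": "crowdsecurity/http-probing",
         "scope": "Ip", "value": "192.0.2.10", "type": "ban", "duration": "167h"},
        {"id": 4, "origin": "crowdsec", "scenario": "crowdsecurity/http-crawl-non_statics",
         "scope": "Ip", "value": "203.0.113.7", "type": "ban", "duration": "3h59m"},
        {"id": 5, "origin": "crowdsec", "scenario": "crowdsecurity/http-probing",
         "scope": "Ip", "value": "192.0.2.99", "type": "ban", "duration": "3h59m"},
    ],
    "deleted": [
        {"id": 5, "origin": "crowdsec", "scenario": "crowdsecurity/http-probing",
         "scope": "Ip", "value": "192.0.2.99", "type": "ban", "duration": "0s"},
    ],
})

# Origins whose decisions come from the LAPI's subscriptions rather than from
# a local scenario (assumption: "lists" = Hub blocklists, "CAPI" = community list).
REMOTE_ORIGINS = ("lists", "CAPI")


def active_decisions(stream_text: str) -> list[dict]:
    """Decisions a bouncer would enforce after applying one stream response:
    everything under "new" whose id is not also listed under "deleted"."""
    stream = json.loads(stream_text)
    deleted_ids = {d["id"] for d in stream.get("deleted", [])}
    return [d for d in stream.get("new", []) if d["id"] not in deleted_ids]


def decisions_by_origin(decisions: list[dict]) -> Counter:
    """Count active decisions per origin; the 'lists' count is what the OPNsense
    alias should reflect even though cscli metrics there does not show it."""
    return Counter(d["origin"] for d in decisions)


def blocklist_networks(decisions: list[dict]) -> list[tuple[ipaddress._BaseNetwork, str]]:
    """Networks covered by remote-origin decisions, paired with the list name.
    Scope "Ip" becomes a /32 (or /128); scope "Range" is parsed as CIDR."""
    nets = []
    for d in decisions:
        if d["origin"] not in REMOTE_ORIGINS or d["scope"] not in ("Ip", "Range"):
            continue
        nets.append((ipaddress.ip_network(d["value"], strict=False), d["scenario"]))
    return nets


def already_covered(ip: str, nets: list[tuple[ipaddress._BaseNetwork, str]]) -> str | None:
    """Name of the first blocklist whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, name in nets:
        if addr.version == net.version and addr in net:
            return name
    return None


def local_alerts_already_listed(decisions: list[dict]) -> dict[str, str]:
    """Map each locally triggered (origin 'crowdsec') IP decision to the
    blocklist that already covered it: these are the alerts worth suppressing."""
    nets = blocklist_networks(decisions)
    result = {}
    for d in decisions:
        if d["origin"] == "crowdsec" and d["scope"] == "Ip":
            covering = already_covered(d["value"], nets)
            if covering:
                result[d["value"]] = covering
    return result


if __name__ == "__main__":
    decs = active_decisions(SAMPLE_STREAM)
    print("active decisions by origin:", dict(decisions_by_origin(decs)))
    for ip, lst in local_alerts_already_listed(decs).items():
        print(f"local alert on {ip} was already covered by blocklist {lst}")
```

To run it against a real LAPI you would replace `SAMPLE_STREAM` with the body returned to a bouncer API key from the decision-stream endpoint; a local decision whose IP `already_covered` reports as listed is the case the thread describes, and is a good candidate for filtering out of the notification channel rather than paging on.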