Open Vivekmauli14 opened 3 weeks ago
I have no idea if this integration is possible, but I doubt that OPNsense understands the SecRule language as it is. Let's wait for other comments...
@Vivekmauli14 OPNsense doesn't support ModSecurity. Although it does support NAXSI, it can't consume SecLang rules (which is what OWASP_CRS is written in). Somebody would have to create a ModSecurity package for OPNsense first before support for OWASP_CRS can be included in OPNsense.
pfSense is based on FreeBSD, right? I'm sure libmodsecurity3 and the Nginx connector can be built on FreeBSD too.
It seems there is a tutorial here on how to make a custom package - feel free to start it, and let me know if I can help you with anything.
@airween OPNsense is a fork of pfSense; they're pretty similar outside of a newer FreeBSD version and fancier GUI.
Thanks for the information, guys! You are right, OPNsense is based on FreeBSD 13.
Although this pkg is not available for FreeBSD: modsecurity-crs,
I have come across these packages:
modsecurity3-nginx-1.0.3.pkg and modsecurity3-3.0.12.pkg
Would this be helpful for my needs of including CoreRuleset?
I am concerned that Naxsi does not cover all the OWASP Top 10 mitigation rules. Although I have configured NAXSI on the WAF of my OPNsense, I am considering whether I can also add ModSecurity to enhance the security coverage.
Looking forward to your thoughts.
Thanks!
> Although this pkg is not available for FreeBSD: modsecurity-crs,

but you don't need to compile/build this source,

> I have come across these packages:
> modsecurity3-nginx-1.0.3.pkg and modsecurity3-3.0.12.pkg
> Would this be helpful for my needs of including CoreRuleset?

I assume yes, these would be enough. You just need to download the CRS and set it up.
OPNsense has a Caddy plugin: https://github.com/opnsense/plugins/tree/master/www/caddy
So you can compile Caddy with https://github.com/corazawaf/coraza-caddy. Compiling Caddy with additional modules uses this file: https://github.com/opnsense/tools/blob/2bf7af2b6de365a260e1678a36010b579fd59792/config/24.1/make.conf#L95
That would enable the modsecurity coreruleset when using caddy as reverse proxy on OPNsense.
Please note that I have no plans to build it into the GUI of the plugin, nor offer it precompiled in the binary.
It would be an individual effort on your side. I just wanted to say that there is a framework ready that can work if somebody wants to contribute it via PR and test it all.
I wanted to include the mod-security ruleset in the WAF (Nginx) of my OPNsense firewall for OWASP Top 10 security risks. Any idea or reference on how to do it?