So I checked the plugins on both my workstation and the clean computer, they are perfectly identical, and I then reset my cache on the workstation and rebuilt again. But still this machine produces the firewall popup, and is 120MB larger!
I've tested the IPs in firewall rules and they are getting denied. However I'm still receiving emails saying this IP is trying to log in to the honeypot admin. To do that, they have to be able to reach the page in the first place, then submit the form, which they shouldn't be able to do.
I am assuming that is why the IP is not blocked by the firewall. I've done a bit of a deep dive into the code for the honeypot site (which I'm not the author of), and it appears the IP address is obtained by ip_address=self.request.META.get('REMOTE_ADDR').
You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them.
Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these actions settings, see Stateless default actions in your firewall policy and Defining rule actions in AWS Network Firewall.
You can use the same or different logging destination for each log type. You enable logging for a firewall after you create it. For information about how to do this, see Updating a firewall's logging configuration.
If the firewall that's associated with the log uses TLS inspection and the firewall's traffic uses SSL/TLS, Network Firewall adds the custom field "tls_inspected": true to the log. If your firewall doesn't use TLS inspection, Network Firewall omits this field.
A log file or log stream generally contains information about the requests that your firewall received during a given time period. The timing of Network Firewall log delivery varies by location type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Kinesis Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs may take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the requests occurred, not the date and time when the logs are delivered.
You must have the following permissions to make any changes to your firewall logging configuration. These settings are included in the permissions requirements for each logging configuration type, under AWS Network Firewall logging destinations.
You are charged for Amazon CloudWatch vended logs, on top of the basic charges for using Network Firewall. Vended logs are specific AWS service logs published by AWS on your behalf at volume discount pricing. Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop or explicitly alert on. For information on CloudWatch vended log pricing, see Logs on the Amazon CloudWatch pricing page.
The images are a dead giveaway, these devices seem to just be a branded version of PCEngines APU1 (the ones with black USB 2.0 ports) and PCEngines APU2 (the ones with the blue USB 3.0 ports) mini-PC firewall/routers.
These devices are labeled SW301DA or SW302DA but it is unclear if that relates to the hardware inside, the only 100% sure way to tell them apart is the USB ports on the back. Since you probably want the APU2 ones because they are better, ALWAYS watch the photos and send a message to the seller to confirm that you are getting the ones with BLUE USB 3.0 ports.
PC Engines APU devices are generic mini PC firewalls with a BIOS so it's a good candidate for reuse with OpenWrt or pfSense OPNSense or IPFIre.
This is APU1 board
and this is APU2 board
The case also acts as a heatsink so it's a fanless device
afaik that just means that on BSD you can split the load of multiple connections on more than one core.
For example with i211AT you have two queues and this means that if you have two connections each gets executed by a different core. No you cannot split a single connection on multiple cores.
In this specific case (see below) each CPU core is strong enough to do the job with 2 cores with power to spare, so you don't really need more than two queues unless you somehow have some very large firewall rule list or something.
I linked up in the OP a couple articles from teklager (a seller of custom firewalls in EU) where both OpenWrt and IPFire (a Linux-based Firewall distro) are just routing at Gbit, single connection, multiple connections, no **** given.
While with the same APU2 on pfSense there is an article about "tweaks" like enabling the multiqueue support since by default it uses a single core and here a single core can only route like 600 Mbit with stock BIOS, and then installing Bios update to enable CPU boost to get more performance out of a single core, and even then a single connection is still capped at 850 Mbit regardless of queue size of the ethernet controller because that's the max a single core can do in this device even with CPU boost.
And the official docs here -firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/Architecture.html
say
XGS series appliances have a dual-processor architecture, which combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for hardware acceleration. The Xstream Flow Processor is a Network Processing Unit (NPU), which accelerates trusted traffic flow, freeing up resources on the host CPU for resource-intensive tasks, such as TLS inspection and deep packet inspection. After inspecting the initial packets in a connection, the x86 CPU offloads trusted traffic to Xstream FastPath, which runs on the dedicated Xstream Flow Processor specifically designed for FastPath operations.
If anyone else gets a model other than SG-105, please send PRs similar to this: -- the ports on the enclosures are marked in the weird order and the decision was made to keep the OpenWrt WAN/LAN ports according to markings on the enclosure.
AWS Network Firewall is a managed service that makes it easy to provide fine-grained network protections for all of your Amazon Virtual Private Clouds (Amazon VPCs) to ensure that your traffic is inspected, monitored, and logged. The firewall scales automatically with your network traffic, and offers built-in redundancies designed to provide high availability.
AWS Network Firewall offers a flexible rules engine that gives you the ability to write thousands of firewall rules for granular policy enforcement. It supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, AWS Network Firewall inspects the domain name provided by the Server Name Indicator (SNI) during the Transport Layer Security (TLS) handshake. Also, it offers an intrusion prevention system (IPS), which provides active traffic flow inspection to help you identify and block vulnerability exploits.
By following this blog post, part 1 in a 2-part series, you will deploy a demo AWS Network Firewall within your AWS account to interact, first-hand, with its rules engine. In part 2 of this series, we will discuss how you can incorporate stateful rule groups with strict rule order and ability to set one or more default actions.
Stateful rule inspection works differently. The stateful rules engine processes your rules in the order of their action setting, with pass rules processed first, then drop, then alert. The engine stops processing when it finds a match. The firewall also takes into consideration the order that the rules appear in the rule group, and the priority assigned to the rule, if any.
This is because the stateful engine is making a decision for the entire flow, not just for individual packets. After the flow is dropped, no other rules are evaluated for that flow. This behavior means rules that only match during later parts of a flow will not be evaluated.
Now, when your request to aws.amazon.com is made, the firewall will let the TCP handshake complete before evaluating the TCP drop rule. At this point, the rule action order will take precedence and the pass rule will match, allowing the rest of the traffic through for that flow.
When you launched the AWS CloudFormation template during the initial deployment steps, the firewall was pre-configured to send alert logs to Amazon CloudWatch Logs. You can see any filtering done by its stateful rule groups. The AWS Network Firewall can also be set up to use other logging destinations, such as Amazon Simple Storage Service (Amazon S3) and Amazon Kinesis Data Firehose.
Whenever I try to download Unreal Engine 5 through the Epic Games launcher it gets stuck at 21% saying there is a network error. I am currently on Epic Games support but I'm 90% sure this is something with our firewall. Any help would be greatly appreciated.
I suspect that the download is broken into multiple chunks that get downloaded separately. There are many ways this can be done, one of which is called a Range Request. The XG does not support range request because they are partial file downloads that cannot be virus scanned. In the activity log for web filter are there any status code 416?
If this still occurring the Exception listed should resolve it.
I would be curious if the setting here would also fix it. Please let us know if it does.
forums.unrealengine.com/.../380608