diff --git a/source/manual/how-tos/ips-bypass.rst b/source/manual/how-tos/ips-bypass.rst index 66f20a3b..3feaa29b 100644 --- a/source/manual/how-tos/ips-bypass.rst +++ b/source/manual/how-tos/ips-bypass.rst @@ -1,21 +1,21 @@ ========================== -IPS Bypass local traffic +IPS - Bypass local traffic from inspection ========================== -This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external and internal networks. +This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks. + +* Benefit: There will be faster routing performance between local attached networks when Intrusion Detection is enabled in IPS mode. +* Potential Risk: **Internal traffic** between local attached networks **WON'T be inspected anymore**, so use this with care! ------------- Prerequisites ------------- -.. Note:: - - Some features described on this page were added in version 27.X. - Always keep your system up to date. +* Some features described on this page were added in the latest version. Always keep your system up to date. +* Intrusion Detection should be **Enabled** and **IPS mode** selected. +* There should only be **internal networks** selected in **Interfaces** (LAN, OPT1 etc..), not the WAN interfaces. -To start go to :menuselection:`Services --> Intrusion Detection` - -|ids_menu| +To start go to :menuselection:`Services --> Intrusion Detection --> Administration`. ------------ User defined 
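Review bot: The title overline and underline in this hunk stay at 26 `=` characters (they are unchanged context lines) while the new title `IPS - Bypass local traffic from inspection` is 42 characters long; docutils reports an overlined title that is longer than its overline/underline as "Title overline too short", and the page heading will not render, so both lines need to be extended to at least the title length, e.g. `==========================================`. Two smaller points in the same hunk: replacing the "added in version 27.X" note with "added in the latest version" trades a concrete, checkable version reference for wording that goes stale with every release, so keep the actual version number in which the Bypass option appeared; and "(LAN, OPT1 etc..)" should read "(LAN, OPT1, etc.)".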
@@ -26,23 +26,35 @@ Select the tab **User defined**. |ids_tabs_user| ----------------- -Create a new Rule +Create new Rules ----------------- -Select |add| to add a new rule. -Create a rule for each of the RFC1918 Private IPv4 address ranges. If you use IPv6, create an additional rule for your IPv6 Prefix. +Select |add| to add a new rule. ------------------ -Example Rules ------------------ +* Input the **Source IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56`` +* Input the **Destination IP** as IP with CIDR-Suffix or Prefix, e.g. ``10.0.0.0/8`` or ``2003:a:a:a::/56`` +* Select the **Action** as *Pass* +* Enable the **Bypass** checkbox + +|ips_bypass_1| -.. image:: images/ips_bypass_rule_1.png +* Repeat the above step to create rules between each of the RFC1918 Private IPv4 subnets. (``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``). This will result in 9 rules. +* If you use IPv6, create additional rules between your IPv6 Prefixes. You can find them in :menuselection:`Interfaces --> Overview` at IPv6 prefix of the selected WAN interface. (e.g ``2003:a:a:a::/56``) +|ips_bypass_2| ------------------- Apply configuration ------------------- + First apply the configuration by pressing the **Apply** button at the bottom of the form. -.. image:: images/applybtn.png +.. + +.. |ids_menu| image:: images/ids_menu.png +.. |ids_tabs_user| image:: images/ids_tabs_user.png +.. |add| image:: images/ids_tabs_user_add.png +.. |ips_bypass_1| image:: images/ips_bypass_rule_1.png +.. |ips_bypass_2| image:: images/ips_bypass_rule_2.png +.. |apply| image:: images/applybtn.png
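Review bot: The IPv6 example `2003:a:a:a::/56`, used three times in this hunk, is not a valid network address for a /56: the low byte of the fourth hextet (`a`) lies in the host bits, so the prefix it actually denotes is `2003:a:a::/56`, and `2003::/16` is allocated, publicly routed address space; the examples should use the RFC 3849 documentation prefix with the host bits cleared, e.g. `2001:db8::/56` or `2001:db8:0:a00::/56` (also "e.g 2003:a:a:a::/56" is missing the period in "e.g."). Separately, the substitution definitions added at the end of the hunk for `|ids_menu|` and `|apply|` are no longer referenced anywhere: the `|ids_menu|` reference was removed from the Prerequisites section in the first hunk, and the apply step now only says "pressing the **Apply** button" after the `.. image:: images/applybtn.png` line was dropped. Either put `|apply|` back into that sentence so the screenshot is kept, or delete both unused definitions; the bare `..` line above them is an empty comment and can go too. The "9 rules" count for the three RFC1918 ranges (3 sources x 3 destinations) is correct.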