Turning OPNsense IDS from Passive to Active in 30 Minutes with AI — Stop Ignoring Your Firewall
Installing a firewall and enabling IDS is not the same as being protected. I enabled Suricata IDS on OPNsense and left it alone for months. When I finally checked, there were 65 alerts — every single one marked allowed. Attacks and legitimate traffic were passing through without distinction.
I used AI with the OPNsense REST API to go from that state to an active blocking posture — full system assessment, DROP rules applied, legitimate traffic suppressed, and cron automation enabled — in about 30 minutes.
22
Attacks Blocked
2,310
DROP Rules Active
30 min
Time with AI
Daily
Auto Rule Updates
1Is Enabling IDS Enough?
OPNsense ships with a Suricata-based IDS/IPS. You enable it in the menu, download rulesets, and alerts start accumulating. Many setups stop there.
The problem is that IDS only detects — prevention requires separate configuration. By default, suspicious packets are logged but allowed through. That is why months of IDS operation can produce zero actual blocks.
State Before Review
65 IDS alerts — all allowed. Attacks and legitimate traffic were receiving identical treatment. DROP rules: 0. Rule files: not updated in over 3 months.
2Three Reasons IDS Doesn’t Block Anything
Changing Policy Action to Drop doesn't apply to rule files
Switching the Policy Action from Alert to Drop in the OPNsense GUI saves the setting but does not regenerate the rule file. You must run configctl ids update for the change to take effect at the packet level. Saving a setting and applying it are two separate steps.
Automatic rule update cron is disabled by default
IDS effectiveness depends entirely on the freshness of its rule files. Without enabling the cron job at installation time, the original downloaded rules stay in place for months. New CVE detection signatures are never added.
Legitimate traffic isn't suppressed
SSH connections from backup servers and npm package downloads from GitHub CDN both trigger IDS rules. Blanket DROP enforcement without suppress rules blocks these too. Without classifying traffic first, an active IDS posture is unusable in production.
3Setup — SSH Key Registration and API Access
Giving AI direct control over OPNsense requires two access paths: SSH for running commands directly, and the REST API for configuration changes.
SSH Key Registration
Copy your public key, then paste it into the OPNsense web GUI under System → Access → Users → root → Authorized keys. Straightforward in principle, but OPNsense runs on FreeBSD which has a few gotchas.
FreeBSD Notes
sed -idoes not work (BSD sed differs from GNU sed)- Default shell is
csh, not bash — watch out when running shell scripts - Package manager is
pkg, notapt - Editing authorized keys through the GUI is the safest approach
API Key Generation
In the OPNsense web GUI, go to System → Access → Users and open the API tab to generate an API Key and Secret. The secret is shown only once at download time — store it immediately.
4Using the OPNsense API
Nearly every OPNsense function is accessible via REST API. Passing API_KEY and API_SECRET as environment variables lets AI query firewall state and apply changes with single curl calls.
# Base configuration
API="https://192.168.1.1/api"
AUTH="$API_KEY:$API_SECRET"
# Check firmware status
curl -sk "$API/core/firmware/status" -u "$AUTH"
# Query IDS alerts (latest 100)
curl -sk "$API/ids/service/queryAlerts" \
-u "$AUTH" -X POST \
-d '{"current":1,"rowCount":100}'
# Apply rule updates
curl -sk "$API/ids/service/updateRules" \
-u "$AUTH" -X POST
# Restart IDS service
curl -sk "$API/ids/service/restart" \
-u "$AUTH" -X POSTAI calls these endpoints in sequence — query current state, apply changes, verify results. The feedback loop is much faster and more consistent than clicking through the GUI.
Self-Signed Certificate
OPNsense uses a self-signed certificate by default. The -k flag in curl -sk skips certificate verification. Risk is low since access is restricted to the internal network.
5What AI Did Step by Step
I gave AI the API credentials and asked it to assess the firewall’s security posture and build an active blocking configuration. Over about 30 minutes of conversation, it worked through the following sequence.
Full System Assessment
Queried firmware version, interface configuration, gateway status, all 65 IDS alerts, NAT rules, WireGuard VPN status, and ZFS pool health in one pass.
Alert Classification — 65 Alerts Analyzed
Separated alerts into genuine external attacks (CVE exploits, port scans, Zmap) and legitimate traffic (internal backup SSH, GitHub npm CDN). Identified what to block and what to suppress.
Policy Change and Rule Update
Changed Policy Action from Alert to Drop, then called ids/service/updateRules to regenerate rule files. This activated 2,310 DROP rules.
Suppress Legitimate Traffic
Registered suppress rules for SSH connections from two external backup servers (sig_id 2001978) and GitHub Actions SSH (20.200.245.247) to eliminate false positive alerts.
Enable Automatic Rule Update Cron
Activated daily cron at 00:00 to auto-update IDS rules. New CVE detection signatures will now be applied automatically going forward.
6Results After Configuration
The before/after contrast is clear. 65 alerts all passing through became 22 blocked and 15 allowed — only legitimate traffic getting through.
| Item | Before | After |
|---|---|---|
| IDS Alert Handling | 65 alerts, all allowed | 22 blocked, 15 allowed |
| DROP Rules | None applied (0) | 2,310 active |
| Rule Updates | Manual (3+ months stale) | Daily at 00:00, automated |
| Legitimate Traffic | Unclassified | 3 suppress rules applied |
| Audit Records | None | Dated Markdown files |
Suppress Configuration Example
sig_id 2001978 is the “ET POLICY SSH session in progress on non-standard port” rule. Two external backup servers connect via SSH and consistently triggered this rule. Since this is legitimate traffic, only those specific destination IPs are exempted.
# OPNsense IDS Suppress Rules suppress gen_id 1, sig_id 2001978, track by_dst, ip 14.51.225.150 # Backup server A suppress gen_id 1, sig_id 2001978, track by_dst, ip 211.213.5.223 # Backup server B suppress gen_id 1, sig_id 2001978, track by_dst, ip 20.200.245.247 # GitHub SSH
7Real Attacks Blocked
Blocking started immediately after DROP rules were applied. The following attacks targeting our public IP (218.48.87.25) were blocked by IDS.
Blocked Attacks
| Source IP | Country / Origin | Attack Type | Result |
|---|---|---|---|
| 188.132.249.102 | Turkey | CVE-2020-10173 Command Injection | blocked |
| 86.183.56.241 | United Kingdom | CVE-2020-10173 Command Injection | blocked |
| 102.210.56.230 | Africa | CVE-2020-10173 Command Injection | blocked |
| 20.65.195.112 | Azure | Zmap Port Scan | blocked |
| 45.33.109.8 | Linode | Zmap Port Scan | blocked |
| 40.76.124.166 | Azure | Zmap Port Scan | blocked |
| 172.202.118.20 | Azure | Zmap Port Scan | blocked |
Legitimate Traffic (Allowed)
| Source IP | Purpose | Result |
|---|---|---|
| 199.232.162.172 | GitHub CDN (npm package downloads) | allowed |
| 3.129.187.38 | SSH on port 443 — informational detection, no block needed | allowed |
What is CVE-2020-10173?
A Command Injection vulnerability in the Comtrend VR-3033 router, disclosed in 2020. Scanning activity is still ongoing from Turkey, the UK, Africa, and elsewhere — five years after the CVE was published. Without an up-to-date rule file, this attack wouldn’t even be detected.
8Firewall Management Tips
Don’t put emerging-policy.rules in DROP
Emerging Threats’ emerging-policy.rules contains informational rules — SSH session detection, ZIP files containing EXEs, and similar. Including this ruleset in a DROP policy blocks normal SSH connections and file downloads. Keep it as Alert-only or exclude it entirely.
# Informational ruleset — Alert only, not DROP emerging-policy.rules → Action: Alert (not DROP) emerging-exploit.rules → Action: Drop (real attack signatures) emerging-scan.rules → Action: Drop (port scan detection)
Record Review Results in Dated Markdown Files
Keeping dated Markdown files for each firewall review session pays off in two ways: records are immediately available for security audits, and attack pattern changes become visible over time.
# Review log structure firewall-review/ ├── 2026-04-06.md ← IDS activated, 2310 DROP rules, 3 suppress entries ├── 2026-05-01.md └── 2026-06-01.md
IDS Review Cadence
Summary
There is a meaningful gap between having IDS enabled and having it actually work. Applying the policy change with a rule file regeneration, enabling the update cron, and handling suppress rules — skip any of these three and IDS is just a log collector.
All three can be done in 30 minutes with AI and the OPNsense API. Alert classification, suppress configuration, and cron activation all happen in sequence. Adding an AI-assisted review to a monthly maintenance routine cuts the overhead of firewall management significantly.
Comments
(0)Log in to leave a comment.
Related Posts
© 2026 TreeRU. All rights reserved.
All content is copyrighted by TreeRU. Unauthorized reproduction without attribution is prohibited.