Hello everyone.
Three days ago I installed OPNsense 22.7-amd64 and would like to make changes to the squid.conf file.
I read that you can do this in the squid directory: /usr/local/etc/squid/squid.conf
I have a problem, I don't know how to do it ;-(
Can my friends explain it to me like a child?
What should I do next? How do I get to this path - /usr/local/opnsense/service/templates/ - where can I find it and make changes to the squid.conf file?
Please give me a hint.
Quote from: ohara on February 19, 2023, 09:02:01 PM
For the OPNsense settings:
System: Settings: Administration: Secure Shell
Secure Shell Server: true
Login Group: wheel, admins
Root Login: true
Authentication Method: true
SSH port: 22
Listen Interfaces: LAN
Download PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) and use it to connect to your router.
If you are familiar with the vi editor in Linux (https://www.linuxjournal.com/content/how-use-vi-editor-linux), after logging in with PuTTY run:
sudo vi /usr/local/etc/squid/squid.conf
If you are not familiar with the vi editor, you may install nano (https://www.howtogeek.com/42980/the-beginners-guide-to-nano-the-linux-command-line-text-editor/) and use it as the editor:
pkg install nano
sudo nano /usr/local/etc/squid/squid.conf
If you want to edit /usr/local/opnsense/service/templates/squid.conf, simply change the path above.
Quote from: ohara on February 22, 2023, 01:29:04 AM
Hi Bunch, thank you very much for the clear hint. :)
Everything worked!
I am new to OPNsense, can I ask you for help in the future?
I am very interested in the topic: VPN -> OpenVPN: (like IP masquerading). Can I ask (you) questions on this topic?
I am also interested in topics related to Firewall -> Rules (when and how to use them).
postscript:
I'm 16 and just learning about this topic. :)
For the VPN-related topic: I only use IPsec and WireGuard now, and it is better to create another topic in the VPN board (https://forum.opnsense.org/index.php?board=36.0).
For firewall rules: since I don't know where this should be posted (maybe General discussion?), I will keep answering here. The WAN interface will block all incoming connections by default (except for sessions started by your clients).
When you open a port on the WAN interface (for example, you open a port for web hosting), there is a chance that a new vulnerability in the protocol is found and you are attacked before a hotfix is applied (zero-day attack). You want to reduce that chance, so you limit the IPs that can reach your services by using WAN rules.
For example, this list of IPs: https://rules.emergingthreats.net/blockrules/compromised-ips.txt
These IPs were found to be compromised; you can create a new alias in Firewall: Aliases:
Name: IPBlocklists
Type: URL Table (IPs)
Refresh Frequency: Any time you like, for example every 12 hours
Content: https://rules.emergingthreats.net/blockrules/compromised-ips.txt
(You may add more if you want)
Description: IP Blocklists
Then you create a rule in WAN:
Action: Block
Quick: true
Interface: WAN
Direction: in
TCP/IP Version: IPv4 (since I only have IPv4 connection from ISP and the list is IPv4 too)
Protocol: any
Source: IPBlocklists
Destination: any
Log: true (if you want to see how many connections are blocked by this rule)
Category: Block using Blocklist
(This is the name that shows in firewall log if you enabled log)
Description: Block using Blocklist
Then move the new block rule above the port-opening rule.
You may also reject LAN IPs from accessing those IPs:
Action: Reject
Quick: true
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: IPBlocklists
Log: true (if you want to see how many connections are blocked by this rule)
Category: Reject using Blocklist
(This is the name that shows in firewall log if you enabled log)
Description: Reject using Blocklist
The following are the lists that I used; some of them might be duplicated, and they could be too aggressive in some cases:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://feodotracker.abuse.ch/downloads/ipblocklist.txt
https://lists.blocklist.de/lists/all.txt
https://reputation.alienvault.com/reputation.generic
https://www.dan.me.uk/torlist/
https://www.spamhaus.org/drop/drop.txt
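An added example (not code from the thread or from OPNsense) that shows what the URL Table alias and the two rules above amount to: it parses list files in the formats those feeds use (one IP or CIDR per line, comments after # or ;), merges them with duplicates and overlapping prefixes collapsed, and then evaluates the WAN block-by-source and LAN reject-by-destination rules. The list contents are constructed samples, not the real feeds.

```python
# Added example: merge URL-table style blocklists and evaluate the two alias rules.
import ipaddress
from typing import Iterable

# Constructed sample list contents standing in for the downloaded feeds.
SAMPLE_LISTS = {
    "emerging-style": "# Compromised IPs (constructed sample)\n203.0.113.7\n203.0.113.8\n",
    "spamhaus-drop-style": "; DROP-style sample\n198.51.100.0/24 ; SBL000000\n203.0.113.7 ; duplicate\n",
    "firehol-style": "#\n# netset sample\n198.51.100.0/25\n192.0.2.0/24\n",
}

def parse_blocklist(text: str) -> set:
    """Return the IPv4 networks in one list; '#' and ';' start comments, blanks are skipped."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue            # malformed entry: skip it rather than drop the whole table
        if net.version == 4:    # the rules in the thread are IPv4-only
            nets.add(net)
    return nets

def merge_blocklists(lists: Iterable[str]) -> list:
    """Union of all lists with duplicates and overlapping prefixes collapsed."""
    all_nets = set().union(*(parse_blocklist(t) for t in lists))
    return list(ipaddress.collapse_addresses(all_nets))

def in_alias(ip: str, alias: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)

def decide(interface: str, src: str, dst: str, alias: list) -> str:
    """Mirror the two rules: WAN in -> block by source, LAN in -> reject by destination."""
    if interface == "WAN" and in_alias(src, alias):
        return "block"
    if interface == "LAN" and in_alias(dst, alias):
        return "reject"
    return "pass"    # falls through to the remaining rules (e.g. the port-opening rule)

if __name__ == "__main__":
    alias = merge_blocklists(SAMPLE_LISTS.values())
    print([str(n) for n in alias])
    print(decide("WAN", "203.0.113.7", "10.0.0.5", alias))
    print(decide("LAN", "10.0.0.5", "198.51.100.77", alias))
```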
Another example is to limit the countries that can access your service (VPN, for example).
My family will only travel between HK, UK and AUS, and I only allow them to access VPN service.
You may subscribe to GeoIP according to the OPNsense manual (https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html).
Then create an alias using GeoIP and select all countries except HK, UK and AUS.
Create a firewall rule that blocks the GeoIP alias, like the blocklist rule above (you can limit the destination port to your VPN port if you think that's too aggressive), and place it before the rule that opens the port for VPN.
*Don't create a LAN rule for GeoIP.
There are some advanced usages using port forwarding, etc.
You may take a look in Tutorials and FAQs (https://forum.opnsense.org/index.php?board=24.0)
Quote from: ohara on February 22, 2023, 11:58:36 AM
Bunch - you explain very clearly and extensively (big plus for you). :)
Once I digest what you wrote, I'll come back to the forum.
In the case of VPN, I will create a separate topic, but I have a short question: do you need to buy a VPS in the cloud to change the IP?
postscriptum: I was looking for someone like you. You have the patience to write and can explain clearly.
I don't think you need to do something like this.
The chance of VPS servers being attacked is not lower than for a home network. Thus, a VPS as a relay server won't bring you extra security.
If you have a dynamic IP from your ISP and you are afraid you cannot access your VPN after an IP change, you only need to set up DDNS.