OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Beeblebrox on July 20, 2017, 10:44:22 am

Title: Odd connection problem with re0
Post by: Beeblebrox on July 20, 2017, 10:44:22 am

Hello. Long time FreeBSD user, just installed OPNs and have a strange problem. Box is 32Bit, re0=LAN, vr0=WAN. No VLAN/OPT.

1. LAN (re0) loses connectivity and cannot send or receive pings (from the box: "ping: sendto invalid argument"). Changing the NIC or PCI slot or disabling pf made no difference. By the same token, the web-gui is unreachable from LAN, but reachable from WAN with pf disabled. I see "Configuring PHP: unable to connect to configd socket (@/var/run/configd.socket)", IDK whether that's relevant. Strangely, LAN clients are able to get a dhcp lease, but of course cannot connect outside.

Some other questions:
2. I have a slightly alternate HDD setup and need requires=mount before any OPNs scripts are called. rcorder is not available, where and how can I modify this (possibly related to #1)?

3. Already have /tmp as tmpfs & swap mounted via fstab. I assume selecting the same via Web-GUI is redundant? Also, is it safe to set "clear_tmp_enable" in /etc/rc.conf?

4. I don't need syslogd to listen, but "-ss" flag in rc.conf has no effect.

5. Is it possible to disable IPv6 for all services, or will this break stuff?

6. The repo does not have packages for www/py-searx, security/obfsclient, security/tcpcrypt

7. I'd like to filter traffic exiting squid using www/privoxy. If I edit squid.conf for forward rule, I assume web-gui will overwrite any changes made. What's the solution?

Thanks for the help
Title: Re: Odd connection problem with re0
Post by: Beeblebrox on July 21, 2017, 07:53:00 am
I figured out the problem source for issues 1 & 2. It's the "pkg upgrade" process that pulls in one of the OPNs custom packages. System behaves normally without the upgrade.
uname: 11.0-RELEASE-p8 #0 e84bb9532(stable/17.1): Sun Mar 26 15:30:53 CEST 2017
Relevant pkg versions:
opnsense-17.1.4
opnsense-update-17.1.4
opnsense-lang-17.1.4
Looks like other threads refer to this problem as well.
Title: Re: Odd connection problem with re0
Post by: bartjsmit on July 21, 2017, 08:26:26 am
Are you still on 17.1.4? There have been improvements to the Realtek stack in later versions. It is maybe worthwhile to image the current state and see if you can fix it with an upgrade to 17.1.10.

Bart...
Title: Re: Odd connection problem with re0
Post by: Beeblebrox on July 21, 2017, 10:12:01 am
The upgrade to 17.1.10 is exactly what caused the problem. 17.1.4 is running normally. I did 20-something re-installs before identifying the problem (thankfully I had a clean tar file to push).

* I direct your attention to problem #2 as well: Mount assets before invoking configd. I saw this in 17.1.10, but it is not a problem in 17.1.4.

* I'm configuring some jailed services (ezjail) from tarred OPNsense folders and mounting /usr/local as null -ro to the jails. configd starts up in the jail because etc/rc.d/configd does not have an enable option. IMHO it should be as below so that configd_enable="NO" can be set:
@@ -12,1 +12,3 @@
- name=configd
+ name=configd
+ rcvar=configd_enable
+ : ${configd_enable="YES"}
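Review bot: the default on the last added line, `: ${configd_enable="YES"}`, uses `=` where rc.subr scripts conventionally use `:=` (`: ${configd_enable:="YES"}`), so that an rc.conf entry that sets the variable to an empty string also falls back to YES instead of leaving `checkyesno` with an empty value. Since the hunk only shows the `name=` line, also confirm that the script calls `load_rc_config $name` before `run_rc_command`; the new `rcvar=configd_enable` only has an effect once /etc/rc.conf has been read.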
Title: Re: Odd connection problem with re0
Post by: franco on July 21, 2017, 10:56:04 am
Hi Beeblebrox,

https://github.com/opnsense/core/commit/e5b0401626

Thanks, merged. That also helps with builds in the future.

2. configd is started from here: https://github.com/opnsense/core/blob/master/src/etc/rc.syshook.d/10-configd.early

you can add your own script with a higher priority, just prefix with 0X-mount.early, but note there is also a 05-update.early script.

3. you don't need to set it twice, right. /tmp is always cleaned from our scripts. clear_tmp_enable is not even evaluated maybe.

4. syslog integration is -- special -- see https://github.com/opnsense/core/blob/master/src/etc/inc/system.inc#L901 -- not sure what to do.

5. it breaks stuff. squid most notably. it's better to use the ipv6 all block feature inside pf set by firewall: settings: advanced.

6. please add a ticket to https://github.com/opnsense/tools/issues

7. squid has custom hook directories:

/usr/local/etc/squid/pre-auth/
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L274

/usr/local/etc/squid/auth/
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf#L120

/usr/local/etc/squid/post-auth/
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf#L284

Cheers,
Franco
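Franco's point 2 above says an early syshook script can run ahead of 10-configd.early. The following is an added example of such a hook and is not OPNsense's own code: the file name 00-mount.early, the two mount points and the fstab entries it relies on are assumptions for illustration. The mount check uses df, so it behaves the same on FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not OPNsense code): an rc.syshook.d "early" hook that makes
# sure filesystems are mounted before 10-configd.early starts configd.
# Assumptions: installed as /usr/local/etc/rc.syshook.d/00-mount.early
# (any prefix that sorts before 10-, and before 05-update.early if updates
# also need the assets, will do), executable, and each mount point has an
# /etc/fstab entry so that "mount <mountpoint>" works.

MOUNTPOINTS="/usr/local/jails /var/db/opnsense"   # assumed paths for illustration

# Return 0 if the given directory is currently a mount point, 1 otherwise.
# "df -P <path>" prints the mount point of the filesystem holding <path> in
# the 6th column of its second line; it equals the path only for mount points.
is_mounted() {
    mp="$1"
    [ -d "$mp" ] || return 1
    [ "$(df -P "$mp" 2>/dev/null | awk 'NR == 2 { print $6 }')" = "$mp" ]
}

# Mount a path from fstab if it is not already mounted; return 0 on success.
ensure_mounted() {
    mp="$1"
    if is_mounted "$mp"; then
        return 0
    fi
    if mount "$mp"; then
        logger -t syshook-mount "mounted $mp before configd"
        return 0
    fi
    logger -t syshook-mount "FAILED to mount $mp; configd may start with missing assets"
    return 1
}

# Print how many of the given paths are not mounted (0 means all are present).
count_unmounted() {
    n=0
    for mp in "$@"; do
        is_mounted "$mp" || n=$((n + 1))
    done
    echo "$n"
}

main() {
    rc=0
    for mp in $MOUNTPOINTS; do
        ensure_mounted "$mp" || rc=1
    done
    exit $rc
}

# Only run the hook body when executed under its syshook name, not when sourced.
case "$0" in
    *.early) main ;;
esac
```

A non-zero exit only records the failure through logger; OPNsense's syshook runner still continues to the next script, so the log line is what tells you configd started without the assets.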
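For point 7, the following is an added example, not OPNsense's or squid's own code, of using the post-auth hook directory to forward traffic to privoxy without editing the generated squid.conf. Assumptions: privoxy listens on 127.0.0.1:8118 (privoxy's default port), the drop-in is named 20-privoxy.conf, and the hook directory is included as *.conf files (check the template line Franco links for the exact include pattern).

```shell
#!/bin/sh
# Added example (not OPNsense/squid code): install a squid drop-in in the
# post-auth hook directory that sends every request through a local privoxy.
# Assumptions: privoxy on 127.0.0.1:8118, file name 20-privoxy.conf, the
# hook directory includes *.conf, and the script is run as root with --install.

HOOK_DIR="${HOOK_DIR:-/usr/local/etc/squid/post-auth}"
PRIVOXY_HOST="${PRIVOXY_HOST:-127.0.0.1}"
PRIVOXY_PORT="${PRIVOXY_PORT:-8118}"

# Print the squid directives. cache_peer declares privoxy as a parent proxy
# (no ICP queries, no cache digests); never_direct forces every request through
# that peer instead of letting squid fetch from the origin server itself.
render_forward_fragment() {
    host="$1"; port="$2"
    cat <<EOF
# Generated drop-in: send all traffic through privoxy at ${host}:${port}
cache_peer ${host} parent ${port} 0 no-query no-digest default name=privoxy
never_direct allow all
EOF
}

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write the fragment into the hook directory; returns 1 and touches nothing
# if the port is invalid.
install_fragment() {
    dir="$1"; host="$2"; port="$3"
    valid_port "$port" || return 1
    mkdir -p "$dir"
    render_forward_fragment "$host" "$port" > "$dir/20-privoxy.conf"
    chmod 0644 "$dir/20-privoxy.conf"
}

# Run as a script: install, then let squid validate and reload the combined config.
if [ "${1:-}" = "--install" ]; then
    install_fragment "$HOOK_DIR" "$PRIVOXY_HOST" "$PRIVOXY_PORT" || exit 1
    squid -k parse && squid -k reconfigure
fi
```

"squid -k parse" reports any directive the generated template does not accept before the reload is attempted. Privoxy itself must not be configured to forward back to squid, otherwise requests loop between the two.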
Title: Re: Odd connection problem with re0
Post by: Beeblebrox on July 21, 2017, 07:41:26 pm
Thank you for the info. Quite useful & helps a lot.

Sorry to bother the forum with another question, but I have limited experience on the following topic: There seems to be capability overlap with IDS/IPS vs squid/c-icap for AntiVirus and malware protection.

Obviously IDS/IPS does not provide AV scanning, security/clamav & www/squidclamav do this, but clamd can protect against phishing, do md5 document hash checks and a number of other things, hence my overlap comment.

I've read several forum threads re clamav and understand that it's not considered part of OPNs core mission. However, a plugin for it does not exist either. I've also seen suggestions to place the AV-scanner as a part of IPS and not use squid for this at all. Finally there's the razorback toolset that looks quite comprehensive, including AV scanning. In summary, I'm a bit confused on this topic.

BTW, the Setup Anti Virus Protection (https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html) how-to looks quite outdated and installing Symantec Protection Engine is nowhere near "straightforward".
Title: Re: Odd connection problem with re0
Post by: franco on July 24, 2017, 07:24:50 pm
Hi Beeblebrox,

I'm not entirely sure I understood your question. Usage of those tools heavily depends on your requirements. To elaborate:

IDS/IPS is useful for bulk scanning and detection in larger streaming scenarios. It has limits but usually if you have (too) much traffic to push through a proxy or have to sustain better privacy that is a better option.

If you go further, you have the proxy for specific protocols and requests, but you intrude more on a specific subset of your traffic for (valid) reasons. It can also put more load on the server.

Finally, ICAP can come in where the proxy itself stops being useful, namely application content, files transferred over the internet. This goes for web pages and mails as well. Clamav is a solid solution. There are others, but you want free updates and a sustainable software underneath that is regularly updated.

We don't have these things in OPNsense directly, but there is no reason they wouldn't eventually start being taken up as plugins, given that users become contributors that help sketch and maybe maintain said plugins. While not being part of a core mission, they are very much security related.
Cheers,
Franco
Title: Re: Odd connection problem with re0
Post by: Beeblebrox on July 26, 2017, 01:25:05 pm
Thanks Franco, I have limited experience with IDS systems, so I was a bit confused by the thing. I realize I ran a little off-topic with my questions and it's very kind of you to answer them. I'll open a separate thread for any further.

One small thing about re0:
re0_vlan1 (OPT1) has 192.168.1.230/28 and LAN is 192.168.1.1/25. Jails using interface re0_vlan1 start getting IPs from 192.168.1.231/32 and on up. The very first jail to start throws the error below:

    ifa_maintain_loopback_route: insertion failed for interface re0_vlan1
    ifconfig: ioctl (SIOCAIFADDR) file exists

Subsequent jail starts have no problem. As an example, with

    jail_enable="YES"
    jail_list="dns searx clamav"

the dns jail fails to start but the subsequent two jails start normally. As a silly workaround:

    jail_enable="YES"
    jail_list="dummy dns searx clamav"

This is supposedly a subnetting configuration error, but since remaining jails start... I think the first call to /32 subnet may be the issue.

Regards.
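To check the subnetting assumption in the post above, the following added example (not from the post or from OPNsense) computes in POSIX shell arithmetic whether 192.168.1.231 lies inside 192.168.1.230/28 and whether that /28 overlaps LAN's 192.168.1.1/25. It only verifies the ranges as stated; it does not by itself explain the SIOCAIFADDR error.

```shell
#!/bin/sh
# Added example (not from the post or OPNsense): IPv4 CIDR membership and
# overlap checks in plain POSIX sh. The sample values in the --demo branch are
# the ones given in the post (OPT1 192.168.1.230/28, LAN 192.168.1.1/25,
# first jail address 192.168.1.231).

# Dotted quad -> 32-bit integer (printed).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad (printed).
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length 0..32 as an integer (printed).
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Network address of "a.b.c.d/len" in dotted form (printed).
network_of() {
    ip="${1%/*}"; len="${1#*/}"
    int2ip $(( $(ip2int "$ip") & $(prefix2mask "$len") ))
}

# 0 if address $1 lies inside CIDR network $2, 1 otherwise.
in_network() {
    len="${2#*/}"
    [ "$(network_of "$1/$len")" = "$(network_of "$2")" ]
}

# 0 if two CIDR ranges share at least one address, 1 otherwise. Two ranges
# overlap exactly when the one with the shorter prefix contains the other's base.
cidrs_overlap() {
    la="${1#*/}"; lb="${2#*/}"
    if [ "$la" -le "$lb" ]; then
        in_network "${2%/*}" "$1"
    else
        in_network "${1%/*}" "$2"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    echo "LAN network:  $(network_of 192.168.1.1/25)"
    echo "OPT1 network: $(network_of 192.168.1.230/28)"
    in_network 192.168.1.231 192.168.1.230/28 && echo "192.168.1.231 is inside OPT1 /28"
    cidrs_overlap 192.168.1.1/25 192.168.1.230/28 || echo "LAN /25 and OPT1 /28 do not overlap"
fi
```

Run with --demo to print the two network addresses and the two checks; for the post's values the /25 (192.168.1.0 to .127) and the /28 (192.168.1.224 to .239) are disjoint, and .231 is inside the /28.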