
Messages - qinohe

#106
@marjohn56, while I do agree with you that VPN is stronger, it probably doesn't matter now since he's behind a second router and it could be for testing only ;)

@badwestguy,

You don't have option 'Block private networks' enabled on the WAN interface?

Greetings, mark

#107
Quote
I only wrote "TOPT" once out of 4 tries. :D
That's enough .. ;D

Quote
[zapp] it rarely (if ever) happens.
Once I know of...  :P

Btw. @z0rk, maybe revise your idea about SSH a little?

Greetings, mark
#108
Tutorials and FAQs / Live in a terminal
September 25, 2018, 07:14:34 PM
Hello OPNsensers,

I'm (very) curious about other users' scripts and shell adaptations.
With that I mean: do you tweak your shell, what does your .cshrc.mine look like, did you add some useful code/script to OPNsense?
I could find a BSD forum and ditch it there, but that doesn't seem right and besides that OPNsense is my only BSD ATM.
So moderators, I hope this is allowed and we can share some shell/scripting code for OPNsense here? This could have some value for all of us, thanks.
If you decide to join in and add scripts, please, rather add SH code than BASH, I have it installed but most of us don't, thanks.

Let me do the kickoff right away  :P

My .cshrc.mine

# $FreeBSD$
#
# .cshrc.mine - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
# few aliases I like to have
#alias sum       'cksum /usr/local/share/certs/ca-root-nss.crt | sort | diff sum.txt -'
alias tm        tmux attach
alias vim       vi

# Tab completion and - correction
if ($?prompt) then
        set autocorrect =       ambiguous
        set complete    =       enhance
        set correct     =       cmd
endif

# some extra program completions
complete sysctl 'n/*/`sysctl -Na`/'
complete man 'p,*,c,'

# BSD is functional but pretty colorless, let's change that

# Let 'ls' have some color
setenv CLICOLOR yes

# Basic colors
set     red="%{\033[1;31m%}"
set   green="%{\033[0;32m%}"
set    blue="%{\033[1;34m%}"
set  yellow="%{\033[1;33m%}"
set magenta="%{\033[1;35m%}"
set    cyan="%{\033[1;36m%}"
set   white="%{\033[0;37m%}"
set     end="%{\033[0m%}"

# Colored prompt
set prompt="${cyan}%n${red}@%m ${white}%~ ${cyan}%%${end} "

# Colored man pages, I dislike the underlining of everything..
setenv LESS_TERMCAP_mb `echotc md; echotc AF 4`
setenv LESS_TERMCAP_md `echotc md; echotc AF 4`
setenv LESS_TERMCAP_me `echotc me`
setenv LESS_TERMCAP_se `echotc me`
setenv LESS_TERMCAP_so `echotc md; echotc AF 1; echotc AB 4`
setenv LESS_TERMCAP_ue `echotc me`
setenv LESS_TERMCAP_us `echotc md; echotc AF 2`

# Unset used colors
unset red green blue yellow magenta cyan white end


My .tmux.conf

set -g default-terminal "screen-256color"

# interval is up to you, but it may use precious cpu time if set to 1
set-option -g status-interval 30
set-option -g status-right-length 60
set-option -g status-left-length 120

set -g status-bg colour237
set -g status-fg colour237
set -g mouse on

set -g status-left '#[fg=blue] #(hostname -s) #[fg=colour41]*#[fg=blue] #(sh bin/tmx temp)C #[fg=colour41]* #[fg=blue]#(sh bin/tmx mem) #[fg=colour41]* #[fg=blue]#(sh bin/tmx sum)  '
set -g status-right '#[fg=blue]#(sh bin/tmx avg)#[fg=colour41]* #[fg=blue]%H:%M'

# Attach a running session or create a fresh one
new-session -n $HOST


Script called by tmux, I use it for the status bar:
#!/bin/sh
# tmx - helpers for the tmux status line, called as: sh bin/tmx <temp|mem|avg|sum>
set -e

# Average CPU temperature over the two cores (adjust for your core count)
temp () {
  var1=$(sysctl -n dev.cpu.0.temperature | awk '{printf "%3.0f\n",$1}')
  var2=$(sysctl -n dev.cpu.1.temperature | awk '{printf "%3.0f\n",$1}')

  echo "scale=1; ($var1 + $var2) / 2" | bc
}

# Used memory as a percentage of real memory (free + inactive pages count as available)
mem () {
  mem_real=$(sysctl -n hw.realmem)
  pagesize=$(sysctl -n hw.pagesize)

  inact_count=$(sysctl -n vm.stats.vm.v_inactive_count)
  free_count=$(sysctl -n vm.stats.vm.v_free_count)

  mem_inact=$(printf "%s\n" "$inact_count * $pagesize" | bc)
  mem_free=$(printf "%s\n" "$free_count * $pagesize" | bc)

  mem_avail=$(printf "%s\n" "$mem_inact + $mem_free" | bc)
  mem_used=$(printf "%s\n" "$mem_real - $mem_avail" | bc)

  # no quotes inside $(( )); they break the arithmetic expansion
  printf "%s%%\n" "$((mem_used * 100 / mem_real))"
}

# Load averages without the braces sysctl prints around them
avg () {
  sysctl -n vm.loadavg | sed 's/{//g;s/}//g'
}

# Compare checksum and size of the CA bundle with the copy saved in ~/sum.txt
sum () {
  if [ "$(cksum /usr/local/share/certs/ca-root-nss.crt | \
      awk '{printf "%-1s %s\n", $1 , $2}')" \
      != "$(awk '{printf "%-1s %s\n", $1 , $2}' ~/sum.txt)" ]; then
    echo nss-mismatch
  fi
}

case "$1" in
  temp) temp ;;
  mem)  mem ;;
  avg)  avg ;;
  sum)  sum ;;
  *)    printf "Usage: sh tmx (temp, mem, avg or sum)\n" ;;
esac

exit 0


That's it, enjoy
Greetings, mark

edit: remove hard enter (CR)
edit2: add function sum to script
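An added example, not from the original post: a tamper-evident variant of the script's sum check. cksum(1) computes a CRC-32, which catches accidental corruption but is easy to collide on purpose, so this records and verifies a SHA-256 of the CA bundle instead. The bundle path and the sum.txt location are assumptions, and the demo uses a constructed file in place of ca-root-nss.crt.

```shell
#!/bin/sh
# Added example, not part of the original post: tamper-evident variant of the
# status-bar 'sum' check. cksum(1) is a CRC-32; a SHA-256 is used instead.
# sha256_of: hex digest of a file, portable between FreeBSD (sha256 -q)
# and GNU userland (sha256sum).
sha256_of() {
  if command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

# record <bundle> <statefile>: store the digest once, right after you have
# verified the bundle is the one you expect (e.g. after an update).
record() {
  sha256_of "$1" > "$2"
}

# verify <bundle> <statefile>: print a short tag for the tmux status line.
# Exit status: 0 matched, 1 mismatch, 2 no recorded digest yet.
verify() {
  if [ ! -r "$2" ]; then
    echo nss-unrecorded
    return 2
  fi
  stored=$(cat "$2")
  current=$(sha256_of "$1")
  if [ "$stored" = "$current" ]; then
    echo nss-ok
    return 0
  fi
  echo nss-mismatch
  return 1
}

# demo: runs record/verify against a constructed file standing in for
# /usr/local/share/certs/ca-root-nss.crt, then alters it and verifies again.
demo() {
  d=$(mktemp -d)
  printf 'constructed CA bundle\n' > "$d/ca.crt"
  record "$d/ca.crt" "$d/sum.txt"
  first=$(verify "$d/ca.crt" "$d/sum.txt")
  printf 'appended line\n' >> "$d/ca.crt"
  second=$(verify "$d/ca.crt" "$d/sum.txt") || true
  rm -rf "$d"
  echo "$first $second"
}
```

In the status line, replace the cksum call with `verify /usr/local/share/certs/ca-root-nss.crt ~/sum.txt` and re-run `record` only after you have checked the new bundle yourself.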
#109
You're welcome, and to be clear on this, especially to future readers:
You normally install a backup with TOTP enabled, and this of course works  :P

Greetings, mark

edit: if you would, please add solved to your post, thanks.
#110
Well, what you could do is, after you have tested that TOTP works, make a backup without it being enabled.
Then you enable TOTP and there is at least a backup you know works.
You can always diff the non-TOTP- vs. TOTP-config.xml and strip it out in case of problems.

I've been running it for a few months now and it's been running fine since..  :)

Greetings, mark
#111
Hello z0rk, just some additions, franco already said most if not all of it..

You should not disable SSH access, at least I won't, but instead of a password use KEY authentication, like franco said.
This can prove a way in if nothing else works, even if the console is locked up (it shouldn't I know).
There is a very good wiki about that on Arch https://wiki.archlinux.org/index.php/SSH_keys.

About TOTP (not TOPT, you guys)  ;D, don't use it unless you know its workings.
The downside of using this tool is you can lock yourself out to never gain access again, also after restoring a backup (which is a feature, not a bug).
That is, depending on further actions you took to 'secure the building', which you should of course, otherwise what would be its purpose...
Be sure everything on the TOTP authenticator device (smartphone) is set up and working correctly before you set it to be the only way to log in.
I happened to get myself in this nasty situation where the smartphone was not able to get a timeserver update, there is a 30 second window...
Before I was able to anticipate that fact I had already restored a backup, so keep that in mind.
Btw. if setup correctly you'll never look back, and the family will be happy once again.  ;)

Greetings, mark
#112
18.7 Legacy Series / Re: firewall live view filter
September 21, 2018, 01:50:13 AM
Hi Nekromantik, you didn't try hard enough   :P

Anything below the header field can be added, even parts of it.
opba, would show the loopback interface
WLN; my wireless interface connections
tcp shows all TCP connections

Well and so on  ;)

Greetings, mark
#113
Hardware and Performance / Re: A few more Qotom Devices
September 19, 2018, 04:55:39 PM
Yeah, they had them too, pre-compiled images, but I wanted something like 2.0.* on Debian, there were no pre-compiled images, you had to compile yourself..

Back to 2018 hehe  8), really, I have no idea about the stability of these Qotom boxes, but I generally read good things about them. I'm more of an ugh* Supermicro ugh* guy myself, never had problems with it, but that says nothing of course.

If it is for testing also, I would say go for the i5 but that would be overkill if it's sole purpose would be the 'homewall', that's my vision on it anyway.

Greetings, mark
#114
Hardware and Performance / Re: A few more Qotom Devices
September 19, 2018, 03:21:50 PM
Hi HC, oh IPCop, I remember compiling the thing, it was busy for over a week, but then you had something...
I'm glad m0n0wall came along btw. it was kinda cumbersome to configure the whole thing correctly  :P

The machines you listed there will probably all do the job. It depends a little where you would use the device, at home I would say choose the Celeron or i3 (not listed), in your company the i5 or i7 would (probably) be a better choice.

My board has a D410 atom on it and has no problem reaching 100Mbit on my home setup, to give an idea.

Greetings, mark

#115
General Discussion / Re: Modern Gateway Monitoring
September 17, 2018, 10:57:24 PM
Quote from: franco on September 17, 2018, 05:47:57 PM
Thanks.... 3 answers.... I am hoping for 10 to be sure :)
I help you, 1 down 6 to go  ;D

1. No
2. Dpinger
3. Don't matter for me.
4. I trust your expertise
5. I'm on a home net, Dpinger is monitoring, but, do I need it...

Quote from: marjohn56 on September 17, 2018, 08:19:32 PM
Obviously it does not concern people. They had the chance. : :P
Now that's not entirely true,  just I trust the designers/devs to make the 'right' choice, whichever one that may be  :P
#116
General Discussion / Re: Dockerfile with OPNsense
September 11, 2018, 02:11:09 PM
Hi Luis, well no, I mean you can use jails to containerize a FreeBSD OS, though, you don't want that..

What you want is to emulate a complete computer, including hardware.

So, what you are looking for is a software/system like Virtualbox (Oracle) or ESXi (VMware) or even XEN (Citrix), or a comparable one  :P

Good luck, mark
#117
Hi franco,

I did run 'make clean' .. for all ports I installed.

But, I didn't know you had to, because you get in trouble installing new ports ;D

Thanks, mark
#118
Yes, indeed you do need to be root.
Anyway, I see you dove in and changed things, the admin is gone, and of course you made backups?
If so no problem otherwise someone else may have some solution but I don't ..

Good luck, mark  ;)
#119
Undo?  :o no idea, could you explain what you mean or refer to?

Greets mark

edit: Oh, I guess you meant literally, well like I said get access to your console or SSH terminal.

Log in as root and choose number 13 to restore to a certain config presented to you in a list.

Choose one and restore.  ;)
#120
Hi Georgi27, I don't know how to change it with a shell.

However, you can try to restore (13) your settings to before your edit.  ;)

Good luck, mark