Messages

1

17.1 Legacy Series / Re: Transparent HTTP proxy SSL problem

« on: March 09, 2017, 03:45:42 pm »

Ok, Thank You for help. I will test it. For now as workaround I'm using proxy only for http and aliases/rules for blocking https webs like facebook

2

17.1 Legacy Series / Re: Transparent HTTP proxy SSL problem

« on: March 09, 2017, 01:07:10 pm »

This is a security feature of squid. Make sure your client and your proxy use the same DNS server, which returns the same IP.
On a mismatch, the connection is rejected.

So if I change Proxy DNS via General Proxy Settings -> Use alternate DNS-servers to the same as Windows client (for example) the connection will not be rejected?

3

17.1 Legacy Series / Re: Transparent HTTP proxy SSL problem

« on: March 08, 2017, 09:13:14 pm »

OpenSSL

4

17.1 Legacy Series / Re: Transparent HTTP proxy SSL problem

« on: March 08, 2017, 04:21:21 pm »

Unfortunately it dosen't work. I've added domains to the white list and Windows Update still don't work. If I add .microsoft.com and .windowsupdate.microsoft.com to the  SSL no bump sites Windows Updater searching a bit longer but finally it fail.

Logs:

Code: [Select]

2017/03/08 16:14:44 kid1| SECURITY ALERT: on URL: sls.update.microsoft.com:443
2017/03/08 16:14:44 kid1| SECURITY ALERT: Host header forgery detected on local=65.55.138.149:443 remote=192.168.8.3:51091 FD 15 flags=33 (local IP does not match any domain IP)
2017/03/08 16:09:41 kid1| SECURITY ALERT: on URL: sls.update.microsoft.com:443
2017/03/08 16:09:41 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.96.58:443 remote=192.168.8.3:51059 FD 12 flags=33 (local IP does not match any domain IP)
2017/03/08 16:07:39 kid1| SECURITY ALERT: on URL: sls.update.microsoft.com:443
2017/03/08 16:07:39 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.96.58:443 remote=192.168.8.3:51050 FD 37 flags=33 (local IP does not match any domain IP)

1488986048.938 60487 192.168.8.3 TCP_TUNNEL/200 4215 CONNECT vortex-win.data.microsoft.com:443 - ORIGINAL_DST/40.77.226.250 -
1488985966.531 188 192.168.8.3 TCP_MISS/200 453 GET http://service.weather.microsoft.com/appex/DesktopTile/PreInstallLiveTile? - ORIGINAL_DST/2.17.22.235 -
1488985907.502 1031 192.168.8.3 TCP_TUNNEL/200 4796 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488985864.087 6827 192.168.8.3 TCP_TUNNEL/200 12084 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -

btw I see a lot of errors with ssl in logs from many webs and services. Is there any better solution to block websites without certificates?

5

17.1 Legacy Series / Transparent HTTP proxy SSL problem

« on: March 08, 2017, 11:01:28 am »

Hi,

I'm trying to block some https websites like facebook. I'm doing this by the book https://docs.opnsense.org/manual/how-tos/proxytransparent.html. I have enable proxy, Enable Transparent HTTP proxy, Enable SSL mode with generated certificate and created firewall rules. I've added facebook to the blacklist then export/import generated cert to windows and firefox. It works facebook is blocked but some services like windows update are blocked too and I don't know why? Is there other way to block https websites? maybe without certificate? What do I miss with configuration?

Logs:

Code: [Select]

1488923833.907 278075 192.168.8.3 TAG_NONE/409 0 CONNECT fe2.update.microsoft.com:443 - HIER_NONE/- text/html;charset=utf-8
1488923683.489 1234 192.168.8.3 TCP_TUNNEL/200 4780 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488923683.382 1128 192.168.8.3 TCP_TUNNEL/200 4796 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488923616.057 61580 192.168.8.3 TCP_TUNNEL/200 32042 CONNECT sls.update.microsoft.com:443 - ORIGINAL_DST/134.170.51.188 -
1488923381.233 0 192.168.8.3 TAG_NONE/503 0 POST https://watson.telemetry.microsoft.com/Telemetry.Request - HIER_NONE/- text/html
1488923375.749 1 192.168.8.3 TAG_NONE/503 4443 GET https://sls.update.microsoft.com/SLS/%7B7971F918-A847-4430-9279-4A52D1EFE18D%7D/x64/6.3.9600.0/0? - HIER_NONE/- text/html
1488923373.966 0 192.168.8.3 TAG_NONE/503 4443 GET https://sls.update.microsoft.com/SLS/%7B7971F918-A847-4430-9279-4A52D1EFE18D%7D/x64/6.3.9600.0/0? - HIER_NONE/- text/html
1488923350.566 61 192.168.8.3 TCP_DENIED/403 4976 GET https://ieonline.microsoft.com/ieflipahead/ie10/rules.xml? - HIER_NONE/- text/html
1488923347.482 0 192.168.8.3 TAG_NONE/503 4222 POST https://watson.telemetry.microsoft.com/Telemetry.Request - HIER_NONE/- text/html
1488923347.468 0 192.168.8.3 TAG_NONE/503 4447 POST https://watson.telemetry.microsoft.com/Telemetry.Request - HIER_NONE/- text/html
1488923341.795 0 192.168.8.3 TAG_NONE/503 389 HEAD https://fe2.update.microsoft.com/v10/3/windowsupdate/selfupdate/wuident.cab? - HIER_NONE/- text/html
1488923341.367 0 192.168.8.3 TAG_NONE/503 389 HEAD https://fe2.update.microsoft.com/v10/3/windowsupdate/selfupdate/wuident.cab? - HIER_NONE/- text/html
1488923340.940 0 192.168.8.3 TAG_NONE/503 389 HEAD https://fe2.update.microsoft.com/v10/3/windowsupdate/selfupdate/wuident.cab? - HIER_NONE/- text/html
1488923340.487 0 192.168.8.3 TAG_NONE/503 389 HEAD https://fe2.update.microsoft.com/v10/3/windowsupdate/selfupdate/wuident.cab? - HIER_NONE/- text/html
1488923315.705 134 192.168.8.3 TCP_MISS/304 498 GET https://iecvlist.microsoft.com/IE11/1434748155000/iecompatviewlist.xml - ORIGINAL_DST/93.184.221.200 -
1488922013.067 1269248 192.168.8.3 TAG_NONE/409 0 CONNECT sls.update.microsoft.com:443 - HIER_NONE/- text/html;charset=utf-8
1488922013.067 846177 192.168.8.3 TAG_NONE/409 0 CONNECT sls.update.microsoft.com:443 - HIER_NONE/- text/html;charset=utf-8
1488922013.067 968418 192.168.8.3 TAG_NONE/409 0 CONNECT sls.update.microsoft.com:443 - HIER_NONE/- text/html;charset=utf-8
1488921803.282 1070 192.168.8.3 TCP_TUNNEL/200 4796 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488921803.181 970 192.168.8.3 TCP_TUNNEL/200 4780 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488921542.401 62 192.168.8.3 TCP_MISS/200 14915 GET http://static.solvusoft.com/errors/images/logo-microsoft.png - ORIGINAL_DST/2.18.212.136 image/png
1488921542.260 103 192.168.8.3 TCP_MISS/200 52809 GET http://static.solvusoft.com/images/microsoft-award.jpg? - ORIGINAL_DST/2.18.212.136 image/jpeg
1488921542.106 92 192.168.8.3 TCP_MISS/200 43731 GET http://www.solvusoft.com/errors/images/download/pl_runtime-errors_80072EE2_80072ee2-microsoft-update-error-80072ee2_.png - ORIGINAL_DST/2.18.212.139 image/png
1488921542.102 86 192.168.8.3 TCP_MISS/200 10202 GET http://static.solvusoft.com/errors/images/microsoft-partner/pl.png? - ORIGINAL_DST/2.18.212.136 image/png
1488921541.623 214 192.168.8.3 TCP_MISS/200 21737 GET http://www.solvusoft.com/pl/errors/b%C5%82%C4%99dy-czasu-wykonania/microsoft-corporation/microsoft-update/80072ee2-microsoft-update-error-80072ee2/ - ORIGINAL_DST/2.18.212.139 text/html
1488921527.758 856 192.168.8.3 TCP_MISS/200 683 GET http://c.microsoft.com/trans_pixel.aspx? - ORIGINAL_DST/173.223.169.164 image/gif
1488921526.883 427 192.168.8.3 TCP_MISS/200 683 GET http://c.microsoft.com/trans_pixel.aspx? - ORIGINAL_DST/173.223.169.164 image/gif
1488921526.385 65 192.168.8.3 TCP_MISS/200 739 GET http://hs.windows.microsoft.com/scripts/4.2/helphub/ClientBiSettings.HelpHub.js? - ORIGINAL_DST/23.32.16.212 application/x-javascript
1488921526.309 82 192.168.8.3 TCP_MISS/404 291 GET http://hs.windows.microsoft.com/scripts/4.2/helphub/wol.hh.search.js - ORIGINAL_DST/23.32.16.212 text/html
1488921526.207 74 192.168.8.3 TCP_MISS/200 20055 GET http://hs.windows.microsoft.com/scripts/4.2/helphub/wol.common.helphub.js - ORIGINAL_DST/23.32.16.212 application/x-javascript
1488921525.842 183 192.168.8.3 TCP_MISS/200 24872 GET http://ajax.microsoft.com/ajax/4.0/4/MicrosoftAjax.js - ORIGINAL_DST/93.184.221.200 application/x-javascript
1488921525.425 62 192.168.8.3 TCP_MISS/200 378 GET http://res1.windows.microsoft.com/resbox/en/windows/main/55bf9201-0238-4ccf-8c80-44ad74319cf7_21.css - ORIGINAL_DST/23.211.158.3 text/css
1488921525.329 173 192.168.8.3 TCP_MISS/200 9057 GET http://res1.windows.microsoft.com/resources/4.2/helphub/shared/css/helphub_ltr.css - ORIGINAL_DST/23.211.158.3 text/css
1488921524.768 271 192.168.8.3 TCP_MISS/200 29099 GET http://hs.windows.microsoft.com/hhweb/content/m-pl-PL_en-US/p-6.3/id-search/? - ORIGINAL_DST/23.32.16.212 text/html
1488921428.787 60523 192.168.8.3 TCP_TUNNEL/200 4206 CONNECT settings-win.data.microsoft.com:443 - ORIGINAL_DST/40.77.226.249 -
1488921415.270 1106 192.168.8.3 TCP_TUNNEL/200 4796 CONNECT watson.telemetry.microsoft.com:443 - ORIGINAL_DST/65.55.252.202 -
1488921411.327 297 192.168.8.3 TCP_MISS/200 767 POST http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx - ORIGINAL_DST/65.52.108.153 text/xml
1488921411.015 372 192.168.8.3 TCP_MISS/200 767 POST http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx - ORIGINAL_DST/65.52.108.153 text/xml
1488921410.539 1503 192.168.8.3 TCP_TUNNEL/200 32074 CONNECT sls.update.microsoft.com:443 - ORIGINAL_DST/157.56.77.149 -
1488921313.153 670 192.168.8.3 TCP_MISS/200 23272 GET http://www.update.microsoft.com/windowsupdate/v6/shared/js/content.js? - ORIGINAL_DST/134.170.58.221 application/javascript
1488921312.651 169 192.168.8.3 TCP_MISS/200 3319 GET http://www.update.microsoft.com/windowsupdate/v6/shared/js/tgar.js? - ORIGINAL_DST/134.170.58.221 application/javascript
1488921312.446 337 192.168.8.3 TCP_MISS/200 4196 GET http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx? - ORIGINAL_DST/134.170.58.221 text/html
1488921312.100 683 192.168.8.3 TCP_MISS_ABORTED/200 40451 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/webcomtop.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921312.095 676 192.168.8.3 TCP_MISS_ABORTED/200 17411 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/resultslist.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921312.094 677 192.168.8.3 TCP_MISS/200 38742 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/commontop.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921312.083 668 192.168.8.3 TCP_MISS/200 47126 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/redirect.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921311.929 509 192.168.8.3 TCP_MISS/200 8020 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/spupdateids.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921311.767 180 192.168.8.3 TCP_MISS/200 25596 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/images/banners/favicon.ico - ORIGINAL_DST/157.55.240.94 image/x-icon
1488921311.584 170 192.168.8.3 TCP_MISS/200 3319 GET http://windowsupdate.microsoft.com/windowsupdate/v6/shared/js/tgar.js? - ORIGINAL_DST/157.55.240.94 application/javascript
1488921311.351 349 192.168.8.3 TCP_MISS/200 15776 GET http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx? - ORIGINAL_DST/157.55.240.94 text/html
Regards

6

17.1 Legacy Series / Web Filtering (schedule)

« on: February 15, 2017, 11:15:22 am »

Hi,

How to block some websites on specified time, example I want to block facebook from 7:00am to 4:00pm. Is there any possibility to do that?

Regards

7

16.1 Legacy Series / Re: Update failed on ALIX OPNsense 16.1.8-i386

« on: May 13, 2016, 12:00:54 am »

edit /usr/local/etc/pkg/repos/origin.conf
change url from http to https. url looks like this afterwards:
url: "pkg+https://pkg.opnsense.org/${ABI}/16.1/latest"

Thanks for the advice but still don't work. I tried upgrade from console and I found the cause

Code: [Select]

pkg-static: Not enough space in /var/cache/pkg, needed 61 MiB available 17 MiB


Code: [Select]

df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
/dev/ufs/OPNsense0    1.8G    644M    1.0G    38%    /
devfs                 1.0K    1.0K      0B   100%    /dev
tmpfs                  18M    452K     18M     2%    /tmp
tmpfs                  33M     15M     18M    45%    /var
devfs                 1.0K    1.0K      0B   100%    /var/dhcpd/dev


Code: [Select]

mount
/dev/ufs/OPNsense0 on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
tmpfs on /tmp (tmpfs, local)
tmpfs on /var (tmpfs, local)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
4GB Flash Card is too small?

8

16.1 Legacy Series / [SOLVED] Update failed on ALIX OPNsense 16.1.8-i386

« on: May 11, 2016, 10:36:17 pm »

Hi,

I have OPNsense 16.1.8-i386 (OPNsense-16.1.8-OpenSSL-nano-i386) on ALIX. When I try to update the system get the message:

Code: [Select]

***GOT REQUEST TO UPGRADE: all***
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (88 candidates): .......... done
Processing candidates (88 candidates): ..... done
The following 53 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
opnsense-lang: 16.1.13
p7zip: 15.14

Installed packages to be UPGRADED:
suricata: 3.0_1 -> 3.0.1
strongswan: 5.3.5_4 -> 5.4.0
squid: 3.5.15_1 -> 3.5.17
sqlite3: 3.11.1 -> 3.12.1
smartmontools: 6.4_1 -> 6.4_2
python27: 2.7.11_1 -> 2.7.11_2
py27-Babel: 2.2.0_1 -> 2.3.3
php56-zlib: 5.6.19 -> 5.6.21
php56-xml: 5.6.19 -> 5.6.21
php56-sqlite3: 5.6.19 -> 5.6.21
php56-sockets: 5.6.19 -> 5.6.21
php56-simplexml: 5.6.19 -> 5.6.21
php56-session: 5.6.19 -> 5.6.21
php56-pdo: 5.6.19 -> 5.6.21
php56-openssl: 5.6.19 -> 5.6.21
php56-mcrypt: 5.6.19 -> 5.6.21
php56-ldap: 5.6.19 -> 5.6.21
php56-json: 5.6.19 -> 5.6.21
php56-hash: 5.6.19 -> 5.6.21
php56-gettext: 5.6.19 -> 5.6.21
php56-filter: 5.6.19 -> 5.6.21
php56-dom: 5.6.19 -> 5.6.21
php56-curl: 5.6.19 -> 5.6.21
php56-ctype: 5.6.19 -> 5.6.21
php56: 5.6.19 -> 5.6.21
perl5: 5.20.3_8 -> 5.20.3_12
pcre: 8.38 -> 8.38_1
opnsense-update: 16.1.8 -> 16.1.9_1
opnsense: 16.1.8 -> 16.1.13
openvpn: 2.3.10 -> 2.3.10_2
openssl: 1.0.2_11 -> 1.0.2_12
ntp: 4.2.8p6 -> 4.2.8p7
libedit: 3.1.20150325_1 -> 3.1.20150325_2
curl: 7.47.1 -> 7.48.0_2
bind910: 9.10.3P4 -> 9.10.4
apinger: 0.6.1_4 -> 0.6.1_9

Installed packages to be REINSTALLED:
openldap-client-2.4.44
lzo2-2.09
libyaml-0.1.6_2
libxml2-2.9.3
libucl-0.8.0
libnet-1.1.6_4,1
libmcrypt-2.5.8_3
libltdl-2.4.6
libhtp-0.5.18
libffi-3.2.1
libevent2-2.0.22_1
jansson-2.7_1
idnkit-1.0_5
gettext-runtime-0.19.7
GeoIP-1.6.9

The process will require 10 MiB more space.
61 MiB to be downloaded.
Restarting webConfigurator...done.
***DONE***
How to fix this?

9

16.1 Legacy Series / [SOLVED]Re: Proxy/Squid download is too large

« on: April 01, 2016, 07:51:46 pm »

I've disabled traffic mangement and it works. Now I can download files :-) Thank You

10

16.1 Legacy Series / [SOLVED]Proxy/Squid download is too large

« on: April 01, 2016, 06:54:36 pm »

Hi,

I have a problem with proxy. When I'm trying to download something I get error

If you are making a POST or PUT request, then the item you are trying to upload is too large.

If you are making a GET request, then the item you are trying to download is too large.

These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.

Your cache administrator is webmaster.

How to setup proxy/sqiud to get rid of this problem?

11

16.1 Legacy Series / Re: Captive Portal Add Mac or IP Address

« on: February 13, 2016, 01:03:11 pm »

Thank You, it works. I added MAC or IP address and CP didn't redirect me to my custom template but I have another issue, when I'm in the zone and open youtube (for example) CP redirect me to my template (that's good behavior) but when I disable CP I can't open youtube or any previous web sites unit I clear browsing data from the last hour. I tested this on google-chrome and firefox.

12

16.1 Legacy Series / Captive Portal Add Mac or IP Address

« on: February 12, 2016, 04:28:23 pm »

Hi,

I moved from M0n0wall to OPNsense everything works great but I need to run CP with Pass-throught MAC and Allowed IP addresses. How to add them?