Messages

1

22.1 Legacy Series / Re: Can i create firewall rule from a wildcard dns entry

« on: March 07, 2023, 02:43:38 pm »

Also curious about this, i have a number of hosts to insert and wildcard support would be great

Somehow this is a dupe. I found a solution here: https://forum.opnsense.org/index.php?topic=27650.0

2

General Discussion / Re: Can i create firewall rule from a wildcard dns entry?

« on: March 03, 2023, 09:17:46 am »

Well, hindsight is almost always 20-20 (my concoction is from march, Modest's from august)
but good point, yeah

3

22.1 Legacy Series / Idea: Reporting: Traffic

« on: July 21, 2022, 02:13:58 pm »

Hi,

currently, in Reporting > Traffic my opnsense seems to show traffic from the interface'is point of view. I.e. if you select LAN and WAN, LAN IN and WAN IN are shown on the same graph as well as LAN OUT and WAN OUT:


At least for me, it would make much more sense to compare the used bandwitdh from the opnsense's point of view, ie:
put LAN IN on the same graph as WAN OUT and vice versa.

4

General Discussion / Re: Can i create firewall rule from a wildcard dns entry?

« on: March 25, 2022, 06:19:15 pm »

I know I am essentially replying to myself here, but maybe someone else needs this. It appears that dnsmasq ipset functions work (albeit totally undocumented) in BSD as well and write to a pf table using the same configuration syntax. So all i needed to do is:

add to /usr/local/etc/dnsmasq.conf.d directory a file ALLOWTHIS.conf:

Code: [Select]

ipset=/somedomain.com/ALLOWTHIS
then I created an empty host(s) alias ALLOWTHIS from opnsense GUI and created appropriate firewall rules in the gui on this alias. I chose to disable the alias from GUI as a disabled alias seems to be enough to allow me to use it in firewall rules.

The result is the same as i described:
- client asks for asfgsgagasdgfarfarerf.somedomain.com
- dnsmasq looks it up, returns to client and adds it to a pf table ALLOWTHIS
- the rule i created eralier, applies instantly

There are some caveats:
- currently the ip addresses seem to be discarded from the pf table ALLOWTHIS. I have not yet figured out if it is dnsmasq cleaning up according to the TTL, but for my purposes it is no biggie
- the client might cache the dns response and not ask opnsense at all

5

General Discussion / Can i create firewall rule from a wildcard dns entry?

« on: March 25, 2022, 01:36:36 pm »

I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in linux iptables.

Lets consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com. I do not know the ip addresses, i do not even know the host name, only wildcard match. The ip address<>host name may change in time.

In linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in opnsense pf?

6

22.1 Legacy Series / Can i create firewall rule from a wildcard dns entry

« on: March 24, 2022, 12:23:54 pm »

I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in linux iptables.

Lets consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com

In linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in opnsense pf?

7

22.1 Legacy Series / Re: zabbix agent not working

« on: March 03, 2022, 05:45:55 pm »

Ok, it seems i found the reason for zabbix agent not responding, but not the underlying cause yet.

It seems to be blocked by firewall:

Code: [Select]

<134>1 2022-03-03T18:15:09+02:00 ##### filterlog 88758 - [meta sequenceId="14242"] 10,,,02f4bab031b57d1e30553ce08e0ec131,lo0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,65087,10050,0,S,2442566319,,65228,,mss;nop;wscale;sackOK;TS
This machine does not have Firewall > Rules > Loopback in the GUI which i have on other hosts where it contains automatically generated rules to allow anything from lo0.

I do not think that i have done any allow rules on lo0 (127.0.0.1) on any opnsense machines, but on this one, the section is missing, automatically generated rules are missing and i cannot choose Loopback interface when creating a "Floating" rule.

Also, verified with pfctl that on this host lo0 pass rules are missing.

I managed to create a floating rule to allow traffic from 127.0.0.1 to 127.0.0.1 ip on any interface and this seems to alleviate the original problem. Zabbix agent now responds.

However, the updated issue is now different - how come the Loopback section is missing and how do i get it back?

8

22.1 Legacy Series / zabbix agent not working

« on: March 03, 2022, 04:45:46 pm »

I feel stupid, but I cannot get zabbix agent to function on a particular opnsense machine. It works fine on several of them, but not at all in one.

Opnsense 22.1.2_1
os-zabbix-agent 1.11

I have also tried to install other zabbix version (os-zabbix54-agent), same behaviour
Zabbix agent conf is pretty basic:


Zabbix agent starts up with no errors, seems to listen to port 10050:

Code: [Select]

# sockstat | grep 10050
zabbix   zabbix_age 39652 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39642 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39623 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39546 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39464 4  tcp4   127.0.0.1:10050       *:*
However, when i run (it should immediately return zabbix agent version), it just lags until a timeout:

Code: [Select]

root@mono:~ # zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
zabbix_get [93235]: Timeout while executing operation

it just hangs. Tcpdump on lo0 shows only packets going to port 10050, nothing returns:

Code: [Select]

17:08:08.858071 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000361919 ecr 0], length 0
17:08:09.868097 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000362929 ecr 0], length 0
17:08:12.095885 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000365157 ecr 0], length 0
Zabbix agent log with extended debugging seems normal, seems to loop on its own stuff, nothing "extra" gets added when i run zabbix_get:

Code: [Select]

99440:20220303:172553.024 In update_cpustats()
 99440:20220303:172553.024 End of update_cpustats()
 99440:20220303:172553.024 zbx_setproctitle() title:'collector [idle 1 sec]'
 99440:20220303:172554.074 zbx_setproctitle() title:'collector [processing data]'
 99440:20220303:172554.074 In update_cpustats()
 99440:20220303:172554.074 End of update_cpustats()
 99440:20220303:172554.074 zbx_setproctitle() title:'collector [idle 1 sec]'
 99440:20220303:172555.085 zbx_setproctitle() title:'collector [processing data]'
 99440:20220303:172555.085 In update_cpustats()
 99440:20220303:172555.085 End of update_cpustats()
 99440:20220303:172555.085 zbx_setproctitle() title:'collector [idle 1 sec]'
 99440:20220303:172556.149 zbx_setproctitle() title:'collector [processing data]'
 99440:20220303:172556.149 In update_cpustats()
 99440:20220303:172556.149 End of update_cpustats()
 99440:20220303:172556.150 zbx_setproctitle() title:'collector [idle 1 sec]'
 99440:20220303:172557.159 zbx_setproctitle() title:'collector [processing data]'
 99440:20220303:172557.159 In update_cpustats()
 99440:20220303:172557.159 End of update_cpustats()
 99440:20220303:172557.159 zbx_setproctitle() title:'collector [idle 1 sec]'

I am totally at a loss what to try next.

On another host, same settings, same software versions, all works well:

Code: [Select]

# zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
5.0.19

9

21.7 Legacy Series / Dash in cron job description not accepted

« on: February 08, 2022, 10:33:00 am »

I have stumbled upon the fact that dash character (-) is not accepted in a cron job description field. Is this intentional? Have not tried on 22.1 yet, but on 21.7:



Works fine without a dash.

10

20.7 Legacy Series / Re: Make dnsmasq NOT listen to localhost and ipv6

« on: November 25, 2020, 10:19:22 am »

Thanks, ill try that.
But the udp6 wildcard part? Any idea? The opnsense gui help text is misleading to say the least.

11

20.7 Legacy Series / Make dnsmasq NOT listen to localhost and ipv6

« on: November 24, 2020, 01:16:39 pm »

Hi,

for reasons I would rather not go at the moment, I would like to bind dnsmasq to specific interfaces. However no matter what i do, according to netstat it binds additionally to:
udp6       0      0 ::1.53
udp4       0      0 127.0.0.1.53

I have selected two interfaces on my system and enabled Strict Interface Binding which says: If this option is set, Dnsmasq will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses. This option does not work with IPv6. If set, Dnsmasq will not bind to IPv6 addresses.

12

20.7 Legacy Series / Re: [Solved] Ipsec does not log anything

« on: September 22, 2020, 10:58:04 am »

Hard to check after the fact, but i don't think syslog crashing was the issue. Other logs were behaving normally.

13

20.7 Legacy Series / Re: Ipsec does not log anything

« on: September 21, 2020, 05:42:15 pm »

I think it was either 20.7.0 or 20.7.1.
Anyway, did an update to 20.7.2 and the stuff started to appear in ipsec.log during the update, even before reboot.
Go figure.

14

20.7 Legacy Series / [Solved] Ipsec does not log anything

« on: September 21, 2020, 03:46:58 pm »

Hi,

I feel completely stupid, but I cannot get ipsec to log anything on a certain opnsense machine. I have turned everything to Raw under VPN->IpSec->Advanced Settings->IPsec Debug and still nothing - /var/log/ipsec.log remains empty.

15

Development and Code Review / Re: DNSBL and additional features Plugin for Unbound

« on: April 26, 2020, 03:00:36 am »

Do you of any plans to make it available on only a subset of the interfaces ?

As a sort of a workaround you could bind unbound (with blacklists) only to one interface and dnsmasq on the others.