Messages - Beeblebrox

#1
ifconfig is used for network card (NIC) aliasing.
Firewall (PF) aliasing is something else (but you did not specify that in the OP).
So we were talking about different things.

Why are you aliasing the google DNS in the Firewall? Place it in the DNS resolver instead?
I really don't understand what you're trying to do, sorry.
#2
1 & 2. Yes, ifconfig <nic> alias 192.168.x.y/subnet
Remove: ifconfig <nic> -alias 192.168.x.y

3. You might want to expand on what the aliases are used for - what purpose do they serve? The subnet selection is relevant here. If subnetting is done sanely, NAT & PF would take care of the rest.

Normally in PF you would pre-define certain values, ex:  dns="192.168.1.100", and write rules using syntax $dns. IDK how it's handled in OPNs.
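As an added example (not code from the thread), the two things the post above describes side by side: adding and removing a per-jail alias on a NIC, and emitting the pf.conf macros that let rules reference a jail by name instead of a bare address. The interface name `re0_vlan1`, the jail names and the addresses are assumptions; the script prints the commands instead of running them when `DRY_RUN=1` is set, so it can be checked on a box without that interface.

```shell
#!/bin/sh
# Added example: per-jail NIC aliases plus matching pf.conf macros on FreeBSD.
# Interface, jail names and addresses below are assumptions, not values from the thread.
set -eu

# Command runner: with DRY_RUN=1 the command is echoed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Add an alias for a jail. FreeBSD rule from ifconfig(8): an alias that lies inside a
# subnet already configured on the interface must be given a non-conflicting netmask,
# normally 255.255.255.255 (/32); without it ifconfig fails with
# "ioctl (SIOCAIFADDR): File exists".
alias_add() {  # alias_add <nic> <ip>
  run ifconfig "$1" alias "$2" netmask 255.255.255.255
}

alias_del() {  # alias_del <nic> <ip>
  run ifconfig "$1" -alias "$2"
}

# Emit a pf.conf fragment: one macro per jail (dns="192.168.1.231") and rules that
# use $name, so changing a jail's address means editing one macro, not every rule.
# Each argument is name=ip:port, e.g. dns=192.168.1.231:53 (assumed layout).
pf_fragment() {  # pf_fragment <nic> <name=ip:port> ...
  nic=$1; shift
  for pair in "$@"; do
    name=${pair%%=*}; rest=${pair#*=}; ip=${rest%%:*}
    echo "$name=\"$ip\""
  done
  echo "block in on $nic"
  for pair in "$@"; do
    name=${pair%%=*}; rest=${pair#*=}; port=${rest##*:}
    echo "pass in on $nic proto tcp to \$$name port $port"
  done
}

# Bring up aliases for every jail in the list and print the pf fragment for them.
jail_aliases_up() {  # jail_aliases_up <nic> <name=ip:port> ...
  nic=$1; shift
  for pair in "$@"; do
    rest=${pair#*=}
    alias_add "$nic" "${rest%%:*}"
  done
  pf_fragment "$nic" "$@"
}

# Stand-alone run (assumed values); set DRY_RUN=1 to only print the commands.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED:-}" ]; then
  DRY_RUN=${DRY_RUN:-1}
  jail_aliases_up re0_vlan1 dns=192.168.1.231:53 searx=192.168.1.232:8888
fi
```

The fragment printed by `pf_fragment` is meant to be pasted into pf.conf (or, on OPNsense, mirrored as firewall aliases in the GUI); note that DNS also needs a UDP rule, which the example leaves out to keep the emitted rules one per jail.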
#3
Hello.
There isn't much documentation on email scanning for the OPNsense gateway. I'm more interested in incoming IMAP4s (port 993, gmail) than outgoing mail, and no POP3 is necessary. Unless I'm completely missing something obvious:

* Is mail scanning relegated to IDS Suricata?
* Certain view points argue against mail scanning if the spam engine is doing a good job, but I don't find it convincing.
* Looks like I'll have to set up a mail proxy, but I don't want an MTA that requires user credential maintenance or caching. The proxy should directly pass credentials from the client (e.g. a mobile device) on to the main server, and hand off to ClamAV for scanning.
* I found proxies that can do this: mail/perdition & of course www/nginx (which was initially designed as a mail proxy). There's mail/mailscanner, but it looks like it requires an MTA back-end and I'm not sure if it's able to scan in-flight.

I welcome any thoughts & ideas...

Some Resources:
Configuring Perdition for Gmail IMAPS
Comparison of Perdition vs Nginx (slideshow)
#4
Thanks Franco, I have limited experience with IDS systems, so I was a bit confused by the thing. I realize I ran a little off-topic with my questions and very kind of you to answer them. I'll open a separate thread for any further.

One small thing about re0:
re0_vlan1 (OPT1) has 192.168.1.230/28 and LAN is 192.168.1.1/25. Jails using interface re0_vlan1 start getting IPs from 192.168.1.231/32 and on up. The very first jail to start throws the error below. Subsequent jail starts have no problem. As an example:
jail_enable="YES"  \  jail_list="dns searx clamav"
the dns jail fails to start but the subsequent two jails start normally. As a silly workaround:
jail_enable="YES"  \  jail_list="dummy dns searx clamav"

ifa_maintain_loopback_route: insertion failed for interface re0_vlan1
ifconfig: ioctl (SIOCAIFADDR) file exists


This is supposedly a subnetting configuration error, but since remaining jails start... I think the first call to /32 subnet may be the issue.

Regards.
#5
* Good point on IDS/IPS, apparently I had not thunk it through. OP's question included openvpn (which would/should normally be placed in a jail) but IDS/IPS layer on an openvpn jail is beyond my knowledge.

* ZFS: The user should be able to choose the FS (UFS/ZFS) at install stage - problem solved. I agree with the "small box requirements", in which case user would choose UFS. On amd64 ZFS, unless you intend to have hundreds of datasets 4GB is sufficient btw.

* I would suggest the first service to be moved to a jail would be Squid rather than the web-gui, unless some users intend to expose web-gui to the WAN. Also remember that HardenedBSD which OPNsense partially (for the time being) uses is one step ahead of FreeBSD when it comes to privilege escalation problems.

* I already have, with a minor hiccup,  (unbound-DNSSEC + dnscrypt-proxy), searx & ClamAV running in separate jails on a 32Bit 2GB box.

Regards.
#6
My $0.02 here and hope I'm not necro posting.

1. First off, a solid firewall configuration is going to add more security than any other measure. That's been done on OPNs, so services not exposed to the WAN are not the primary concern (unless the sysadmin does something stupid like offer dhcp to WAN)

2. Any service directly exposed to WAN should be jailed, period. That means DNS (unbound + dnscrypt-proxy), Squid, Privoxy, IDS/IPS. This implies that dnsmasq may not be a wise choice since it bundles dns+dhcp, but I don't know enough about dnsmasq to claim anything.
I'd include any service doing dirty work in the list to be jailed; the likes of ClamAV/Symantec, or whatever risky service is being considered.

3. The bad news: I've found that PF cannot filter on a per-alias basis. For example, if the Privoxy jail is on VLAN1 with alias <IP>/32 and we wish to filter that specific IP, PF can't do it. I've yet to look into IPFW which was claimed to have this capability.

4. The difficulty for the OPNs web-gui would come from any ifconfig change as far as I can tell. If VLAN or jail IP settings were to be changed down the road, or if the initial setup was not very well thought through, I assume the web-gui could have difficulties with shuffling IP addresses and firewall rules. A dedicated subnet for jails and default VLAN creation could facilitate this problem (ex 192.168.10.0/26) or some other potentially unused subnet.

5. Otherwise creating and configuring jails is pretty easy, especially with qjail or ezjail (which is a single script btw). I just copied the script and config file to my box and created my jails. The web-gui would have to have some kind of interface to set which services should be enabled for the particular jail - or just expose <jail>/etc/rc.conf

6. Consider ZFS (not advised on 32Bit) with snapshot rollback feature. Create a pristine ZFS snapshot at first start of jail. The snapshot is periodically called for rollback to restore the jail to pristine. Any undetected compromise of jail is thus wiped out. You mount /usr/local as "nullfs -ro" to <jail>/usr/local so that package upgrades are low maintenance and individual jails do not need package maintenance. If world gets updated, jails will require an etcupdate run to bring them to same level as host.

HTH.
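The pristine-snapshot scheme from point 6 above, written out as an added example (this is not code from the thread or from OPNsense/ezjail): one ZFS dataset per jail, the host's /usr/local nullfs-mounted read-only into it, a snapshot taken once at first start, and a periodic rollback that discards anything the jail accumulated since. The dataset layout (`zroot/jails/<name>`), the jail root `/usr/jails`, the archive directory and the `service jail` invocation are assumptions. With `DRY_RUN=1` the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: pristine ZFS snapshot + periodic rollback for a FreeBSD jail.
# Dataset names, jail root and paths are assumptions, not values from the thread.
set -eu

ZJAILS=${ZJAILS:-zroot/jails}     # parent dataset, one child dataset per jail (assumed)
JAILROOT=${JAILROOT:-/usr/jails}  # mountpoint of those datasets (assumed)

# Command runner: with DRY_RUN=1 the command is echoed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Share the host's /usr/local read-only, so packages are upgraded once on the host
# and the jail cannot modify its own binaries. Normally this line lives in
# /etc/fstab.<jailname> so ezjail mounts it on every start; shown here explicitly.
mount_local_ro() {  # mount_local_ro <jail>
  run mount -t nullfs -o ro /usr/local "$JAILROOT/$1/usr/local"
}

# Run once, right after the jail has been configured and started for the first time.
# Everything the rollback restores is whatever is in the dataset at this moment.
snapshot_pristine() {  # snapshot_pristine <jail>
  run zfs snapshot "$ZJAILS/$1@pristine"
}

# Periodic rollback. Order matters:
#  1. stop the jail, or the rollback fails on a busy dataset / open files;
#  2. copy logs out first, because the rollback discards them along with any
#     compromise evidence you might want to keep;
#  3. zfs rollback -r, which also destroys snapshots newer than @pristine;
#  4. start the jail again (ezjail re-mounts the nullfs from fstab.<jailname>).
rollback_pristine() {  # rollback_pristine <jail> <log-archive-dir>
  stamp=${STAMP:-$(date +%Y%m%d%H%M)}   # STAMP override makes runs reproducible
  run service jail stop "$1"
  run cp -a "$JAILROOT/$1/var/log" "$2/$1-$stamp"
  run zfs rollback -r "$ZJAILS/$1@pristine"
  run service jail start "$1"
}

# Stand-alone run (assumed jail names); set DRY_RUN=1 to only print the commands.
if [ -z "${SOURCED:-}" ]; then
  DRY_RUN=${DRY_RUN:-1}
  for j in dns searx clamav; do
    rollback_pristine "$j" /var/backups/jails
  done
fi
```

Two caveats the rollback does not cover: a world upgrade on the host still needs an `etcupdate` run inside each jail (and a fresh @pristine afterwards, or the next rollback undoes it), and a rollback only removes what lives on the jail dataset, so credentials or keys a compromised jail has already leaked are not recovered by it.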
#7
Thank you for the info. Quite useful & helps a lot.

Sorry to bother the forum with another question, but I have limited experience on following topic: There seems to be capability overlap with IDS/IPS vs squid/c-icap for AntiVirus and malware protection.

Obviously IDS/IPS does not provide AV scanning; security/clamav & www/squidclamav do this, but clamd can protect against phishing, do md5 document hash checks and a number of other things, hence my overlap comment.

I've read several forum threads re clamav and understand that it's not considered part of OPNs core mission. However, a plugin for it does not exist either. I've also seen suggestions to place the AV-scanner as a part of IPS and not use squid for this at all. Finally there's the razorback toolset that looks quite comprehensive, including AV scanning. In summary, I'm a bit confused on this topic.

BTW, the Setup Anti Virus Protection how-to looks quite out-dated, and installing Symantec Protection Engine is nowhere near "straight forward".
#8
The upgrade to 17.1.10 is exactly what caused the problem. 17.1.4 is running normally. I did 20 something re-installs before identifying the problem (thankfully I had a clean tar file to push).

* I direct your attention to problem #2 as well: Mount assets before invoking configd. I saw this in 17.1.10 but not a problem in 17.1.4

* I'm configuring some jailed services (ezjail) from tarred OPNsense folders and mounting /usr/local as nullfs -ro into the jails. configd starts up in the jail because etc/rc.d/configd does not have an enable option. IMHO it should be as below so that configd_enable="NO" can be set:
@@ -12,1 +12,3 @@
- name=configd
+ name=configd
+ rcvar=configd_enable
+ : ${configd_enable="YES"}
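Review bot: the `- name=configd` / `+ name=configd` pair is a no-op that only adds diff noise; keep `name=configd` as unchanged context and add just the two new lines. For the default itself, the rc.subr convention is to set it after `load_rc_config $name` (not visible in this hunk) and with the `:=` form, i.e. `: ${configd_enable:="YES"}`, so that an empty `configd_enable=""` in rc.conf also falls back to YES rather than leaving the variable blank. With a YES default the host behaviour is unchanged and each jail's rc.conf must carry an explicit `configd_enable="NO"`, which is the stated intent.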
#9
I figured out the problem source for issues 1 & 2. It's the "pkg upgrade" process that pulls in one of the OPNs custom packages. System behaves normally without the upgrade.
uname: 11.0-RELEASE-p8 #0 e84bb9532(stable/17.1): Sun Mar 26 15:30:53 CEST 2017
Relevant pkg versions:
opnsense-17.1.4
opnsense-update-17.1.4
opnsense-lang-17.1.4
Looks like other threads refer to this problem as well.
#10
Odd connection problem with re0

Hello. long time FreeBSD user, just installed OPNs and have a strange problem. Box is 32Bit, re0=LAN, vr0=WAN. no VLAN/OPT.

1. LAN (re0) loses connectivity and cannot send or receive pings (from the box: "ping: sendto: Invalid argument"). Changing the NIC or PCI slot or disabling pf made no difference. Likewise, the web-gui is unreachable from LAN, but reachable from WAN with pf disabled. I see "Configuring PHP: unable to connect to configd socket (@/var/run/configd.socket)", IDK whether that's relevant. Strangely, LAN clients are able to get a dhcp lease, but of course cannot connect outside.

Some other questions:
2. I have a slightly alternate HDD setup and need requires=mount before any OPNs scripts are called. rcorder is not available, where and how can I modify this (possibly related to #1)?

3. Already have /tmp as tmpfs & swap mounted via fstab. I assume selecting the same via the Web-GUI is redundant? Also, is it safe to set "clear_tmp_enable" in /etc/rc.conf?

4. I don't need syslogd to listen, but "-ss" flag in rc.conf has no effect.

5. Is it possible to disable IPv6 for all services, or will this break stuff?

6. The repo does not have packages for www/py-searx, security/obfsclient, security/tcpcrypt

7. I'd like to filter traffic exiting squid using www/privoxy. If I edit squid.conf for forward rule, I assume web-gui will overwrite any changes made. What's the solution?

Thanks for the help