Messages - nycaleksey

#1
I have upgraded to 21.1.3 this morning and tried the new health-check feature. One line in the output caught my attention:

python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/lib-dynload/_sha1.so

I SSH'd into the box and ran "ls -l" for this file:

-rwxr-xr-x  1 root  wheel  23200 Mar  8 18:56 /usr/local/lib/python3.7/lib-dynload/_sha1.so

SHA256 of it is 5766a1b659b7e022cbdeeaf6a7a43f6e537ddefbd3dd420ade6a37edf86abc71

I ran the file through VT and it came back clean - https://www.virustotal.com/gui/file/5766a1b659b7e022cbdeeaf6a7a43f6e537ddefbd3dd420ade6a37edf86abc71/detection

After reinstalling python37 package, the issue went away. The size and timestamp of the file did not change, but the checksum is now 972e976dfd77b703ed0104723f12db94d5f0fdcb92761e0ca5e380d65cc6b10e

Running both files through the strings command results in the exact same output. Binary diffing the suspicious and valid files shows some odd bytes being different here and there, but the diffs do not look too suspicious to my untrained eye.

Did anyone see the same issue by any chance? Do you think I should be concerned?

Thank you
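The "same size, same strings output, a few scattered bytes" comparison described above, as an added example that is not from the thread: it hashes two copies of a binary and reports where and how much they differ. The byte strings at the bottom are constructed stand-ins for the suspect and reinstalled _sha1.so, and compare_files() is a hypothetical helper for running the same report on real files.

```python
"""Locate and summarise byte-level differences between two copies of a binary
(added example, not from the thread). Sample inputs are constructed below."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_runs(a: bytes, b: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Contiguous runs of differing bytes as (offset, bytes_in_a, bytes_in_b).
    A length mismatch is reported as one final run covering the extra tail."""
    runs, n, i = [], min(len(a), len(b)), 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        runs.append((start, a[start:i], b[start:i]))
    if len(a) != len(b):
        runs.append((n, a[n:], b[n:]))
    return runs


def summarise(a: bytes, b: bytes) -> Dict[str, object]:
    """Hashes, sizes and how many bytes differ, so a reviewer can see at a glance
    whether the change is a handful of scattered bytes or a wholesale replacement."""
    runs = diff_runs(a, b)
    return {
        "sha256_a": sha256_hex(a), "sha256_b": sha256_hex(b),
        "size_a": len(a), "size_b": len(b),
        "runs": len(runs),
        "bytes_differing": sum(max(len(x), len(y)) for _, x, y in runs),
        "offsets": [hex(off) for off, _, _ in runs],
    }


def compare_files(path_a: str, path_b: str) -> Dict[str, object]:
    """Same report for two files on disk (hypothetical helper; not run here)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return summarise(fa.read(), fb.read())


# Constructed stand-ins for the suspect and the reinstalled shared object:
# identical size, identical printable strings, two bytes changed at offsets 24 and 26.
SUSPECT = b"\x7fELF" + b"\x00" * 20 + b"\x01\x02\x03" + b"\x00" * 10
REINSTALLED = b"\x7fELF" + b"\x00" * 20 + b"\x09\x02\x08" + b"\x00" * 10

if __name__ == "__main__":
    for key, value in summarise(SUSPECT, REINSTALLED).items():
        print(f"{key}: {value}")
```

On FreeBSD the quickest first check for this symptom is `pkg check -s python37`, which re-verifies the checksum of every file the package installed against the package database.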
#2
I had similar symptoms and it turned out my firewall was turning itself off due to a cooling issue and CPU overheating. There were log entries in the BIOS log, but nothing at the OS level. Once I corrected the airflow and the CPU stopped overheating the issue went away.
#3
Thank you! Do you know what API command can be used to enable a certain rule and to disable it?

Tried reading the documentation at https://docs.opnsense.org/development/api/core/firewall.html but it's very limited.
#4
Bumping this thread from 2.5 years ago.

Was the functionality to enable/disable firewall rules via API ever implemented? If not, does anyone know if it's on the roadmap?

Thanks!
#5
Yeah, ETA is like a Bentley, and I'm looking for an aftermarket Accord that does the same thing but cheaper, or, ideally for free :)

Thanks for the tip, I'll play with Sensei and maybe reach out to the team that works on it.
#6
I know that this is a cat&mouse game with no guarantee of reliable 100% detection.

I was looking for something that would flag obviously suspicious TLS sessions - long running, low traffic with sporadic traffic bursts, weird metadata, and other characteristics of a tunnel. Normal HTTPS connections look very different on the wire as opposed to the pseudo-VPN over TLS, and most of these VPN/tunnel solutions take no measures to disguise themselves; they are using TCP 443 only because it's almost always guaranteed to be allowed out.

Obviously, detecting malware/backdoor/APT traffic is a totally different game, and I understand that no easy or cheap solutions exist for that. This is about preventing low tech users from circumventing "no tunnels" policy.
#7
There's another limitation I did not mention - I can't touch the endpoints; the solution has to be implemented on the firewall only. My understanding is that transparent proxying of HTTPS requires deploying a custom trusted certificate on the endpoints that connect through it, isn't that the case?
#8
Looks very promising, thank you.

Can anyone in the community vouch for the authors? I'm a bit wary of installing such fresh code on production firewalls for both security and stability reasons.
#9
Hi,

One of the networks I administer has a requirement to try and prevent tunneling out. I know that it is impossible to do reliably, but there must be some "best effort" solutions. This net has all ports besides 80 and 443 blocked for connecting out. I can't require everyone on the inside to use a web proxy, so forcing everyone through the proxy is not an option.

Does anyone know of a plugin or an easily scripted solution that would terminate "suspicious" TLS sessions - ones lasting a long time and exhibiting other "suspected tunneling" characteristics?

Thank you,

Aleksey
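The "best effort" heuristic asked for in this post and refined in the earlier reply (long-running, low-throughput sessions with sporadic bursts and odd TLS metadata), as an added example that is not from the thread or from OPNsense: it scores per-flow summaries and only reports a session when several traits coincide, since any single one is too noisy to act on. The flow records and all thresholds are constructed assumptions; a real deployment would feed records from NetFlow/IPFIX or the firewall's state table.

```python
"""Heuristic scoring of TLS sessions from per-flow summaries (added example).
Flow records and thresholds below are constructed assumptions, not measurements."""
import statistics
from typing import Dict, List

# Constructed flow summaries: duration in seconds, total bytes both ways,
# bytes per 5-minute bucket, and the SNI seen in the ClientHello (None = absent).
FLOWS = [
    {"id": "web", "dst": "203.0.113.10:443", "duration": 12, "bytes": 2_400_000,
     "buckets": [2_400_000], "sni": "www.example.com"},
    {"id": "video", "dst": "203.0.113.20:443", "duration": 7200, "bytes": 1_800_000_000,
     "buckets": [75_000_000] * 24, "sni": "cdn.example.net"},
    {"id": "tunnel", "dst": "198.51.100.7:443", "duration": 7200, "bytes": 260_000,
     "buckets": [120_000, 0, 0, 0, 0, 0, 0, 0, 95_000, 0, 0, 0,
                 0, 0, 0, 0, 40_000, 0, 0, 0, 0, 0, 0, 5_000], "sni": None},
]

LONG_SESSION_S = 1800   # assumption: anything over 30 minutes counts as long running
LOW_RATE_BPS = 5_000    # assumption: average below 5 kB/s over that time is "low traffic"
BURST_CV = 2.0          # assumption: coefficient of variation of bucket sizes above this is "sporadic"


def reasons(flow: Dict) -> List[str]:
    """Tunnel-like traits a flow exhibits; an empty list means it looks like ordinary HTTPS."""
    hits = []
    avg_rate = flow["bytes"] / max(flow["duration"], 1)
    if flow["duration"] >= LONG_SESSION_S and avg_rate < LOW_RATE_BPS:
        hits.append(f"long-lived at {avg_rate:.0f} B/s")
    buckets = flow["buckets"]
    if len(buckets) >= 4 and statistics.mean(buckets) > 0:
        cv = statistics.pstdev(buckets) / statistics.mean(buckets)
        if cv > BURST_CV:
            hits.append(f"sporadic bursts (cv={cv:.1f})")
    if not flow["sni"]:
        hits.append("no SNI in ClientHello")
    return hits


def suspicious(flows: List[Dict], min_hits: int = 2) -> Dict[str, List[str]]:
    """Flows showing at least min_hits traits, keyed by flow id, with the traits found."""
    flagged = {}
    for flow in flows:
        found = reasons(flow)
        if len(found) >= min_hits:
            flagged[flow["id"]] = found
    return flagged


if __name__ == "__main__":
    for flow_id, found in suspicious(FLOWS).items():
        print(flow_id, "->", "; ".join(found))
```

A flagged session would then be handed to whatever the firewall offers for killing states, while a steady high-volume stream like the video flow passes every test and is left alone.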
#10
Fixed this by reinstalling isc-dhcp44-server package.
#11
Hi,

After the upgrade from 18.7 to 18.7.1 the DHCP server stopped working with the following error message in the log: "dhcpd: no such user: dhcpd"

Did anyone run into it? Any troubleshooting tips?

Thank you.
#12
18.1 Legacy Series / Re: Disabling circular logs
August 01, 2018, 03:54:04 PM
Franco,

I don't want to disable local logging, just want to disable the circular nature (fixed size files) of it and deal with the risk of running out of space. Is it by any chance possible, maybe as an advanced setting of some kind?

Thank you.
#13
18.1 Legacy Series / Disabling circular logs
July 26, 2018, 05:17:57 PM
Hi,

I'm trying to make the Splunk forwarder for FreeBSD work on OPNsense, and it seems to be working OK, except for the fact that it gets really confused by the circular logs.

Does anyone know if it is possible to disable circular logging and save log events to disk files in an old-fashioned way?

Thank you.
#14
18.1 Legacy Series / Re: /etc/hosts modifications
July 19, 2018, 10:13:18 PM
Franco,

I am migrating Squid web proxy functionality from a Linux server to OPNsense, and on the old Linux-based proxy /etc/hosts is used for a dirty one-off URL rewriting hack (certain hostname in the host portion of the URL needs to always be resolved by the proxy to specific IP, no matter what DNS points to).
I know I can probably do it in the squid.conf somehow, but just wanted to copy the existing functionality as-is, and optimize it later.

JasMan, thanks for the cron trick, it worked for now, although I would prefer a cleaner interface.
#15
18.1 Legacy Series / /etc/hosts modifications
July 17, 2018, 06:13:43 PM
Hi,

Is there any way to edit /etc/hosts entries via the UI? I know similar functionality exists when enabling Unbound or DNSMasq, but I am using neither and just need to alter name resolution on the firewall for one hostname.

Thank you.