
Messages - roli8200

#1
If you use such methods to suppress unwanted posts, you don't have to talk at all.
#2
Hello

It's about an OPNsense 18.1 on a VMware ESXi 6.5.

During tests we have noticed that some IP packets are fragmented at 1434 bytes.
To test the maximum MTU the underlying interface can deliver, I executed the command:
ifconfig em0 hwfeatures


This causes the interface to crash somehow and suddenly come up again, always with the fixed IP address of: 195.49.42.34
ALWAYS. Tested it three times, with reboots between.
The interface had the originally configured IP of: 10.1.110.251/24
There is absolutely no DHCP server in that network nor on the firewall.

We have no (absolutely no) relationship in any form to this IP address or the network that belongs to it,
nor with the owner of the network.

I have already experienced many strange, weird and disturbing things with pfsense and opnsense.
Things that contradict any common sense.
This, however, surpasses it by far.

Based on whois, this IP belongs to:

inetnum:        195.49.42.0 - 195.49.42.255
netname:        TOOLPARK-VIACH-NET
descr:          Toolpark Cooperation AG
country:        CH
admin-c:        MS6444-RIPE
tech-c:         MS6444-RIPE
status:         ASSIGNED PA
mnt-by:         AS1836-MNT
created:        2003-10-24T14:59:20Z
last-modified:  2003-10-24T14:59:20Z
source:         RIPE

person:         Markus Schaerer
address:        Toolpark Cooperation AG
address:        Buehlstrasse 1
address:        CH-8125 Zollikerberg
address:        Switzerland
phone:          +41 1 396 26 66
fax-no:         +41 1 396 22 60
nic-hdl:        MS6444-RIPE
mnt-by:         CH-GREEN-MNT
created:        2003-10-24T14:59:17Z
last-modified:  2012-09-29T02:40:14Z
source:         RIPE # Filtered
#3
18.1 Legacy Series / Wrong remote syslog log format
April 05, 2018, 04:29:18 PM
Hello

I tried to build up a centralized log server which analyses the syslog messages from a bunch of OPNsense firewalls connecting different segments together, as a kind of centralized downstream intrusion detection system which sends alarm SMS. After a lot of testing of different products, which always generated only waste data out of the sent syslog messages, I started to analyse the syslog data sent from OPNsense myself via netcat (nc -l -u -p 514)
and what do I see:

<134>Apr  5 16:02:19 filterlog: 59,,,0,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,xx.1.xx.1,xx.1.xx.100,29402,10050,0,S,812657615,,65228,,mss;nop;wscale;sackOK;TS

What's missing here: right, the hostname.
It should be:
<134>Apr  5 16:02:19 vm-fwgw-01 filterlog: ....

see here: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/bsdsyslog-header.html
and here: https://en.wikipedia.org/wiki/Syslog, https://de.wikipedia.org/wiki/Syslog

Strangely the log files on the filesystem are correct:
Apr  5 16:02:43 vm-fwgw-01 openvpn[28872]: MANAGEMENT: CMD 'quit'

Seems like some wrong compile option.

Then, to have real information about what's going on on all the firewalls, it would be nice if the Suricata logs could also be transmitted to a remote syslog server.
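As an added example (my code, not the poster's or OPNsense's), here is a collector-side parser for the BSD syslog (RFC 3164) header that tolerates the missing HOSTNAME field described above and flags such lines, plus a splitter for the filterlog CSV payload. The filterlog field names are my reading of the order visible in the sample line, not taken from OPNsense documentation; the second sample line is constructed from the file-side line quoted above.

```python
import re

# RFC 3164 header: <PRI>TIMESTAMP [HOSTNAME] TAG[PID]: MSG.
# HOSTNAME is optional here so that lines affected by the bug still parse.
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:]+) )?"                  # absent in the reported line
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# filterlog layout as read from the sample (assumed names, in sample order)
_COMMON = ("rulenr", "subrulenr", "anchor", "tracker", "interface",
           "reason", "action", "direction", "ipversion")
_IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags", "protoid",
         "protoname", "length", "src", "dst")
_TCP = ("srcport", "dstport", "datalen", "tcpflags", "seq", "ack",
        "window", "urg", "options")

def parse_bsd_syslog(line):
    """Return header fields; 'host' is None when the sender omitted it."""
    m = _HDR.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7   # <134>: local0, info
    return rec

def parse_filterlog(msg):
    """Split the filterlog CSV; only the IPv4 tcp/udp layouts seen above are handled."""
    parts = msg.split(",")
    rec = dict(zip(_COMMON, parts[:9]))
    rest = parts[9:]
    if rec.get("ipversion") != "4":
        rec["unparsed"] = rest            # IPv6 layout is not shown in the post
        return rec
    rec.update(zip(_IPV4, rest[:11]))
    rest = rest[11:]
    if rec["protoname"] == "tcp":
        rec.update(zip(_TCP, rest[:9]))
    elif rec["protoname"] == "udp":
        rec.update(zip(_TCP[:3], rest[:3]))
    return rec

def lines_missing_hostname(lines):
    """Collector check: which received lines carry no HOSTNAME field?"""
    return [l for l in lines if parse_bsd_syslog(l)["host"] is None]

SAMPLE = [  # constructed: line 1 as received in the post, line 2 the expected form
    "<134>Apr  5 16:02:19 filterlog: 59,,,0,em0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,"
    "xx.1.xx.1,xx.1.xx.100,29402,10050,0,S,812657615,,65228,,mss;nop;wscale;sackOK;TS",
    "<134>Apr  5 16:02:43 vm-fwgw-01 openvpn[28872]: MANAGEMENT: CMD 'quit'",
]
```

Lines reported by lines_missing_hostname cannot be attributed to a firewall by the relay-visible header alone, so a collector has to fall back to the sending socket address for them.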