Messages - cgone

#1
Quote from: Patrick M. Hausen on September 09, 2024, 11:52:59 PM
You can do that with AdGuard Home already.
I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.

That's why I prefer using extended blocklists as my solution.
#2
24.7, 24.10 Legacy Series / Re: Kernel Panics Reboot
September 20, 2024, 07:28:27 AM
Quote from: franco on September 19, 2024, 05:40:07 PM
@cgone can you post the panic backtrace too as a reference point?

Here is the backtrace of the last crash. The crashes do not always give a crash dump.


db:0:kdb.enter.default>  run lockinfo
db:1:lockinfo> show locks
No such command; use "help" to list available commands
db:1:lockinfo>  show alllocks
No such command; use "help" to list available commands
db:1:lockinfo>  show lockedvnods
Locked vnodes
db:0:kdb.enter.default>  show pcpu
cpuid        = 3
dynamic pcpu = 0xfffffe009e97b080
curthread    = 0xfffff8002d0bc740: pid 23521 tid 102231 critnest 1 "Eastpect Main Event"
curpcb       = 0xfffff8002d0bcc60
fpcurthread  = 0xfffff8002d0bc740: pid 23521 "Eastpect Main Event"
idlethread   = 0xfffff80001974000: tid 100006 "idle: cpu3"
self         = 0xffffffff83a13000
curpmap      = 0xfffff801c96ad600
tssp         = 0xffffffff83a13384
rsp0         = 0xfffffe0102b8c000
kcr3         = 0x80000003ae08d4b0
ucr3         = 0x80000003ae08ccb0
scr3         = 0x3ae08ccb0
gs32p        = 0xffffffff83a13404
ldt          = 0xffffffff83a13444
tss          = 0xffffffff83a13434
curvnet      = 0
db:0:kdb.enter.default>  bt
Tracing pid 23521 tid 102231 td 0xfffff8002d0bc740
kdb_enter() at kdb_enter+0x33/frame 0xfffffe0102b8b9e0
panic() at panic+0x43/frame 0xfffffe0102b8ba40
trap_fatal() at trap_fatal+0x40b/frame 0xfffffe0102b8baa0
calltrap() at calltrap+0x8/frame 0xfffffe0102b8baa0
--- trap 0x9, rip = 0xffffffff8108cf63, rsp = 0xfffffe0102b8bb70, rbp = 0xfffffe0102b8bb70 ---
pmap_pvh_remove() at pmap_pvh_remove+0x23/frame 0xfffffe0102b8bb70
pmap_enter() at pmap_enter+0xd1e/frame 0xfffffe0102b8bc50
vm_fault() at vm_fault+0xbb7/frame 0xfffffe0102b8bd70
vm_fault_trap() at vm_fault_trap+0x4d/frame 0xfffffe0102b8bdc0
trap_pfault() at trap_pfault+0x1be/frame 0xfffffe0102b8be10
trap() at trap+0x4ab/frame 0xfffffe0102b8bf30
calltrap() at calltrap+0x8/frame 0xfffffe0102b8bf30
--- trap 0xc, rip = 0x827eed850, rsp = 0x8414947a8, rbp = 0x841494860 ---


My guess is that it is more likely a hardware fault, since the backtrace is often different in a different thread.
#3
24.7, 24.10 Legacy Series / Re: Kernel Panics Reboot
September 19, 2024, 02:50:32 PM
@Franco: I have a similar problem and several crashes today. Should I install the debug kernel and send you a vmcore, too?
#4
Due to a crash of freeradius and a faulty attempt of mine to fix it, my installation is missing
a few files under the directory /usr/local/etc/raddb, in particular profile.d and its subfolders.

Unfortunately, the files do not seem to be included in any package.

Is there a way to regenerate the files without a full reinstallation?
#5
I still have the problem that mongodb is incomplete:

root@firewall:~ # mongod
ld-elf.so.1: /usr/local/bin/mongod: Undefined symbol "_ZN6snappy8CompressEPKcmPNSt3__112basic_stringIcNS2_11char_traitsIcEENS2_9allocatorIcEEEE"


I already reinstalled base, snappy, mongodb40 and sensei.
#6
23.7 Legacy Series / Re: High disk writes
January 04, 2024, 09:12:30 AM
I had experience with high writes, too. For me the high amount of writes is caused by zenarmor.

I solved this by using a rotational hard disk for /var and moving zenarmor from /usr/local/zenarmor to /var/zenarmor.
#7
Do not set "minimum ttl" too high. Some servers require requesting the "new" response.

Better set "Serve Expired Responses", so the latency is still very low, but the cache is more accurate.
#8
23.1 Legacy Series / Re: SSL DPI
March 06, 2023, 11:38:00 AM
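Another easy way is to do SNI inspection with nginx and use AdGuardHome to block:

    # ssl_preread is part of the stream module, so the server block belongs in a stream context
    stream {
        server {
            resolver 127.0.0.1;                        # DNS server used for the lookup below (AdGuardHome)
            listen 1443;
            ssl_preread on;                            # read the SNI from the ClientHello without terminating TLS
            proxy_connect_timeout 5s;
            proxy_pass $ssl_preread_server_name:443;   # connect to whatever the resolver returns for the SNI name
        }
    }

You put the IP address of your AdGuardHome installation at the 'resolver' directive and you need to do a port forward to 1443 for the client you want to filter.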

nginx will extract the sni-part out of the stream and resolve the "real address" with the AdGuardHome (mostly to 0.0.0.0), which results in a denied connection.
#9
Quote from: almodovaris on February 07, 2023, 08:06:11 AM
Juridically, if we speak of pirated software, we are talking sense. It's illegal to use pirated software, i.e. software whose activation mechanism has been altered.

But nobody knows if an EULA violation by a consumer is juridically meaningful. It has not been tested in court, with the exception of GPL compliance, and GPL compliance is restricted to software makers.
My concern is not using pirated software. I want to use the (free) software legally.
My big concern is that the conditions of legal use are not clearly stated.

Meanwhile I asked a representative (Dave) from Sunny Valley Networks and he wrote me that the free software is intended for use in a non-commercial context. In Germany usually the public schools are non-commercial, so I think that I am fine and the free software is legal to use in school, but a stale aftertaste is still there.
#10
Since when is the number of protected devices unlimited for the free edition?
Has anyone found a restriction in the license that disallows the use of the free edition in an education context?

Formerly, with the restricted number of protected devices, the limit was quickly reached by the pupils' devices, and the education discount was not great enough for a school to be able to pay the price (in Germany).
#11
Quote from: franco on January 27, 2023, 11:38:45 AM
...

And the kernel can be installed on 23.1 easily:

# opnsense-update -zkr 23.1-netmap
# opnsense-shell reboot

...
I coincidentally reinstalled the original kernel by installing 23.1_6, and my problems reappeared.
So I am looking forward to this fix becoming permanent.

@Franco: Will this fix be included in 23.2 or earlier?
#12
I installed the new kernel and it works!

The problems with registering the telephone by the fritzbox and the surfing by the rest of the family are gone.

Unfortunately both interfaces use VLAN and therefore the generic netmap driver...
#13
I guess the package php81-pecl-mongodb-1.12.0 is missing.

Try:
pkg install php81-pecl-mongodb-1.12.0
#14
Quote from: mb on February 13, 2022, 12:37:05 AM
Hi @cgone,

Yes, similarly, you'll need to supply servername parameter to simulate a browser behaviour:

$ openssl s_client -quiet -connect 185.60.216.35:443 -servername graph.facebook.com
4377019948:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/System/Volumes/Data/SWE/macOS/BuildRoots/5b2e67f8af/Library/Caches/com.apple.xbs/Sources/libressl/libressl-75.60.3/libressl-2.8/ssl/ssl_pkt.c:585:
$


I am still shocked to read this. Only a small variation of the protocol is needed to bypass Zenarmor?
I am not sure if I should re-rate Zenarmor and look for a more secure alternative.
#15
Ahhh. I focused on the TCP stream and Zenarmor does an introspection of the HTTP protocol.

With the host parameter I see a block in Zenarmor while using "telnet 185.60.216.35 80"!

But with SSL the request is still fulfilled:

openssl s_client -quiet -connect 185.60.216.35:443

Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Menlo Park, O = "Facebook, Inc.", CN = *.facebook.com
verify return:1
GET / HTTP/1.1
Host: graph.facebook.com
Connection: close

HTTP/1.1 400 Bad Request
Vary: Origin
x-fb-rlafr: 0
Content-Type: text/javascript; charset=UTF-8
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "Unsupported get request. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api"
Access-Control-Allow-Origin: *
facebook-api-version: v6.0
Strict-Transport-Security: max-age=15552000; preload
Pragma: no-cache
Cache-Control: no-store
Expires: Sat, 01 Jan 2000 00:00:00 GMT
x-fb-request-id: AOLNGCYUGORip4rQO1SwLE3
x-fb-trace-id: FtDm7H1ss36
x-fb-rev: 1005057900
X-FB-Debug: 82VX1gs1sPkv0Nr6nhyRXSWYENcnhgeJQuhVr9jpw07ebjQLFFfd71E4Ik3qZUgkkU5BK6SCVRM2hT/JyVQXtQ==
Date: Fri, 11 Feb 2022 11:18:49 GMT
Alt-Svc: h3=":443"; ma=3600, h3-29=":443"; ma=3600
Connection: close
Content-Length: 241

{"error":{"message":"Unsupported get request. Please read the Graph API documentation at https:\/\/developers.facebook.com\/docs\/graph-api","type":"GraphMethodException","code":100,"error_subcode":33,"fbtrace_id":"AOLNGCYUGORip4rQO1SwLE3"}}
read:errno=0