Messages

1

General Discussion / Re: cold reboot : network inactive

« on: March 11, 2019, 02:28:47 pm »

Hi,

Sorry for the late answer:
1) the laptop says : self assigned adres 169.254.11.30
2) Every computer on the lan tells me : no internet connection
3) i log on with the serial cable to the opnsense box
4) disconnecting the ethernet cables and reconnecting to the APU2c4 does not reactivate things
5) there is no other dhcp active on the lan

I do the following sequence, some remarks:
1) some arp things to show that after the down en up sequence everything starts to work...
2) i don't see any difference between the first and second ifconfig igb2
3) i changed the mac adresses to xxxx and yyy(a little bit paranoid)
4) igb0 is my wan port

Code: [Select]

# connect to the serial port with screen -L /dev/cu.usbserial 115200 –L

# arp -a
? (192.168.0.233) at xxxxxx:e8:10 on igb0 permanent [ethernet]
? (192.168.0.1) at yyyyyy:37:12 on igb0 expires in 1185 seconds [ethernet]

root@blue1:~ # ifconfig igb2
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP>
        ether xxxxxx:e8:12
        hwaddr 00:0d:b9:4d:e8:12
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 xxxxxxx:812%igb2 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

root@blue1:~ # ifconfig igb2 down
root@blue1:~ # ifconfig igb2 up

root@blue1:~ # ifconfig igb2
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=1400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP>
        ether xxxxxx:e8:12
        hwaddr xxxxxx:e8:12
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 xxxxxx:e812%igb2 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

root@blue1:~ # arp -a
Sw.home (192.168.2.10) at xxxxxx:83:c7:2d on igb2 expires in 1193 seconds [ethernet]
AP.home (192.168.2.11) at zzzzzz:17:a7 on igb2 expires in 1195 seconds [ethernet]
blue1.home (192.168.2.1) at xxxxxx:e8:12 on igb2 permanent [ethernet]
blue1.home (192.168.3.1) at xxxxxx:e8:11 on igb1 permanent [ethernet]
? (192.168.0.233) at xxxxxx:e8:10 on igb0 permanent [ethernet]
? (192.168.0.1) at xxxxxx37:12 on igb0 expires in 1178 seconds [ethernet]



 

2

General Discussion / cold reboot : network inactive

« on: February 25, 2019, 02:05:46 pm »

Hi,

apu2c4 , Opnsense 19.1.1, fresh install (I had same problem with previous version):

After a cold reboot (power cycle) the Lan interfaces do become active (they have the correct ip adres when i logon to the console with a serial cable) but al my devices get strange ip adresses. After a console logon with the serial cable i do a ifconfig igbx down, then ifconfig igbx up) and everything starts to work...

My lan interfaces have static adresses.

=> Is this a know problem ?

Best regards,

Wim

3

19.1 Legacy Series / syslogd uses not std syslog.conf

« on: February 22, 2019, 03:32:20 pm »

Hi,

I had some trouble with the syslog daemon, but opnsense uses /var/etc/syslog.conf instead of /etc/syslog.conf

Silly me for posting this non-issue 

Best Regards,

Wim

4

Development and Code Review / getpwnam_r always "*"

« on: February 21, 2019, 10:05:00 pm »

Hi,

In https://forum.opnsense.org/index.php?topic=11719.0 I was asking about users & pw.

I tried to read the users & pw from the system in C with getpwnam_r, and in perl with getpwuid but they keep returning "*" as pw, even executing as root user. The same code on a centos VM works as expected.

I'm obviously doing something wrong, where is the difference between a vm with linux and an embedded freebsd setup ?

Best regards,

Wim

5

General Discussion / Re: toor loginshell + value of pw

« on: February 20, 2019, 11:29:25 pm »

Hi Franco,

I'm just protecting myself from  logins with putty at port 22. (I know.. even on the LAN i should use another port, and on the wan this port is blocked by the default rules)

In the (very old) passwd layout, before the shadow thingy, i could very quickly check if the pw was '*'  : (no login possible), or a real password, or (heaven forbids !) an empty password...

Now with spwd.db , with the tool  chpw i allways see an '*' in the password field , even if i do the command as root. In the man pages i read that one should see the encrypted string when this command is executed as root. i do not see the encrypted string, even if i try this for a user that has a normal password (for example my own user ...)

So the question is  : How do i check that all the defined users in the passwd are properly locked ... There are 34 users => 31 of them are "technical users (isn't scripting fun    )

Code: [Select]


# cat /etc/passwd |cut -f 1 -d ":" | grep -v -e root -e wim -e "^#" | xargs echo -n ; echo
toor installer daemon operator bin tty kmem games news man sshd smmsp mailnull bind unbound
proxy _pflogd _dhcp uucp pop auditdistd www _ypldap hast nobody _flowd dhcpd ntopng squid
This is just asking. I think the OPNSense guys are doing a great job and  cannot know about each package and which users are created on the system by installing the packages that are already checked by the Freebsd guys.

Is there a security check script that inspects a running system for know problems like this ? I suppose you check this when prepping a new distro ?


Best regards,

Wim



 

6

General Discussion / toor loginshell + value of pw

« on: February 20, 2019, 11:56:19 am »

Hi,

I've got opnsense 19.1.1, 


1) toor loginshell
Most technical users have /usr/sbin/nologin as a loginshell: in my understanding this very save.
I see on my install that the toor user has a missing loginshell: Is there something missing ?

Code: [Select]

toor:*:0:0::0:0:Bourne-again Superuser:/root:
2) PW value
In the old unix's it was possible to force an "illegal" password in the passwd file so that no real password would match the encrypted string. How can i check this for al the "technical" users , or do i just set the value with chpass ?
The encrypted strings are stored in spwd.db => is there a simple tool to read this ?


Keep up the good work with OPNsense !!

Best Regards,

Wim

EDIT:
I know toor is a netbsd thing, and having a super user with another login shell can be a safety measure ...

7

General Discussion / Re: filesystems umount by reboot ?

« on: February 20, 2019, 12:21:48 am »

thx !

8

General Discussion / filesystems umount by reboot ?

« on: February 19, 2019, 03:25:21 pm »

Hi

I'm running opensense 19.1.1 on an apu2c4. Al the other filesystems are on the sd card

I added 2 filesystems (on ssd) in the /etc/fstab (the idea was to put var on a ssd to minimise wear & tear on the sd

Code: [Select]

/dev/ufs/OPNsense_Nano / ufs rw 1 1 # notrim
/dev/ada0p1 /var ufs rw 2       2
/dev/ada0p2 /home ufs rw 2       2

=> Is there anything more to be done (for example to properly dismount by a reboot=> some config to add in a confog file ) ?

Thank you

Wim