Messages - jf2001j

#1
Quote from: almodovaris on February 08, 2023, 06:33:34 PM
The only problem is if you tie such data to a person. If it is anonymised, it is not a privacy matter.
I think that is not correct. The procedure is basically subject to the GDPR regardless of any subsequent "processing" on the server. Already the "collection" from the firewall (always with IP address, but according to text at Heartbeat also with "unique node identifier").

In addition, one must also see the legal regime separate from the GDPR, Article 5 Section 3 EU Directive 2002/58 (as amended in 2009), which regarding the "storage" and "readout" of information (regardless of the personal reference!) sees strict interpretations regarding "absolute necessity" and "expressly desired by the user".

Back to the personal reference of the GDPR:

There have been several ECJ rulings on personal reference (e.g. via IP address; like C-582/14), i.e. when there is basically the possibility of identification.
Arguments:
  • Here one must see the IP address of the firewall.
  • Also, a static/long-lived identifier (as in Heartbeat: "unique node identifier") is explicitly listed in Art. 4 paragraph as "identification number".
  • In addition, a fingerprint could already be created via the interaction of the information transmitted during the "Heartbeat" event, which would make recognition possible.

In my view, there is no legal basis for "Heartbeat".
  • There is no "necessity" for a contractual basis (6.1.b GDPR) (the Zenarmor firewall functions also work without notification that an instance is online; of course, cloud management does not work, but that is already optional). The supervisory authorities have a strict understanding of the "core" of the contract.
  • Likewise, consent (6.1.a GDPR) lacks "voluntariness" (7.4 GDPR).
  • "Legitimate interest" would be conceivable (6.1.f GDPR), but then it is irritating why a non-selectable checkbox (sounds like "opt-out") is offered. Also, I wonder what the "usual expectations" of the user are.

    For legitimate interests - cf. https://www.sunnyvalley.io/docs/opnsense/configuring/configuring-zenarmor-privacy-settings-on-opnsense-firewall#heartbeat-and-license-check :

    • There is reference to "license verification". But with the free license, this is not necessary.
    • Regarding "checks the state of packet processing worker" this is possibly a legitimate interest (low hurdles here), but in a weighing with the interests of the user I consider it very low and against it the interests of the user predominant.
      (Example: what does it help the user if the manufacturer finds out that his installation with free firewall license does not work anymore? There is no automatic help from the manufacturer).

    It might be the case - this is pure speculation - that the manufacturer wants to know about the number of running installations, but this potential "legitimate interests" of him is not listed (to my understanding) in the description of "Heartbeat". It would be preferable for the user if the manufacturer would allow a non-compulsory opt-out for the user (beside Art. 21 GDPR "on grounds relating to his or her particular situation"). Also I think the interests of the user are also predominant here.

I hope the manufacturer will check the current implementation.
#2
Concerning the data flow for
Quote: "Send Heartbeat: Every Zenarmor installation sends heartbeat information 3-8 times a day.

Heartbeat is a required functionality for the correct operation of the software and cannot be disabled.

The information shared in a heartbeat message is unique node identifier, IP address, Zenarmor software versions, platform version info, important Zenarmor configuration parameters, and Subscription related information like active subscription plan and number of devices in use."
and the error message
Quote: "Heartbeat is a required functionality for the correct operation of the software and cannot be disabled."

In my opinion, Sunnyvalley should check the position of the data protection supervisory authorities https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en, in particular page 14 (section 3.1).
#3
Quote from: sp33dy on July 28, 2021, 10:23:59 AM
Quote from: mimugmail on July 28, 2021, 09:50:43 AM
But if you already ran "-s install" you are lost somewhere in the middle :(
...

Can I force run it in some other startup script?... For some reason it won't start for me

I also have the issue of the service adguardhome not auto-starting, but able to run with "service adguardhome start".

I noticed, that according to "pkg list os-adguardhome-maxit-1.5" there should only be a "/usr/local/etc/rc.d/adguardhome" file. I removed the additional file with "rm /usr/local/etc/rc.d/AdGuardHome".

Also I set "service adguardhome enable". Although the file "/etc/rc.conf.d/adguardhome" exists, it still does not autostart according to "service adguardhome status".

=> Is there a logfile as an alternative to "During reboot watch the console for errors"?

--
update:

I had a chance to look into serial output:

I think the error that adguard does not start automatically occurs because the startup of adguard is quite late as a bootlevel.

The problem seems to be a delayed newwanip process, as a workaround it might be possible to change the bootlevel (point in time when adguard starts).
This also seems to delay/block the auto-start of wireguard.

Quote:
Starting power daemon...done.
Configuring system logging...done.
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on igb1: error in configd communication %s, see syslog for de
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
  • ifconfig wg create name wg0
    [!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument)
  • wireguard-go wg0
    ┌─────────tun0: link state changed to UP
    ─────tun0: changing name to 'wg0'
    ───────────────────────────────────────┐
    │                                                      │
    │   Running wireguard-go is not required because this  │
    │   kernel has first class support for WireGuard. For  │
    │   information on installing the kernel module,       │
    │   please visit:                                      │
    │         https://www.wireguard.com/install/           │
    │                                                      │
    └──────────────────────────────────────────────────────┘
    (...)
  • Backgrounding route monitor
    WARNING: attempt to domain_add(netgraph) after domainfinalize()
    setup igb0_vlan10
    setup igb0
    setup igb1 [egress only]
    Starting flowd_aggregate.
    Starting flowd.
    Starting adguardhome.
    >>> Invoking start script 'syslog-ng'
    Stopping syslog_ng.
    Waiting for PIDS: 90451.
    Starting syslog_ng.
#4
Hi,

there seems to be a bug: using Drill Down/Session Details of IPv6 addresses is not possible because of additional \ characters.

Problem:
a) Selection of an ip6-address 2aaa:1234:1234:1234:1234:1234:1234:1234 in a chart of the Dashboard screen.
b) Source Hostname is now: 2aaa\:1234\:1234\:1234\:1234\:1234\:1234\:1234
c) => no results

Workaround:
manual filter Source-Hostname 2aaa:1234:1234:1234:1234:1234:1234:1234
=> expected results

Could you please fix this?
#5
Quote from: jf2001j on December 04, 2019, 07:53:55 AM
I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

Privacy is my concern. I use Sensei for getting an overview over IoT devices, but also want to trust that Sensei itself does not do unwanted connections. For this I have disabled all settings inside Sensei for connections to the Sensei backend, including auto-update.

Could you please describe why the JS from stripe.com included in several Sensei Dashboard webpages is loaded and why it posts data to https://m.stripe.com/4?

I'm also wondering why I did get the notification "Engine 1.2.1" is available for update inside Sensei without auto-update. But I don't have facts here. Perhaps an error on my side.
#6
Hi,

I would like to see in the Sensei Dashboard all connections, including of the firewall itself (like checking for updates, Cloud Reputation check, check for phone-home functionality of other plugins, etc.).

It is possible to see the packages in "Firewall: Log Files: Live View" for example.

=> How would I do this in Sensei?

In addition a feature proposal: please add a direct link to "Session Browser" from the menu bar and allow adding filters in this view. Charts are great, but not always useful.

Best regards,