I see the current release of OPNsense has a banner to warn you about custom proxy settings on the HA Settings page. Great to see :)
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Show posts Menu14:14:35.094594 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097248 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097250 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097520 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097566 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097813 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097815 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097816 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097817 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097817 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097846 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.097847 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098106 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098107 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098108 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098109 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098110 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098111 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098112 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098112 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098135 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098387 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098389 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098389 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098390 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098391 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098392 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098393 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098394 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098394 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098708 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098710 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098711 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098712 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098713 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098713 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098714 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098715 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098743 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098744 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.098791 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099046 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099047 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099048 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099049 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099050 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099051 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099051 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099052 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099053 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099083 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099084 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099341 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099342 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099343 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099344 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099345 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099346 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099347 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099348 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099348 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099349 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099376 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099618 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099619 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099620 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099621 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099622 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099623 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099624 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099624 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099625 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099626 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099627 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099686 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099913 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099914 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099915 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099916 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099917 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099918 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099918 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099919 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099920 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.099957 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100211 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100212 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100213 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100214 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100215 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100216 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100217 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100218 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100218 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100219 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100220 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100221 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100222 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100253 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100532 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100533 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100534 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100535 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100536 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100537 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100537 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100538 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100539 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100568 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100826 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100827 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100828 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100829 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100830 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100830 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100831 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100832 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100833 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100834 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100869 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.100870 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101140 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101142 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101143 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101144 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101145 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
14:14:35.101145 IP 10.x.x.11 > 10.x.x.1: ICMP echo request, id 42659, seq 26, length 9
{
"status": "error",
"message": "parse error. not well formed"
}
Quote from: franco on March 12, 2025, 12:13:47 PMCVE-2025-27516 affecting Jinja2 was fixed in community yesterday and isn't much older than that if at all exploitable. I already planned to hotfix business, but we also need to ensure that these things don't cause regressions first. But also:
plugins % git grep '|[^a-z]*attr' */*/src/opnsense/service/templates | wc -l
0
core % git grep '|[^a-z]*attr' src/opnsense/service/templates | wc -l
0
For CVE-2025-26466 it's a bit different. Medium score and DoS warrant patching and I agree it needs patching in the next release, though that's also where it would be patched at the latest anyway. By default SSH is not exposed and you can even use IPS or firewall to rate limit.
Cheers,
Franco
Quote from: newsense on March 12, 2025, 12:39:59 PMVulnerability scanners are blunt instruments, and context always matters. Your security team should adjust for that.
Based on your description, you already had the mitigations in place before either vulnerability was announced.
Priority wise, should you actually have an attacker on the management network there is an argument to be made that higher value targets exist there. Bringing down a bunch of FWs would hardly be a financially rewarding endeavour.
{% if helpers.exists('interfaces.'+int+'.ipaddr') %}
{% set interface_ip = helpers.getNodeByTag('interfaces.'+int+'.ipaddr') %}
{% if '.' in interface_ip %}
--- do stuff here ---
{% endif %}
{% endif %}
Quote from: Patrick M. Hausen on November 08, 2024, 03:14:17 PM
That would be awesome!
./opnsense-version -o
FreeBSD|SMP|amd64|OPNsense|24.7.8|vmware|
{% if OPNsense.netsnmp.general.enableobservium == '1' %}
extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/sbin/opnsense-version -o
extend .1.3.6.1.4.1.2021.7890.2 hardware /bin/kenv smbios.planar.product
extend .1.3.6.1.4.1.2021.7890.3 vendor /bin/kenv smbios.planar.maker
extend .1.3.6.1.4.1.2021.7890.4 serial /bin/kenv smbios.planar.serial
{% endif %}