Messages

1

21.7 Legacy Series / Re: Why is custom options for Unbound removed in 21.7 ?

« on: February 11, 2022, 06:32:14 pm »

Nice try for a technical discussion with validity and security concerns, but won't bite. If software development for Unbound and OPNsense stood still I would agree but it does not.


Cheers,
Franco

Maybe you are right, but at the moment Unbound Configuration of DOH is less flexible than DnsCrypt proxy.
for example for add a dns in dnscrypt  i can use the well know list based on NS domain name.
in the unbound must be use the ip .

so if you decide to remove a function to replace it with another, the latter must have at least all the functionality of the replaced function.

by the way i will reported a issue with Dnscrypt log that are not more visibile form GUI.
can  you fix this ?

2

21.7 Legacy Series / Re: Why is custom options for Unbound removed in 21.7 ?

« on: February 10, 2022, 02:11:30 pm »

I have read the whole discussion and would like to say a few words.
Franco says he wants to eliminate certain parameters (such as Dns Unbound coustom option) from the graphic configuration because with the expansion of the user base many novice people could make big problems using them.
But firewalls are complex systems, and whoever uses them must at least read a fucking manual before doing a basic setup.
No firewall manufacturer that I know of whether it is Checkpoint or Cisco or juiniper or Palo alto would have ever followed this logic.

Furthermore, if during an update such a feature is deleted before proceeding, the system must give a warning big as a house  to the system administrator, especially because it is not certain that one can quickly realize that the configuration has changed. because the Dnscrypt service is still formally active and if you do not check the service logs or the Unbound configuration, you risk exposing yourself to a security risk because a system security feature has been removed without however disabling the related service.

Perhaps instead of disabling that field from the graphical configuration I would have put a nice warning banner with a check mark so that the inexperienced user would realize that changing it without having the right knowledge could lead to catastrophic results.

this is my two cents.

3

Web Proxy Filtering and Caching / SSL Inspection at wire speed

« on: February 27, 2020, 07:53:39 pm »

SSL Inspection is a very useful thing but it slowly the internet experience .
I use a test platform with a xeon 5650 and 8 gb of ram and one HD 7200 rpm.
but is not enough.
i can replace  the disk with an nvme ssd (if supported by freebsd)

But there is a pci-e  board that can i add to the system to  do the work of ssl inspection a sort of ssl inspection hardware engine ?

4

Web Proxy Filtering and Caching / Re: "SSL no bump sites" doesn't work for Win Updates

« on: February 27, 2020, 05:12:59 pm »

Thank you.

now i will use HOST and the  Ip address  of fqdn domain are seen in pf tables  and i think that all will works fine

Best regards

A.V. 

5

Web Proxy Filtering and Caching / Re: "SSL no bump sites" doesn't work for Win Updates

« on: February 27, 2020, 12:23:52 am »

and here my nat configuration

6

Web Proxy Filtering and Caching / Re: "SSL no bump sites" doesn't work for Win Updates

« on: February 27, 2020, 12:22:39 am »

Here there are mi alias... i suppose that  i have do a mistake with the alias of sistes i use a FQDN instead of ip address.

7

Web Proxy Filtering and Caching / Re: "SSL no bump sites" doesn't work for Win Updates

« on: February 26, 2020, 06:33:24 pm »

so in my rules  is the alias the problem, if i try to use ip address instead of domain can i solve the problem ?

8

General Discussion / Re: Feature Request: More Flexible Squid Configuration Interface

« on: February 25, 2020, 06:12:50 pm »

Hi for the Windows Update the solution is this access-list in pre-auth

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex microsoft.com                     
acl NoSSLIntercept ssl::server_name_regex .microsoft.com                   
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

and this

acl BrokenButTrustedServers dstdomain "/usr/local/squid/etc/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

i am not an Squid Expert, so i can do some mistake, but i found the solution on the Opnsense german forums
Here

https://forum.opnsense.org/index.php?topic=6648.0

to resolve the cert error for all sites i think that the access list
sslproxy_cert_error deny all

must be modified in
sslproxy_cert_error allow all

9

General Discussion / Feature Request: More Flexible Squid Configuration Interface

« on: February 25, 2020, 02:28:29 am »

I am trying the SSL Inspection with Squid and Clam AV, all worrks fine with most sites, but there are some sites
like Windows Update or Cisco or adobe sites and so on that can cause issue

The problem is the same for all these  sites

The following error was encountered while trying to retrieve the URL: https://72.163.4.74/*

    Failed to establish a secure connection to 72.163.4.74

The system returned:

    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

the problem can be solved by manually changing the squid configuration in CLI, unfortunately, however, if for any reason changes are made to the configuration via GUI, the changes made by editing the configuration in CLI are lost because the file is regenerated from scratch.

You could implement fields to make these changes directly from the GUI ?

Best Regards

A.V

10

Web Proxy Filtering and Caching / Re: "SSL no bump sites" doesn't work for Win Updates

« on: February 21, 2020, 01:24:01 am »

Hi,
Can you post the screen shot of the page of nat configuration, not only the line of the rule but the page with the configuration of the rule ?
and the list of domain that you have put in the alias ?

I have the same problem with squid but seems that i am unable to set correctly the aliases, the nat and the firewall roule .

11

Italian - Italiano / Re: Squid, Ssl Nobump and Windows Update.

« on: February 20, 2020, 10:17:19 pm »

La soluzione sta sul forum tedesco di Opnsense e sul forum inglese.

si deve copiare nel file di configurazione di squid in testa alle acl questa acl

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex microsoft.com                     
acl NoSSLIntercept ssl::server_name_regex .microsoft.com                   
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

il modo piu corretto di farlo a quanto ho capito (ma se il mitico Franco intervenisse per confermarlo gli sarei grato)  sarebbe quello di creare un file apposito per i domini di windows e poi creare
nel file principale l'acl che fa riferimento al file in questa maniera .

acl BrokenButTrustedServers dstdomain "/usr/local/squid/etc/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

ora il problema è un'altro che ogni qual volta  si modifica la configurazione da GUI  il file di squid viene ricreato e quindi si perdono le acl immesse.

qualcuno ha idea di come risolvere la cosa ?

ma se invece di immettere queste acl direttamente nel file di squid di potesse fare via gui
magari in un campo apposito chiamato acl windows update sarebbe meglio .

 

12

Italian - Italiano / Squid, Ssl Nobump and Windows Update.

« on: February 19, 2020, 09:55:13 pm »

Salve a tutti,
è il mio primo post qui sul forum italiano.
Ho problemi a configurare squid con gli update di windows 10 .
utilizzo squid con l'ispezione SSL attivata e CLAM, AV
in pratica  c'è un errore da qualche parte nella catena dei certificati.
se provo a contattare l'url incriminato (lod di Windoews update )  dal browser ottengo questo
https://fe3cr.delivery.mp.microsoft.com/

The following error was encountered while trying to retrieve the URL: https://fe3cr.delivery.mp.microsoft.com/*

    Failed to establish a secure connection to 191.232.139.2

The system returned:

    (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft ECC Product Root Certificate Authority 2018

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

ho visto che sul forum tedesco piu o meno c'è una soluzione,ma vorrei capire bene quelli che devo fare
sinceramente non mi va di incasinare il file di configurazione di squid senza motivo

Qualcuno puo darmi una mano ?



Cordiali Saluti

A.V.

Opnsense 20.1
x86

13

19.7 Legacy Series / Re: [Résolu] clamav : Can't download *.cvd

« on: February 11, 2020, 10:02:45 pm »

Disable clamd and freshclam, then via CLI:

pkg remove os-clamav clamav
rm -rf /var/db/clamav
pkg install os-clamav
pkg install wget

wget   main.cvd
mv main.db /var/db/clamav
chown clamav:clamav main.cvd
chmod 640 main.cvd (the same of daily.cvd)
freshclam

with these step working but the night when run the cron script for freshclam the db will corrupted.

 


root@OPNsense:~ # freshclam
Tue Feb 11 21:58:29 2020 -> ClamAV update process started at Tue Feb 11 21:58:29 2020
Tue Feb 11 21:58:30 2020 -> ^Your ClamAV installation is OUTDATED!
Tue Feb 11 21:58:30 2020 -> ^Local version: 0.102.1 Recommended version: 0.102.2
Tue Feb 11 21:58:30 2020 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Tue Feb 11 21:58:30 2020 -> daily.cvd database is up to date (version: 25720, sigs: 2181998, f-level: 63, builder: raynman)
Tue Feb 11 21:58:30 2020 -> main database available for download (remote version: 59)
Tue Feb 11 21:59:30 2020 -> ^Download failed (28) Tue Feb 11 21:59:30 2020 -> ^ Message: Timeout was reached
Tue Feb 11 21:59:30 2020 -> ^getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 21:59:30 2020 -> Trying again in 5 secs...
Tue Feb 11 21:59:35 2020 -> main database available for download (remote version: 59)
Tue Feb 11 22:00:35 2020 -> ^Download failed (28) Tue Feb 11 22:00:35 2020 -> ^ Message: Timeout was reached
Tue Feb 11 22:00:35 2020 -> ^getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 22:00:35 2020 -> Trying again in 5 secs...
Tue Feb 11 22:00:41 2020 -> main database available for download (remote version: 59)
Tue Feb 11 22:01:41 2020 -> !Download failed (28) Tue Feb 11 22:01:41 2020 -> ! Message: Timeout was reached
Tue Feb 11 22:01:41 2020 -> !getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 22:01:41 2020 -> Giving up on https://database.clamav.net...
Tue Feb 11 22:01:41 2020 -> !Update failed for database: main
Tue Feb 11 22:01:41 2020 -> ^fc_update_databases: fc_update_database failed: Connection failed (5)
Tue Feb 11 22:01:41 2020 -> !Database update process failed: Connection failed (5)
Tue Feb 11 22:01:41 2020 -> !Update failed.

14

19.7 Legacy Series / Re: [Résolu] clamav : Can't download *.cvd

« on: February 11, 2020, 01:40:28 pm »

I followed all the steps, from the uninstallation of clamav, to the deletion of the databases and the reinstallation of the package, but the creation of the main.cvd continues to fail and it never manages to download it all.
I tried to copy the clam av db that I have on the opnsense virtual machine and it seemed to be going, but today I have the service out of use again I don't know what to do.

15

19.7 Legacy Series / Re: [Résolu] clamav : Can't download *.cvd

« on: February 10, 2020, 01:37:08 pm »

HI all,

I have the same problem on a fresh installation of Opnsense 20

how can i resolve ?

i follow this steps but some procedures are missing.

what are the steps after download (with wget) main cvd ?