Messages - AlexV

#1

ICAP works after some tries.

I don't know how...
#2
I am trying to configure ICAP, ClamAV, and the Squid proxy, but I am having issues with ICAP, which refuses to bind to the loopback addresses, both IPv6 and IPv4.
I tried manually setting the address to 127.0.0.1, but it still won't start.

Can you help me?

This is the error I receive.

Sun Dec 8 17:29:09 2024, main proc, Error binding
Sun Dec 8 17:29:09 2024, main proc, WARNING! Error binding to an ipv6 address. Trying ipv4...
Sun Dec 8 17:29:09 2024, main proc, Error converting ipv6 address to the network byte order
Sun Dec 8 17:28:50 2024, main proc, Error binding
#3
Quote from: franco on February 10, 2022, 02:52:37 PM

Nice try for a technical discussion with validity and security concerns, but won't bite. If software development for Unbound and OPNsense stood still I would agree but it does not. :)


Cheers,
Franco

Maybe you are right, but at the moment the Unbound configuration of DoH is less flexible than DNSCrypt proxy.
For example, to add a DNS in dnscrypt I can use the well-known list based on the NS domain name.
In Unbound the IP must be used.

So if you decide to remove a function to replace it with another, the latter must have at least all the functionality of the replaced function.

By the way, I will report an issue with the DNSCrypt log, which is no longer visible from the GUI.
Can you fix this?
#4
I have read the whole discussion and would like to say a few words.
Franco says he wants to eliminate certain parameters (such as the Unbound DNS custom option) from the graphical configuration because, with the expansion of the user base, many novice people could cause big problems using them.
But firewalls are complex systems, and whoever uses them must at least read a fucking manual before doing a basic setup.
No firewall manufacturer that I know of, whether it is Checkpoint or Cisco or Juniper or Palo Alto, would have ever followed this logic.

Furthermore, if during an update such a feature is deleted, before proceeding the system must give a warning as big as a house to the system administrator, especially because it is not certain that one can quickly realize that the configuration has changed. The DNSCrypt service is still formally active, and if you do not check the service logs or the Unbound configuration, you risk exposing yourself to a security risk, because a system security feature has been removed without disabling the related service.

Perhaps, instead of disabling that field from the graphical configuration, I would have put a nice warning banner with a check mark so that the inexperienced user would realize that changing it without the right knowledge could lead to catastrophic results.

This is my two cents.



#5
SSL inspection is a very useful thing, but it slows down the internet experience.
I use a test platform with a Xeon 5650, 8 GB of RAM and one 7200 rpm HD,
but it is not enough.
I can replace the disk with an NVMe SSD (if supported by FreeBSD).

But is there a PCI-e board that I can add to the system to do the work of SSL inspection, a sort of SSL inspection hardware engine?
#6
Thank you.

Now I will use HOST, and the IP addresses of the FQDN domain are seen in the pf tables, and I think that all will work fine.

Best regards

A.V. 
#7
And here is my NAT configuration.
#8
Here are my aliases... I suppose that I have made a mistake with the alias of the sites: I use a FQDN instead of an IP address.
#9
So in my rules the alias is the problem; if I try to use an IP address instead of a domain, can I solve the problem?
#10
Hi, for Windows Update the solution is this access list in pre-auth:

Quote
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex microsoft.com
acl NoSSLIntercept ssl::server_name_regex .microsoft.com
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

and this:
Quote
acl BrokenButTrustedServers dstdomain "/usr/local/squid/etc/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

I am not a Squid expert, so I may make some mistakes, but I found the solution on the OPNsense German forums.
Here:

https://forum.opnsense.org/index.php?topic=6648.0

To resolve the cert error for all sites, I think that the access list
sslproxy_cert_error deny all

must be modified into
sslproxy_cert_error allow all


#11
I am trying SSL inspection with Squid and ClamAV. All works fine with most sites, but there are some sites,
like Windows Update or Cisco or Adobe sites and so on, that can cause issues.

The problem is the same for all these sites:
Quote
The following error was encountered while trying to retrieve the URL: https://72.163.4.74/*

    Failed to establish a secure connection to 72.163.4.74

The system returned:

    (92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

The problem can be solved by manually changing the Squid configuration in the CLI. Unfortunately, however, if for any reason changes are made to the configuration via the GUI, the changes made by editing the configuration in the CLI are lost, because the file is regenerated from scratch.

Could you implement fields to make these changes directly from the GUI?

Best Regards

A.V

#12
Hi,
Can you post a screenshot of the NAT configuration page, not only the line of the rule but the page with the configuration of the rule?
And the list of domains that you have put in the alias?

I have the same problem with Squid, but it seems that I am unable to set the aliases, the NAT and the firewall rule correctly.
#13
The solution is on the German OPNsense forum and on the English forum.

You must copy this ACL into the Squid configuration file, at the top of the ACLs:

Quote
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex microsoft.com
acl NoSSLIntercept ssl::server_name_regex .microsoft.com
acl NoSSLIntercept ssl::server_name_regex windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex .windowsupdate.com
acl NoSSLIntercept ssl::server_name_regex update.microsoft.com.akadns.net

ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain download.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com
acl BrokenButTrustedServers dstdomain update.microsoft.com.akadns.net
acl BrokenButTrustedServers dstdomain update.microsoft.com.nsatc.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

The most correct way to do it, as far as I understand (but I would be grateful if the legendary Franco stepped in to confirm), would be to create a dedicated file for the Windows domains and then create
in the main file the ACL that references the file, in this way:

Quote
acl BrokenButTrustedServers dstdomain "/usr/local/squid/etc/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

Now the problem is a different one: every time the configuration is modified from the GUI, the Squid file is recreated and so the ACLs that were entered are lost.

Does anyone have an idea how to solve this?

But if, instead of entering these ACLs directly in the Squid file, it could be done via the GUI,
maybe in a dedicated field called "acl windows update", it would be better.
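
As an added example (not code from this thread, from OPNsense or from Squid), the script below models how the `ssl::server_name_regex` lines above are matched. They are unanchored regular expressions, so the unescaped dots and missing anchors also exempt lookalike hostnames from inspection; the anchored forms limit the splice to the intended domains. It also checks that a fragment keeps `sslproxy_cert_error deny all` as the catch-all. Modelling the ACL with Python's `re.search`, and the sample SNI values, are assumptions made here.

```python
import re

# Patterns exactly as posted in the thread. Squid treats them as unanchored
# regular expressions: "." matches any character and the match may occur anywhere.
POSTED_PATTERNS = [
    "microsoft.com",
    ".microsoft.com",
    "windowsupdate.com",
    ".windowsupdate.com",
    "update.microsoft.com.akadns.net",
]

# Anchored alternatives (added here): match the apex or a subdomain, nothing else.
ANCHORED_PATTERNS = [
    r"(^|\.)microsoft\.com$",
    r"(^|\.)windowsupdate\.com$",
    r"^update\.microsoft\.com\.akadns\.net$",
]

# Constructed sample SNI values: real update hosts plus lookalikes.
SAMPLE_SNI = [
    "fe3cr.delivery.mp.microsoft.com",
    "download.windowsupdate.com",
    "update.microsoft.com.akadns.net",
    "notmicrosoft.com",            # substring match on "microsoft.com"
    "microsoft.com.example.net",   # no end anchor in the posted pattern
    "microsoftxcom",               # unescaped "." matches the "x"
]


def spliced(sni, patterns):
    """Model of 'ssl_bump splice NoSSLIntercept': True when any pattern matches
    the SNI, i.e. the connection is passed through uninspected (assumption:
    re.search approximates Squid's unanchored regex ACL)."""
    return any(re.search(p, sni) for p in patterns)


def audit(hosts, patterns):
    """Return the hosts that a pattern list would exempt from SSL inspection."""
    return [h for h in hosts if spliced(h, patterns)]


def cert_error_fallback(conf):
    """Action of the catch-all 'sslproxy_cert_error ... all' rule, or None.
    'deny' keeps certificate validation for everything outside the exception."""
    m = re.search(r"^sslproxy_cert_error\s+(allow|deny)\s+all\s*$", conf, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("posted   :", audit(SAMPLE_SNI, POSTED_PATTERNS))
    print("anchored :", audit(SAMPLE_SNI, ANCHORED_PATTERNS))
```

With the posted patterns all six sample names are spliced; with the anchored ones only the three real update hosts are.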

#14
Hello everyone,
this is my first post here on the Italian forum.
I have problems configuring Squid with Windows 10 updates.
I use Squid with SSL inspection enabled and ClamAV.
Basically there is an error somewhere in the certificate chain.
If I try to contact the offending URL (the Windows Update one) from the browser, I get this:
https://fe3cr.delivery.mp.microsoft.com/
Quote
The following error was encountered while trying to retrieve the URL: https://fe3cr.delivery.mp.microsoft.com/*

    Failed to establish a secure connection to 191.232.139.2

The system returned:

    (92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft ECC Product Root Certificate Authority 2018

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

I saw that on the German forum there is more or less a solution, but I would like to understand well what I have to do.
Honestly, I don't feel like messing up the Squid configuration file for no reason.

Can anyone give me a hand?

Best regards

A.V.

Opnsense 20.1
x86

#15
Disable clamd and freshclam, then via CLI:

pkg remove os-clamav clamav
rm -rf /var/db/clamav
pkg install os-clamav
pkg install wget

wget   main.cvd
mv main.db /var/db/clamav
chown clamav:clamav main.cvd
chmod 640 main.cvd (the same for daily.cvd)
freshclam

With these steps it works, but at night, when the cron script for freshclam runs, the DB gets corrupted.

root@OPNsense:~ # freshclam
Tue Feb 11 21:58:29 2020 -> ClamAV update process started at Tue Feb 11 21:58:29 2020
Tue Feb 11 21:58:30 2020 -> ^Your ClamAV installation is OUTDATED!
Tue Feb 11 21:58:30 2020 -> ^Local version: 0.102.1 Recommended version: 0.102.2
Tue Feb 11 21:58:30 2020 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Tue Feb 11 21:58:30 2020 -> daily.cvd database is up to date (version: 25720, sigs: 2181998, f-level: 63, builder: raynman)
Tue Feb 11 21:58:30 2020 -> main database available for download (remote version: 59)
Tue Feb 11 21:59:30 2020 -> ^Download failed (28) Tue Feb 11 21:59:30 2020 -> ^ Message: Timeout was reached
Tue Feb 11 21:59:30 2020 -> ^getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 21:59:30 2020 -> Trying again in 5 secs...
Tue Feb 11 21:59:35 2020 -> main database available for download (remote version: 59)
Tue Feb 11 22:00:35 2020 -> ^Download failed (28) Tue Feb 11 22:00:35 2020 -> ^ Message: Timeout was reached
Tue Feb 11 22:00:35 2020 -> ^getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 22:00:35 2020 -> Trying again in 5 secs...
Tue Feb 11 22:00:41 2020 -> main database available for download (remote version: 59)
Tue Feb 11 22:01:41 2020 -> !Download failed (28) Tue Feb 11 22:01:41 2020 -> ! Message: Timeout was reached
Tue Feb 11 22:01:41 2020 -> !getcvd: Can't download main.cvd from https://database.clamav.net/main.cvd
Tue Feb 11 22:01:41 2020 -> Giving up on https://database.clamav.net...
Tue Feb 11 22:01:41 2020 -> !Update failed for database: main
Tue Feb 11 22:01:41 2020 -> ^fc_update_databases: fc_update_database failed: Connection failed (5)
Tue Feb 11 22:01:41 2020 -> !Database update process failed: Connection failed (5)
Tue Feb 11 22:01:41 2020 -> !Update failed.