Messages - Patrick M. Hausen

#1
Quote from: OPNenthu on Today at 12:05:20 AM
I'm still clueless. Where can I go to also learn?

I was just taking his statement verbatim. If whoever is behind IPfire is problematic, so be it. I am not really interested in digging deeper. "Difficult" project leads in open source are not uncommon. Case closed for me.
#2
The GeoIP databases are updated automatically. To check go to

Firewall: Aliases: GeoIP settings

and look at the "Last updated" timestamp.
#3
General Discussion / Re: Port OPNsense to Linux?
April 01, 2026, 11:45:40 PM
Quote from: MrWizard on April 01, 2026, 10:03:02 PM
The reason IPFire is being unrecommended, is the guys behind.

So I learned, thank you.

Quote from: MrWizard on April 01, 2026, 10:03:02 PM
So there will likely be users for a Linux router with an OPNsense like user interface and decent support. The Linux user base is growing.

But there must be a dozen different firewall appliance distributions based on Linux given how the Linux community and ecosystem ticks? There ...

* insert Anakin and Padme meme *

Seriously, no takers? OpenWRT for sure. And they have an optional more capable UI IIRC?

Then again - you need hardware anyway. And Mikrotik Router OS while closed source is not that bad. I use it for everything Layer 2 here.
#4
When you create the alias you define how frequently the source is pulled for updates.

I use 6 hours for most.

#5
Quote from: Monviech (Cedrik) on April 01, 2026, 04:26:47 PM
But it's another module, though since I went the "I only support cloudflare in caddy" it looks attractive.

I also know who WeidiDeng is.

Sounds awesome!
#6
OK. How about being able to select more than one "Caddy internal access list" as a compromise? So one gets at least manageable objects for IPv4, IPv6, Cloudflare, other CDNs, ...

Also: what's with all the other fields in the access lists? Are any of them relevant for trusted proxies or just the address content?
#7
Hi all, but specifically Cedric (@monviech):

I just added Cloudflare's egress IP addresses to Caddy as trusted proxies in one of our installations so client IP addresses get passed properly down the chain. Works as designed. But feels a little clumsy:

- You can only select a single "Caddy access list" - I originally created two, one for IPv4, one for IPv6, because "of course" only to find I needed to combine them into one.
- Although Cloudflare last changed the lists in 2023, they provide them under a static URL in text CIDR format, so they could be trivially pulled into a firewall alias with the existing mechanisms.

I will happily create a feature request on Github, but wanted to discuss if that would be feasible, first.

Kind regards,
Patrick
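The trusted-proxy behaviour described in this post (believe the forwarded client address only when the peer that connected is in the combined IPv4/IPv6 proxy list), as an added Python illustration that is not the Caddy plugin's code. The CIDR list is a constructed placeholder in the CIDR-per-line format mentioned above, not Cloudflare's real ranges, and the right-to-left walk over trusted hops is an assumed policy, not a claim about Caddy's exact algorithm.

```python
import ipaddress
from typing import List, Optional

# Constructed sample of one combined IPv4 + IPv6 trusted-proxy list, in the
# plain CIDR-per-line text format an alias could pull (placeholder ranges).
TRUSTED_PROXY_TEXT = """\
# comment lines and blank lines are ignored
203.0.113.0/24
198.51.100.0/24

2001:db8:cafe::/48
"""


def parse_cidr_list(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse a CIDR-per-line source into a mixed list of v4/v6 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_trusted_proxy(addr: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    ip = ipaddress.ip_address(addr)
    # 'in' between an IPv4 address and an IPv6 network is simply False
    return any(ip in net for net in trusted)


def real_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                   trusted: List[ipaddress._BaseNetwork]) -> str:
    """Return the client address to pass down the chain.

    Only when the TCP peer is a trusted proxy is X-Forwarded-For believed;
    otherwise the header may have been set by the client itself, so the
    peer address is the client. Among the hops, the rightmost one that is
    not a trusted proxy is taken (assumed policy for this example).
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, trusted):
                return hop
        except ValueError:
            return remote_addr  # malformed hop in header: fall back to peer
    return hops[0]  # every hop is a trusted proxy: leftmost is the best we have
```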
#8
Quote from: JamesFrisch on April 01, 2026, 03:18:28 PM
So in your case, it will continue to use your local DNS server which does not know about your home network names.

And possibly stops to be reachable at all, if it's not on a directly connected LAN and you direct all your traffic (0.0.0.0/0, ::/0) into the WireGuard Tunnel.
#9
Quote from: Monviech (Cedrik) on April 01, 2026, 11:37:59 AM
Please note what I'm saying is highly simplified, I have no insight into the governance of freebsd, nor met any of their team members yet.

See you in Brussels, possibly?
#10
A small trap in the "router behind router" scenario: "block private networks" on WAN and the fact that "reply-to" is on by default. Firewall: Settings: Advanced, enable "disable reply-to" there if WAN is a broadcast network (aka Ethernet).

Uwe's really excellent introductory posts also help:

https://forum.opnsense.org/index.php?topic=42985.0
https://forum.opnsense.org/index.php?topic=39556.0
#11
Quote from: hakuna on April 01, 2026, 10:21:19 AM
1. it went into halt mode and stayed there

Does your device support ACPI power off? Some embedded systems don't.

Quote from: hakuna on April 01, 2026, 10:21:19 AM
2. UPS power was recycled so it killed everything, including OPNSense itself which was in halt mode, it never fully shutdown.

But power cycling when halted does not hurt.

And I already agreed that hard-wired shutting down of the UPS is probably a bad idea - please raise a feature request on Github.
#12
1. "/usr/local/etc/rc.halt" does call "shutdown -p now":

#!/bin/sh

# shutdown syshook / plugin scripts
/usr/local/etc/rc.syshook stop

/sbin/shutdown -op now

while :; do sleep 1; done

2. The hardwired killpower flag might call for a feature request to make it configurable.

I haven't noticed because here my OPNsense is the master NUT server and all other servers shut down first. I think the firewall killing the Internet connection should go down last.

HTH,
Patrick
#13
I would use HAproxy only for acquis, not for bouncing. Bouncing can be done at the network layer, i.e. pf. But that's me. :-)
#14
That works; for that you basically just need to install the HAproxy collection with cscli and drop some suitable YAML into acquis.d.
#15
Quote from: NorbertK on March 31, 2026, 09:22:22 AM
I conclude that I can delete all entries in the OLD lists then ? This would help too.

That should be the last step in the migration assistant. Weren't you offered that option?