Messages

Versions   
OPNsense 21.7.1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
OpenSSL 1.1.1k 25 Mar 2021

ntpd   Network Time Daemon


2021-08-15T06:41:00   ntpd[93468]   daemon child exited with code 1   
2021-08-15T06:41:00   ntpd[18732]   unable to bind to wildcard address :: - another process may be running - EXITING   
2021-08-15T06:41:00   ntpd[18732]   restrict: 'monitor' cannot be disabled while 'limited' is enabled   
2021-08-15T06:41:00   ntpd[18732]   gps base set to 2021-07-25 (week 2168)   
2021-08-15T06:41:00   ntpd[18732]   basedate set to 2021-07-22   
2021-08-15T06:41:00   ntpd[18732]   proto: precision = 0.153 usec (-23)   
2021-08-15T06:41:00   ntpd[93468]   ----------------------------------------------------   
2021-08-15T06:41:00   ntpd[93468]   available at https://www.nwtime.org/support   
2021-08-15T06:41:00   ntpd[93468]   corporation. Support and training for ntp-4 are   
2021-08-15T06:41:00   ntpd[93468]   Inc. (NTF), a non-profit 501(c)(3) public-benefit   
2021-08-15T06:41:00   ntpd[93468]   ntp-4 is maintained by Network Time Foundation,   
2021-08-15T06:41:00   ntpd[93468]   ----------------------------------------------------   
2021-08-15T06:41:00   ntpd[93468]   Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid   
2021-08-15T06:41:00   ntpd[93468]   ntpd 4.2.8p15@1.3728-o Tue Aug 3 09:54:13 UTC 2021 (1): Starting   
2021-08-15T06:40:28   ntpd[13032]   daemon child exited with code 1   
2021-08-15T06:40:28   ntpd[34945]   unable to bind to wildcard address :: - another process may be running - EXITING   
2021-08-15T06:40:28   ntpd[34945]   restrict: 'monitor' cannot be disabled while 'limited' is enabled   
2021-08-15T06:40:28   ntpd[34945]   gps base set to 2021-07-25 (week 2168)   
2021-08-15T06:40:28   ntpd[34945]   basedate set to 2021-07-22   
2021-08-15T06:40:28   ntpd[34945]   proto: precision = 0.123 usec (-23)

I am in China, so change update server to mirror CN.

opnsense   
Version   21.7.1   
Architecture   amd64   
Flavour   OpenSSL   
Commit   ec466867c   
Mirror   https://opnsense.aivian.org/FreeBSD:12:amd64/21.7   
Repositories   OPNsense, SunnyValley, mimugmail   
Updated on   Wed Aug 4 16:35:02 CST 2021   
Checked on   N/A


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.1 (amd64/OpenSSL) at Sat Aug 14 16:17:47 CST 2021
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
4764836020224:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: transfer timed out
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
4016512311296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
4016512311296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:

When upgrade 21.1 to 21.1.1,th UI is show me :400 Bad Request,need to check!
I am refresh to fix the problem.

OPNsense 20.7.4-amd64
FreeBSD 12.1-RELEASE-p10-HBSD
OpenSSL 1.1.1h 22 Sep 2020
Updates   Click to check for updates.
CPU Type   AMD FX-9800P RADEON R7, 12 COMPUTE CORES 4C+8G (4 cores)
CPU usage   
0
100
0
100
Load average   1.57, 1.59, 1.51
Uptime   04:24:32
Current date/time   Sun Nov 15 18:24:26 CST 2020
Last config change   Sun Nov 15 14:05:38 CST 2020
State table size   
0 % ( 339/1578000 )
MBUF Usage   
0 % ( 1780/983846 )
Memory usage   
26 % ( 4170/15780 MB )
Disk usage   
2% / [ufs] (3.2G/217G)


2020-11-15T18:19:01   configd.py[24146]   unable to sendback response [OK ] for [sensei][periodicals][None] {ef8a7db5-db0a-491e-b1e0-b759d1c3a0e7}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe


2020-11-15T18:19:00   configctl[83343]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T18:17:36   /send_heartbeat.py[55752]   unexpected result from https://opnsense.emergingthreats.net/api/v1/telemetry (http_code 403)
2020-11-15T18:09:00   configctl[68845]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T18:09:00   configctl[53986]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T18:02:00   configctl[17350]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T18:02:00   configctl[61985]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T17:59:00   configctl[95376]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T17:59:00   configctl[90731]   error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 68, in exec_config_cmd line = sock.recv(65536).decode() socket.timeout: timed out
2020-11-15T17:58:05   syslog-ng[9596]   syslog-ng starting up; version='3.29.1'
2020-11-15T17:58:05   syslogd   kernel boot file is /boot/kernel/kernel
2020-11-15T17:58:04   syslogd   exiting on signal 15
2020-11-15T17:58:04   syslog-ng[53888]   Configuration reload finished;
2020-11-15T17:58:04   syslog-ng[53888]   Configuration reload request received, reloading configuration;


suricata   Intrusion Detection could not running very well

2020-11-15T18:26:47   suricata[68475]   [100451] <Notice> -- This is Suricata version 5.0.4 RELEASE running in SYSTEM mode
2020-11-15T18:25:10   suricata[57041]   [100662] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:re0/R failed: Device busy
2020-11-15T18:25:10   suricata[57041]   [100988] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2016763: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 50919: SYN-only to port(s) 8009:8009 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5323: SYN-only to port(s) 37:37 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5322: SYN-only to port(s) 37:37 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5321: SYN-only to port(s) 37:37 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 620: SYN-only to port(s) 8080:8080 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 618: SYN-only to port(s) 3128:3128 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 615: SYN-only to port(s) 1080:1080 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 504: SYN-only to port(s) 0:1023 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 503: SYN-only to port(s) 0:1023 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:17   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 249: SYN-only to port(s) 15104:15104 w/o direction specified, disabling for toclient direction
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip|file.apk' is checked but not set. Checked in 29382 and 1 other sigs
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'itunes.serverinfo.request' is checked but not set. Checked in 13899 and 0 other sigs
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'kindle.request' is checked but not set. Checked in 23617 and 0 other sigs
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'smb.small.packet' is checked but not set. Checked in 17127 and 0 other sigs
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'zip_in_uri_java' is checked but not set. Checked in 27740 and 0 other sigs
2020-11-15T18:20:14   suricata[57041]   [100988] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'RTMP.sysMemCall' is checked but not set. Checked in 22067 and 0 other sigs

feedback error log with Services: Intrusion Detection
add more rule lists in,most could not download ,so add by myself.
hope to running always and ignore errors.
Thank you !

Hope firmware files updated half a month.
In China, the Internet is not very good.
Hope supports more hardware.
Thank you.

Thank you!

Example: The gateway address 223.156.140.1 obtained by dial-up Internet, the subnet mask is always 255.255.255.0, but the client address becomes 223.156.143.82, this is a problem, the normal client address should be 225.156.140.2- 255.156.140.154, sometimes it is a normal address, but most of the time the address obtained is offset, 140+2 or 140+3, this is wrong, I don't know how to solve it, the OPENWRT system also has this problem , Please check to see if the upgrade can be resolved, thank you!
With many different devices, OPNSENSE can dial correctly occasionally, and I hope it can be resolved.

PPPOE dial
Subnet mask is 255.255.255.0,but interface wan is no correct,so need to check.
Maybe upgrade to deal with ISP hijacking or ISP servers have loophole or leak.
Thank you!

opnsense x64
Services: Intrusion Detection: Administration
Download:enabled all rules and make them to drop
but to
Rules:could not changed to drop ,over 10000 rules,I only to Rules menu to changed them  and very slow,hope have a quicly way to deal with.
Thank you!

In China,I is used Tor by myself to write the config file:torrc,but could not used this way to opnsense,so need Tor UI upgrade like this picture,and add obfs4proxy/meek/snowflake.

The opnsense system could used Tor auto way to deal with network problem.
Thank you very much!


https://xiaoxiaobai.ga/28/07/2020/%e7%9b%b8%e5%af%b9%e5%ae%89%e5%85%a8%e7%9a%84%e6%b5%8f%e8%a7%88%e5%99%a8tor%e4%bd%bf%e7%94%a8%e6%95%99%e7%a8%8b/

os-shadowsocks is only a Secure socks5 proxy server,hope support client,need upgrade to support shadowsocksr\v2ray,for open a tunnel to download and update in China.
Need installed default.
More information:
https://github.com/coolsnowwolf/openwrt
https://github.com/2dust/v2rayN
https://github.com/yanue/V2rayU
https://github.com/v2ray/v2ray-core

If not true, I am very sorry.
Thank you!

Unbound - URLs of Blacklists
I add more lists in ,hope upgrade like adblock plus extension in Chrome.
The same with IDS/IPS download.
Which is failed ,click it do download and installed.
ET Pro/rules and Snort VRT/rules could not installed.
If have a handbook told me how to do it,that is very useful.
In China ,the Internet is very slow.
Thank you!

The Snort Rules:ET Pro and Snort VRT are not installed
Error info:
Error reconfiguring IDS
Error(1)

The same with me ,need latest config for Intrusion Detection and Prevention.
Thank you!