Messages - JamesFrisch

#1
General Discussion / Re: Crowdsec Observations
June 13, 2026, 09:37:40 AM
Quote from: ruzamai on June 12, 2026, 05:14:48 PM
What can Crowdsec now offer me?
An additional blocklist.
Plus you can detect unwanted behavior and then block that IP, no matter whether the attacker scans ports or does something unwanted on 443.
Not sure why you would open UDP, btw.

But yeah, for me crowdsec is just that, a community blocklist where people contribute with their own data.
#2
General Discussion / Re: Crowdsec Observations
June 09, 2026, 08:31:11 AM
Quote: I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

Same, but is that even the use case of Crowdsec here? Crowdsec blocked many port scanners for me on OPNsense. Sure, these scanners would not have done much, since the ports were blocked. But the same IP is now blocked for other attacks.
My Crowdsec is way more active on NGINX. This is where all the CVE and WordPress admin/admin stuff happens.

Quote: And there's constant pressure to upsell.

Never noticed that, but probably also because for me this is just fire-and-forget. I won't dig into it. The only time I went into it was a false positive when someone synced 10k new files in Nextcloud.

Quote: However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

For me, the non-existent IPv6 support in fail2ban made me look into Crowdsec. Blocking a single IPv6 address instead of a /48 makes no sense IMHO. I was too lazy to set it up later on, but I think at least it would be possible.

Quote: that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.

AFAIK you can have 3 lists active at the same time. Fine by me.
I don't think it does much. But I also don't think it costs much. And I like the basic idea behind it.
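As an added illustration of the kind of behaviour detection this post describes on the NGINX side (this is example code written for this page, not CrowdSec's own scenarios or anything from the original post): two constructed scenarios, repeated POSTs to /wp-login.php and many 404s on distinct paths, are evaluated over constructed access-log lines with a sliding time window, and an IP that crosses a threshold gets a ban decision. Thresholds, window and the log lines are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One nginx "combined" access-log line; only the fields the scenarios need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def detect(lines, window=60):
    """Return ban decisions [(ip, scenario)] for IPs crossing a threshold within `window` seconds."""
    events = defaultdict(deque)      # (ip, scenario) -> timestamps still inside the window
    seen_404 = defaultdict(set)      # ip -> distinct paths already counted as probes
    banned, decisions = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and path.split("?")[0] == "/wp-login.php":
            name, threshold = "wp-login-bf", 5     # the admin/admin guessing the post mentions
        elif m["status"] == "404" and path not in seen_404[ip]:
            seen_404[ip].add(path)
            name, threshold = "http-probing", 8    # scanner walking through non-existent paths
        else:
            continue
        q = events[(ip, name)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold:                        # one decision per IP, like a ban
            decisions.append((ip, name))
            banned.add(ip)
    return decisions

def _line(ip, second, method, path, status, minute=20):
    # Constructed log line for the demo; documentation IPs (RFC 5737) only.
    return (f'{ip} - - [09/Jun/2026:08:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 50, 10)]
    + [_line("198.51.100.2", 15, "GET", "/index.php", 200)]
    + [_line("192.0.2.9", i, "GET", p, 404, minute=21) for i, p in enumerate(
        ["/.env", "/.git/config", "/phpmyadmin/", "/wp-config.php.bak",
         "/admin/", "/xmlrpc.php", "/backup.zip", "/cgi-bin/test.cgi"])]
    + [_line("198.51.100.5", s, "POST", "/wp-login.php", 200, minute=22) for s in (0, 5, 10)]
)
```

Running detect(SAMPLE_LOG) bans the five-POST login guesser and the eight-path prober, while the host with only three login attempts stays below threshold.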
#3
26.1, 26.4 Series / Re: Rules [new] vs. Rules
May 27, 2026, 08:32:02 AM
Quote from: tigo003 on May 27, 2026, 07:39:11 AM
Just trying to gauge whether I should try again to migrate in July / August or later in the year.

There is no rush to migrate. Totally fine to not migrate in 2026. I did it on one site, and personally have a hard time getting warm with the new firewall rules. IMHO it is a downgrade and looks messy, even if you change filters all the time. But to be fair, I have not invested much time into it yet :)
#4
General Discussion / Re: KEA is still a mess IMHO
May 10, 2026, 08:57:40 PM
Quote from: Patrick M. Hausen on May 08, 2026, 08:01:56 AM
All my servers use SLAAC. The addresses are stable unless I change the MAC address of the server for some reason. I can then point Caddy (or NginX in your case) at these addresses. DHCPv6 is rarely needed.

Interesting, I thought that I had changing IPv6 addresses, but that was in the beginning of my journey. So maybe I looked at the privacy-extension IPv6 addresses back then. So in theory, I could ditch DHCPv6 and go with SLAAC only, you think?

Hmm... I have to think about that, I quite liked having 10.10.50.4 and 2000:2000:2000:50::4 for simplicity.
#5
General Discussion / Re: KEA is still a mess IMHO
May 08, 2026, 07:33:12 AM
That is a little bit off topic, because my issue is more about OPNsense offering MAC-based reservations, which according to some folks on GitHub is against IPv6 philosophy. And because of that, they have not accounted for certain situations and you run into errors.

Maybe I am misunderstanding you, but IMHO your idea falls flat, because I only need static leases for services. And for that I need a static IPv6.

I can't say to NGINX:
My static /48 prefix is 2000:2000:2000::, my service is in VLAN 30, which has the prefix 2000:2000:2000:30::, so proxy pass to 2000:2000:2000:30:: and somewhere in there is my destination, go find it.
#6
General Discussion / Re: KEA is still a mess IMHO
May 07, 2026, 09:38:21 PM
Quote from: franco on May 07, 2026, 10:46:17 AM
I'm unable to tell.

Me too ;) No seriously, I have these issues with OPNsense, but of course it could also be KEA that is the root issue.
#7
General Discussion / KEA is still a mess IMHO
May 06, 2026, 09:34:40 PM
I know a lot of work went into KEA and I truly believe that a lot of bugs were ironed out with the recent release.
Still, KEA is IMHO not polished and production ready.

One example:
1. You have a static IPv4 reservation (based on MAC)
2. You create an IPv6 reservation based on the same MAC

KEA will now ignore your IPv4 reservation. Yes, it worked before, but now it no longer works and the client instead gets an IPv4 address from the DHCPv4 range, while IPv6 will do the reservation correctly.

Quote: But James, you should use DUID and not MAC for IPv6
Fine, but then it should not use MAC when I click on the "add static lease" button in the lease tab, but DUID instead.
Also, since the newest update, I can no longer see the DUIDs on OPNsense?

So if you think just because ISC is EOL that you should switch to KEA, don't! Don't make the same mistake I did.
There is still no need to make the switch. At least not for now.
#8
Updated the script. Hope it works for you, I don't know how I could make it any simpler.
Let me know if I can help you with anything.
#9
./deSEC_DynDNS.sh runs a script called deSEC_DynDNS.sh in the directory you currently are.

Your ls shows that there is no deSEC_DynDNS.sh file in your current directory.
#10
Thank you for the heads up. In newer versions of OPNsense, you have to enable the checkbox "Show community plugins".

Although I have to check if that plugin is even needed anymore. Maybe I'll check it this afternoon.
#11
You have to make a distinction between two different things.

The official OPNsense plugin uses ddclient.net. The catch with ddclient is that there is no official support yet for deSEC.io.

The GitHub link, on the other hand, links to a bash script that I wrote. It was written solely for deSEC.io.
How to install it on OPNsense is here: https://github.com/jameskimmel/deSEC_DynDNS#prepare-on-opnsense
#12
I think AI is overhyped and hope that the bubble will soon burst.
I also believe that this was primarily a PR stunt, and Mario and Sam are shady individuals akin to Elon Musk.

BUT, the Firefox version 150 with 270 bug fixes makes me second-guess. Maybe it could be helpful for security.
After all, this is mostly fuzzing on steroids? And fuzzing was also useful?
#13
Quote from: Cobra on April 20, 2026, 10:22:07 AM
With my internet connection I received a router that assigns me two dynamic IPs, IPV6 and IPV4.

IPv6 should be static. Otherwise your ISP is not following RIPE recommendations of offering you a static /48 prefix or at least a static /56.
If that is the case, please name and shame.

Quote from: Cobra on April 20, 2026, 10:22:07 AM
So, I created two accounts on DuckDNS and Dedyn.io.
I really like deSEC.io.
If you are looking for an OPNsense plugin that was specifically tailored for deSEC.io, take a look at this: https://github.com/jameskimmel/deSEC_DynDNS
IMHO simpler than the DDNS plugin.

Quote from: Cobra on April 20, 2026, 10:22:07 AM
However, no matter how hard I try in OpnSense, I can't get an IP address to assign Let's Encrypt certificates for an internal NAS.

Why would you need that? You can simply get a cert by using the API DNS challenge of desec.io (just make sure to add a 300s wait timeout) to get the cert. For example opnsense.internal.yourdomain.com. Then you can create an Unbound DNS override to map opnsense.internal.yourdomain.com to for example 192.168.1.1. On the webGUI settings of OPNsense you set it to use said cert.

Now you have a valid cert for opnsense.internal.yourdomain.com and can reach your OPNsense by inserting https://opnsense.internal.yourdomain.com into your browser.

Quote from: Cobra on April 20, 2026, 10:22:07 AM
I also looked at guides for configuring the WAN interface with IPv6, but I'm holding off to avoid creating a mess because I know very little about IPv6.
Don't worry, you won't mess up anything. Just use the settings your ISP tells you to use on the WAN interface (hopefully DHCPv6). In combination with a static IPv6 address for your interfaces (or identity association if you don't have a static prefix) and Router Advertisements, you have working IPv6 network(s).
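The DNS-01 part of the cert procedure above, as an added example written for this page (it is not the author's deSEC_DynDNS script and not from the original post): it publishes the _acme-challenge TXT record through the deSEC REST API and then polls public DNS until the record is visible, which is what the 300s wait is for. The API base URL, the bulk-PUT RRset format, the Token header and the 3600s minimum TTL are assumptions about deSEC's API; the HTTP and DNS clients are injected so the flow can run offline.

```python
import time

DESEC_API = "https://desec.io/api/v1"   # assumed base URL of the deSEC REST API

def relative_name(fqdn, zone):
    # "opnsense.internal.yourdomain.com" in zone "yourdomain.com" -> "opnsense.internal"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(zone) - 1]

def challenge_rrset(fqdn, zone, token_value):
    # RRset for the ACME DNS-01 TXT record; assumption: deSEC wants TXT data quoted, TTL >= 3600
    return {"subname": "_acme-challenge." + relative_name(fqdn, zone),
            "type": "TXT", "ttl": 3600, "records": [f'"{token_value}"']}

def publish_and_wait(fqdn, zone, token_value, api_token, put, resolve_txt,
                     wait=300, interval=15, sleep=time.sleep):
    """Publish the challenge record, then poll DNS until it is visible.

    put(url, json_body, headers) and resolve_txt(name) -> list[str] are injected,
    so the flow can be driven by a real HTTP/DNS client or by stubs. Returns the
    seconds spent waiting, or -1 if the record never showed up within `wait`.
    """
    put(f"{DESEC_API}/domains/{zone}/rrsets/", [challenge_rrset(fqdn, zone, token_value)],
        {"Authorization": f"Token {api_token}", "Content-Type": "application/json"})
    waited = 0
    while waited <= wait:
        if token_value in resolve_txt("_acme-challenge." + fqdn):
            return waited
        sleep(interval)
        waited += interval
    return -1
```

Only after publish_and_wait returns a non-negative value should the ACME client be told to validate; a -1 means the TTL/propagation window was too short and the challenge would fail.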
#14
Cheers, you are right.

But it makes an ugly jump to the bottom and I have to scroll up again to select the second quote (Firefox).
#15
Quote: And if you use anything else you get some crappy Basic HTML version where you can only read the forum partially... W-T-F ?!?!
Is that the case?
Quote: You are promoting an unhealthy Internet where only certain software/companies/brands have a monopoly and that's simply a horrible future that I do not wish to be part of !!!
Discourse is open source, a fork always possible. So I don't really see this point.

Quote: We already have one here!
It is decent and works. But it isn't as fun and engaging.

Quote: The average user does not know what he/she wants and uses whatever you stuff under his/her nose !!!

This goes pretty much for everything : From Cars to Computers...

Sure, but again, that is missing my point. Don't think about you and me, think about the 16-year-old teenager that gets newly drawn into a topic. Forums themselves are a dying breed. And I am not advocating for TikTok. But an early-2000s-style forum is another friction point.

Quote: Congrats : You just named the two most horrible platforms in the world as your favorite! LOL!
I never said they are my favorite. If you would stop twisting my words and listen and not fill in the blanks with your presumptions, you would have known that. I personally can't stand new reddit. I said these two are the world's favorite forum software.
Which again, think less about you and me, think about the rest of the world.

Quote: They are marked READ after opening them so your last step is unnecessary : Not so userfriendly after all, huh ?!
No. Because you don't read every topic. This is to mark the topics as read you have not read.

Quote: There is a PREVIEW button : Use it.
I wrote live preview.

Quote: You can easily click on the QUOTE button of each post and open them in a New Tab and combine them all together again later.
Super EASY and straightforward :)

Can you also select only certain lines and quote just those? And do that multiple times?

Quote: The way this forum does it is soo much simpler and user friendlier that there is no need to re-invent the wheel or warm water...
To copy your style of arguing: Don't you have a PageUp key? This is so much easier than using the mouse (urgghhh mouse, I use my ThinkPad trackpoint) where you have to point to the bottom right and click, just to jump back to the topic. You do know there is a button for that on the keyboard, right?

Quote: If I am honest : I wish many times we all got stuck in the '90's and did not have this messed up world we live in these days!

Me too. And that is totally fine. But again, think a little bit less about you, and more about the community. But I see, this topic is way too emotional for you.