Messages - christophm

#1
Hello,

In the past we added certificates to the CRL and deleted them afterwards.
With OPNsense Business 24.10.2, I'm unable to delete them afterwards, because they are in use by the CRL.
See screenshot attached.

Is this behaviour intended?
What I don't like about this new behaviour is the fact that revoked certs are still showing up in the UI, for example at the OpenVPN Config export.

Christoph
#2
Hi Dennis,

Thanks for your response and sorry for the name mismatch ;)

I've tried your suggestion but it does not work with action "pass" and "quick" disabled.

Here is my example rule:
- Floating rule for logging but not blocking suspicious traffic only:
action: pass, src: any, dst: 8.8.8.8, log: yes, quick: no
8.8.8.8 is just an example here but it's fine for testing if DNS to Google is not allowed per default on your clients.

The result now is that this rule allows everything to 8.8.8.8.
You can test with "telnet 8.8.8.8 53".
Unfortunately that is not the desired behaviour.

What I want to accomplish is to log only that traffic, without allowing more than is allowed for other external IPs on the firewall.

Thank you,
Christoph
#3
Hello Dennis,

Thanks, "deny" and "log" works as you mentioned, but "pass" and "log" is not the same as "log only".
The "pass" action allows potentially more than the total ruleset does.

Christoph
#4
Sorry, I just tested it again and it does not work as desired with "pass" and "quick".

I've created a floating rule with
- action: pass
- quick: off
- source: any
- destination: specific suspicious ip

The problem is that this rule allows all traffic to "specific ip", whereas a "log only"/match rule would not allow anything additional on the firewall.

So, I don't have a solution for "log only" at the moment.
Any more ideas?

Thank you,
Christoph
#5
OK, I think if I combine "pass" with "quick" disabled, I can accomplish what I want to do.

I was actually unsure if I could potentially allow too much with "pass" so I would have preferred a "log only" action.

My intention is to use a blocklist and only log suspicious activity.
I really wanted to avoid a pass for a blocklist.

Christoph
#6
Hi Dennis,

Thanks for your answer.

What I'm searching for is to log the traffic only, without applying a "pass/block/reject" action.

I've found the following "match" action in the pfsense docs.
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#match-action

Thank you,
Christoph
#7
Hi,

Is there a way to accomplish the following iptables rule with OPNsense?
iptables -A FORWARD -d 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

I'm unsure if "Set local tag"/"Match local tag" together with quick could help.
The "match" action as on pfsense does not seem to be available.

Thank you,
Christoph
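The exchanges in #2, #4, #6 and #7 all hinge on how pf (the packet filter underneath OPNsense) picks a winning rule. The following is an added illustration, not code from the thread or from the OPNsense project: a small Python model of pf's evaluation order, as documented in pf.conf(5), run against two constructed rulesets. Rule names, the default-deny/floating/interface ordering and the "LAN allow HTTPS" rule are assumptions that approximate a generated OPNsense ruleset; the pf.conf line in the comment is pf syntax for the `match` action referenced from the pfSense docs, not an OPNsense GUI option.

```python
"""
Model of pf rule evaluation (added example, assumptions noted inline).

Semantics modelled, per pf.conf(5):
  * Rules are evaluated top to bottom.
  * A matching pass/block rule becomes the candidate verdict; without "quick",
    evaluation continues and a later matching rule overrides it, so the LAST
    matching pass/block rule wins. With "quick", evaluation stops there.
  * A "match" rule never becomes the verdict. It only applies its options
    (here: log) and evaluation continues.
  * Only the winning pass/block rule's "log" is honoured; overridden rules do
    not log. A "match log" rule logs whenever it matches.
  * With no matching pass/block rule at all, pf's default is to pass.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass
class Rule:
    action: str                   # "pass", "block" or "match"
    label: str
    dst: str = "any"              # host/CIDR or "any"
    dport: Optional[int] = None   # destination port, None = any port
    quick: bool = False
    log: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    action: str                   # final "pass" or "block"
    logged_by: list = field(default_factory=list)   # labels that logged it


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in \
            ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    winner = None
    logged = []
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        if r.action == "match":
            if r.log:
                logged.append(r.label)   # match log fires on every match
            continue                     # match never decides pass/block
        winner = r                       # last matching pass/block wins...
        if r.quick:
            break                        # ...unless it is quick
    if winner is None:
        return Verdict("pass", logged)   # pf default when nothing matches
    if winner.log:
        logged.append(winner.label)
    return Verdict(winner.action, logged)


# Constructed rulesets (assumption): a non-quick default deny first, then the
# floating "suspect" rule, then a quick interface rule allowing HTTPS out.
DEFAULT_DENY = Rule("block", "Default deny", log=True)
ALLOW_HTTPS = Rule("pass", "LAN allow HTTPS", dport=443, quick=True)

# What the thread tried in #2/#4: action pass, log on, quick off.
RULES_PASS_NOQUICK = [
    DEFAULT_DENY,
    Rule("pass", "SUSPECT pass/log", dst="8.8.8.8", log=True, quick=False),
    ALLOW_HTTPS,
]

# pf's match action, in pf.conf syntax:  match log to 8.8.8.8 label "SUSPECT"
RULES_MATCH = [
    DEFAULT_DENY,
    Rule("match", "SUSPECT match/log", dst="8.8.8.8", log=True),
    ALLOW_HTTPS,
]


def verdict_for(rules: List[Rule], dst: str, dport: int) -> Verdict:
    """Evaluate a constructed LAN client packet against a ruleset."""
    return evaluate(rules, Packet("192.168.1.10", dst, dport))


if __name__ == "__main__":
    for name, rules in (("pass/quick off", RULES_PASS_NOQUICK), ("match", RULES_MATCH)):
        for dst, port in (("8.8.8.8", 53), ("8.8.8.8", 443), ("1.1.1.1", 53)):
            v = verdict_for(rules, dst, port)
            print(f"{name:14} {dst}:{port:<3} -> {v.action:5} logged_by={v.logged_by}")
```

Running it reproduces the observation from #2: with "pass, quick off", a packet to 8.8.8.8:53 is matched by the default deny and then by the floating pass rule; nothing later overrides it, so the pass rule is the last match and the packet is allowed (the "telnet 8.8.8.8 53" test). It also shows a second problem: 8.8.8.8:443 is won by the quick HTTPS rule, so the floating pass rule does not even log it. With a `match log` rule instead, 8.8.8.8:53 stays blocked by the default deny but is logged under the suspect label, and 8.8.8.8:443 is still passed by the HTTPS rule and logged as well, which is the "log only" behaviour the thread was after.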
#8
Hello,

today I tried to upgrade from 20.7 to 21.1.

I noticed a problem with the existing NRPE check "check_icmp" installed by os-nrpe.
With 21.1 setting a source address fails.

# /usr/local/libexec/nagios/check_icmp -H 10.10.10.1 -s 10.10.100.1
check_icmp: Cannot bind to IP address 10.10.100.1: Socket operation on non-socket
# /usr/local/libexec/nagios/check_icmp -H 10.10.10.1 -s em2
check_icmp: Cannot determine IP address of interface em2: Inappropriate ioctl for device

Any idea how that could be fixed?

Thank you,
Christoph