Messages

1

24.7 Production Series / CUPS vulnerability

« on: September 28, 2024, 11:25:44 am »

I did my homework before asking. No CUPS package to be found in OPNsense and no port 631 listening.

However, since *BSD is potentially affected, I would like to confirm that there is indeed no risk for OPNsense. Could any third-party package install CUPS?

Thank you.

2

23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside

« on: November 06, 2023, 08:20:41 pm »

Thanks, franco, for the hint. I will check at my earliest convenience.

3

23.7 Legacy Series / Re: Unbound not resolving Microsoft domains

« on: November 06, 2023, 08:18:11 pm »

I haven't dug into this topic too much but I also notice that many Microsoft domains do not resolve on my internal network. Lookups on OPN directly work.

Example: g.msn[.]com

I was hoping that some update would fix that issue...

4

23.7 Legacy Series / Re: After upgrade to 23.7.7_3 - link down/up - and after that NO connection outside

« on: November 06, 2023, 08:07:44 pm »

Hi forum,

I can completely confirm this issue.

After switching on a PC that is directly connected to one of the OPN ports, it takes approx. 10 minutes for the external network connection to become available. Connection to the OPN interface works, as does e.g. DNS. So it's not an issue on the "pc side" of the network.

All other physical OPN ports are not affected and continue to function as normal.

The only log entries that appear around the time the network starts to work are those:

SYSTEM/LOG/GENERAL
Notice   root   reload filter for configured schedules   
Notice   kernel   <6>igb1: promiscuous mode disabled   
Notice   kernel   <6>igb1: promiscuous mode enabled

This has only started after upgrading to 23.7.7_3.

Any ideas are much appreciated.

5

23.7 Legacy Series / Re: Unusual Issue

« on: September 14, 2023, 09:51:57 pm »

Hi fbtanner,

I guess we need more details on your configuration. However, if your OPN's LAN IF has 10.8.0.1/16, there is no such thing as a 10.8.1.0/?? subnet. The only network you have is 10.8/16.

My first guess is that you have configured 10.8.x.0/24 networks on your hosts which will not work as expected.

Any 10.8.x.0/24 where x!=0 will not have a route to your OPN box.

6

23.7 Legacy Series / Firewall rule not working as expected

« on: September 14, 2023, 09:45:41 pm »

Dear forum,

I'm a bit puzzled.

I have a firewall deny rule that blocks access to a particular domain by means of an alias that I have created for that domain.

The rule has been working fine for months. Then I observed that the domain is accessible all of a sudden. I didn't touch the firewall config. For debugging purposes, I enabled logging for the rule in question and, voila, the rule works again as it should.

Any hints are much appreciated.

Thanks,
adk

7

22.7 Legacy Series / Static DHCPv4 hogging memory?

« on: December 31, 2022, 10:09:11 am »

Hi forum,

I am on 22.7.10_2. Yesterday, I configured some static DHCPv4 mappings. With every entry in the mapping table, my memory use increased. After having created three entries, something had hogged all my free memory (6GB) and filled up my entire swap.

Rebooting fixed the issue and everything was back to normal.

Creating more static mapping entries reliably reproduced the issue.

Is this a known bug?

Regards,
adk

8

22.1 Legacy Series / Re: cyrus-sasl

« on: March 01, 2022, 10:51:20 pm »

I also noticed the vuln in the security audit.

However, the really interesting questions are:-
* Is OPNsense vulnerable in its default configuration?
* Are there any mitigation measures?
* Is access to the web UI needed or are there also other attack vectors?

Any feedback is much appreciated.

9

General Discussion / time-boxed internet access for certain MACs or IPs

« on: February 16, 2022, 06:47:50 pm »

Dear forum,

I am trying to implement time-based restrictions for some IPs on my network that can be bypassed with a password or similar. I.e. for normal users, internet access should be terminated at a certain time. For some users, though, it should be possible to bypass this restriction. However, I haven't found a viable solution yet.

Time-triggered firewall rules do not appear to be suitable since they cannot be bypassed.

A captive portal is also not ideal as it is AFAIK always active.

Setting up a VPN server just for a few internal IPs to bypass time-based restrictions seems to be a bit over the top .

Any suggestions are highly welcome.

Cheers,
adk

10

General Discussion / Re: Blocking youtube

« on: February 16, 2022, 06:38:28 pm »

Thanks, mimugmail.

I had tried something similar before and created aliases for yt. It worked but was a bit flaky. Sometimes connections would succeed but most of the time they were blocked.

Just wondering why the DNS blocklist does not work. All the others seem to be working fine.

Cheers,
adk

11

General Discussion / Blocking youtube

« on: February 15, 2022, 08:11:20 am »

Hello forum,

I have been testing various DNS blocklists in unbound. I noticed that the Facebook blocklist seems to work fine whereas the Youtube blocklist does not seem to have any effect. Does anyone have an idea why this is?

Cheers,
adk

12

General Discussion / Transparent proxy and netflow

« on: December 18, 2021, 03:09:00 pm »

Dear community,

I am running a transparent HTTP proxy on my OPNsense box. It appears that some of the traffic from LAN to the Internet is not represented in the netflow diagrams. So far I didn't have the time yet for a thorough investigation but it appears to me that HTTPS traffic is counted by netflow whereas plain HTTP is not. Could the port redirection rule for the transparent HTTP proxy be the cause for this?

Under Reporting > Health > Traffic, all traffic is counted and the digrams are correct.

Any ideas are much valued.

13

21.7 Legacy Series / Re: Suricata warning: flowbit 'ET.Parallax-12' is checked but not set.

« on: December 17, 2021, 03:03:56 pm »

Thanks @all for your replies.

The latest OPNsense updated fixed the unknown classtype errors.

The flowbit errors persist, though. How would I set a flowbit to active and how can I find out which flowbit is required by which rule? Not sure how I can figure that out.

Having said that, I am still a bit surprised that these error messages started popping up without my having changed anything. What might be the cause for this?

Any help is much appreciated.

14

General Discussion / Re: log4j and OPNsense

« on: December 12, 2021, 12:13:42 pm »

@all: Thanks for your responses.

So I take it that when I do not run Sensei or have not used any third-party repos, there should be no Java in OPNsense.

15

General Discussion / log4j and OPNsense

« on: December 12, 2021, 01:52:03 am »

Dear community,

I am almost 100 percent sure that this new vuln (CVE-2021-44228) does NOT affect OPNsense since it is AFAIK built with Python and PHP but some brief feedback from a dev would be much appreciated.

Cheers
adk