Messages - Marty

#1
Quote from: jojothehumanmonkey on May 08, 2021, 07:05:34 PM
so is this website wrong?
http://www.ipv6scanner.com/cgi-bin/main.py
OPEN   An application is listening for connections on that port.
CLOSED   No application listening on that port.
FILTERED   The port is blocked by firewall or other network obstacle.

No, but there's often common misunderstanding on the scanning results.
Basically there are lots of scanning techniques that are used for fingerprinting the target machine: https://nmap.org/book/man-port-scanning-techniques.html
They rely on the design of the TCP/IP stack of the target. In the case of online scanners, the TCP SYN scan is commonly in use. What the non-firewalled OS does upon receiving a SYN is that it responds with RST to indicate that there's no service listening on the particular port.
#2
Usually, filtered means that the packet is silently dropped (no response from target).
Closed means that the server replies with RST flag set.
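The mapping from reply to port state that posts #1 and #2 describe (SYN-ACK means open, RST means closed, silence means filtered), as an added example that is not part of the thread. It reads tcpdump-style lines constructed here (the hosts 192.0.2.10 and 198.51.100.5 are documentation addresses, and `classify_port` is a hypothetical helper name); it does not send any packets itself.

```shell
#!/bin/sh
# Added example, not from the forum thread: classify each probed port from the
# reply the scanned host sent back, following the semantics in posts #1 and #2.

PROBED_PORTS="22 443 8080"

# Constructed sample replies from the scanned host 192.0.2.10 to the scanner
# 198.51.100.5. Port 8080 never answers at all.
CAPTURE='IP 192.0.2.10.443 > 198.51.100.5.40001: Flags [S.], seq 10, ack 1, win 65535
IP 192.0.2.10.22 > 198.51.100.5.40002: Flags [R.], seq 0, ack 1, win 0'

# classify_port PORT CAPTURE -> prints open | closed | filtered
classify_port() {
  port=$1
  capture=$2
  # First reply whose source port is the probed port (empty string if none)
  reply=$(printf '%s\n' "$capture" | grep -E "^IP [0-9.]+\.$port > " | head -n 1)
  case "$reply" in
    *'Flags [S.]'*) echo open ;;      # SYN-ACK: a service accepted the SYN
    *'Flags [R'*)   echo closed ;;    # RST: stack reachable, nothing listening
    *)              echo filtered ;;  # no reply: dropped by a firewall or lost
  esac
}

# Summary table for the constructed capture
for p in $PROBED_PORTS; do
  printf '%s/tcp %s\n' "$p" "$(classify_port "$p" "$CAPTURE")"
done
```

Note that "filtered" is a statement about the absence of a reply, so a lossy path or a rate-limited stack produces the same verdict as a drop rule; a retransmitted probe is the usual way scanners reduce that ambiguity.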
#3
I'm still trying to get my head around this, however it turns out that I was wrong in describing the problem here.
The certificates seem to be generated correctly.
The Root certificate does not need to include an EKU field. The Server certificate includes it.
As an addition, it looks like the client must connect via FQDN even if the IP address is defined in the certificate.
#4
Hello,
I've started to test OPNsense with the intention to replace our company's old box.
I was struggling to configure IPSec VPN using IKEv2 + internal FreeRadius for remote users.
I was following OPNsense tutorials, but also some other sources in the Internet.
It looks like the Root CA certificate generated on OPNsense does not include the Extended Key Usage field (EKU). While RFC4809 says that this should be no reason for the connection to fail whether the EKU is present or not, for Windows 7 clients (no others tested yet) I had to disable the EKU check (which seems to be rather insecure) to make the tunnel come up (otherwise the 13801 error happened).
Is there any special procedure for Root CA certificate generation that should be followed (other than just using the GUI) to get the EKU field present in the generated cert?

Versions:
OPNsense 21.1.5-amd64
FreeBSD 12.1-RELEASE-p16-HBSD
OpenSSL 1.1.1k 25 Mar 2021