Messages - MrRagga

#1
Hi,
DNS blocking does not work, since I have deny-all rules for my host and only allow a few specific ones. But since e.g. Windows Updates uses a lot of possibly changing IP addresses, DNS will probably resolve, but it will still be blocked at the firewall filtering level.

Cheers Jonas
#2
Hi,
thanks for your answer.
I used the settings in firefox "Also use this proxy for FTP and HTTPS", which points to "192.168.1.23:3128". So no need to point HTTPS to another port? That's why I tried to redirect to 3128 with the transparent settings, too.

It's not too late for a DNS solution. With unbound or dns-crypt?

Cheers Jonas
#3
Hi,
I just want to get the web proxy running to deny all outgoing traffic except for a few domains.
I enabled SSL inspection and "Log SNI information only", because as far as I understand this is needed to be able to do ACL filtering on DNS names, right?

If I configure the browser on the host (192.168.1.102) to directly use the web proxy for http/https on port 3128 it does work as expected.

If I try to do it transparently via the Port Forwarding NAT rule, I get a "SSL_ERROR_RX_RECORD_TOO_LONG", which seems like there is something wrong with the redirect rule:
Quote
Interface: IF1 | Proto: TCP | Source: 192.168.1.102 | Src port: * | Destination: ! 192.168.1.0/24 | Dest port: 443 (HTTPS) | NAT IP: 192.168.1.23 | NAT port: 3128 | Description: redirect traffic to proxy HTTPS

Any help appreciated.

Cheers Jonas
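One common cause of SSL_ERROR_RX_RECORD_TOO_LONG is that the port the browser was redirected to answers with plaintext HTTP instead of a TLS record, so the first bytes of the reply decode as an impossibly long TLS record. The example below is added here and is not code from the post, OPNsense or Squid; the HTTP reply bytes are constructed, not captured from the poster's setup.

```python
import struct

# Largest TLS record a client must accept: 2^14 bytes of plaintext plus
# 2048 bytes of expansion (RFC 5246 section 6.2.3); anything larger is rejected.
TLS_MAX_RECORD = 2**14 + 2048


def classify_tls_response(data: bytes) -> str:
    """Read the first 5 bytes the client got back as a TLS record header."""
    if len(data) < 5:
        return "short"
    ctype, version, length = struct.unpack("!BHH", data[:5])
    # 0x15 alert, 0x16 handshake, 0x17 application data; version major byte 3
    if ctype in (0x15, 0x16, 0x17) and version >> 8 == 0x03 and length <= TLS_MAX_RECORD:
        return "tls"
    if length > TLS_MAX_RECORD:
        return "record-too-long"  # what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG
    return "not-tls"


def decode_as_record(data: bytes) -> dict:
    """Expose the three header fields a TLS client extracts, for explanation."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"type": ctype, "version": hex(version), "length": length}


# Constructed samples: a typical plain-HTTP listener's answer to a TLS
# ClientHello it cannot parse, and the start of a genuine TLS ServerHello record.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03" + b"\x00" * 86

if __name__ == "__main__":
    for name, sample in (("plain HTTP", PLAIN_HTTP_REPLY), ("TLS", TLS_SERVER_HELLO)):
        print(name, classify_tls_response(sample), decode_as_record(sample))
```

"HTTP/" decodes as record type 0x48, version 0x5454 and length 20527 bytes, which is above the 18432-byte maximum, so the client aborts before it ever sees the HTTP error text.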
#4
Hi,
I am running version OPNsense 21.1.7_1-amd64.
I followed the documentation https://docs.opnsense.org/manual/how-tos/transparent_bridge.html and configured a bridge interface with DHCP enabled.
The bridge interface is connected to an upstream internet router which serves the bridge interface with a DHCP address.
I am able to connect to the bridge interface to access the OPNsense web interface.

The strange behavior I observed is that OPNsense itself cannot connect to the internet via the bridge interface:

I opened two shells, one with a ping and another one doing a tcpdump:

Quote
root@OPNsense:~ # tcpdump -i igb1 -n host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:49:33.330085 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 0, length 64
14:49:33.355622 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 0, length 64
14:49:33.355836 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 0, length 64
14:49:34.330575 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 1, length 64
14:49:34.355178 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 1, length 64
14:49:34.355328 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 1, length 64
14:49:35.394235 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 2, length 64
14:49:35.419240 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 2, length 64
14:49:35.419441 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 2, length 64
14:49:36.395406 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 3, length 64
14:49:36.421182 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 3, length 64
14:49:36.421276 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 3, length 64
14:49:37.402817 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 4, length 64

Quote
root@OPNsense:~ # ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
92 packets transmitted, 0 packets received, 100.0% packet loss

From this output it does not look like a routing issue, but rather a filtering issue.

For the bridge interface all incoming and outgoing traffic is allowed (see attachment).

Additionally I changed net.link.bridge.pfil_bridge from default to 1 and net.link.bridge.pfil_member from default to 0.

The only option currently found to enable internet for the OPNsense box itself and be able to e.g. retrieve firmware upgrades is to disable firewall filtering completely via Firewall -> Settings -> Advanced -> Disable all packet filtering.

Here is the output of all filter rules:

Quote
# pfctl -s all
TRANSLATION RULES:
no nat proto carp all
no rdr proto carp all
no rdr on igb0 proto tcp from any to (igb0) port = ssh
no rdr on igb0 proto tcp from any to (igb0) port = http

FILTER RULES:
scrub on igb2 all fragment reassemble
scrub on igb0 all fragment reassemble
scrub on igb3 all fragment reassemble
scrub on igb1 all fragment reassemble
scrub on bridge0 all fragment reassemble
block drop in log on ! bridge0 inet from 192.168.178.0/24 to any
block drop in log inet from 192.168.178.26 to any
pass in log quick on lo0 inet6 all flags S/SA keep state label "70fcd47cc0b8782476fce1731eb7eb4c"
block drop in log quick inet6 all label "91515c100a3692cb94121964974ce513"
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick proto carp from (self) to any label "306de368b07e5782660745341cd22731"
pass log quick proto carp all keep state label "ace7acc1be88f3baee3b75f64fca8a6f"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = http label "b523e02acc7c2758dc28e60501bc95c2"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log on bridge0 proto udp from any port = bootps to any port = bootpc keep state label "8794fba2af10a80a7cd6694545f5f976"
pass out log on bridge0 proto udp from any port = bootpc to any port = bootps keep state label "387b9c2f2783413d29228e81c6e27f02"
pass in log quick on lo0 all flags S/SA keep state label "91e2443ae2e8caf012f9a6e5a8a455c8"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb0 proto tcp from any to (self) port = ssh flags S/SA keep state label "535fb49265487de284cbc79f8048a934"
pass in log quick on igb0 proto tcp from any to (self) port = http flags S/SA keep state label "535fb49265487de284cbc79f8048a934"
pass out log route-to (bridge0 192.168.178.1) inet from (bridge0) to ! (bridge0:network) flags S/SA keep state allow-opts label "d16470f92e546eb1cc63d0d8414acf21"
pass in log quick on igb1 inet proto icmp all keep state label "d80462bd0f5f4db7839ce37d5acf6738"
pass out log quick on igb1 inet proto icmp all keep state label "2255abe718bd9d4b0eaa95123a853c1e"
pass in log quick on igb1 inet all flags S/SA keep state label "56c0bd681b45c2b9059fdb34405fc3cf"
pass in log quick on igb1 inet6 all flags S/SA keep state label "56c0bd681b45c2b9059fdb34405fc3cf"
pass out log quick on igb1 inet all flags S/SA keep state label "797bba2bb0edc676dec18823cdae8109"
pass out log quick on igb1 inet6 all flags S/SA keep state label "797bba2bb0edc676dec18823cdae8109"
block drop in log quick on igb1 inet all label "332710a834c1f8d3eaaba38c885a9360"
block drop out log quick on igb1 inet all label "d6d049b5dae98a0397ac306af917f7db"
pass out log quick on igb0 inet all flags S/SA keep state label "57560aeeec3c6856ac89c82db739c72d"
pass in log quick on igb0 inet all flags S/SA keep state label "84c724704fe974ec269d10b841bd6468"
block drop in log quick on igb0 inet all label "a30a658ac0ebd497abc45b9b13b1aecd"
block drop out log quick on igb0 inet all label "31820796274819aff5a7ce520c566d2e"
pass out log quick on lo0 inet all flags S/SA keep state label "05325fdef78307145a8ee3053a2b16b8"
block drop in log quick on lo0 inet all label "a79a16e4be401f91ecbb92707712b46f"
block drop out log quick on lo0 inet all label "9e693e65e6826c36382b2da578878238"
pass in log quick on igb2 inet all flags S/SA keep state label "02a0b69922af00ebf2a07e7404cb2730"
pass out log quick on igb2 inet all flags S/SA keep state label "653bd7c3c22383592d6df2f9ae03c4dc"
pass out log quick on igb3 inet proto udp from any port = bootpc to any port = bootps keep state label "41a450c8bbded4ae2767718a48e114ee"
pass out log quick on igb3 inet proto udp from any port = bootps to any port = bootpc keep state label "2e664a995ecb77df56f6874da969523d"
pass out log quick on igb3 inet proto tcp from 192.168.178.0/24 to any flags S/SA keep state label "90dcbcf5de35f2e4a6c1752397c26f1b"
pass in log quick on igb3 inet from any to 192.168.178.23 flags S/SA keep state label "298e85603ec04386fb72dd55c4b2a333"
pass in log quick on igb3 inet from any to 192.168.178.24 flags S/SA keep state label "ff9b91f4fb97c6ecc01969640217b9d1"
pass in log quick on igb3 inet all flags S/SA keep state label "18e4965afaaa9b82588bb9da85180eea"
pass out log quick on igb3 inet all flags S/SA keep state label "11bc15649131440ccf0d0ea7ff44c37a"
block drop in log quick on igb3 inet all label "4a79e200d71cb7f98c6355b529b70e5d"
block drop out log quick on igb3 inet all label "cfe61624757dacfb735b8b3623b01d3f"
pass in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state label "86fc54f838e92bf09103bbb5ee3931e7"
pass in log quick on bridge0 inet6 all flags S/SA keep state label "86fc54f838e92bf09103bbb5ee3931e7"
pass out log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state label "ae53026578b5410162b9a17442c17aa5"
pass out log quick on bridge0 inet6 all flags S/SA keep state label "ae53026578b5410162b9a17442c17aa5"
block drop in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all label "e3d8a2996db5a5d66d996c8b6af8c1c9"
block drop out log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all label "616243682f4138671e28923367f87bcc"

Any help appreciated, since I don't know what I am doing wrong.
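When reading a `pfctl -s all` dump like the one above, the question is which rule decides a given packet: pf walks the ruleset top to bottom, the last matching rule wins, and a matching `quick` rule ends evaluation immediately. The example below is added here and is not code from the post or from OPNsense; it parses a constructed subset of the quoted rules (labels dropped) and reports the deciding rule for a packet. State tracking, reply-to/route-to and the bridge pfil sysctls are outside the model, so it explains the rule order, not the whole drop seen in the ping output.

```python
import ipaddress
import re
# Constructed subset of the rules quoted in the post (labels dropped); state,
# reply-to/route-to and bridge pfil sysctls are not modelled.
SAMPLE_RULES = """\
block drop in log on ! bridge0 inet from 192.168.178.0/24 to any
block drop in log inet from 192.168.178.26 to any
block drop in log inet all
pass in log quick on igb1 inet proto icmp all keep state
block drop in log quick on igb1 inet all
pass in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state
pass out log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state
block drop in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all
"""
# Grammar subset of `pfctl -s rules` output: action, direction, quick, "on [!] iface",
# reply-to/route-to, address family, proto, and "all" or "from A to B".
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)?(?: (?P<dir>in|out))?(?: log)?"
    r"(?: (?P<quick>quick))?(?: on (?P<neg>! )?(?P<iface>\S+))?"
    r"(?: (?:reply-to|route-to) \([^)]*\))?(?: (?P<af>inet6?))?"
    r"(?: proto (?P<proto>\S+))? (?:all|from (?P<src>\S+) to (?P<dst>\S+))"
)

def parse_rules(text):
    """One rule per line, in ruleset order; lines outside the subset are skipped."""
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]

def _addr_ok(spec, ip):
    return spec in (None, "any") or ip in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt keys: dir, iface, src, dst, proto (proto named as pf prints it)."""
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and (rule["iface"] == pkt["iface"]) == bool(rule["neg"]):
        return False  # "on X" needs iface == X, "on ! X" needs iface != X
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if rule["af"] and rule["af"] != ("inet6" if src.version == 6 else "inet"):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    return _addr_ok(rule["src"], src) and _addr_ok(rule["dst"], dst)

def decide(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    verdict = ("pass", None)  # pf passes by default when no rule matches
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule["action"], i)
            if rule["quick"]:
                break
    return verdict
```

For the ICMP reply from 1.1.1.1 arriving on bridge0 the model lands on the quick `pass in ... on bridge0` rule (index 5) even though the catch-all `block drop in log inet all` matched earlier, which is why a non-quick block high in the list does not by itself explain the loss.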