Messages - h4ck3r

#1
Thank you Franco, I will check it, but the same configuration is on hardware and we don't have these errors on OPNsense version 21.7. I am saying this for informational purposes.

I try to update from time to time. There is another log today :/

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Thu Oct 20 08:54:41 +03 2022
Fetching changelog information, please wait... opnsense-verify: error:04091068:rsa routines:int_rsa_verify:bad signature
Signature is not valid
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 808 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   e2fsprogs-libuuid: 1.46.5 -> 1.46.5_1
   git: 2.37.3 -> 2.38.0
   isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
   isc-dhcp44-server: 4.4.2P1_1 -> 4.4.3P1
   libffi: 3.4.2 -> 3.4.3
   libfido2: 1.11.0 -> 1.12.0
   mpd5: 5.9_10 -> 5.9_11
   opnsense: 22.7.5 -> 22.7.6
   php80: 8.0.23 -> 8.0.24
   php80-ctype: 8.0.23 -> 8.0.24
   php80-curl: 8.0.23 -> 8.0.24
   php80-dom: 8.0.23 -> 8.0.24
   php80-filter: 8.0.23 -> 8.0.24
   php80-gettext: 8.0.23 -> 8.0.24
   php80-ldap: 8.0.23 -> 8.0.24
   php80-mbstring: 8.0.23 -> 8.0.24
   php80-pdo: 8.0.23 -> 8.0.24
   php80-phalcon: 5.0.2 -> 5.0.3
   php80-session: 8.0.23 -> 8.0.24
   php80-simplexml: 8.0.23 -> 8.0.24
   php80-sockets: 8.0.23 -> 8.0.24
   php80-sqlite3: 8.0.23 -> 8.0.24
   php80-xml: 8.0.23 -> 8.0.24
   php80-zlib: 8.0.23 -> 8.0.24
   py39-certifi: 2022.6.15 -> 2022.9.24
   py39-idna: 3.3 -> 3.4
   strongswan: 5.9.6_2 -> 5.9.8

Installed packages to be REINSTALLED:
   squid-5.7 (options changed)

Number of packages to be upgraded: 27
Number of packages to be reinstalled: 1

The process will require 3 MiB more space.
22 MiB to be downloaded.
self: No packages available to install matching 'opnsense'
#2
Could the update problem have a dependency on these packages?

SYSTEM: FIRMWARE: LOG FILE

2022-10-06T15:41:24   Notice   pkg   pkgconf-1.8.0_1,1 deinstalled   
2022-10-06T15:41:24   Notice   pkg   libuv-1.44.2 deinstalled   
2022-10-06T15:41:24   Notice   pkg   bash-5.1.16 deinstalled   
2022-10-06T15:41:24   Notice   pkg   netdata-1.36.1_1 deinstalled   
2022-10-06T15:41:23   Notice   pkg   os-netdata-1.2 deinstalled
#3
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Tue Oct 18 08:22:03 +03 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=54 time=51.213 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=54 time=51.172 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=54 time=51.122 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=54 time=51.168 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.122/51.169/51.213/0.032 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.txz: . done
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***



Seems like it can't resolve it in DNS with "fetch".

root@OPNsense:~ # sh -x /usr/local/opnsense/scripts/firmware/changelog.sh fetch
+ set -e
+ DESTDIR=/usr/local/opnsense/changelog
+ FETCH='fetch -qT 5'
+ COMMAND=fetch
+ VERSION=''
+ [ fetch '=' fetch ]
+ changelog_fetch
+ mkdir -p /usr/local/opnsense/changelog
+ changelog_checksum /usr/local/opnsense/changelog/changelog.txz
+ sha256 -q /usr/local/opnsense/changelog/changelog.txz
+ echo 6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5
+ CHECKSUM=6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5
+ changelog_url
+ opnsense-version -a
+ CORE_ABI=22.7
+ opnsense-verify -a
+ SYS_ABI=FreeBSD:13:amd64
+ URLPREFIX=https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
+ opnsense-update -M
+ egrep -iq '\/[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}\/'
+ echo https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ URL=https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ fetch -qT 5 -mo /usr/local/opnsense/changelog/changelog.txz https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ changelog_checksum /usr/local/opnsense/changelog/changelog.txz
+ sha256 -q /usr/local/opnsense/changelog/changelog.txz
+ echo 0460d8ba23dc3cfb55db904b9d45dcf7755ff1d8bee2ea513a6a02ac0359e454
+ [ 6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5 '!=' 0460d8ba23dc3cfb55db904b9d45dcf7755ff1d8bee2ea513a6a02ac0359e454 ]
+ fetch -qT 5 -o /usr/local/opnsense/changelog/changelog.txz.sig https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz.sig
fetch: transfer timed out

root@OPNsense:~ # curl -v google.com
*   Trying 172.217.17.142:80...
*   Trying 2a00:1450:4017:811::200e:80...
* Immediate connect fail for 2a00:1450:4017:811::200e: No route to host


^C
root@OPNsense:~ # curl -v -4 google.com
*   Trying 172.217.17.142:80...
* Connected to google.com (172.217.17.142) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.85.0
> Accept: */*
>


root@OPNsense:~ # fetch -v -4 -o speedtest.py http://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
resolving server address: raw.githubusercontent.com:80


failed to connect to raw.githubusercontent.com:80
fetch: transfer timed out

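In the trace above changelog.txz itself was downloaded (its SHA-256 changed from 6cdecc65... to 0460d8ba...), but the follow-up download of changelog.txz.sig timed out, so the local changelog and its signature are no longer a matching pair; a verifier checking that pair reports a bad signature, which is one way to end up with the "Signature is not valid" output from post #1. The script below is an added example, not the thread's own commands and not OPNsense's changelog.sh: it downloads an artifact and its detached signature into a scratch directory, verifies them with openssl, and installs both only after verification succeeds, so a timeout on either download leaves the installed files untouched. It assumes curl is available (fetch(1) on FreeBSD would serve the same role), an RSA/SHA-256 detached signature, a PEM public key, and a file:// URL for the offline demo; the key it generates is throwaway demo material.

```shell
#!/bin/sh
# Added example: fetch-then-verify with atomic install of artifact + detached signature.
# Not part of OPNsense; the paths, key and "repository" used by demo are constructed.
set -eu

# verify_detached FILE SIG PUBKEY
#   Returns 0 only if SIG is a valid RSA/SHA-256 signature of FILE under PUBKEY (PEM).
verify_detached() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# fetch_verified URL DEST PUBKEY
#   Downloads URL and URL.sig into a scratch directory with a 5 s timeout
#   (mirrors the "fetch -qT 5" in changelog.sh), verifies the pair, and only
#   then moves both into place. Return codes: 1 download failed, 2 signature
#   invalid, 3 install failed. On any failure DEST and DEST.sig are untouched,
#   so a stale signature can never sit next to a fresh artifact.
fetch_verified() {
    url=$1; dest=$2; pubkey=$3
    tmp=$(mktemp -d) || return 1
    rc=0
    if ! curl -fsS --max-time 5 -o "$tmp/artifact" "$url" \
       || ! curl -fsS --max-time 5 -o "$tmp/artifact.sig" "$url.sig"; then
        echo "fetch failed (timeout or missing): $url" >&2
        rc=1
    elif ! verify_detached "$tmp/artifact" "$tmp/artifact.sig" "$pubkey"; then
        echo "signature is not valid: $url" >&2
        rc=2
    else
        mv "$tmp/artifact.sig" "$dest.sig" && mv "$tmp/artifact" "$dest" || rc=3
    fi
    rm -rf "$tmp"
    return $rc
}

# setup_signed_repo DIR KEY PUB
#   Builds a constructed local "repository": a throwaway RSA key pair, an
#   artifact, and its detached signature. Demo scaffolding only.
setup_signed_repo() {
    mkdir -p "$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
    openssl pkey -in "$2" -pubout -out "$3" 2>/dev/null
    printf 'changelog body v1\n' > "$1/artifact"
    openssl dgst -sha256 -sign "$2" -out "$1/artifact.sig" "$1/artifact"
}

# demo: good case, then the mismatched case (artifact replaced upstream while
# the old .sig is still served), then the case where the .sig download fails.
demo() {
    work=$(mktemp -d)
    setup_signed_repo "$work/repo" "$work/key.pem" "$work/pub.pem"
    fetch_verified "file://$work/repo/artifact" "$work/installed" "$work/pub.pem" && echo "ok: installed and verified"
    printf 'changelog body v2\n' > "$work/repo/artifact"   # new artifact, stale signature
    fetch_verified "file://$work/repo/artifact" "$work/installed" "$work/pub.pem" || echo "rejected: rc=$?"
    rm "$work/repo/artifact.sig"                            # signature unreachable (cf. the timed-out fetch)
    fetch_verified "file://$work/repo/artifact" "$work/installed" "$work/pub.pem" || echo "rejected: rc=$?"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Saved as a script and run with the single argument `demo`, it prints one success line followed by two rejections (rc=2 for the stale signature, rc=1 for the missing one). The ordering matters: downloading both files before verifying, and verifying before moving anything, is what keeps the installed pair consistent; checking the artifact's checksum against the previous copy, as changelog.sh does, tells you whether something changed but not whether the change is authentic.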
#4
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Tue Oct 18 00:26:55 +03 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=54 time=51.545 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=54 time=51.555 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=54 time=51.585 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=54 time=51.504 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.504/51.547/51.585/0.029 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 808 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***



root@OPNsense:~ # sysctl -a | grep rss
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3 4:4 5:5 6:6 7:7 8:8 9:9 10:10 11:11 12:12 13:13 14:14 15:15
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 16
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 16
net.inet.rss.maxbits: 7
net.inet.rss.mask: 15
net.inet.rss.bits: 4
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1


root@OPNsense:~ # sysctl -a | grep isr
net.route.netisr_maxqlen: 256
net.isr.numthreads: 16
net.isr.maxprot: 16
net.isr.defaultqlimit: 256
net.isr.maxqlimit: 10240
net.isr.bindthreads: 1
net.isr.maxthreads: 16
net.isr.dispatch: hybrid

before update:
root@OPNsense:/home # dmesg | grep vectors
igb0: Using MSI-X interrupts with 9 vectors
igb1: Using MSI-X interrupts with 9 vectors
igb2: Using MSI-X interrupts with 9 vectors
igb3: Using MSI-X interrupts with 9 vectors
ix0: Using MSI-X interrupts with 9 vectors
ix1: Using MSI-X interrupts with 9 vectors
ix2: Using MSI-X interrupts with 9 vectors
ix3: Using MSI-X interrupts with 9 vectors
after update:
root@OPNsense:/home # dmesg | grep vectors
anything????

ix0    1500 <Link#5>      a0:36:9f:54:2d:94  2106555    22     0  1253860     0     0
ix0       - 193.X.X.36/ 193.X.X.38          2354     -     -     2029     -     -
ix0       - 79.123.X.X 79.123.X.X           0     -     -        0     -     -
ix1    1500 <Link#6>      a0:36:9f:54:2d:96  1015755     0     0  1045083     0     0


#5
Can you share your Ethernet card, CPU, RAM and server information?
How many rulesets are active on the IPS side? Could you run Suricata multi-core by enabling RSS?
Thanks wuwzy
#6
We think it may be related to FreeBSD 13 when we switched from version 21.x to version 22.x. There are errors with the Intel X540-T2 card. No problem with the Intel I350-t rNDC cards :/

Is there information and support for your current card here: https://www.freebsd.org/releases/13.1R/hardware/ ?

#7
Hi @klamath

OPNsense 21.7.3_3-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Hardware: Dell R720
CPU 1   Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz   Model 62 Stepping 4   2600 MHz 8core
CPU 2   Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz   Model 62 Stepping 4   2600 MHz 8core

Ram : DDR-3   64.00 GB   Presence Detected   Dual Rank   1866 MHz

Ethernet:
NIC Slot 6   Intel(R) Ethernet Converged Network Adapter X540-T2 (WAN,DMZ)
Integrated NIC 1   Intel(R) GbE 4P I350-t rNDC (LAN,MANAGEMENT)

When Suricata is enabled with IDS/IPS protection the max WAN speed is capped at around 650-670 Mbps; with IPS mode disabled I can achieve the full 827 Mb/s down.

I can't say that the Ethernet cards we use are not compatible with Suricata IPS running on FreeBSD, because you have witnessed that it works properly with the previous kernel.

At the same time, when I follow the dpinger service, the situation is as follows:

2021-11-12T02:35:16   dpinger[78904]   send_interval 1000ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr    
2021-11-11T13:01:05   dpinger[62032]   WAN_GWv4_ X: sendto error: 55   
2021-11-11T02:35:29   dpinger[72741]   GATEWAY ALARM: WAN_GWv4_ (Addr: XAlarm: 0 RTT: 13002us RTTd: 125us Loss: 0%)   
2021-11-11T02:35:29   dpinger[62032]   WAN_GWv4_ X.255.0.37: Clear latency 13002us stddev 125us loss 0%   
2021-11-11T02:35:17   dpinger[38016]   GATEWAY ALARM: WAN_GWv4_ (Addr: X.255.0.37 Alarm: 1 RTT: 12983us RTTd: 102us Loss: 25%)   
2021-11-11T02:35:17   dpinger[62032]   WAN_GWv4_ X.255.0.37: Alarm latency 12983us stddev 102us loss 25%   
2021-11-11T02:35:14   dpinger[62032]   send_interval 1000ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr X.255.0.37 bind_addr X.255.0.38 identifier "WAN_GWv4_ "   
2021-11-10T17:00:24   dpinger[89102]   WAN_GWv4_ X.255.0.37: sendto error: 55



It would be great if we could find a solution and suggestion for this problem, thank you for your valuable information sharing.
#8
Hello,
From time to time I need to transfer a lot of backup data from one local network to another (from LAN to DMZ using Veeam Agent for Microsoft). I don't want to disable IDS/IPS on these interfaces, but is it possible to bypass IDS/IPS for NFS (TCP/2049) during the transfer? I haven't found any hints on how to write a rule that leaves Suricata's ruleset very early. Suricata's documentation is unclear to me at this point (https://suricata.readthedocs.io/en/suricata-6.0.0/performance/ignoring-traffic.html).
What would be the best way to accomplish my requirement?

Also, some IP addresses in the DMZ need to receive data from clients on the LAN side via SNMP (naturally emerging-scan.rules prevents this). How can we make these IP addresses bypass the IDS rules?
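Both requests in the post above (NFS backups from LAN to DMZ, SNMP from LAN clients to particular DMZ hosts) map onto the two mechanisms the linked Suricata page describes: a `pass` rule, which stops signature matching for a packet at the first match, or a BPF capture filter, which keeps the traffic away from Suricata entirely. The script below is an added example, not code from the thread or from OPNsense or Suricata; it generates both forms from a short list of bypass entries and refuses input that would produce a malformed rule. The LAN and DMZ prefixes (192.0.2.0/24, 198.51.100.0/24), the two DMZ monitor hosts and the local SID range starting at 1000000 are assumptions made for the sample.

```python
"""Generate Suricata pass rules and an equivalent BPF capture filter for traffic
that should skip IDS/IPS inspection. Added example; addresses below are
constructed documentation prefixes, not the poster's network."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Local rules are conventionally numbered from 1,000,000 upwards so they never
# collide with vendor SIDs (e.g. the ET rules); Suricata itself does not enforce this.
LOCAL_SID_BASE = 1000000


@dataclass(frozen=True)
class Bypass:
    proto: str   # "tcp" or "udp"
    src: str     # IP, CIDR or "any"
    dst: str     # IP, CIDR or "any"
    port: int    # server-side port: 2049 for NFS, 161 for SNMP
    msg: str     # rule message; '"' and ';' are rule-option delimiters and are rejected


def _net(addr: str) -> str:
    """Normalise an address for a rule header; a bare host loses its /32 or /128."""
    if addr == "any":
        return "any"
    n = ipaddress.ip_network(addr, strict=False)   # raises ValueError on junk
    return str(n.network_address) if n.num_addresses == 1 else str(n)


def _validate(b: Bypass) -> None:
    if b.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported proto {b.proto!r}")
    if not 1 <= b.port <= 65535:
        raise ValueError(f"bad port {b.port}")
    if any(c in b.msg for c in '";'):
        raise ValueError("msg must not contain '\"' or ';' (would break the rule)")


def pass_rules(bypasses: Iterable[Bypass], sid_base: int = LOCAL_SID_BASE) -> List[str]:
    """One pass rule per entry. The '<>' operator makes the header bidirectional,
    so both the request packets and the reply packets of the flow skip the
    remaining signatures; a one-way '->' rule would only cover packets heading
    towards the server port, leaving the replies to be inspected."""
    rules = []
    for i, b in enumerate(bypasses):
        _validate(b)
        rules.append(
            f"pass {b.proto} {_net(b.src)} any <> {_net(b.dst)} {b.port} "
            f'(msg:"{b.msg}"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


def _bpf_nets(src: str, dst: str) -> str:
    """Direction-agnostic address clause in pcap-filter syntax."""
    def clause(kind: str, addr: str):
        if addr == "any":
            return None
        n = ipaddress.ip_network(addr, strict=False)
        return f"{kind} host {n.network_address}" if n.num_addresses == 1 else f"{kind} net {n}"
    fwd = [c for c in (clause("src", src), clause("dst", dst)) if c]
    rev = [c for c in (clause("src", dst), clause("dst", src)) if c]
    if not fwd:
        return ""
    return "((" + " and ".join(fwd) + ") or (" + " and ".join(rev) + "))"


def bpf_filter(bypasses: Iterable[Bypass]) -> str:
    """Capture filter excluding the same traffic before Suricata decodes it.
    Cheaper than pass rules, but the traffic then appears in no Suricata output at all."""
    terms = []
    for b in bypasses:
        _validate(b)
        t = f"{b.proto} and port {b.port}"
        nets = _bpf_nets(b.src, b.dst)
        if nets:
            t += " and " + nets
        terms.append(f"({t})")
    return "not (" + " or ".join(terms) + ")" if terms else ""


# Constructed sample matching the question: NFS backups LAN -> DMZ and SNMP
# polls from LAN clients to two assumed DMZ hosts.
SAMPLE = [
    Bypass("tcp", "192.0.2.0/24", "198.51.100.0/24", 2049, "pass NFS backup LAN to DMZ"),
    Bypass("udp", "192.0.2.0/24", "198.51.100.10", 161, "pass SNMP LAN to DMZ monitor 1"),
    Bypass("udp", "192.0.2.0/24", "198.51.100.11", 161, "pass SNMP LAN to DMZ monitor 2"),
]

if __name__ == "__main__":
    print("\n".join(pass_rules(SAMPLE)))
    print(bpf_filter(SAMPLE))
```

The pass rules go into a local rules file that Suricata loads alongside the vendor sets; the BPF string is for the capture filter. Choosing between them is the trade-off the poster is asking about: a pass rule still lets Suricata see the flow and only skips signature matching, while a capture filter removes the traffic from inspection and logging alike, so the NFS bulk transfer is a natural BPF candidate and the SNMP exception, where you may still want flow records, fits a pass rule.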