1
Tutorials and FAQs / Re: [TOOL] OPNBORG (Monitoring, Audit, Configuration, Log, ...)
« on: October 13, 2024, 03:42:35 pm »
Nice work !
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 07, 2024, 02:11:42 pm »
Maybe tutorial will be affected from https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html
3
24.7 Production Series / Re: New Dashboard
« on: August 06, 2024, 01:43:13 pm »
First impresssions:
1. Clicking on firewall always use rule id in page and i need to remove it ()
2. Mobile version is pain for me the dashboard is moving like crazy and i can't scroll,
But in general its very cool to see some new things implemented ^^
ThanksTeam!
1. Clicking on firewall always use rule id in page and i need to remove it ()
2. Mobile version is pain for me the dashboard is moving like crazy and i can't scroll,
But in general its very cool to see some new things implemented ^^
ThanksTeam!
4
General Discussion / Re: Coraza WAF for HaProxy
« on: July 30, 2024, 09:05:13 am »
Just a quick update on this post , i manage to get it working and its okey, there a few errors that i must fix but so far its okey and blocks.
5
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 19, 2024, 12:12:37 am »
Just a head's up. In Public services picture, X-Forwarded-For Header is set but recent changes are removing it.
Code: [Select]
4.2
Added:
* add support for built-in OCSP update feature
* add support for forwarded header (RFC7239)
* add option "X-Forwarded-For Header" to backend settings
* add options for HTTP/2 performance tuning
Fixed:
* fix SSL sync cron job (bulk sync was never working properly)
Changed:
* upgrade to HAProxy 2.8 release series (#3459)
* change default for HTTP/2 to enabled (only new frontends/backends)
* add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends)
* move OCSP settings from "Service" to "Global" section
* replace bundled haproxyctl library with haproxy-cli
Deprecated:
* frontend option "X-Forwarded-For Header" (the backend option should be used)
6
General Discussion / Coraza WAF for HaProxy
« on: July 18, 2024, 02:24:01 pm »
Hey gentlemens i found in old thread that someone asked about coraza, then i found guide for deb/ubn for integration with HaProxy here.
Can you help me to add it to haproxy for testing purposes , and later add it to HaProxy itself
~ few hundred years later managed to build and run the coraza in opnsense, but i stumble few hickups that i don't understand yet,
- first how to create easy configctl service for it / or maybe just run at startup time of opnsense
- second as i search in forums or inside opnsense files i dont see haproxy.conf that i can edit (and it's not automatic generated) - i guess php handles the generation of it, and in my case is in /usr/local/etc/haproxy.conf and edit will not help, if i click apply from UI because maybe will delete my additions.
Is there a way to add in example bellow few options ?
Can you help me to add it to haproxy for testing purposes , and later add it to HaProxy itself
Code: [Select]
root@wall:~/coraza # git clone https://github.com/corazawaf/coraza-spoa.git
Cloning into 'coraza-spoa'...
remote: Enumerating objects: 965, done.
remote: Counting objects: 100% (451/451), done.
remote: Compressing objects: 100% (178/178), done.
remote: Total 965 (delta 315), reused 311 (delta 265), pack-reused 514
Receiving objects: 100% (965/965), 288.82 KiB | 999.00 KiB/s, done.
Resolving deltas: 100% (497/497), done.
root@firewall:~/coraza # cd ./coraza-spoa
root@firewall:~/coraza/coraza-spoa # make
make: "/root/coraza/coraza-spoa/Makefile" line 22: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 24: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 28: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 23: warning: using previous script for "ifeq" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "(,)" ignored
make: "Makefile" line 23: warning: using previous script for "(,)" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 30: Invalid line type
make: Fatal errors encountered -- cannot continue
make: stopped in /root/coraza/coraza-spoa~ few hundred years later managed to build and run the coraza in opnsense, but i stumble few hickups that i don't understand yet,
- first how to create easy configctl service for it / or maybe just run at startup time of opnsense
- second as i search in forums or inside opnsense files i dont see haproxy.conf that i can edit (and it's not automatic generated) - i guess php handles the generation of it, and in my case is in /usr/local/etc/haproxy.conf and edit will not help, if i click apply from UI because maybe will delete my additions.
Is there a way to add in example bellow few options ?
Code: [Select]
defaults
log global
option httplog
timeout client 1m
timeout server 1m
timeout connect 10s
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h # for websocket
frontend test
mode http
bind *:80
unique-id-format %[uuid()]
unique-id-header X-Unique-ID
filter spoe engine coraza config /etc/haproxy/coraza.cfg
# Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
http-request silent-drop if { var(txn.coraza.action) -m str drop }
http-response silent-drop if { var(txn.coraza.action) -m str drop }
# Deny in case of an error, when processing with the Coraza SPOA
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
use_backend test_backend
backend test_backend
mode http
http-request return status 200 content-type "text/plain" string "Welcome!\n"
backend coraza-spoa
mode tcp
balance roundrobin
timeout connect 5s # greater than hello timeout
timeout server 3m # greater than idle timeout
server s1 127.0.0.1:9000
7
24.1 Legacy Series / Re: Suricata IPS Block Bad Actors - Add to Firewall Alias Group
« on: July 17, 2024, 04:14:06 pm »
That's what i'am searching right now.
Maybe as you point the place that logs are collected /var/log/suricata/eve.json some python script need to be run to extract the ips and convert them into a file that can be read from alias.
Another thing that may be good to add to the UI of suricata is ban time (maybe 30) mins and check time (5mins)
for the script to scrap the file to remove ips that are done with the ban. (this can be done with cron maybe.. )
Example chatgpt decoder of the file
Maybe as you point the place that logs are collected /var/log/suricata/eve.json some python script need to be run to extract the ips and convert them into a file that can be read from alias.
Another thing that may be good to add to the UI of suricata is ban time (maybe 30) mins and check time (5mins)
for the script to scrap the file to remove ips that are done with the ban. (this can be done with cron maybe..
)Example chatgpt decoder of the file
Code: [Select]
import json
def extract_src_ips(file_path, output_path):
ips = set()
with open(file_path, 'r') as file:
for line in file:
try:
data = json.loads(line)
if 'src_ip' in data:
ips.add(data['src_ip'])
if 'flow' in data and 'src_ip' in data['flow']:
ips.add(data['flow']['src_ip'])
except json.JSONDecodeError:
print(f"Error decoding JSON in line: {line}")
with open(output_path, 'w') as output_file:
for ip in ips:
output_file.write(ip + '\n')
# Specify the input file path and the output file path
input_file_path = 'C:/Users/X/Desktop/input.json'
output_file_path = 'C:/Users/X/Desktop/ips.txt'
# Extract src_ips and save to file
extract_src_ips(input_file_path, output_file_path)
8
24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating
« on: June 18, 2024, 01:10:34 pm »
Upgrading here to OPNsense 24.1.9-amd64 just now and wg stops for me as well , restart via service fix the issue.
9
Virtual private networks / Why Wireguard shows wrong time for last handshake and how to fix it?
« on: May 17, 2024, 08:56:00 am »
OPNsense 24.1.7-amd64
As description says i find it strange it is wrong time when firewall logs shows it right.
Is there a file that need to be edited to show it right, or this is expected behaviour?
As description says i find it strange it is wrong time when firewall logs shows it right.
Is there a file that need to be edited to show it right, or this is expected behaviour?
10
24.1 Legacy Series / MultiWAN - Gateway not showing with Static IPv4
« on: March 06, 2024, 11:23:57 am »
Hellow gentlemen, I have a small network with 4 static WAN addresses, we are currently using one but I decided to add the others so that they can be used productively. The GATEWAY is statically set and working at x.x.x.233 and the WAN interface works with it without a problem, but when I tried to activate the second WAN_HA interface it does not show me the statically entered GATEWAY, what could be the problem?
Thank you for your time!
Thank you for your time!
11
24.1 Legacy Series / Re: 24.1 - DHCP server moves to KEA - implications?
« on: February 28, 2024, 01:11:08 pm »
Kea migrate was easy , thanks for implement.
I just miss one thing to remove clients from leases, it's maybe expected but it`s unknown to me why one i have the server on 0.74 , and i have new reservation to point again to 0.74 but kea gives me 0.150 on image bellow.
How you remove the old lease ?
Keep the good work!
~PS. After some time of refreshing the NIC , correct ip is set !
I just miss one thing to remove clients from leases, it's maybe expected but it`s unknown to me why one i have the server on 0.74 , and i have new reservation to point again to 0.74 but kea gives me 0.150 on image bellow.
How you remove the old lease ?
Keep the good work!
~PS. After some time of refreshing the NIC , correct ip is set !
12
General Discussion / Failover WAN ips with single gateway
« on: October 17, 2023, 09:35:49 am »
I got 4 static ip's and single gateway is it possible to use failover/load balance for them?
Router have wan/lan ports only and it's virtualized in proxmox with added few virtual nics (attached to actuall WAN interface).
Problem is that when i create like 2/3 WAN interfaces with static ip , gateway is already used from the first one.
Can you give me some tips how ot achieve this ?
Thanks in advance
Router have wan/lan ports only and it's virtualized in proxmox with added few virtual nics (attached to actuall WAN interface).
Problem is that when i create like 2/3 WAN interfaces with static ip , gateway is already used from the first one.
Can you give me some tips how ot achieve this ?
Thanks in advance
13
Web Proxy Filtering and Caching / Re: squid graphs?
« on: August 30, 2023, 02:22:49 pm »
Also very interested in this, specifically for watching requests and their api's for debugging.
For me solution for now is mitmproxy virtualized on proxmox *in regular mode* - transparent not works for me https://github.com/mitmproxy/mitmproxy/discussions/6338
For me solution for now is mitmproxy virtualized on proxmox *in regular mode* - transparent not works for me https://github.com/mitmproxy/mitmproxy/discussions/6338
14
General Discussion / Loopback disable ipv6 - duplication
« on: April 05, 2023, 07:14:58 am »
Hellow gentlemens, still learning here need some help, because I think i saw something strange in watching my logs.
First is is possible somehow to disable rules that are hardcoded for ipv6 somehow and is it a good idea? ( also can i remove ipv6 from loopback routes ?)
Second i follow a guide to disable ipv6 for firewall but i still see it sometimes in loopback in example even i'am sure i disable it right.
And also on rules picture isn't this duplicating?
Thanks in advance.
First is is possible somehow to disable rules that are hardcoded for ipv6 somehow and is it a good idea? ( also can i remove ipv6 from loopback routes ?)
Second i follow a guide to disable ipv6 for firewall but i still see it sometimes in loopback in example even i'am sure i disable it right.
And also on rules picture isn't this duplicating?
Thanks in advance.
15
23.1 Legacy Series / Re: Security Audit Log Issues
« on: March 11, 2023, 02:45:17 pm »
Please don’t report issues to us reported by the security health check, they are already known and highly likely a fix is pending for the next release.https://docs.opnsense.org/security.html
I was reporting once like you guys than readed docs, and I still do
I was reporting once like you guys than readed docs, and I still do