Messages - Wuensch-AG-Adm

1
Intrusion Detection and Prevention / Re: NetMap Error
« on: November 22, 2024, 11:01:05 am »
I don't have OPNsense in a VM. We have full Deciso hardware and we had the same problem.
I've just added the WAN interface in the Intrusion Detection settings and now the log has gone silent about this problem.

I hope it'll help

I've started another thread about that because I had a combination of problems after the upgrade:

https://forum.opnsense.org/index.php?topic=44178.0

2
Web Proxy Filtering and Caching / Re: Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
« on: November 22, 2024, 10:57:34 am »
Update:
In Intrusion Detection I have to choose the WAN interface even though I use only a bridge.
Is this a bug or a design problem?
Now the log has gone silent.

Can someone explain this to me? And I repeat, there was nothing like that before the upgrade.

3
Web Proxy Filtering and Caching / Re: Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
« on: November 22, 2024, 10:26:32 am »
Dear OPNSense community,

I've found that, as the disk was full, the OPNsense wasn't really available anymore for the rest of the network. I've received some e-mail alerts that the processor of the appliance was overloaded. The appliance was bought this year; it's a Deciso 3842 AMD EPYC 8GB 256GB M.2.

The communication between our cluster and backup NAS was broken. Problems cascaded from one to the next.

I think something went wrong after the upgrade to version 24.10_7; Suricata is indeed integrated in OPNsense. I've deleted the old log, but we still have a problem with the IDS - a flood of the following message:
bridge0^: error reading netmap data via polling: No buffer space available

Now it would be really interesting to know why this has changed between the versions of the OPNsense system.

Regards,

Joel.


PS: I've already set up the log for the IDS to be much smaller, but it's not the solution.

4
Web Proxy Filtering and Caching / Urgent Prod system - OPNWAF + SURICATA Logs went full and Everything is blocked
« on: November 22, 2024, 08:55:49 am »
Dear OPNSense community,

We have a Business license, which is normally meant to give us a stable version after every update / upgrade, but that's not the case. Last upgrade: from 24.4.3 to version 24.10_7 (amd)
os-OPNWAF Version 1.6 - os-crowdsec 1.0.8_1 and Intrusion Detection is activated
After the upgrade the logs from Suricata filled up (and the disk too) -> Resource limit succeeded Service RootFs

Topology:
We have a bridge; the firewall is in our DMZ behind the first hop, where there is another router/firewall. The OPNsense is there for its WAF / proxy functions (OPNWAF / Suricata / CrowdSec).

We have some Nextcloud instances and we are securing the traffic to Nextcloud with OPNsense.
Since the last upgrade the logs filled up with Suricata. I've deleted some logs; they were bigger than 100GB.

Now the firewall is simply blocking the traffic from the Nextcloud to everything, even if I've made some rules like Nextcloud to everything with any ports.

All the services are green.

I cannot explain what is happening, but for a Business license, I think this version has a bug!

I've already restarted; nothing is working and I don't know where to begin with this kind of stuff. In the OPNWAF the logs don't show any problem. It seems to be a problem with the firewall!

Example:
__timestamp__   2024-11-22T08:31:43
ack   3809070810
action    [block]
anchorname   
datalen   0
dir    [in]
dst   XX.X.XXX.XXX (OPNSense Firewall/PROXY)
dstport   48012
ecn   
id   4409
interface   bridge0
interface_name   BRG
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   52
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   
src   XX.X.XXX.XXX (Nextcloud)
srcport   443
subrulenr   
tcpflags   A
tcpopts   
tos   0x0
ttl   64
urp   506

The worst part: I've changed nothing. Everything is going wrong after the upgrade to version 24.10_7.

Could you please help me?

Thank you in advance!

Regards,

Joel.


5
General Discussion / Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« on: November 15, 2024, 10:16:16 am »
Hello Franco, Hi dear community,

No misunderstanding: I like to use OPNsense, and I've found some solutions in the UI:
Firewall -> Web Application -> Gateways -> Virtual servers
But I don't think that disabling a whole rule because of a parameter on the rule is an enhancement to the security of the WAF. An exception for a certain URL would be a great improvement.
Maybe I'm wrong.

Regards,

Joel.

6
General Discussion / Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« on: November 15, 2024, 09:48:41 am »
Hello Franco,

Could you please explain how?
We had a maintenance on the OPNsense and an update (Version 24.10_7 and os-OPNWAF 1.6). Now it's even worse; there's no exception anymore for Nextcloud and Nextcloud cannot show the files in the UI.
My workflow worked before the update; now I must repeat everything from the start, because the rules were changed.

Thanks ahead for your help

Regards,
Joel.

7
General Discussion / Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« on: September 11, 2024, 06:36:19 pm »
Every time I restart the plugin / service, I lose all the changes in the conf files. Is there a special way to do this with OPNsense? Because I need to fix this asap.

8
General Discussion / Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« on: September 11, 2024, 06:31:59 pm »
Hello,
Thank you for your fast answer.
Is there some way to apply the new parameters so that ModSecurity keeps them? (I mean in console mode / shell)
I've found the parameters in this file:
/usr/local/etc/apache24/modsecurity.conf
But if I change something, the next restart of the plugin / service resets the parameters to the original values (13107200 and 131072). I can't change anything. The "App Specific Rule Exclusions" Nextcloud setting in Firewall -> Web Application -> Settings -> Web protection is doing nothing. There's no effect on the Nextcloud.

I've found the rule set files for Nextcloud too, but nothing works.
I've deactivated the Web protection, because with it, nobody can really use Nextcloud. From now on I'm using only the gateway webserver. I was thinking that a business solution like this WAF plugin would work.

I forgot to write that we are using the version OPNsense 24.4.2-amd64 with the os-OPNWAF 1.5

Can I add the parameters in the gateway_vhosts.conf?

Thx ahead.

Regards,

Joel Timm.

9
General Discussion / OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« on: September 11, 2024, 04:29:30 pm »
Dear OPNsense community,

We bought the 3-year package to have business capabilities on our firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some Nextcloud applications generate errors (such as “photos”, or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...

We have found that there is a limitation in ModSecurity on the OPNWAF. The info is in the Web Error Log.
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/

The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.

If someone with experience on this plugin can explain to me where I can change the configured limit, I'd be very happy not to lose my time with this kind of stuff.

Thank you ahead.

Regards,

Joel. T
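
A triage sketch for the error-log message quoted in the post above, added here as an example and not part of the original post or of OPNWAF: it groups ModSecurity body-limit denials by configured limit and URI prefix, so it is visible which paths hit which limit. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# First line is the message quoted in the post (cut off there as well);
# the remaining lines are constructed for this example.
SAMPLE_LOG = '''\
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "cloud.example.test"] [uri "/remote.php/dav/files/alice/photo.jpg"]
ModSecurity: Request body (Content-Length) is larger than the configured limit (13107200). Deny with code (413) [hostname "cloud.example.test"] [uri "/index.php/apps/photos/upload"]
AH00898: Error during SSL Handshake with remote server
'''

LIMIT_RE = re.compile(
    r"ModSecurity: (?P<kind>Request body.*?) is larger than the "
    r"configured limit \((?P<limit>\d+)\)"
)
CODE_RE = re.compile(r"Deny with code \((\d+)\)")
# Tolerates a value whose closing quote was lost to truncation.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)')


def parse_line(line):
    """Return a dict for a body-limit denial, or None for any other line."""
    hit = LIMIT_RE.search(line)
    if hit is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    code = CODE_RE.search(line)
    return {
        "kind": hit.group("kind"),
        "limit": int(hit.group("limit")),
        "code": int(code.group(1)) if code else None,
        "hostname": fields.get("hostname", ""),
        "uri": fields.get("uri", ""),
    }


def uri_prefix(uri, depth=3):
    """Collapse a URI to its first `depth` path segments."""
    return "/" + "/".join([s for s in uri.split("/") if s][:depth])


def summarize(log_text):
    """Count denials per (limit, URI prefix)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["limit"], uri_prefix(rec["uri"]))] += 1
    return counts
```
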

10
General Discussion / Re: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
« on: August 15, 2024, 08:43:13 am »
I understand this point. Is there a possibility to distribute / deploy the wildcard Letsencrypt certificate from the OPNsense to the various systems in the DMZ? To simplify the process and not have every system requesting a renewal every time.

Thank you ahead.

Regards,

Joel T.

11
General Discussion / OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
« on: August 14, 2024, 08:01:08 pm »
Dear community,

I've set up a web application firewall with OPNWAF (Business) and ACME Letsencrypt. It works well, but I cannot obtain the A+ on SSL Labs because there's an invalid HSTS policy.
I don't want to deploy the certificates on every Nextcloud and we are using the service ACME Client on the OPNsense firewall with a wildcard. Is there a possibility to set up Nextcloud and OPNWAF to act as reverse proxy to solve this problem? I would like SSL Labs to check the HSTS from the OPNWAF and not from the Nextcloud, to keep the easy aspect of the self-signed on every system.
Is there any other possibility with OPNsense?
I've no clue anymore.

Thanks in advance for your help.

Regards,

Joel T.

12
German - Deutsch / Naxsi/Nginx custom rules do not work
« on: February 08, 2024, 04:19:41 pm »
Dear OPNSense community,
we have set up a WAF in OPNSense with Nginx and Naxsi for a web server.
We are currently creating the rules for it.
However, the rules do not seem to be adopted/applied.
Is there a way to view the rules on the machine (in the terminal)?
Our rules are written (in the web interface) in the same way as the preset rules that are provided.
I would appreciate any support!
Kind regards
T.B.

13
General Discussion / Someone could help please with the OPNWAF-Plugin
« on: July 19, 2023, 10:03:59 am »
Dear OPNSense community,
I'm missing some information about the OPNWAF-Plugin. The certificate management isn't clear, whereas with NGINX + NAXSI it's clear and explained. When I try to activate this plugin the service doesn't start, and the settings are the same as with a functional NGINX + NAXSI. The problem with NAXSI is that it blocks Apple devices with Safari, and without disabling a base ruleset it won't work. It's not really safe like that.

OPNWAF seems to be easier but it simply doesn't work with our certificates. (no Let's Encrypt here)
Here is some info from the log: pass request body failed, AH00898: Error during SSL Handshake with remote server
The setup is simple: the HTTPS port for the Virtual Server is not standard, SSL Proxy check peer is enabled and the URI matches the CN, the certificate field in the Virtual Server is the same as in HTTP Server from NGINX in the field TLS Certificate. The Location>Remote destinations in OPNWAF is the https://XX.XX.XX.XX (X = IP) of our Webserver.
With the same certificate setting with NGINX + NAXSI it will work, that's why I don't understand.

I hope with this information you can help me.

I was thinking that with the business license it would be easier for us.

Thank you ahead.

Joel T.


14
High availability / Re: High availability with rspamd - no synchronization
« on: August 30, 2022, 11:02:30 am »
No, there's the config (please see the screenshot), but it does nothing when it syncs, either manually or with the cron job :-(


15
General Discussion / Rspamd MX Check Expiration not applying
« on: August 30, 2022, 10:30:15 am »
Hello there,
when we set an Expiration in the MX Check Option of Rspamd in our OPNSense, and click Apply and afterwards switch to another Register, the parameter is not applied and the field is empty.
Could this be a communication problem between Rspamd and Redis?
We would hope to find a solution so we can set this parameter.
Thanks in advance
T. Beyer
