Messages - Wuensch-AG-Adm

#1
Quote from: Monviech (Cedrik) on March 26, 2026, 12:00:42 PM
You have to include it before any other import with the same include optional statement.

e.g.

Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-exclusions.conf <--- this one is new in the upcoming version, just as a heads up
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf


I wrote that Phase 1 matching rules have to be before any other ruleset inclusion.

Thank you for your help.
I hope that we will get this feature in the next release.

Regards,

Joel.
#2
I've tried something like that. Create a folder afolder,
edit /usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf

add Include etc/apache24/afolder/*.conf
in

Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
Include etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

Copy the conf file into the afolder
and tried with @pmFromFile or @contains,
restart the apache service.
I've checked that /usr/local/etc/apache24/httpd.conf is modified too.

It doesn't work after the restart of apache24.
I don't know what I'm doing wrong here.

I keep having something like that in the logs:
[security2:error] [pid xxxxxx:tid xxxxxxxx] [client X.X.X.X:49438] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0- ..." at ARGS:mainForm:sometabview:mycompany. [file "/usr/local/etc/apache24/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "514"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: SH GmbH (8532) found within ARGS:mainForm:sometabview:mycompany: SH GmbH (8532)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.18.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [hostname "xxxxxxx.xxx"] [uri "/xxxx/xxxxx/xxxxxx.xhtml"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxx"], referer https://xxxxxxx.xxx/xxxx/xxxxx/xxxxxx.xhtml
#3
Dear OPNSense community,


We have a scenario where we need to update the rules for one of our in-house developed professional apps, but without a direct exception like the one available for the user interface in ModSecurity. We need something like the ability to use a whitelist file. Something like this:

SecRule ARGS:mainForm:sometabview:mycompany "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"

2nd example (with the text of the whitelist):

SecRule ARGS:mainForm:sometabview:mycompany "@contains SH GmbH" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"

This is really important for our application, as we sometimes conduct EPA/PEN-TEST audits.
Rule 932250 serves its purpose very precisely and blocks a company's input. However, it would be nonsensical to disable rule 932250, as it is truly important for security...[ Unix direct remote command execution ]

Could you give us some guidance on what we can adjust and how we can set this up permanently, or how the appliance can maintain this for as long as possible?
Thank you in advance.

Regards,
Joel.
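A fuller version of the exclusion asked for in this post, added here as an illustration and not taken from the thread, from OPNsense or from the CRS project: a phase-1 rule that reads the allowed company names from a whitelist file and, for matching requests, removes only the one form field from rule 932250 instead of switching the whole rule off for that request. The crs-exclusions.conf location follows the include order Monviech gives elsewhere in this thread; the whitelist path, the two entries in it and the rule id 1000 are assumptions.

```apache
# Assumed file: /usr/local/etc/apache24/modsecurity-crs/crs-exclusions.conf
#
# This file must be included BEFORE crs-setup.conf and rules/*.conf, so that
# the ctl action below is already applied when rule 932250 runs in phase 2:
#
#   Include         etc/apache24/modsecurity.conf
#   IncludeOptional etc/apache24/modsecurity-crs/crs-exclusions.conf
#   IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
#   IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

# Constructed whitelist file (assumed path), one company name per line.
# @pmFromFile does a case-insensitive substring match, so a value such as
# "SH GmbH (8532)" matches the entry "SH GmbH":
#
#   /usr/local/etc/apache24/Includes/modsecurity_wl.txt
#   SH GmbH
#   Example AG

# Phase 1 (request headers) runs before the CRS phase-2 rules, so the ctl
# action takes effect for this transaction before 932250 is evaluated.
# ruleRemoveTargetById drops ONLY the named argument from rule 932250;
# every other argument in the same request is still inspected by it.
SecRule ARGS:mainForm:sometabview:mycompany \
    "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=932250;ARGS:mainForm:sometabview:mycompany"
```

ctl actions apply to the current transaction only, so this rule is re-evaluated on every request and the exclusion never persists beyond the request that triggered it. If the field can legitimately carry names that are not yet in the whitelist, the audit log entries for id 932250 on that argument show which entries to add; extending the exclusion to all ARGS (or using ctl:ruleRemoveById) would also silence the rule for inputs the whitelist never vouched for.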
#4
Quote from: Monviech (Cedrik) on March 19, 2026, 10:51:54 AM
I would maybe look at what Zenarmor has to offer. They are one of our partners: https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html

The plugin combination you use has either no maintainers or support Tier3. They are all completely in community scope.

https://github.com/opnsense/plugins/blob/0e62a4992404873c2d0005ed2b3a474d0d9eac9b/README.md?plain=1#L130

https://github.com/opnsense/plugins/commit/7cd45894e266427fcddb25f9af30477d8de1a69f

Isn't os-OPNPROXY a business plugin from OPNSense / Deciso itself? (and sold as a bonus plugin)
https://docs.opnsense.org/manual/opnproxy.html
#5
Dear OPNSense community,

We performed an upgrade this morning, and the proxy authentication via LDAP (AD) in Squid is not working as intended.
The Chromium browser prompts for a username and password, and even when these are entered correctly, the login window keeps reappearing.
It works with Firefox and we just need to enter the username and password one time. Unfortunately, this shows us that the proxy cannot work with SSO, as was the case with a Sophos appliance, where this feature was truly user-friendly (one-time password at Windows login, no double/triple login with the browsers/web app).
Even if the website is on the list of local websites (some of which we host ourselves), the proxy still displays the login window!!!

My infos:
Version: OPNsense 25.10.2_4 / FreeBSD 14.4-RELEASE
os-squid: 1.4
os-web-proxy-sso: 2.2_3
os-OPNProxy 1.0.5_4
Services -> Squid Web Proxy -> Forward Proxy -> Authentication Settings -> Authentication method -> LDAP

Do you have any idea why the Chromium browser isn't working with Squid/OPNSense?
Is it possible to set up a working web proxy with SSO on an OPNSense server? (This might also be of interest to the customers.)
Is there a better alternative to Squid that is also more user-friendly? (without requiring users to enter a username and password in the browser)

Thank you in advance for the information.

Regards,

Joel.
#6
Quote from: max1987martin on March 11, 2026, 07:46:03 AM

Quote from: Wuensch-AG-Adm on February 23, 2026, 03:26:00 PM
Dear community,
I am trying to disable the rules (the manual part) in order to set up the rules using policies only, but when I select all entries (or 1000/500/200) and click the "Disable" button, the waiting circle appears, and when it is finished, nothing happens; the checkboxes are not empty.
Is this a known bug or something similar? Because it's crazy to manually deactivate about 30,000 entries.
Thank you in advance for your help.
Best regards,
Joel.

Hello,

Instead of disabling 30k rules manually, you should control them via IDS/IPS Policy settings.

Steps

Go to
Services → Intrusion Detection → Policies
Create or edit a policy.
Configure:
Rulesets: leave empty or select desired rulesets
Action: set to
disabled (to disable all rules)
or alert / drop depending on your setup.
Apply the policy to the interface.
Policies override individual rule states, so you do not need to manually disable rules.

Hi,
I have already done that, but I still get the message that some rules need to be activated manually, even though I am using the policies.
I don't know why.
Regards,
Joel
#7
Dear community,

We have already made several updates to the system since December, but we are experiencing an issue with our Deciso Business Appliance. When we are logged into the dashboard, the CPU goes out of control. We can observe the CPU usage increasing without us doing anything.


   0 root        -64    -     0B  1824K iflib    2 263.1H  61.26% [kernel{if_igc3_tq}]
16330 root         68    0    17M  2524K iflib    1   0:02  30.67% /sbin/ifconfig -m -v
16386 root         68    0    17M  2520K iflib    1   0:02  22.59% /sbin/ifconfig -m -v
 2915 root         68    0    17M  2528K iflib    2   0:04  22.14% /sbin/ifconfig -m -v
15589 root         68    0    17M  2528K iflib    2   0:02  19.85% /sbin/ifconfig -m -v

Is this a bug or a known issue?
I've seen some users complain about this in recent versions, but we're using an official Deciso business device, not a VM or home server.

DEC3842
hw.model: AMD EPYC 3101 4-Core Processor

Base Board Information
        Manufacturer: Deciso B.V.
        Product Name: NetBoard-A20
        Version: R2.0

Ethernet Controller I225-V

I would appreciate it if you could give me some advice.
I feel that the latest business versions are not as stable as the older ones.

Thank you ahead.

Regards,

Joel.
#8
I took a snapshot before every major upgrade and only used the function once to reboot on the last known good version because of an error, but I'll check out your tip.

Regards,

Joel
#9
Dear community,
I am trying to disable the rules (the manual part) in order to set up the rules using policies only, but when I select all entries (or 1000/500/200) and click the "Disable" button, the waiting circle appears, and when it is finished, nothing happens; the checkboxes are not empty.
Is this a known bug or something similar? Because it's crazy to manually deactivate about 30,000 entries.
Thank you in advance for your help.
Best regards,
Joel.
#10
Quote from: Patrick M. Hausen on February 20, 2026, 08:55:06 AM
If you have evidence that an update really caused the loss of firewall rules, you can still open an issue on Github to reach the developers. My main point is that this is the community forum and although I run a handful of systems with the business edition I do not have the expertise to help you. Also I never experienced anything like that myself.

Side note - why do you need a maintenance window to run an audit?

That's the only time I can devote to it. I take care of many other networks and application infrastructures, and since the problem didn't block the system's communication (I've simply re-created the 4/5 missing rules), I'll take care of it next time.
It's not about the OPNSense firewalls, it's about the workflow in the company.

Cheers,
Joel.
#11
Quote from: franco on February 19, 2026, 07:56:26 PM
Well, you can audit System: Configuration: History for where these disappeared (and restore them if they were lost then I suppose).

That also goes for opening a business support case as a starting point to investigate.

Without support hours posting here is as good as it gets.


Cheers,
Franco

Dear Franco and Patrick,
I get your point, but I don't understand the business model of why we should pay for troubleshooting the Deciso Business Appliance (which we purchased with a license). I understand that I need to purchase support if I need something that is beyond my expertise or if information is missing from the documentation because we need something more specific. But in my opinion, this is simply an automated update from the Deciso server that is faulty.
I will be auditing the system at the next monthly maintenance (I've already done a part of it, which is when I found that some rules are missing); thank you for your advice.
Best regards,
Joel.
#12
Please let me know if I've done something wrong this time. I already mentioned that this is a business device, not a VM for the firewall at home.
#13
Dear Opnsense community,

This morning we performed our monthly maintenance and we are certain that we lost some rules and objects during the upgrade.
We noticed this because our AMS group created a ticket for some rules that had already been created for a customer project, and we couldn't find any of these rules or categories after the upgrade.
The upgrade went strangely: Without warning, we were downgraded from version 25.10.1_2 to version 25.10, and after that we had to upgrade again to get version 25.10.2. Is this a mistake on the part of the OPNsense team? Has anyone ever heard of anything like this before?
We did not attempt to uninstall anything. The device did this on its own.

It's quite disturbing as a customer.

2026-02-19T08:16:56  Notice  pkg-static  opnsense-business-25.10.2 installed
2026-02-19T08:15:52  Notice  pkg-static  opnsense-business-25.10 deinstalled
2026-01-22T06:18:23  Notice  pkg-static  opnsense-business-25.10.1_2 installed

Regards

Joel.
#14
Dear community,

I cannot see the other severity of the access log in Squid (plug-in Squid Web Proxy). It remains empty. The only thing that works is the notification.
Can anyone give me a hint about this?

example:

only:

2026-02-19T12:23:41  Notice  squid  ACL-REQ |opnproxy_ext_acl_net| |

even with multiple selection

with ssh:
tail -f /var/log/squid/access.log

xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT static.licdn.com:443 HTTP/1.1" 200 39 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_TUNNEL:HIER_DIRECT
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT platform.linkedin.com:443 HTTP/1.1" 403 20345 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
xx.xx.xx.xx - xx:xx:xx:xx:xx:xx - [dd/mmm/2026:hh:mm:ss +0100] "CONNECT ponf.linkedin.com:443 HTTP/1.1" 403 20349 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE


Thank you in advance

Joel.