Messages - Wuensch-AG-Adm

#1
IDLE definition: 1. not working or being used

Regards

Joel.
#2
Quote from: newsense on April 21, 2026, 11:30:10 PM
Did you try resetting the lobby configuration?

I've already done that, but today memory usage is only at 32%, and CPU usage is between 10% and 50%. Yesterday, memory usage was at least 75% and CPU usage was between 80% and 100%. I can't compare that to today.

#3
Quote from: Patrick M. Hausen on April 08, 2026, 07:10:31 PM
Reload the page? Possibly you are logged out?

I can confirm that I'm not logged out. Every time I get "Gateways -> Failed to load widget" (sometimes the memory / interface statistics and system information widgets disappear as well).
My memory is full (75%, whereas it was generally 40%), and this problem has existed since version 25.7 and continues to occur in version 25.10.

top -o cpu
  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
80870 root          1  68    0    17M  2572K iflib    3   0:02  57.13% ifconfig
95766 root          1  60    0    17M  2580K iflib    2   0:02  52.22% ifconfig
58397 root          1  98    0    17M  2588K CPU2     2   0:03  38.47% ifconfig
70902 root          1  55    0    17M  2576K iflib    3   0:02  22.72% ifconfig
99748 root          1  68    0    17M  2588K iflib    1   0:00  13.27% ifconfig
69680 root          1  68    0    17M  2588K iflib    1   0:02  12.13% ifconfig
85142 root          1  68    0    17M  2576K iflib    3   0:00   4.73% ifconfig
10600 root          1  68    0    61M    32M piperd   0   0:00   3.41% php
  370 root         14  68    0   256M    40M accept   2  16:50   1.54% python3.11

top -o res
  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
67460 www           3  20    0  3293M  1609M uwait    2   0:03   0.00% httpd
67192 www           4  20    0  3313M  1374M uwait    3   0:04   0.00% httpd
32191 root          7  20    0  3118M   582M RUN      2 433:16   0.33% suricata
19415 www           4  20    0  1222M   505M uwait    0   0:19   0.00% httpd
42797 www          27  68    0   728M   406M piperd   3   3:40   0.00% httpd
64863 www          27  20    0   713M   385M piperd   0   4:28   0.00% httpd
22121 www           3  20    0   711M   228M uwait    1   0:10   0.00% httpd
22202 www           3  20    0   711M   228M uwait    2   0:10   0.00% httpd
42698 www          27  68    0   468M   212M piperd   0   1:02   0.00% httpd
85492 root         22  26    0  1765M   198M kqread   0  60.5H   0.21% crowdsec
42013 www          27  68    0   328M   134M piperd   1   0:10   0.00% httpd
#4
Dear Community,
We would like to trigger the download via the share link in Nextcloud using OPNWAF's proxy feature.
I believe there is an option to use "Proxy Pass Match" for this.
But it doesn't seem to work and breaks the link. We know that the file downloads immediately if we append "/download" to the link without using the Nextcloud viewer.
We have tried the following:
Local path: ^/s/([^/]+)/?(.*)$
Remote path: /s/$1/download$2
This simply results in a 404 error and does not add the "/download" (the "$2" is because of the "dir" parameter that Nextcloud inserts into the email link).
We also tried the simplest method, but it doesn't work either: local path ^/s/?(.*)$ with remote path /s/$1/download

Could you please give me some suggestions? (There isn't enough information in the online manual.)
Thank you in advance.

Regards,

Joel
#5
Quote from: Patrick M. Hausen on April 08, 2026, 06:11:58 PM
Have you tried disabling ntopng?

I'm getting an error with Gateways and Interface Statistics -> Failed to load widget.
#6
Quote from: Patrick M. Hausen on April 08, 2026, 06:11:58 PM
Have you tried disabling ntopng?

I'm trying this option right now.
Thanks.
#8
Dear Community,
After two or three updates, I'm writing to say that I'm still having issues with the WebUI and even with an unresponsive SSH. We use the Business version of the system and, typically, a hardware appliance that is fully compatible with the system, since it is a Deciso/OPNsense product: 8 GB, AMD EPYC 3101 4-core processor, DEC3840 – OPNsense

 top -aSH
last pid: 37524;  load averages: 19.72, 22.81, 27.25  up 75+17:14:16  17:25:58
722 threads:   23 running, 677 sleeping, 22 waiting
CPU:  6.3% user,  0.0% nice, 93.6% system,  0.2% interrupt,  0.0% idle
Mem: 2338M Active, 3065M Inact, 504M Laundry, 971M Wired, 2058K Buf, 874M Free
ARC: 308M Total, 63M MFU, 136M MRU, 38M Anon, 2677K Header, 68M Other
     144M Compressed, 480M Uncompressed, 3.34:1 Ratio
Swap: 8418M Total, 4243M Used, 4175M Free, 50% Inuse

  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
28535 root         68    0    17M  2624K RUN      0   0:04  72.71% /sbin/ifconfig -m -v
24521 root         68    0    17M  2628K CPU2     2   0:04  57.40% /sbin/ifconfig -m -v
    0 root        -64    -     0B  1712K CPU3     3 526.4H  55.32% [kernel{if_igc3_tq}]
22164 root         68    0    17M  2624K RUN      1   0:03  42.03% /sbin/ifconfig -m -v
33088 root         94    0    17M  2624K RUN      3   0:02  40.91% /sbin/ifconfig -m -v
33192 root         68    0    17M  2612K CPU1     1   0:03  33.31% /sbin/ifconfig -m -v
36021 root         68    0    17M  2624K RUN      2   0:01  13.56% /sbin/ifconfig -m -v
61959 ntopng       32    0   716M   186M RUN      0 274.2H   4.84% /usr/local/bin/ntopng /usr/local/etc/ntopng.conf -U ntopng -G /var/run/ntopng/ntopng.pid -1 /usr/local/share/ntopng/httpdocs -2 /usr/local
  370 root         68    0   246M    49M accept   1   1:19   0.28% /usr/local/bin/python3 /usr/local/opnsense/service/configd.py console (python3.11){python3.11}


This happens every time I stay on the dashboard for too long.
Is there a patch or another solution I can implement myself?

Thank you in advance

Regards,

Joel
#9
Quote from: Monviech (Cedrik) on March 26, 2026, 12:00:42 PM
You have to include it before any other import with the same include optional statement.

e.g.

Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-exclusions.conf <--- this one is new in the upcoming version, just as a heads up
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf


I wrote that Phase1 matching rules have to be before any other ruleset inclusion.

Thank you for your help.
I hope that we will get this feature in the next release.

Regards,

Joel.
#10
I've tried something like that: create a folder afolder and
edit /usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf

to add Include etc/apache24/afolder/*.conf
in the following position:
Include etc/apache24/modsecurity.conf
IncludeOptional etc/apache24/modsecurity-crs/crs-setup.conf
Include etc/apache24/afolder/*.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

Copy the conf file into the afolder,
try with @pmFromFile or @contains,
and restart the apache service.
I've checked that /usr/local/etc/apache24/httpd.conf is modified too.

It doesn't work after the restart of apache24.
I don't know what I'm doing wrong here.

I keep getting something like this in the logs:
[security2:error] [pid xxxxxx:tid xxxxxxxx] [client X.X.X.X:49438] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)(?:^|b[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?u[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0-9\\\\?@_a-\\\\{]*)?\\\\x5c?s[\\"'\\\\)\\\\[\\\\x5c]*(?:(?:(?:\\\\|\\\\||&&)[\\\\s\\\\x0b]*)?\\\\$[!#\\\\(\\\\*\\\\-0- ..." at ARGS:mainForm:sometabview:mycompany. [file "/usr/local/etc/apache24/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "514"] [id "932250"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: SH GmbH (8532) found within ARGS:mainForm:sometabview:mycompany: SH GmbH (8532)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.18.0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/ATTACK-RCE"] [tag "capec/1000/152/248/88"] [hostname "xxxxxxx.xxx"] [uri "/xxxx/xxxxx/xxxxxx.xhtml"] [unique_id "xxxxxxxxxxxxxxxxxxxxxxx"], referer https://xxxxxxx.xxx/xxxx/xxxxx/xxxxxx.xhtml
#11
Dear OPNSense community,


We have a scenario where we need to update the rules for one of our in-house developed professional apps, but without a direct exception like the one available for the user interface in ModSecurity. We need something like the ability to use a whitelist file. Something like this:
SecRule ARGS:mainForm:sometabview:mycompany "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"
2nd example (with the text of the whitelist inline):
SecRule ARGS:mainForm:sometabview:mycompany "@contains SH GmbH" "id:1000,phase:1,pass,nolog,ctl:ruleRemoveById=932250"

This is really important for our application, as we sometimes conduct EPA/PEN-TEST audits.
Rule 932250 serves its purpose very precisely and blocks a company's input. However, it would be nonsensical to disable rule 932250, as it is truly important for security [Unix direct remote command execution].

Could you give us some guidance on what we can adjust and how we can set this up permanently, or how the appliance can maintain this for as long as possible?
Thank you in advance.

Regards,
Joel.
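As an added example (not from these posts or from OPNsense/OPNWAF), the exclusion the thread is after, written two ways: the narrower ctl:ruleRemoveTargetById form, which keeps 932250 active for every other parameter, and the @pmFromFile allow-list variant, each with the phase and load-order constraint it has to meet. The form URI /app/form.xhtml is a placeholder (the real one is masked in the log); the rule id, parameter name and allow-list path are taken from the posts.

```apache
# Added example, not from the forum posts or from OPNsense/OPNWAF.
# Save as a file that is loaded BEFORE .../modsecurity-crs/rules/*.conf,
# e.g. the afolder/*.conf include discussed in the thread.
# Assumed: the form posts to /app/form.xhtml (placeholder URI), the
# field is ARGS:mainForm:sometabview:mycompany and the rule is 932250,
# both taken from the log excerpt.

# 1) Narrow, unconditional exclusion: 932250 stays active for every
#    other parameter and only stops inspecting this one field, and only
#    on this form's URI. phase:1 is safe here because the condition only
#    reads REQUEST_URI, which is already known in phase 1; a phase 1 rule
#    runs before every phase 2 rule regardless of file order.
SecRule REQUEST_URI "@beginsWith /app/form.xhtml" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=932250;ARGS:mainForm:sometabview:mycompany"

# 2) Allow-list variant (the @pmFromFile idea from the thread).
#    The field arrives in the POST body, which ModSecurity has not read
#    yet in phase 1, so a phase:1 rule on this ARGS target never matches.
#    It must run in phase:2, and rules of the same phase run in load
#    order, so this file has to be included before the CRS rules files
#    or 932250 has already fired by the time the exclusion is evaluated.
#    modsecurity_wl.txt holds one allowed phrase per line, e.g. "SH GmbH".
SecRule ARGS:mainForm:sometabview:mycompany \
    "@pmFromFile /usr/local/etc/apache24/Includes/modsecurity_wl.txt" \
    "id:10002,phase:2,pass,nolog,\
    ctl:ruleRemoveTargetById=932250;ARGS:mainForm:sometabview:mycompany"
```

Use one variant or the other; rule ids 10001/10002 are in the range ModSecurity reserves for local rules and are placeholders.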
#12
Quote from: Monviech (Cedrik) on March 19, 2026, 10:51:54 AM
I would maybe look at what Zenarmor has to offer. They are one of our partners: https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html

The plugin combination you use has either no maintainers or support Tier3. They are all completely in community scope.

https://github.com/opnsense/plugins/blob/0e62a4992404873c2d0005ed2b3a474d0d9eac9b/README.md?plain=1#L130

https://github.com/opnsense/plugins/commit/7cd45894e266427fcddb25f9af30477d8de1a69f

Isn't os-OPNPROXY a business plugin from OPNSense / Deciso itself? (and sold as a bonus plugin)
https://docs.opnsense.org/manual/opnproxy.html
#13
Dear OPNSense community,

We performed an upgrade this morning, and the proxy authentication via LDAP (AD) in Squid is not working as intended.
The Chromium browser prompts for a username and password, and even when these are entered correctly, the login window keeps reappearing.
It works with Firefox, and we just need to enter the username and password one time. Unfortunately, this shows us that the proxy cannot work with SSO as it could on a Sophos appliance, where this feature was truly user-friendly (one-time password at Windows login, no double/triple login with the browsers/web app).
Even if the website is on the list of local websites (some of which we host ourselves), the proxy still displays the login window!!!

My info:
Version: OPNsense 25.10.2_4 / FreeBSD 14.4-RELEASE
os-squid: 1.4
os-web-proxy-sso: 2.2_3
os-OPNProxy 1.0.5_4
Services -> Squid Web Proxy -> Forward Proxy -> Authentication Settings -> Authentication method -> LDAP

Do you have any idea why the Chromium browser isn't working with Squid/OPNSense?
Is it possible to set up a working web proxy with SSO on an OPNSense server? (This might also be of interest to the customers.)
Is there a better alternative to Squid that is also more user-friendly? (without requiring users to enter a username and password in the browser)

Thank you in advance for the information.

Regards,

Joel.
#14
Quote from: max1987martin on March 11, 2026, 07:46:03 AM
Quote from: Wuensch-AG-Adm on February 23, 2026, 03:26:00 PM
Dear community,
I am trying to disable the rules (the manual part) in order to set up the rules using policies only, but when I select all entries (or 1000/500/200) and click the "Disable" button, the waiting circle appears, and when it is finished, nothing happens; the checkboxes are not empty.
Is this a known bug or something similar? Because it's crazy to manually deactivate about 30,000 entries.
Thank you in advance for your help.
Best regards,
Joel.

Hello,

Instead of disabling 30k rules manually, you should control them via IDS/IPS Policy settings.

Steps:

1. Go to Services → Intrusion Detection → Policies
2. Create or edit a policy.
3. Configure:
   Rulesets: leave empty or select desired rulesets
   Action: set to disabled (to disable all rules) or alert / drop depending on your setup.
4. Apply the policy to the interface.

Policies override individual rule states, so you do not need to manually disable rules.

Hi,
I have already done that, but I still get the message that some rules need to be activated manually, even though I am using the policies.
I don't know why.
Regards,
Joel
#15
Dear community,

We have already made several updates to the system since December, but we are experiencing an issue with our Deciso Business Appliance. When we are logged into the dashboard, the CPU goes out of control. We can observe the CPU usage increasing without us doing anything.


   0 root        -64    -     0B  1824K iflib    2 263.1H  61.26% [kernel{if_igc3_tq}]
16330 root         68    0    17M  2524K iflib    1   0:02  30.67% /sbin/ifconfig -m -v
16386 root         68    0    17M  2520K iflib    1   0:02  22.59% /sbin/ifconfig -m -v
 2915 root         68    0    17M  2528K iflib    2   0:04  22.14% /sbin/ifconfig -m -v
15589 root         68    0    17M  2528K iflib    2   0:02  19.85% /sbin/ifconfig -m -v

Is this a bug or a known issue?
I've seen some users complain about this in recent versions, but we're using an official Deciso business device, not a VM or home server.

DEC3842
hw.model: AMD EPYC 3101 4-Core Processor

Base Board Information
        Manufacturer: Deciso B.V.
        Product Name: NetBoard-A20
        Version: R2.0

Ethernet Controller I225-V

I would appreciate it if you could give me some advice.
I feel that the latest business versions are not as stable as the older ones.

Thank you in advance.

Regards,

Joel.