Messages - shproto

#1
great! thx a lot opnsense & naxsi :D
#2
hi,
testing :) with lines 51 & 81 re-enabled (as before)

MainRule id:1000 "rx..........
MainRule id:1500 "rx..........

root@fw:~ # opnsense-revert -z nginx
Fetching nginx.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20221213... done
nginx-1.24.0_6,3: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        nginx: 1.24.0_8,3

Number of packages to be installed: 1

The process will require 4 MiB more space.
[1/1] Installing nginx-1.24.0_8,3...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
Extracting nginx-1.24.0_8,3: 100%
=====
Message from nginx-1.24.0_8,3:

--
Recent version of the NGINX introduces dynamic modules support.  In
FreeBSD ports tree this feature was enabled by default with the DSO
knob.  Several vendor's and third-party modules have been converted
to dynamic modules.  Unset the DSO knob builds an NGINX without
dynamic modules support.

To load a module at runtime, include the new `load_module'
directive in the main context, specifying the path to the shared
object file for the module, enclosed in quotation marks.  When you
reload the configuration or restart NGINX, the module is loaded in.
It is possible to specify a path relative to the source directory,
or a full path, please see
https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/ and
http://nginx.org/en/docs/ngx_core_module.html#load_module for
details.

Default path for the NGINX dynamic modules is

/usr/local/libexec/nginx.
root@fw:~ # service nginx stop
Stopping nginx.
Waiting for PIDS: 63871.
root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
root@fw:~ # service nginx status
nginx is running as pid 66182


2023/06/24 12:50:00 [warn] 79720#100103: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
2023/06/24 12:50:00 [notice] 79720#100103: signal process started
root@fw:/var/log/nginx # tail -100 error.log

root@fw:/usr/local/etc/nginx # find . -type f -name "*.conf" -exec grep hash {} /dev/null \;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;


root@fw:/usr/local/etc/nginx # nginx -V
nginx version: nginx/1.24.0
built with OpenSSL 1.1.1u  30 May 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-9aec15e --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-33b646d --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.4/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.7.12/nginx --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --with-ld-opt='-L /usr/local/lib'


root@fw:/usr/local/etc/nginx # cd /usr/local/libexec/nginx
root@fw:/usr/local/libexec/nginx # ls -latr
total 3136
drwxr-xr-x  10 root  wheel      512 Jun 23 06:23 ..
-r-xr-xr-x   1 root  wheel   171336 Jun 24 10:52 ngx_stream_module.so
-r-xr-xr-x   1 root  wheel   982968 Jun 24 10:52 ngx_stream_js_module.so
-r-xr-xr-x   1 root  wheel    88616 Jun 24 10:52 ngx_mail_module.so
-r-xr-xr-x   1 root  wheel    18816 Jun 24 10:52 ngx_http_xslt_filter_module.so
-r-xr-xr-x   1 root  wheel   172080 Jun 24 10:52 ngx_http_vhost_traffic_status_module.so
-r-xr-xr-x   1 root  wheel   567216 Jun 24 10:52 ngx_http_naxsi_module.so
-r-xr-xr-x   1 root  wheel  1001536 Jun 24 10:52 ngx_http_js_module.so
-r-xr-xr-x   1 root  wheel    25440 Jun 24 10:52 ngx_http_headers_more_filter_module.so
-r-xr-xr-x   1 root  wheel     9088 Jun 24 10:52 ngx_http_brotli_static_module.so
-r-xr-xr-x   1 root  wheel    14472 Jun 24 10:52 ngx_http_brotli_filter_module.so
#4
same problem with line 81 after I've commented line 51

root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx


MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|ARGS|URL|$HEADERS_VAR_X:Cookie" "s:$policye5cc303f2c4d419da82d91435bf7b85b:4"

nginx starts, but with a warning

root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
root@fw:~ # /usr/sbin/service nginx status
nginx is running as pid 42341.


#5
hi,
using:
OPNsense 23.1.10_1-amd64 (from hardware appliance)

service nginx is not starting since the last OPNsense update

root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx

Naxsi-Config : MainRule id:1500 is
MainRule id:1500 "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$policycd6d033b9a494994a4f73375c23b214e:8";

please see attachment (screenshot of nginx's conf)

thx &
Best Regards :)
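Naxsi aborts the whole nginx config test with the `Incorrect line` error shown above whenever one MainRule does not parse, so it pays to lint rule lines before reloading. The checker below is an added example, not code from naxsi or OPNsense: its field names, match zones and score actions are taken from naxsi's documentation as I know it (positive rules only, no `negative` keyword), and the sample rules are constructed, the file-upload rule quoted in this post plus two deliberately broken ones.

```python
import re
import shlex

# naxsi MainRule vocabulary (assumption: from naxsi's documentation, not this thread)
MZ_NAMES = {"BODY", "RAW_BODY", "ARGS", "URL", "HEADERS", "FILE_EXT", "NAME"}
MZ_VAR_RE = re.compile(r"^\$(ARGS_VAR|BODY_VAR|HEADERS_VAR|URL)(_X)?:.+$")
SCORE_RE = re.compile(r"^\$[A-Za-z0-9_]+:[0-9]+$")
SCORE_ACTIONS = {"BLOCK", "DROP", "ALLOW", "LOG"}
# Constructed sample: the file-upload rule quoted in the thread, then one rule
# with an unterminated quote and one without the trailing ';'.
SAMPLE_RULES = [
    r'MainRule id:1500 "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$policycd6d033b9a494994a4f73375c23b214e:8";',
    r'MainRule id:1000 "rx:select|union|drop" "msg:sql keywords" "mz:BODY|ARGS|URL|$HEADERS_VAR_X:Cookie" "s:$SQL:4;',
    r'MainRule id:1001 "str:../" "msg:path traversal" "mz:URL" "s:$TRAVERSAL:8"',
]

def parse_mainrule(line):
    """Return the rule's fields as a dict, or raise ValueError saying why naxsi rejects it."""
    if not line.rstrip().endswith(";"):
        raise ValueError("rule does not end with ';'")
    try:  # non-posix mode keeps quotes and backslashes (regexes like \.ph) intact
        tokens = shlex.split(line.rstrip()[:-1], posix=False)
    except ValueError as exc:
        raise ValueError(f"unbalanced quotes ({exc})") from None
    if not tokens or tokens[0] != "MainRule":
        raise ValueError("line is not a MainRule")
    rule = {}
    for tok in tokens[1:]:
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]  # drop the enclosing double quotes
        key, sep, value = tok.partition(":")
        if key in ("rx", "str"):
            key, value = "match", (key, value)
        elif key not in ("id", "msg", "mz", "s"):
            raise ValueError(f"unknown field {key!r}")
        if not sep or key in rule:
            raise ValueError(f"malformed or duplicate token {tok!r}")
        rule[key] = value
    missing = [k for k in ("id", "match", "mz", "s") if k not in rule]
    if missing:
        raise ValueError(f"missing required field(s) {missing}")
    rule["id"] = int(rule["id"])  # non-numeric ids raise ValueError here
    bad_mz = [z for z in rule["mz"].split("|") if z not in MZ_NAMES and not MZ_VAR_RE.match(z)]
    bad_s = [s for s in rule["s"].split("|") if s not in SCORE_ACTIONS and not SCORE_RE.match(s)]
    if bad_mz or bad_s:
        raise ValueError(f"unknown match zone(s) {bad_mz} / score(s) {bad_s}")
    return rule

def rule_error(line):
    """Reason naxsi would reject the line, or None when it parses cleanly."""
    try:
        parse_mainrule(line)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `rule_error` over every MainRule in nginx.conf before `service nginx start` reports the offending line and reason, which is more than naxsi's own `Incorrect line` message gives you.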
#6
I tried with chrome/firefox/edge
in fact, it can be worked around:
just create the desired entry without worrying about the CIDR
save
re-edit the resource and correct the CIDR value
#7
hello,

I have a small problem with OPNsense 23.1.8 + unbound (up to date /services_unbound_acls.php) on a compatible appliance

I have an IPv6 ULA-type config

apparently you can no longer go beyond 32 bits in the IPv6 CIDR field of the whitelist at /services_unbound_acls.php (see screenshot)

any idea? :)
(I know it's very broad, but at Free we have a large subnet capacity on the nexthops)

thank you

kind regards
#8
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Mon Oct 10 08:56:11 CEST 2022
>>> Check installed kernel version
Version 22.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
FreeBSD
OPNsense
>>> Check installed plugins
os-acme-client 3.13
os-bind 1.24
os-c-icap 1.7_2
os-clamav 1.7_1
os-crowdsec 1.0.1
os-dnscrypt-proxy 1.12
os-firewall 1.2
os-ftp-proxy 1.0_3
os-google-cloud-sdk 1.0_1
os-haproxy 3.11
os-intrusion-detection-content-et-open 1.0.1
os-intrusion-detection-content-pt-open 1.0_1
os-intrusion-detection-content-snort-vrt 1.1_1
os-maltrail 1.9
os-mdns-repeater 1.1
os-nginx 1.30
os-nrpe 1.0_2
os-postfix 1.23_2
os-tayga 1.2
os-telegraf 1.12.5
os-wireguard 1.12
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ...............................................
pkg-1.18.4 repository mismatch: FreeBSD
pkg-1.18.4 version mismatch, expected 1.17.5_1
Checking packages: .................. done
***DONE***


however the FreeBSD repo says

Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ...............................................
pkg-1.18.4 repository mismatch: FreeBSD
pkg-1.18.4 version mismatch, expected 1.17.5_1
#9
hi,

audit health launched with no altered pkg, and repository sync seems to be ok


I did not do anything, I "waited" :)

now check update is fine

thx for your response

Best regards
#10
hello,

in version 22.7.5, mirror https://pkg.opnsense.org/FreeBSD:13:amd64/22.7

the update check systematically puts the same 2 updated packages in the process, even after a reboot



***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Sat Oct  8 10:01:17 CEST 2022
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (100 candidates): .......... done
Processing candidates (100 candidates): .......... done
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
libssh2: 1.10.0,3 [FreeBSD]
libunwind: 20211201_1 [FreeBSD]

Number of packages to be installed: 2

The process will require 1 MiB more space.
376 KiB to be downloaded.
[1/2] Fetching libunwind-20211201_1.pkg: .......... done
[2/2] Fetching libssh2-1.10.0,3.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/2] Installing libunwind-20211201_1...
[1/2] Extracting libunwind-20211201_1: .......... done
[2/2] Installing libssh2-1.10.0,3...
[2/2] Extracting libssh2-1.10.0,3: .......... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
libssh2: 1.10.0,3
libunwind: 20211201_1

Number of packages to be removed: 2

The operation will free 1 MiB.
[1/2] Deinstalling libunwind-20211201_1...
[1/2] Deleting files for libunwind-20211201_1: .......... done
[2/2] Deinstalling libssh2-1.10.0,3...
[2/2] Deleting files for libssh2-1.10.0,3: .......... done
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/libunwind-20211201_1~bc7bd23b75.pkg
/var/cache/pkg/libssh2-1.10.0,3~af9e8f1d75.pkg
/var/cache/pkg/libunwind-20211201_1.pkg
/var/cache/pkg/libssh2-1.10.0,3.pkg
The cleanup will free 376 KiB
Deleting files: .... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***


ps: 22.7.5 commit 5d65a72c6

thx for your great job team!
#11
22.7 Legacy Series / CrowdSec and Whitelist ?
August 20, 2022, 01:31:03 PM
hi,

is it possible to add a whitelist under the opnsense gui?

instead of creating a manual list at /usr/local/etc/crowdsec/parsers/s02-enrich/whitelist.yml

as i've read at https://docs.crowdsec.net/docs/whitelist/create/ ?


example of blocked internal address: 192.xxx.xxx.yyy blocked by internal decision

time="20-08-2022 12:25:17" level=debug msg="pf: add ban on 192.xxx.xxx.yyy for 9353 sec (crowdsecurity/ssh-bf)"
time="20-08-2022 12:25:17" level=debug msg="pfctl add: /sbin/pfctl -t crowdsec_blacklists -T add 192.xxx.xxx.yyy"
time="20-08-2022 12:25:17" level=debug msg="pfctl flush state: /sbin/pfctl -k 192.xxx.xxx.yyy"
time="20-08-2022 12:25:17" level=debug msg="Adding '192.xxx.xxx.yyy' for '2h35m53.746882625s'"
root@fw:/var/log/crowdsec # grep 192.xxx.xxx.yyy crowdsec-firewall-bouncer.log



root@fw:~ # pfctl -sr | grep block | grep 192.168
block drop in log on ! igb1 inet from 192.xxx.xxx.0/24 to any
block drop in log on ! igb3 inet from 192.xxx.xxx.0/24 to any
block drop in log on ! igb0 inet from 192.xxx.xxx.0/24 to any
block drop in log quick on igb0 inet from 192.xxx.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"


root@fw:/var/log/crowdsec # cscli decisions list
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
|   ID    |  SOURCE  |  SCOPE:VALUE   |        REASON        | ACTION | COUNTRY | AS | EVENTS |    EXPIRATION     | ALERT ID |
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
| 1088201 | crowdsec | Ip:192.xxx.xxx.yyy | crowdsecurity/ssh-bf | ban    |         | 0  |      6 | 2h0m24.485586953s |      129 |
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
1 duplicated entries skipped
Best Regards
#12
thx a lot "again" :)

done
#13
ok thx for lot of other :)
sorry, I didn't see your other message
#14
thx a lot,

another fix if the service was not enabled
(same syntax fix, line 674)

diff /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php.DEFO

674c674
<             <p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %s official HAProxy documentation%s . Be sure to report bugs and request features on our %sGitHub issue page%s . Code contributions are also very welcome!'), '<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') ?></p>
---
>             <p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!'), '<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') ?></p>
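Review bot: the `<` side (the live cache file) and the `>` side (the `.DEFO` copy) differ only in whitespace around two `%s` placeholders in the first argument of `$lang->_()` (`%s official HAProxy documentation%s .` versus `%sofficial HAProxy documentation%s.`), and that argument is the gettext lookup key; the edit therefore works by making the French translation (the `'Plus d'inf...'` string in the #15 stack trace) no longer match, so the English text is formatted instead. The string that trips `sprintf` with "Missing format specifier at end of string" is the translated one, not this template, so the durable fix is in the translation catalogue; `/usr/local/opnsense/mvc/app/cache/..._index.volt.php` is a compiled-template cache and a plugin update can regenerate it, which is worth noting in the GitHub issue the same line links to.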
#15
same problem with the translated field:

Services => HAProxy => Parameters



[04-Aug-2022 17:25:14 Europe/Paris] ValueError: Missing format specifier at end of string in /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php:674
Stack trace:
#0 /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php(674): sprintf('Plus d'inf...', '', '', '')



<p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial

changed to

<p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %s official