23.1 Legacy Series / Re: nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 since 23.1.10_1
« on: June 28, 2023, 09:36:21 am »
Great! Thanks a lot OPNsense & Naxsi
root@fw:~ # opnsense-revert -z nginx
Fetching nginx.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20221213... done
nginx-1.24.0_6,3: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
nginx: 1.24.0_8,3
Number of packages to be installed: 1
The process will require 4 MiB more space.
[1/1] Installing nginx-1.24.0_8,3...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
Extracting nginx-1.24.0_8,3: 100%
=====
Message from nginx-1.24.0_8,3:
--
Recent version of the NGINX introduces dynamic modules support. In
FreeBSD ports tree this feature was enabled by default with the DSO
knob. Several vendor's and third-party modules have been converted
to dynamic modules. Unset the DSO knob builds an NGINX without
dynamic modules support.
To load a module at runtime, include the new `load_module'
directive in the main context, specifying the path to the shared
object file for the module, enclosed in quotation marks. When you
reload the configuration or restart NGINX, the module is loaded in.
It is possible to specify a path relative to the source directory,
or a full path, please see
https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/ and
http://nginx.org/en/docs/ngx_core_module.html#load_module for
details.
Default path for the NGINX dynamic modules is
/usr/local/libexec/nginx.
root@fw:~ # service nginx stop
Stopping nginx.
Waiting for PIDS: 63871.
root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
root@fw:~ # service nginx status
nginx is running as pid 66182
2023/06/24 12:50:00 [warn] 79720#100103: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
2023/06/24 12:50:00 [notice] 79720#100103: signal process started
root@fw:/var/log/nginx # tail -100 error.log
root@fw:/usr/local/etc/nginx # find . -type f -name "*.conf" -exec grep hash {} /dev/null \;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
./nginx.conf: hash $remote_addr consistent;
root@fw:/usr/local/etc/nginx # nginx -V
nginx version: nginx/1.24.0
built with OpenSSL 1.1.1u 30 May 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-9aec15e --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-33b646d --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.4/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.7.12/nginx --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --with-ld-opt='-L /usr/local/lib'
root@fw:/usr/local/etc/nginx # cd /usr/local/libexec/nginx
root@fw:/usr/local/libexec/nginx # ls -latr
total 3136
drwxr-xr-x 10 root wheel 512 Jun 23 06:23 ..
-r-xr-xr-x 1 root wheel 171336 Jun 24 10:52 ngx_stream_module.so
-r-xr-xr-x 1 root wheel 982968 Jun 24 10:52 ngx_stream_js_module.so
-r-xr-xr-x 1 root wheel 88616 Jun 24 10:52 ngx_mail_module.so
-r-xr-xr-x 1 root wheel 18816 Jun 24 10:52 ngx_http_xslt_filter_module.so
-r-xr-xr-x 1 root wheel 172080 Jun 24 10:52 ngx_http_vhost_traffic_status_module.so
-r-xr-xr-x 1 root wheel 567216 Jun 24 10:52 ngx_http_naxsi_module.so
-r-xr-xr-x 1 root wheel 1001536 Jun 24 10:52 ngx_http_js_module.so
-r-xr-xr-x 1 root wheel 25440 Jun 24 10:52 ngx_http_headers_more_filter_module.so
-r-xr-xr-x 1 root wheel 9088 Jun 24 10:52 ngx_http_brotli_static_module.so
-r-xr-xr-x 1 root wheel 14472 Jun 24 10:52 ngx_http_brotli_filter_module.so
root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx
MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|ARGS|URL|$HEADERS_VAR_X:Cookie" "s:$policye5cc303f2c4d419da82d91435bf7b85b:4"
root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
root@fw:~ # /usr/sbin/service nginx status
nginx is running as pid 42341.
root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx
MainRule id:1500 "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$policycd6d033b9a494994a4f73375c23b214e:8";
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Mon Oct 10 08:56:11 CEST 2022
>>> Check installed kernel version
Version 22.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
FreeBSD
OPNsense
>>> Check installed plugins
os-acme-client 3.13
os-bind 1.24
os-c-icap 1.7_2
os-clamav 1.7_1
os-crowdsec 1.0.1
os-dnscrypt-proxy 1.12
os-firewall 1.2
os-ftp-proxy 1.0_3
os-google-cloud-sdk 1.0_1
os-haproxy 3.11
os-intrusion-detection-content-et-open 1.0.1
os-intrusion-detection-content-pt-open 1.0_1
os-intrusion-detection-content-snort-vrt 1.1_1
os-maltrail 1.9
os-mdns-repeater 1.1
os-nginx 1.30
os-nrpe 1.0_2
os-postfix 1.23_2
os-tayga 1.2
os-telegraf 1.12.5
os-wireguard 1.12
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ...............................................
pkg-1.18.4 repository mismatch: FreeBSD
pkg-1.18.4 version mismatch, expected 1.17.5_1
Checking packages: .................. done
***DONE***
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Sat Oct 8 10:01:17 CEST 2022
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (100 candidates): .......... done
Processing candidates (100 candidates): .......... done
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
libssh2: 1.10.0,3 [FreeBSD]
libunwind: 20211201_1 [FreeBSD]
Number of packages to be installed: 2
The process will require 1 MiB more space.
376 KiB to be downloaded.
[1/2] Fetching libunwind-20211201_1.pkg: .......... done
[2/2] Fetching libssh2-1.10.0,3.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/2] Installing libunwind-20211201_1...
[1/2] Extracting libunwind-20211201_1: .......... done
[2/2] Installing libssh2-1.10.0,3...
[2/2] Extracting libssh2-1.10.0,3: .......... done
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:
Installed packages to be REMOVED:
libssh2: 1.10.0,3
libunwind: 20211201_1
Number of packages to be removed: 2
The operation will free 1 MiB.
[1/2] Deinstalling libunwind-20211201_1...
[1/2] Deleting files for libunwind-20211201_1: .......... done
[2/2] Deinstalling libssh2-1.10.0,3...
[2/2] Deleting files for libssh2-1.10.0,3: .......... done
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/libunwind-20211201_1~bc7bd23b75.pkg
/var/cache/pkg/libssh2-1.10.0,3~af9e8f1d75.pkg
/var/cache/pkg/libunwind-20211201_1.pkg
/var/cache/pkg/libssh2-1.10.0,3.pkg
The cleanup will free 376 KiB
Deleting files: .... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
time="20-08-2022 12:25:17" level=debug msg="pf: add ban on 192.xxx.xxx.yyy for 9353 sec (crowdsecurity/ssh-bf)"
Best Regards
time="20-08-2022 12:25:17" level=debug msg="pfctl add: /sbin/pfctl -t crowdsec_blacklists -T add 192.xxx.xxx.yyy"
time="20-08-2022 12:25:17" level=debug msg="pfctl flush state: /sbin/pfctl -k 192.xxx.xxx.yyy"
time="20-08-2022 12:25:17" level=debug msg="Adding '192.xxx.xxx.yyy' for '2h35m53.746882625s'"
root@fw:/var/log/crowdsec # grep 192.xxx.xxx.yyy crowdsec-firewall-bouncer.log
root@fw:~ # pfctl -sr | grep block | grep 192.168
block drop in log on ! igb1 inet from 192.xxx.xxx.0/24 to any
block drop in log on ! igb3 inet from 192.xxx.xxx.0/24 to any
block drop in log on ! igb0 inet from 192.xxx.xxx.0/24 to any
block drop in log quick on igb0 inet from 192.xxx.0.0/16 to any label "1eb94a38e58994641aff378c21d5984f"
root@fw:/var/log/crowdsec # cscli decisions list
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
| ID | SOURCE | SCOPE:VALUE | REASON | ACTION | COUNTRY | AS | EVENTS | EXPIRATION | ALERT ID |
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
| 1088201 | crowdsec | Ip:192.xxx.xxx.yyy | crowdsecurity/ssh-bf | ban | | 0 | 6 | 2h0m24.485586953s | 129 |
+---------+----------+----------------+----------------------+--------+---------+----+--------+-------------------+----------+
1 duplicated entries skipped
674c674
< <p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %s official HAProxy documentation%s . Be sure to report bugs and request features on our %sGitHub issue page%s . Code contributions are also very welcome!'), '<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') ?></p>
---
> <p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!'), '<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') ?></p>
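Review bot: the hunk changes the msgid passed to $lang->_() (the spaces in "%s official" and "%s ." are dropped), so every translation catalog entry keyed on the old English string stops matching and that text silently falls back to English; the .po/.mo entries need to be rekeyed to the new string in the same change. Since the reported ValueError ("Missing format specifier at end of string") comes from the translated string handed to sprintf(), it is also worth verifying that each translation of this line keeps the same six %s placeholders in the same order, or the fallback will only mask the broken catalog entry rather than fix it.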
[04-Aug-2022 17:25:14 Europe/Paris] ValueError: Missing format specifier at end of string in /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php:674 Stack trace: #0 /usr/local/opnsense/mvc/app/cache/_usr_local_opnsense_mvc_app_views_opnsense_haproxy_index.volt.php(674): sprintf('Plus d'inf...', '', '', '')
<p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial
<p><?= sprintf($lang->_('Further information is available in our %sHAProxy plugin documentation%s and of course in the %s official