1
15.7 Legacy Series / Re: IPv6 LAN NET
« on: October 05, 2015, 03:17:52 pm »
I changed the firewall from LAN NET to any and it allowed traffic to flow. Does this create an exposure?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
15.7 Legacy Series / IPv6 LAN NET
« on: October 02, 2015, 06:57:22 pm »
How is a LAN NET defined for an IPv6 network when the network is DHCPv6?
I am seeing blocks in my firewall for traffic originating on the LAN side to do things like DNS lookups or HTTPS traffic.
OPNsense 15.7.15-amd64
FreeBSD 10.1-RELEASE-p19
LibreSSL 2.2.3
I am seeing blocks in my firewall for traffic originating on the LAN side to do things like DNS lookups or HTTPS traffic.
Quote
The rule that triggered this action is:
@5 block drop in log inet6 all label "Default deny rule IPv6"
OPNsense 15.7.15-amd64
FreeBSD 10.1-RELEASE-p19
LibreSSL 2.2.3
3
15.7 Legacy Series / Re: Problem accessing modem on WAN
« on: August 26, 2015, 02:40:11 am »
In the wan interface tab at the bottom; make sure you are not blocking private networks.
4
15.7 Legacy Series / [SOLVED] Firewall Filter Rule
« on: August 12, 2015, 08:39:22 pm »
How do you filter the firewall logs so that I can look at my IPv6 blocks only?
5
15.7 Legacy Series / Re: [WORKAROUND] Unable to add user with shell access
« on: July 10, 2015, 09:37:36 pm »
The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.
There isn't a /etc/sudoers file (is that what's needed on BSD?) I did add my user to wheel manually and it didn't have any effect.
There isn't a /etc/sudoers file (is that what's needed on BSD?) I did add my user to wheel manually and it didn't have any effect.
6
15.7 Legacy Series / Re: Help with Dynamic DNS
« on: July 10, 2015, 02:31:59 pm »
That's awesome. It might be an interesting feature enhancement to make one of the monitoring interfaces a pseudo one which pings against an external server to derive its value. This way it can be managed in the GUI.
7
15.7 Legacy Series / Re: [WORKAROUND] Unable to add user with shell access
« on: July 10, 2015, 02:27:55 pm »
I can confirm the workaround works, but there is still an issue with proper group membership.
/etc/inc/auth.inc contains:
However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.
/etc/inc/auth.inc contains:
Code: [Select]
/* admins access gives wheely rights */
if (userHasPrivilege($user, 'page-all')) {
$user_group = 'wheel';
}However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.
8
15.7 Legacy Series / Re: [WORKAROUND] Unable to add user with shell access
« on: July 09, 2015, 03:07:08 am »
Thanks, I will try this out.
9
15.7 Legacy Series / [SOLVED] Unable to add user with shell access
« on: July 08, 2015, 03:24:35 pm »
I have added a user, ssh key, admin privileges, and shell access via the web gui. The user is not being allowed to login with the following error:
I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.
Is there something else needed?
--bcj
Quote
NO LOGINS: System going down at 10:32
pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin
Connection closed by
I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.
Is there something else needed?
--bcj
10
15.7 Legacy Series / Re: Help with Dynamic DNS
« on: July 08, 2015, 02:03:18 pm »
You can run a dynamic IP address update utility from any PC behind the ISP router. This could be your OpnSense firewall or a Windows PC, etc.
In order to run an updater on the OpnSense firewall which is independent of the functions built in, you would want to run it from a script of some sort. I don't use no-ip, so I can't speak to whether or not this script would work. It was found using Google. For reference: http://techgeekjay.blogspot.com/2013/03/no-ip-automatic-update-bash-script-for.html
A few pieces have been changed such as using sh for the interpreter instead of bash and log locations.
Save this to the firewall, adjust the values as needed at the top and set it up in a cron job.
--bcj
In order to run an updater on the OpnSense firewall which is independent of the functions built in, you would want to run it from a script of some sort. I don't use no-ip, so I can't speak to whether or not this script would work. It was found using Google. For reference: http://techgeekjay.blogspot.com/2013/03/no-ip-automatic-update-bash-script-for.html
A few pieces have been changed such as using sh for the interpreter instead of bash and log locations.
Code: [Select]
#!/bin/sh
# No-IP uses emails as passwords, so make sure that you encode the @ as %40
USERNAME=--account name--
PASSWORD=--my password--
HOST=--my host name--
LOGFILE=/var/log/noip.log
STOREDIPFILE=/var/run/current_ip
USERAGENT="Simple Bash No-IP Updater/0.4 antoniocs@gmail.com"
if [ ! -e $STOREDIPFILE ]; then
touch $STOREDIPFILE
fi
NEWIP=$(curl http://icanhazip.com/)
STOREDIP=$(cat $STOREDIPFILE)
if [ "$NEWIP" != "$STOREDIP" ]; then
RESULT=$(curl -o "$LOGFILE" -s --user-agent "$USERAGENT" "https://$USERNAME:$PASSWORD@dynupdate.no-ip.com/nic/update?hostname=$HOST&myip=$NEWIP")
LOGLINE="[$(date +"%Y-%m-%d %H:%M:%S")] $RESULT"
echo $NEWIP > $STOREDIPFILE
else
LOGLINE="[$(date +"%Y-%m-%d %H:%M:%S")] No IP change"
fi
echo $LOGLINE >> $LOGFILE
exit 0Save this to the firewall, adjust the values as needed at the top and set it up in a cron job.
--bcj
11
15.7 Legacy Series / Re: Help with Dynamic DNS
« on: July 07, 2015, 03:28:48 am »
You could write a script to do it and run the script from any computer behind the modem/router.
Code: [Select]
#!/bin/sh
PUBLIC_IP=$(curl -s http://ipecho.net/plain; echo)
echo $PUBLIC_IP12
Development and Code Review / Re: [SUGGESTION] diag_ndp.php
« on: June 30, 2015, 04:10:47 pm »
If my provider provided any host name it would be in their naming convention and not mine; therefore useless to me. The IPv6 DHCP services are not handled locally. Instead, they are handled by my provider. IPv4 host names are provided locally by the inside DHCP services. These names are meaningful to me.
I do have the track interface's IPv6 address set up as a DNS provider and I am running the Unbound DNS server. This is currently managed manually and I have a request for consideration thread opened to make it automated. https://forum.opnsense.org/index.php?topic=795.0
I do have the track interface's IPv6 address set up as a DNS provider and I am running the Unbound DNS server. This is currently managed manually and I have a request for consideration thread opened to make it automated. https://forum.opnsense.org/index.php?topic=795.0
13
Development and Code Review / Re: [SUGGESTION] diag_ndp.php
« on: June 30, 2015, 02:11:06 pm »
Hi Franco,
How would the hosts file learn of the IP addresses and how would it update when the provider makes a change? I don't see how that is possible.
--bcj
How would the hosts file learn of the IP addresses and how would it update when the provider makes a change? I don't see how that is possible.
--bcj
14
15.1 Legacy Series / [REQUEST]
« on: June 27, 2015, 02:38:46 pm »
IPv6 addresses are assigned by my Internet provider and I would like to use my LAN's track address as the DNS server for my dual stack hosts.
Would you consider adding a checkbox on the services_dhcp.php page to add the LAN IPv6 address to the DNS list of the IPv4 DHCP requests? This should also stop the propagation of the routers IPv6 DNS servers to the inside hosts.
Right now I am putting the address into my global lists manually, but I would rather the inside clients not have the ability to query outside servers.
Thanks for any considerations!
Would you consider adding a checkbox on the services_dhcp.php page to add the LAN IPv6 address to the DNS list of the IPv4 DHCP requests? This should also stop the propagation of the routers IPv6 DNS servers to the inside hosts.
Right now I am putting the address into my global lists manually, but I would rather the inside clients not have the ability to query outside servers.
Thanks for any considerations!
15
Development and Code Review / Re: [SUGGESTION] diag_ndp.php
« on: June 19, 2015, 06:41:27 pm »
Feel free to do whatever you'd like, I appreciate the willingness to incorporate the feedback! The arp -a command doesn't take anything on my side to execute for what it is worth but I don't know if that's always the case for others.
Enjoy your weekend as well.
Enjoy your weekend as well.
Pages: [1] 2