1
23.1 Legacy Series / Re: Web UI not responding
« on: June 30, 2023, 03:10:12 am »
This recovered eventually and I upgraded it to current.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
23.1 Legacy Series / Web UI not responding
« on: June 29, 2023, 06:02:39 pm »
I am one minor version back on the stable series. I was trying to temporarily turn on SSH internally so I could debug some issues. It was already on but it would not accept my password.
The settings looked fine but all authentication over SSH was failing to accept the password, even after I reset the password. I noticed on the page where you configure SSH the authentication database was set to nothing which didn't sound right. I set that to the local database and saved and the website stopped responding. I've been able to do various things such as restart services from the console but the main website is not recovering. Running rc.restart_webgui works fine without error. It is acting as if it isn't listening on 443 but I didn't change any of that. Doing a simple openssl -connect to the firewall host name is giving a timeout. Can anyone know how I can recover? My config backup is a bit old and I've trying to avoid restoring back to that from the command line.
The settings looked fine but all authentication over SSH was failing to accept the password, even after I reset the password. I noticed on the page where you configure SSH the authentication database was set to nothing which didn't sound right. I set that to the local database and saved and the website stopped responding. I've been able to do various things such as restart services from the console but the main website is not recovering. Running rc.restart_webgui works fine without error. It is acting as if it isn't listening on 443 but I didn't change any of that. Doing a simple openssl -connect to the firewall host name is giving a timeout. Can anyone know how I can recover? My config backup is a bit old and I've trying to avoid restoring back to that from the command line.
3
Intrusion Detection and Prevention / Re: can't get ANY alerts under Intrusion Detection
« on: January 04, 2023, 08:30:32 pm »
Not sure about Zenarmor. I've made progress to the point where I got a test "alert" to log and alert with OPNSense. This quick start URL was helpful: https://suricata.readthedocs.io/en/suricata-6.0.9/quickstart.html#alerting
Most of it doesn't apply because things are already installed but the alerting test and log checks are helpful.
In particular under 2.5 alerting I was able to get the test alert to log and alert for both LAN and WAN.
I watched the logs using the 2.6 method.
I had done the following:
1. Under Services: Intrusion Detection: Administration I clicked Download and selected and enabled the various rules I wanted. In particular for the test alert the "ET open/emerging-attack_response" rule set is needed.
2. Under Services: Intrusion Detection: Policy I created and enabled a rule which set all the downloaded rules to Alert mode initially.
3. I setup a daily "Download and update intrusion detection rules" automatic cron job using System: Settings: Cron.
4. I did a "pkg install jq" from a root shell in order to read an alert as per section 2.6 of that quick start guide.
5. Under settings I checked the following: Enabled, Promiscuous mode, Enable syslog alerts, Enable eve syslog output. I also set pattern matcher to Hyperscan and under Interfaces entered both my LAN and WAN interfaces.
Eventually I enabled IPS mode after the hardware offloading was confirmed off and switched over to Drop from Alert what I created in point 2 above.
Most of it doesn't apply because things are already installed but the alerting test and log checks are helpful.
In particular under 2.5 alerting I was able to get the test alert to log and alert for both LAN and WAN.
I watched the logs using the 2.6 method.
I had done the following:
1. Under Services: Intrusion Detection: Administration I clicked Download and selected and enabled the various rules I wanted. In particular for the test alert the "ET open/emerging-attack_response" rule set is needed.
2. Under Services: Intrusion Detection: Policy I created and enabled a rule which set all the downloaded rules to Alert mode initially.
3. I setup a daily "Download and update intrusion detection rules" automatic cron job using System: Settings: Cron.
4. I did a "pkg install jq" from a root shell in order to read an alert as per section 2.6 of that quick start guide.
5. Under settings I checked the following: Enabled, Promiscuous mode, Enable syslog alerts, Enable eve syslog output. I also set pattern matcher to Hyperscan and under Interfaces entered both my LAN and WAN interfaces.
Eventually I enabled IPS mode after the hardware offloading was confirmed off and switched over to Drop from Alert what I created in point 2 above.
4
Intrusion Detection and Prevention / Re: can't get ANY alerts under Intrusion Detection
« on: January 04, 2023, 07:22:45 pm »
I'm in a similar boat and I don't get it either. Suricata is running. The webui restart option doesn't appear to do a restart i.e. the PID on the firewall does not change but start and stop do work from web UI. I'm on the latest release as of 2022-01-04 but no alerts are getting generated or logged from anything.
With similar rules under pfsense I had a lot of hits. It is acting as if the rules claiming to be enabled are not actually enabled. That currently doesn't make much sense to me.
With similar rules under pfsense I had a lot of hits. It is acting as if the rules claiming to be enabled are not actually enabled. That currently doesn't make much sense to me.
5
22.7 Legacy Series / Re: Vulnerabilities from the WAN ?
« on: January 04, 2023, 06:00:26 pm »What has been said so far in the thread rung true to me.
- What is OpenSSL used for within OPNSense ?
- Does updating OPNSense also updates OpenSSL libraries ?
- does having outdated OpenSSL version would pose any security risks from the WAN side ?
OPNSense 22.7.10_2 has: OpenSSL 1.1.1s 1 Nov 2022. It does update libraries too. This is a supported release.
It can in theory but I don't see a current threat your mileage may vary. OPNSense seems to do a much better job at staying current than a lot of other products. The latest Openssl 3 can cause other compatibility issues.
6
22.7 Legacy Series / Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert
« on: January 04, 2023, 05:31:12 pm »
I am running the latest production release as of 2022-01-04 i.e. 22.7.10_2.
I am trying to understand what OPNSense is doing with syncookies. They seem to appear both as a tunable under System -> Settings -> Tunables:
"net.inet.tcp.syncookies Generate SYN cookies for outbound SYN-ACK packets " (which is 1 or on by default)
and under Firewall -> Settings -> Advanced
the Anti DDOS enable syncookies (which is never by default).
Can someone explain what the 2nd option is doing and how is it related to the 1st tunable? I do want Anti DDOS. The help is sparse and when I turn it on I get some very strange specific issues. To be clear other web traffic and VPNs work fine from the LAN out to the Internet ex. AnyConnect etc.
It is not clear to me how to use the adaptive option. When that 2nd option is set to always that is when the weird timeout problems appear but only for two very specific instances:
1. Palo Alto Global Protect VPN connections from LAN to Internet cannot connect. HTTPS connections from LAN to Palo Alto firewall get 6KB of a login 12KB page and timeout. The same connection works using curl directly on the OPNSense firewall.
2. Parts of the Dilbert web comic cannot complete loading.
Can anyone shed some light on this?
I am trying to understand what OPNSense is doing with syncookies. They seem to appear both as a tunable under System -> Settings -> Tunables:
"net.inet.tcp.syncookies Generate SYN cookies for outbound SYN-ACK packets " (which is 1 or on by default)
and under Firewall -> Settings -> Advanced
the Anti DDOS enable syncookies (which is never by default).
Can someone explain what the 2nd option is doing and how is it related to the 1st tunable? I do want Anti DDOS. The help is sparse and when I turn it on I get some very strange specific issues. To be clear other web traffic and VPNs work fine from the LAN out to the Internet ex. AnyConnect etc.
It is not clear to me how to use the adaptive option. When that 2nd option is set to always that is when the weird timeout problems appear but only for two very specific instances:
1. Palo Alto Global Protect VPN connections from LAN to Internet cannot connect. HTTPS connections from LAN to Palo Alto firewall get 6KB of a login 12KB page and timeout. The same connection works using curl directly on the OPNSense firewall.
2. Parts of the Dilbert web comic cannot complete loading.
Can anyone shed some light on this?
7
22.7 Legacy Series / Re: Failing DNS services
« on: January 04, 2023, 04:54:56 pm »
Logically I would not expect two different DNS servers to work at that same time on that same server/firewall but I haven't tried it on OPNSense. I would expect DNSCrypt and one DNS server to work.
Unbound was crashing on its own for me so I had to turn that off and use other DNS servers.
Clearly it would be nice if this got fixed but I have no delusions of having all services on my firewall.
Having two other DNS servers (or one if that works for you) your firewall uses works just fine for now.
It does not block OPNSense use.
Unbound was crashing on its own for me so I had to turn that off and use other DNS servers.
Clearly it would be nice if this got fixed but I have no delusions of having all services on my firewall.
Having two other DNS servers (or one if that works for you) your firewall uses works just fine for now.
It does not block OPNSense use.
Pages: [1]