Messages

1

24.7 Production Series / Extended Discussion: The Role of Packet Filter and IPFW in Firewall Filtering

« on: August 27, 2024, 12:21:03 pm »

I would like to continue the discussion I had in this forum thread.

In that discussion, I learned that Packet Filter cannot filter Layer 2 packets, so I conducted further testing. I found that if the ARP table lacks corresponding IP and MAC entries, the firewall will block those packets. However, if the ARP table already has these records, the firewall filters the packets according to the rules.

It was also mentioned that using IPFW for Layer 2 filtering is easier to achieve, which I also tested. I modified /boot/loader.conf to ensure that Packet Filter loads after IPFW (although I initially intended to disable Packet Filter, it still started for some reason). In practice, filtering using IPFW was successful.

However, I’m curious why not use IPFW directly for all firewall rule filtering? Is there any information that explains why PF is considered more suitable for this task than IPFW?

These questions come from my limited experience, so if there are any mistakes, I welcome corrections. Thank you!

2

24.7 Production Series / Re: Testing MITM Attack and Firewall Blocking: Discussion

« on: August 19, 2024, 12:02:09 pm »

Today, I tried adding two rules to ipfw.rules.

I found that I couldn’t directly add them under /usr/local/etc/ipfw.rules because they get overwritten when the system restarts.

However, I later discovered that if I add them under /usr/local/opnsense/service/templates/OPNsense/IPFW/ipfw.conf, they will be included in /usr/local/etc/ipfw.rules, and they won't be overwritten upon reboot. But when I tested the blocking rules, they didn’t seem to work very well. I’m not sure if it’s due to the order of operations between pf and ipfw, but I did disable pf from the Firewall: Settings: Advanced section. I’m not sure if this completely disables it.

3

24.7 Production Series / Re: Testing MITM Attack and Firewall Blocking: Discussion

« on: August 19, 2024, 08:58:07 am »

OK, thank you very much. I am trying to test using the captive portal. So, does the captive portal feature use IPFW for filtering?

4

24.7 Production Series / Testing MITM Attack and Firewall Blocking: Discussion

« on: August 19, 2024, 08:15:52 am »

Hi everyone, as mentioned in the title, I have been testing whether OPNsense can block MITM attacks. Below are the environment and settings I used during the test. If there are any mistakes, please feel free to correct me.

Target_1 PC (setting):

    IP: 192.168.1.111
    MAC: 00:0c:29:19:98:4a

Set static ARP for Target_2:

Code: [Select]

C:\Windows\system32>arp -a
Interface: 192.168.1.111 --- 0x3
  Internet Address       Physical Address       Type
  192.168.1.12           a0-02-4a-51-1c-0c      Static
Target_2 Device (setting):

    IP: 192.168.1.12
    MAC: a0:02:4a:51:1c:0c

Note: Target_2 cannot set a static ARP for Target_1, so a filter is needed to block traffic.

Firewall (settings):

Interfaces:

    igb1 (linked to Target_1) 00:07:32:a2:76:6d
    igb2 (linked to Target_2) 00:07:32:9c:ca

Interfaces: Other Types: Bridge

    bridge0: target_1, target_2 - bridge Off

Interfaces: Neighbors

    Manual: 00:0C:29:19:98:4A 192.168.1.111 target_1
    Manual: A0:02:4A:51:1C:0C 192.168.1.12 target_2

Firewall: Aliases

    target_1: MAC address - target_1_mac 00:0c:29:19:98:4a 1 2024-08-19 02:18:22
    target_2: MAC address - target_2_mac a0:02:4a:51:1c:0c 1 2024-08-19 02:20:00

Firewall: Rules: Floating

    PASS_Rule: IPv4 * target_1_mac * target_2_mac * * * 1 target1_target2_PASS
    BLOCK_Rule: IPv4 * * * target_2_mac * * * 1 target2_BLOCK

The idea behind these settings is that the first rule allows target_1 and target_2 to communicate normally. The second rule blocks all other traffic to target_2.


These are my settings, and then I used a testing tool (Ettercap) to test the setup.

When I tried an ARP poisoning attack, I could see in the firewall logs that the attacker's computer was using the IP of target_1 to ICMP target_2.

Code: [Select]

bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
When I performed a MITM attack using Ettercap, I could see the connection between Target_1 and Target_2, and I was able to manipulate the connection to cause them to disconnect.

Does this mean my filter only checks up to layer 3 and does not filter at layer 2?

I would appreciate any advice from those with experience in this area.

5

Chinese - 中文 / Re: 設定詢問：同一網段下的內網設備互相無法訪問

« on: July 17, 2024, 09:08:11 am »

B C 主機規則有開嗎？如果懷疑是規則擋掉，建議到 Firewall: Settings: Advanced 把 Disable Firewall 打勾。這樣就知道是不是規則擋掉的。在考慮怎麼配置規則

6

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 10, 2024, 08:12:40 am »

Understood, but I encountered an issue when running make plugins. The error message is as follows:

Code: [Select]

make[1]: "/usr/obj/usr/tools/config/24.1/amd64/usr/plugins/Mk/plugins.mk" line 75: Plugin variant 'zabbix7' does not exist
*** Error code 1
Does this error mean that I do not have the 'zabbix7' plugin?

When running make plugins, should it be executed under /usr/local, or should each plugin be copied to /usr/plugins/devel/ before execution? The issue mentioned above occurred because I ran make plugins under /usr/local.

7

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 10, 2024, 04:31:51 am »

Hi,
These past few days, I tried using make ports and successfully generated packages-24.1.9_72-amd64.tar. However, I noticed something: does make ports require an internet connection? Can anyone explain the reason for this? Isn’t it supposed to package the system's own ports and those packages? Why does it need an internet connection? Is it to fetch updates?

8

General Discussion / Question about Checking RSTP Status

« on: July 10, 2024, 04:27:39 am »

Hello, Community,

I have a question about checking the status of RSTP. Currently, I found that I can check it through the CLI using the ifconfig bridge0 command. I would like to know if there are other ways to check the status. Is there an interface on the web that can be used to check the status as well?

I hope those who are knowledgeable in this area can provide me with some suggestions and references. Thank you.

9

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 08, 2024, 04:36:41 am »

Hi,

Last week, I attempted to follow the step "How to run individual or composite build steps." The initial steps for base and kernel went smoothly. However, when I reached the make ports step, it took a considerable amount of time. Is this normal?

10

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 05, 2024, 10:04:40 am »

I want to understand how make works. It seems different from FreeBSD's port or pkg, so I want to try and see how it works.

11

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 05, 2024, 09:22:39 am »

OK, I think I should directly operate on OPNsense.

However, I don't quite understand the initial TL;DR in the documentation. When I run make dvd in /usr/tools, I encounter a lot of errors. If I need to specify the build, where should I set those parameters?

Sorry, I'm not very clear on the documentation...

12

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 05, 2024, 08:16:29 am »

Code: [Select]

Installed pkg version '1.21' does not match required version '1.19'
*** Error code 1

Stop.
make: stopped in /usr/tools
root@freebsd:/usr/tools # pkg -v
1.21.3
root@freebsd:/usr/tools # uname -r
13.2-RELEASE

This is the issue I encountered on the FreeBSD system, the incompatibility of the pkg version.

So if I run make dvd on the OPNsense system, should it be executed in the /usr/tools directory? Or, like with the plugins, should it be done under /usr/plugins/devel/?

I just tried to run make package in /usr/plugins/devel/helloworld. Initially, I saw a folder and two files (src/, Makefile, pkg-descr). After execution, an additional folder work/ appeared, and I noticed that there is always a src/ folder. If I want to create other plugins, should I also copy the plugin's files into the src/ directory?

13

General Discussion / Re: How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 05, 2024, 07:47:55 am »

So, is my understanding of this document incorrect?
https://github.com/opnsense/tools

Because I thought I needed to set up a FreeBSD system and then install OPNsense tools according to the document.

According to your explanation, if I want to package a plugin, I just need to go to the plugin directory on the OPNsense system and run make package?

But if I want to package my own system, I follow the document and run make dvd in /usr/tools. The location will be in make print-IMAGESDIR. Is this correct?

14

General Discussion / How to Create a Helloworld Plugin and Use OPNsense Tools

« on: July 05, 2024, 05:28:57 am »

Hi, Community

I am having some difficulties understanding the steps for version updates and creating plugins, specifically how to create the Helloworld plugin. Additionally, I am not quite sure how the make command in OPNsense tools works. I have read the README and tried to follow the instructions, but I always encounter errors. Therefore, I would like to ask if anyone can kindly provide some advice.

Currently, I am unable to resolve this issue:

Code: [Select]

Installed pkg version '1.21' does not match required version '1.19'
*** Error code 1

Stop.
make: stopped in /usr/tools
root@freebsd:/usr/tools # pkg -v
1.21.3
root@freebsd:/usr/tools # uname -r
13.2-RELEASE
I have tried to downgrade pkg to version 1.19, but it seems unsuccessful.

15

General Discussion / Re: Issues with Sending Logs to Elastic Using Filebeat on OPNsense

« on: June 19, 2024, 09:39:58 am »

Update: I removed beats8. After installing beats7, everything works fine.