Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,61522,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,12885,0,S,239732202,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,62024,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,13388,0,S,4074003440,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 45,,,02f4bab031b57d1e30553ce08e0ec131,igc3,match,block,in,4,0x0,,246,24880,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,53637,0,S,3214463445,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,
2024-10-18T09:35:34-04:00 Informational filterlog 160,,,c7bf96d1eacbc9d4ffa9cc1308d3dc16,igc3,match,block,in,4,0x0,,246,64047,0,none,6,tcp,40,104.3.x.x,146.104.x.x,52801,50387,0,S,4103569185,,1024,,This is from the WebUI, also getting duplicate messages sent to syslog server where I initially noticed the log volume double. So far it appears to only be duplicating log entries for blocked traffic.root@testrange:/tmp # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
# [i] fetch CRL from http://x1.c.lencr.org/
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
...
I see this additional CRL added to libfetch_crl.24101714:Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Last Update: Feb 5 00:00:00 2024 GMT
Next Update: Jan 4 23:59:59 2025 GMT
CRL extensions:
X509v3 Authority Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
X509v3 CRL Number:
104
No Revoked Certificates.Check for updates is now only showing one No CRL:***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 14:15:45 EDT 2024
Fetching subscription information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
done
Fetching changelog information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /CN=opnsense-update.deciso.com
done
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***root@testrange:~ # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com (HTTPSConnectionPool(host='opnsense-update.deciso.com', port=443): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x2cedeac42d10>, 'Connection to opnsense-update.deciso.com timed out. (connect timeout=0.1)')))
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
...
root@testrange:/tmp # cat libfetch_crl.24101713
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
Fw0yNDAxMTUxNDAwNDlaFw0yNTAxMTYxMzU5NDlaMDEwLwIQaOXtSmaheM68bssu
...
sptVq1l7Np3JGm7LV6UkiPfEHWbtz3BXrGWe8TYJacs1ekmk06yHivnEFZHUVNAf
CzjrFOBpb2V0giVc4FT1pFyyAsHYJ8CEACufMddpJcnmqsm+u5v5s5ECvwcIVcrV
iyfpHYL9lVi4VI7b2k++Adl0fJXojykktFeycNFYCYP/fw==
-----END X509 CRL-----
# [i] fetch certificate for https://opnsense-update.deciso.com
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 13:16:14 EDT 2024
Fetching subscription information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
done
Fetching changelog information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
done
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /C=US/O=Let's Encrypt/CN=R11
No CRL was provided for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***Still seeing Chain fetch failed from the python script, but it's now printing the CRLs as well:root@testrange:/tmp # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com
-----BEGIN X509 CRL-----
MIIBVDCB3AIBATAKBggqhkjOPQQDAzBIMQswCQYDVQQGEwJERTEVMBMGA1UEChMM
RC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRSVVNUIEVWIFJvb3QgQ0EgMSAyMDIw
Fw0yNDAxMTUxNDAwNDlaFw0yNTAxMTYxMzU5NDlaMDEwLwIQaOXtSmaheM68bssu
...
root@testrange:~ # /usr/local/opnsense/scripts/system/update-crl-fetch.py opnsense-update.deciso.com
# [i] fetch certificate for https://opnsense-update.deciso.com
[!!] Chain fetch failed for https://opnsense-update.deciso.com
root@testrange:~ # curl http://x1.c.lencr.org/ --output /tmp/test.crl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 717 100 717 0 0 9425 0 --:--:-- --:--:-- --:--:-- 9434
root@testrange:~ # openssl crl -in /tmp/test.crl -inform DER -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Last Update: Feb 5 00:00:00 2024 GMT
Next Update: Jan 4 23:59:59 2025 GMT
CRL extensions:
X509v3 Authority Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
X509v3 CRL Number:
104
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
59:26:d6:a5:01:52:f5:e1:20:f8:e7:5d:6d:28:5c:a1:6f:39:
1e:ee:92:a8:4d:07:f9:a4:65:af:37:db:f8:a9:4f:df:a1:b4:
96:e5:61:1a:84:3c:03:66:0d:4f:6c:33:1c:97:b1:e5:33:9e:
4a:d9:1e:88:c7:42:8e:fd:36:21:24:e6:a0:87:b0:d2:c4:34:
41:7c:d3:68:9c:50:f2:a5:a6:09:8c:8b:c2:62:63:dc:26:a4:
12:ae:c3:81:65:c0:44:2a:35:01:49:b2:cd:59:6a:e7:5d:f1:
1f:63:84:aa:a1:53:3a:5f:7f:f3:9a:ed:42:4b:64:21:52:fa:
9d:e9:b9:af:bb:c7:5c:e4:78:3c:47:f3:be:16:78:c4:23:63:
c1:6a:e9:8e:65:31:9b:00:24:0f:91:20:98:1f:47:55:ca:ab:
6a:72:ad:ac:b9:c0:f9:3c:4f:1b:46:58:d8:50:8f:e7:13:7b:
ff:fb:5f:8b:c1:ba:01:97:37:77:34:20:a8:d5:4d:b0:9c:f2:
8f:6d:22:b2:dd:5f:05:b6:2c:de:99:a2:b6:ea:ef:59:64:d5:
c1:b0:7f:80:45:cc:68:87:7c:63:eb:63:07:f1:49:1a:8f:38:
e4:05:2d:7c:e0:42:98:ae:07:07:8b:f7:9c:3b:a9:09:70:bf:
8f:52:d3:30:ea:df:42:67:88:6b:d2:de:ab:3d:28:a4:7a:d7:
7d:bb:82:6f:6a:10:96:01:4a:3f:81:d7:e1:e3:5a:91:58:9e:
2d:f2:f9:5e:58:cf:ce:63:a3:bd:46:8f:0c:97:6c:4f:97:d5:
48:de:9c:cb:57:c3:9a:c6:a2:92:78:e6:05:3d:d5:4e:14:d9:
f8:f4:09:9e:d2:fe:13:38:5b:e9:af:0a:ec:92:e7:bf:ee:5a:
33:48:ee:31:82:d7:6f:0b:cd:ec:aa:db:66:9f:d8:a1:63:20:
57:7b:76:aa:d0:d6:a5:1e:c9:44:45:dd:3c:18:bd:6f:05:b8:
19:58:a0:e9:c5:8a:58:70:3b:e4:22:bf:0d:c8:a3:e0:53:a6:
7f:2b:a6:39:14:ad:2b:0d:b7:4a:46:d2:78:21:67:6b:25:33:
23:d6:ab:17:80:bb:66:22:ec:ee:6d:b1:e5:01:ae:4e:5b:5c:
3b:35:54:3e:5a:94:51:f5:81:eb:cb:10:ca:d6:39:7e:17:ae:
f0:4d:25:81:64:cd:b6:06:09:ea:75:eb:0e:06:e5:a4:c0:1e:
0e:24:9f:33:bf:fd:1f:12:48:57:60:e1:a4:e8:aa:b2:30:e9:
ec:e0:52:76:44:4e:bd:42:69:69:b5:de:51:ef:84:a4:16:19:
49:a2:2b:d2:3d:62:b4:6e
root@testrange:~ #
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Thu Oct 17 10:50:46 EDT 2024
Fetching subscription information, please wait... Could not load CRL file /tmp/libfetch_crl.24101710
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/subscription: Authentication error
Fetching changelog information, please wait... Could not load CRL file /tmp/libfetch_crl.24101710
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: Authentication error
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
Could not load CRL file /tmp/libfetch_crl.24101710
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***This is what's in /tmp/libfetch_crl.24101710:# [i] fetch certificate for https://opnsense-update.deciso.com
Figured a new file would be updated on the hour and it was. libfetch_crl.24101711 also only contains that single line.--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1720538699.8016.xml 2024-07-09 11:24:59.854129000 -0400
@@ -805,16 +805,17 @@
</rule>
</outbound>
<onetoone>
- <disabled/>
<external>**externalVIP**</external>
+ <category/>
<descr/>
<interface>wan</interface>
- <ipprotocol>inet</ipprotocol>
+ <type>binat</type>
+ <disabled>1</disabled>
<source>
<address>**internalIP**</address>
</source>
<destination>
- <any/>
+ <any>1</any>
</destination>
</onetoone>
</nat>Now that my onetoone config is in OPNsense format, the upgrade from 24.1.8 to 24.1.9_4 migrated the config successfully.
--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1719321616.8927.xml 2024-06-25 09:20:16.898912000 -0400
@@ -804,19 +804,6 @@
</created>
</rule>
</outbound>
- <onetoone>
- <disabled/>
- <external>**externalVIP**</external>
- <descr/>
- <interface>wan</interface>
- <ipprotocol>inet</ipprotocol>
- <source>
- <address>**internalIP**</address>
- </source>
- <destination>
- <any/>
- </destination>
- </onetoone>
</nat>
<filter>
<rule uuid="fca06965-4caf-41e4-992a-166d5b00e036">
@@ -2156,8 +2143,8 @@
</widgets>
<revision>
<username>(system)</username>
- <description>/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php made changes</description>
- <time>1716803141.3662</time>
+ <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+ <time>1719321616.8927</time>
</revision>
<OPNsense>
<IPsec version="1.0.1">
@@ -2383,10 +2370,11 @@
<Category version="1.0.0">
<categories/>
</Category>
- <Filter version="1.0.3">
+ <Filter version="1.0.4">
<rules/>
<snatrules/>
<npt/>
+ <onetoone/>
</Filter>
</Firewall>
<Netflow version="1.0.1">