OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of markes20754 »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - markes20754

Pages: [1]
1
General Discussion / Re: Azure Linux Agent Install
« on: May 02, 2024, 04:16:23 am »
UPDATE: After posting this I was able to piece together some other articles and get this working. These are just my quick notes so someone smarter than me should be able to polish this up.

#Disable the default swap file - Azure agent mounts a temp volume presented to the VM and creates its own swap file
swapoff /dev/gpt/swapfs

#Install the agent dependencies
pkg upgrade
pkg install -y sudo bash git

# check on the python path -- at the time of this post it's 3.9 and create the link for python
ls /usr/local/bin/python*
ln -s /usr/local/bin/python3.9 /usr/local/bin/python

# clone the agent
git clone https://github.com/Azure/WALinuxAgent.git
cd WALinuxAgent

#check the current stable build -- at the time of this post it's v2.10.0.8
git checkout v2.10.0.8

#install the agent and register it as a service
python setup.py install --register-service

#create links for the agent
ln -sf /usr/local/sbin/waagent /usr/sbin/waagent
ln -sf /usr/local/sbin/waagent2.0 /usr/sbin/waagent2.0

#Setup the agent service scripts
echo '#! /bin/sh' >> /usr/local/etc/rc.d/waagent.sh
echo '/usr/local/sbin/waagent --daemon' >> /usr/local/etc/rc.d/waagent.sh
chmod +x /usr/local/etc/rc.d/waagent.sh
echo 'waagent_enable="YES"' >> /etc/rc.conf.local

#Change the agent built swap from 16gb default to 6gb -- the temp volume in my VM was only 8GB
sed -i .bak 's/ResourceDisk.SwapSizeMB=16384/ResourceDisk.SwapSizeMB=6144/g' /etc/waagent.conf

#A quick version check. If this doesn't return the version something went wrong
waagent -version

service waagent status
service waagent start
service waagent status





2
General Discussion / Azure Linux Agent Install
« on: May 01, 2024, 11:39:40 pm »
I've been able to find some references in posts but I haven't found any clear instructions on how to install the Azure Linux Agent onto an uploaded OPNSense HyperV image.  Has anyone been able to successfully install and configure the agent? If so, could you share your steps?

Thanks in advance!

3
Web Proxy Filtering and Caching / Re: HAProxy - OR operator - multiple ACLs
« on: April 30, 2024, 04:25:38 pm »
Thanks! The Regex is a good idea.

Yes, the unique ID given to the ACL name is an OPNSense implementation but not one that's contained in other HAProxy implementations where unique ACL names aren't required and, in cases like this, are intentional.

You can see the difference in the OPNSense implementation and its unique ID "injection" when you compare the config file from an OPNSense HAProxy setup to another vendor's setup (let's use PFSense as an example).

4
Web Proxy Filtering and Caching / Re: HAProxy - OR operator - multiple ACLs
« on: April 30, 2024, 02:02:56 pm »
Consider the following combined host/vpath rules:

ACL NAME "MY_HOSTS"
Host: www.foo.com
Host: foo.com
Host: www.foo.co.uk

ACL_NAME "ALLOWED_VPaths"
VPath: /bar

Without the OR condition on the ACL in OPNSense, you need to create three rules to accomplish the rule condition to only allow https://www.foo.com/bar, https://foo.com/bar and https://www.foo.co.uk/bar

With the OR condition on the same ACL name you can create one rule that effectively says:
(HOSTS Start With [https://www.foo.com OR https://foo.com OR https://www.foo.co.uk]) AND (VPATH Starts With  [/bar])

Hope that makes sense.

5
Web Proxy Filtering and Caching / HAProxy - OR operator - multiple ACLs
« on: April 29, 2024, 09:30:27 pm »
In the HAProxy documentation, an OR operator can be used by defining multiple ACLs with the same name. See https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/acls/#or-operator

You can also create an or statement by defining multiple ACLs with the same name. Below, the condition is again true if the requested URL path begins with /images/ or the URL path ends with .jpg:

frontend www
  bind :80
  acl images_url path_beg /images/
  acl images_url path_end .jpg
  use_backend static_assets if images_url
backend static_assets
  server s1 192.168.50.20:80


OPNsense's implementation of HAProxy generates a unique ID name for each ACL rather than to use the actual name that the user gives in the GUI. This appears to make the use of this OR operator not possible. For example, let's say that I had two host names for the same website (foo.com and www.foo.com) If I created an ACL with both of these conditions and gave them both the same name, then in a "normal" HAProxy config (including PFSense), I would only need to build one rule. As it stands now, I have to create a unique rule for each condition and add all of those rules to the front-end pool.

If you examine the OPNSense HAProxy config export, both are given a unique system generated ACL which results in the OR condition not being applied.

    # ACL: h-www_foo_com
    acl acl_662818fddd6816.90414207 hdr(host) -i www.foo.com

    # ACL: h-www_foo_com
    acl acl_662830c24229a7.03064246 hdr(host) -i foo.com

    # ACTION: foo_com_rule
    use_backend foo_backend if acl_662818fddd6816.90414207


Would it be possible to have the system generated ACL name be the same if the user inputed ACL name is the same? This would allow for the OR condition to be used on OPNSense like it does with PFSense and other implementations.

Thanks!
Mark

6
24.1 Legacy Series / Re: Legacy IPSEC vti routed firewall interface vs ipsec interface
« on: April 29, 2024, 08:13:53 pm »
Ok I think I got it. Confirming:
By default, the VTI interfaces - ipsec(X) aren't used and all rules should be added to the IPSec (enc0) interface. In short, this is the same as pfSense.

However, if I want to build rules per-VTI interface I would set net.inet.ipsec.filtertunnel and net.inet6.ipsec6.filtertunnel = 1 AND net.enc.in.ipsec_filter_mask and net.enc.out.ipsec_filter_mask = 0

I'm not using any policy based tunnels, so it sounds like there's no downside to this change. Other than making rule organization a little easier is there any pro/con to the "per interface rule" approach vs using enc0?

What about client to firewall IPSec tunnels (I think they're called Road warrior in the documentation)?

Thanks!

7
24.1 Legacy Series / Legacy IPSEC vti routed firewall interface vs ipsec interface
« on: April 29, 2024, 07:48:19 pm »
Hi All,
I'm transitioning from PFSense to OPNSense and am trying to get clarification on the use of the Routed VTI firewall interface vs the IPsec interface rules.

In PFSense, when you create a routed VTI IPSec tunnel, you don't see an interface in the firewall to apply rules to -- all rules (for all tunnels) are applied to the IPSec interface. In OPNSense I see an interface for all of my VTI Routed IPSec tunnels in addition to the IPSec interface.

From what I can tell, the OPNSense IPSEC firewall rule logic is the same as PFSense where rules should be applied to the IPSec interface but when I did some testing and applied an ANY/ANY rule with logging to one of the VTI firewall interfaces, I see allowed traffic.

My question is this: Are the IPSec VTI Routed interfaces used at all with respect to firewall rules? If so, when should a rule be created using the tunnel's VTI interface vs the IPSec interface? The documentation isn't clear.

Thank you!
Mark


Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2