Messages

Incidentally, and speaking more generally, many systems allow the management of information and other things through Telegram bots; it would be interesting to add that functionality to Opnsense.

Telegram is a giant malware. You would be laying your network infrastructure out before the Russia's FSB who is both feet in Telegram and uses it for spying. Give your head a shake. It is about the same as having confidential discussions over Zoom. OMG some are naive!

If you don't provide any evidence, I call BS.

This individual appears to have a special status here, despite him being unrelated to the project, since he is allowed to hurl personal insults, and moderators leave that w/o attention or action. This does not reflect well on the project or the forum.

You're approaching a point of no return in your rhetoric.

Software problems are rhetoric? This is a novel concept.
Lead the way: bring something constructive into this discussion, like propose some solutions, diagnostics, troubleshooting, etc.
You are monitoring the discussion but not offering anything, and then you blame me for something not being constructive (like in the other thread that you locked with that justification). The reality is that I am powerless to satisfy your requirement for it to be that because all I have is a non-working or intermittently working firewall, absent any guidance from the vendor. The two highly active members who demand that I snow them my [confidential] firewall rules do not count for constructive feedback. Such is the reality of real-world IT security. If you become so aggravated by my reporting of problems, I'll leave without waiting for you to draw your moderator sword, as there is no resolution in sight anyway for anything that I bring up. Let open sense remain in its current state. This is the worst thing I can do to it, by the way.

Ran Apache reports and found more records for which alias type block rules exist. Open sense is really this: open. Open wide.

This is a question to be directed at your virtualisation platform.

Are you representing the vendor?

Stock driver does not work in VMs. Does open sense use an out-of-tree custom QAT driver for virtualized environments, or is it stock that does not work in VMs?

You are barking up the wrong tree. No one gives if the Unbound project doesn't know about it. OPNsense cannot fix issues in every upstream project they pull from. So please someone interested in getting this resolved file an issue with Unbound.

Was waiting for you to show up. Didn't take long.

With the addition of 2x more hosts that should be allowed to talk to an external provider, I disabled the single host-type rule that I had and added another.
For this new rule, I created a host-type alias and included all the 3x LAN hosts in it.
The destination of the old and new rule remains the same: it is a network-based alias that includes 3x networks of my providers, and a port-type rule that includes 2x port ranges.
The rule is for TCP/UDP.
The end result is such that when I disabled the old rule, the old host lost its connection to one of the providers. Only when I enable the old rule does it reconnect.

This is not the 1st time I notice that alias-based rules do not work reliably. I literally can't trust them at all at this point. I keep trying, with every next version of open sense, but this is not getting any better.
Bottom line is that IP host based rules work fine, for both source and destination, but host and network type alias-based rules work intermittently or do not work at all, and there is no pattern to this. The alias is a great idea, but if it does not work, then it should not be offered, until it is figured out and coded 100% reliably. We are not joking here. This is not a party. This is not a dog and pony show. We use the firewalls for access and security.

I am just pissed off because this will lead nowhere.

And you believe that it allows you to lash out at strangers? Hmm.

This is not a trivial issue. This is huge. Unbound simply goes tits up, having been given a valid DNS entry. This is bizarre. This is disgrace. Oh, and by the way, it turns our that this issue EXISTS. Surprise, surprise!

https://github.com/opnsense/core/issues/8051

As to this likely going nowhere, your assessment is probably spot-on: no one gives.

It is exactly with this configuration that Unbound crashes

The definition of the problem. A crash from user input that has not been rejected for being in valid is a disgrace for any developer.

By the way, you are sounding too defensive and aggressive, for a user. Have a horse in this race?

Good to know, but this does not help me. The crash is 100% reproducible: add a wildcard - it crashes and fails to restart. Remove the wildcard - it restarts. This is not something that users should discuss among ourselves but rather something that dev team should become concerned about.

I add *.domain.com, and Unbound goes tits up.
I remove this record, and it starts up.
Anything can be done about this?

Did you just edit the rules?

Maybe it's an active state of a rule you removed. Try clearing the state table.

All of this went over my head.

What do you mean by 'just edit'? Like, right now, moments ago? No, they have been last saved/rebooted etc for quite some time. We are running on them since the migration on Nov 1st.

What is an 'active state of a rule I removed'?

How does one clear the state table?

I've given this whole thread a read and here's my 2c:

A sysadmin with 30+ years of xp here. I run infrastructure for a hosting company, for a dozen of clients of small to medium sizes.
As such, I and my customers are not interested, in any way, shape, and form, in the traditional "threat" detection. We are interested in the blocking of web contact form and email spam, and we achieve this mostly by blocking all things hosting. Everything that comes from hosting providers is considered a threat, plain and simple. Hosting providers are everyone's enemies. So I simply integrated with an API that tells me whether the visitor is from a hosting company, in which case they are given a boot, or from consumer internet providers, in which case we let our tried and tested set of rules to take an action. Nothing that is of my or my customer's concerns can get past my multiple layers of firewalls, and this has been proven many times by all kinds of pen test companies that my customers used to hire until they realized that it's money well wasted, so they cut down on this.

Having said it, what can Q-feeds offer us?

Some rule is logging. It has no label. When I click on the info and then on the rid link, the screen refreshes, and I do not get to see which rule it is.
I went over all of the rules, including expanding the hidden auto-rules, and out of all of them only two rules that block IPv6 are set to log, but the logging is for IPv4, so they are not my suspects.
How can I find out which rules are logging?
Why is clicking on the rid link not showing me that?