Messages

@monstermania

Das mit dem ClamAV wuerde ich mir auch ueberlegen, da die Software anscheinend nicht besonders oft geupdated wird [1].





[1] http://tmowizard.square7.ch/wordpress/2017/10/15/sicherheit-am-pc-vi-ubuntu-clamav-verantwortungslos/

@Gargamel:

If you want to a small linux image for the PI you can use the DietPI image.

@Franco: Before you smash more SD Cards, you can use emulation ;)

Du kannst ein remount auf rw (read/write) machen, dann solltest du es installieren koennen von der CLI.

sudo mount -o remount,rw /partition/identifier /mount/point

If I understand you correctly then vlans are much faster from the usage. Because the vlan-id is within the network package and stripped from you kernel. If you use virtual networking with virtual cpus you will have more overhead. You need to manage at least 2 different network stack with almost the same content (arp, ips, etc.).

Why are you not using VLAN and openvpn without virtualization --> so create your VLAN-Interface etc.

I doubt that it is better to generate more overhead (virtualization) and hope that the throughput is better at the end. Furthermore which kind of virtualization do you have in mind?
E.g. you can use kvm or docker with virt networking. 

I don't think that raspi is so much better in overclocked state. The network interface (even the internal one) is connected via USB-Stack which limits the performance. If you stack more usb-nics into the raspi then you won't get a high performance boost anyway.

Ich hatte auch meine Probleme mit USB-LAN-Adaptern. Als erstes gibt es ein Plugin fuer OPNSense was den Start verzoegert, da es USB-LAN-Adapter gibt, die erst nach einer bestimmten Zeit sich beim System melden. Andere probleme hatte ich, wenn der Switch ein Link-Down durchfuehrt um Strom zu sparen, da einige USB-LAN-Adapter ebenfalls auf ein Link-Signal warten, bis sie sich beim System anmelden. So zu sagen, wenn beide dann auf ein initiales SIgnal warten, wird das etwas laenger dauern :).

I tried this a little while ago but the problem was the strong swan implementation. I tried the openbsd ipsec and there I got this working though.

Is this topic still a thing? I finally got this working but I have noch komplete documentation. I would prefere to do a step by step appoarch with some one who needs this setup and use the descriptions to provide a how-to.

Hi Franco,

thanks for your reply. I tried to change this setting, but as mentioned within the tools usage page, the '-S' flag is not going to work with an IP-address.
I tried the following on my own. I recognized, that the target address for the netflows was not pingable so I added a route to this IP through the gateway interface of the opnsense, then I was able to ping the target. But the flows were missing anyways. Is there a source of information about the routing behavior were I can read about how BSD routes traffic from the interfaces?

Thanks Loden_Richard

Hi folks,

I have a problem with my current setup. I have a netflow collector installed within my network and want to send my netflow octets to this collector. Unfortunately my collector is only reachable via IPsec, so if I set the netflow configuration up to send the packets to this collector I don't see the packages on the other side of the tunnel. My opnsense host is also the connections endpoint of the IPsec tunnel.
Does someone know how to solve this issue?

Thanks Loden_Richard

The plan is within a small network environment is the best place to search actively for vulnerabilities from the edge firewall. All zones connected to the connected network (e.g. internet) are reachable from that point. Alternatively a jail could be hosted with a running vuln. scanner.
I am sure for big networks within companies it would not apply if opnsense is used as edge firewall. I have seen installations for separating internal networks from each other and for that reason it could be a nice feature to be able scan the network which should be separated.
e.g. a scada network (which is not my installation but is an argument for a specific installation of openvas):


The firewalls could also do an additional active security scanning service for ensuring patch levels and so on.

Bump!

If the question is not specific enough then please provide some information how to integrate openvas ;-)