OPNsense Forum - Messages - kyferez

1
20.1 Legacy Series / Squid keeps stopping and not coming back up
« on: August 21, 2020, 11:12:22 pm »
Every few days I have to manually restart Squid. It comes right back up, but why is it stopping and not automatically restarting? It's incredibly frustrating!

How do I determine why that is happening?
Can we get an auto-heal feature for all services?

If this auto-heal of services already exists, then either

1) How do I set it up ?

OR

2) If service restart is automatically there, how can I determine why my manual restart of Squid works when auto doesn't?

Edit: Upgrading but highly doubt that will fix as this has been ongoing since version 17.
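
As an added example (not from the original post or from OPNsense), a small watchdog that a cron job can run every few minutes: it checks the service and, if Squid is down, first saves the tail of cache.log so the reason for the stop survives the restart, then restarts it and reports whether that worked. The command names and paths (`service squid status`, `service squid restart`, `/var/log/squid/cache.log`, `/var/log/squid-watchdog.log`) are assumptions for a FreeBSD-based OPNsense install; `service squid start` is the form shown in the console transcript further down this page.

```python
"""Squid watchdog: restart the service when it is down, but capture the end of
cache.log first so the reason for the stop is not lost with the restart.
Run it from cron every few minutes. All paths and commands below are
assumptions for a FreeBSD-based OPNsense box; adjust them to your install."""
import collections
import datetime
import pathlib
import subprocess

STATUS_CMD = ["service", "squid", "status"]      # assumed: exit code 0 when running
RESTART_CMD = ["service", "squid", "restart"]
CACHE_LOG = pathlib.Path("/var/log/squid/cache.log")        # assumed location
INCIDENT_LOG = pathlib.Path("/var/log/squid-watchdog.log")  # written by this script


def is_running(status_cmd=STATUS_CMD):
    """True when the status command exits 0."""
    return subprocess.run(status_cmd, capture_output=True).returncode == 0


def last_lines(path, count=40):
    """Last `count` lines of a log file, or [] if it does not exist."""
    try:
        with open(path, "r", errors="replace") as fh:
            return list(collections.deque(fh, maxlen=count))
    except FileNotFoundError:
        return []


def fatal_lines(lines):
    """Pick out the lines Squid writes when it dies (FATAL / Segment Violation)."""
    return [ln.rstrip("\n") for ln in lines if "FATAL" in ln or "Segment Violation" in ln]


def heal(status_cmd=STATUS_CMD, restart_cmd=RESTART_CMD,
         cache_log=CACHE_LOG, incident_log=INCIDENT_LOG):
    """Check Squid and restart it if needed.

    Returns ("ok", []) when it was already running, ("restarted", fatals) when
    the restart brought it back, or ("failed", fatals) when it did not; `fatals`
    is the list of FATAL lines found in the saved cache.log tail."""
    if is_running(status_cmd):
        return ("ok", [])
    evidence = last_lines(cache_log)
    stamp = datetime.datetime.now().isoformat(timespec="seconds")
    with open(incident_log, "a") as out:
        out.write(f"{stamp} squid not running; last cache.log lines follow\n")
        out.writelines(evidence)
    rc = subprocess.run(restart_cmd, capture_output=True).returncode
    state = "restarted" if rc == 0 and is_running(status_cmd) else "failed"
    return (state, fatal_lines(evidence))


if __name__ == "__main__":
    state, fatals = heal()
    print(state, *fatals, sep="\n")
```

The incident log is the part that answers "why": each restart leaves behind the last lines Squid wrote, which is where the FATAL and helper-crash messages from the other threads on this page appear.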

2
20.7 Legacy Series / Re: Feature Requests: Alias and Rule related
« on: June 02, 2020, 09:24:34 pm »
Quote from: hbc on May 29, 2020, 11:53:42 pm
I see you are the pro. On our next network meeting I will forward your suggestion to abandon the existing B- and C-Class net blocks in favor for NAT-bottlenecks.
That's hysterical, you make me laugh. I'm not saying abandon them. I'm saying using them as internal is no longer commonly done, and NAT is only a bottleneck if your design is poor. Give me a break. Plenty of companies have 10000+ users on a corporate network where NAT is not a problem. I manage devices where there's that many internal users and also easily that many users hitting NAT inbound from external. Issues like port exhaustion only occur in extreme cases, and there are easy methods to prevent that in enterprise gear.

3
20.7 Legacy Series / Re: Feature Requests: Alias and Rule related
« on: May 29, 2020, 11:25:13 pm »
Quote from: hbc on May 27, 2020, 10:03:12 pm
Before IPv4 addresses became scarce, public IPs were the common way to build networks. Most universities don't use any RFC1918 addresses to this day; even printers, access points, etc. have public IPs. NAT and RFC1918 addresses are more home-user style and got popular due to the lack of IPv4 addresses.
That was true, but not any longer. These days almost all corporations, even many very large international corporations, use RFC1918 IPs internally. Are there still some that use their public IP blocks wastefully? Yes. But they are in the extreme minority.

As for IPv6, it would still be best to exclude the link local and special purpose IP ranges from Public Internet IPs.

Did not know what they used for feature requests; the forums seemed likely though.

4
20.7 Legacy Series / Re: Feature Requests: Alias and Rule related
« on: May 27, 2020, 06:46:01 pm »
Right, but that's a company using Public IPs for private IPs and would have to consider that. It honestly would affect an extremely small subset of customers. The advantages are more significant such that I think the argument is silly.

But bigger question: Why are my other questions getting ignored?

5
20.7 Legacy Series / Re: Feature Requests: Alias and Rule related
« on: May 26, 2020, 07:48:59 pm »
Quote from: hbc on May 23, 2020, 10:10:39 am
To 1.:
Besides this: what is the internet? For you as a private user with one ISP-assigned public IP, everything not RFC1918 and multi/broadcast is internet. For companies that own public network blocks, things look different.
Basically all internet-routable addresses. Just because a company owns IP blocks and uses them as internal IPs doesn't mean they're not Internet-routable. IMO it's foolish and wasteful, but that's neither here nor there. They are still Internet-routable, and a company like that would have to be aware that an Internet alias would include those IPs. I don't think it's unreasonable to provide InternetIPv4 and InternetIPv6 aliases built in. It's pretty ubiquitous and other companies provide it for ease of management.

Quote from: hbc on May 23, 2020, 10:10:39 am
To 2.:

Of course you can only nest aliases of same type. You can group aliases of type network, but cannot add ones of type port. Logic.
Not for us autistic types. We question basic logic because it is usually not clearly defined logic that takes into account all possible variables. For example: can a group be nested with a type of URL and a type of Network? It's reasonable to conclude they can, but it's not defined if it will work. Make sense?

What about #3 questions?

6
20.7 Legacy Series / Re: Feature Requests: Alias and Rule related
« on: May 22, 2020, 11:50:37 pm »
Yes, I'm on the latest 20.1.7.

1. This doesn't really work as I would want Not RFC1918 and Not Multicast and Not Loopback and NOT SpecialPurpose and NOT Broadcast and NOT etc. I guess since #2 actually exists I can manually create this, but it would certainly be better if it was just built-in!

2. Really? That's great news! The drop-down didn't mention using aliases as an option, and since the drop-down was specific, I didn't expect anything but what was specified as the option in the drop-down to work, but I see the description says they can be nested, which I don't remember from before. By the way, which drop-down Type option would be correct for nesting? Should it match the parent alias type?

3. Also great news! That said, which Drop-Down would I use for this? Also the "Type" could seriously use some help in the "Help" area for this and #2! What is External? What is URL and URL Table and Network Group?

4. Of all these items, this is a "most wanted"

5. Thanks, I think I can make that work.

Thanks!

7
20.7 Legacy Series / Feature Requests: Alias and Rule related
« on: May 21, 2020, 06:59:48 pm »
Multiple Alias based and firewall rule based feature requests:

1. Built-in Aliases for InternetIPv4 addresses and InternetIPv6 addresses. This would basically make it easier to specify all Internet IP ranges in a rule which would automatically exclude all other address types such as RFC1918, multicast, etc.

2. Alias Groups. This is an alias which contains multiple other alias names. Useful when you want to create multiple hosts like GoogleDNS1, GoogleDNS2, Level3DNS1, Level3DNS2, then create a group PublicDNS which would contain those 4 alias names. This also applies to services, such as an "HTTP" group for ports 80 and 8080, and an "HTTPS" group for ports 443 and 4443, so a Service Group alias would contain both "HTTP" and "HTTPS" as entries in the alias service group.

3. DNS aliases and DNS groups. If a DNS name can be an alias that the firewall resolves, this would be very helpful for making rules to internet applications, and would need to also account for the fact that some FQDNs resolve to multiple IPs. Then a DNS Group would be an alias with multiple FQDNs.

4. Rules to allow multiple Sources, Destinations, and Services. This makes rules much easier to manage. If I can create one rule like the examples below, it's much more concise, less error prone, and easier to manage. I'd otherwise have to create multiple aliases and multiple rules, or both, which quickly becomes confusing for an environment with many VLANs and many restrictions.

Example:
Source: Host1 or Host2 or AliasGroup1
DST: AliasGroup2 or AliasGroup3
Services: WebBrowsing or SSH

Another example:
Source: AliasGroup
DST: InternetIPv6 or InternetIPv4
Services: WebBrowsing

5. Ability to reverse priority of Floating rules and interface specific rules. I like to use the Floating rules as General Purpose Allow rules which apply to most of my network, and the specific interface rules for more specific denials or allows which I want to override the floating rules. This helps keep the Floating rules limited to smaller numbers of rules which makes management easier and less error prone, as the alternative is to create Floating deny rules above the general purpose allow which gets messy fast. Thus if I could have the Interface rules have priority over the Floating rules, this would work much better for this sort of design.

Thanks!
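
The built-in InternetIPv4/InternetIPv6 aliases asked for in item 1 can be approximated today with a Network(s) alias whose content is computed by subtracting the non-routable and special-purpose prefixes from the whole address space, which is exactly the "Not RFC1918 and Not Multicast and Not Loopback and ..." set. The script below is an added example, not code from the original post or from OPNsense; the exclusion lists are an assumption drawn from the IANA special-purpose address registries, so review them against your own policy (for instance whether 6to4 or Teredo space counts as Internet for you) before pasting the output into an alias.

```python
"""Compute the contents of an "InternetIPv4" / "InternetIPv6" network alias by
subtracting non-routable and special-purpose prefixes from the whole space.
The exclusion lists are an assumption based on the IANA special-purpose
registries; adjust them to your own definition of "Internet"."""
import ipaddress

IPV4_EXCLUDED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # shared address space (CGNAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.88.99.0/24",   # deprecated 6to4 relay anycast
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved; includes 255.255.255.255 limited broadcast
)]
IPV6_EXCLUDED = [ipaddress.ip_network(p) for p in (
    "::/128",           # unspecified
    "::1/128",          # loopback
    "::ffff:0:0/96",    # IPv4-mapped
    "100::/64",         # discard-only
    "2001:db8::/32",    # documentation
    "fc00::/7",         # unique local
    "fe80::/10",        # link-local
    "ff00::/8",         # multicast
)]


def subtract(universe, exclusions):
    """Return the sorted, collapsed list of CIDR blocks in `universe` that are
    not covered by any prefix in `exclusions` (all of one IP version)."""
    remaining = [universe]
    for ex in exclusions:
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):            # swallowed entirely
                continue
            if ex.subnet_of(net):            # carve the hole out of this block
                nxt.extend(net.address_exclude(ex))
            else:                            # disjoint, keep as is
                nxt.append(net)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def internet_networks(version=4):
    """The alias contents for the given IP version."""
    if version == 4:
        return subtract(ipaddress.ip_network("0.0.0.0/0"), IPV4_EXCLUDED)
    if version == 6:
        return subtract(ipaddress.ip_network("::/0"), IPV6_EXCLUDED)
    raise ValueError("version must be 4 or 6")


def is_internet(addr):
    """True if `addr` falls inside the computed Internet set for its version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internet_networks(ip.version))


def alias_content(version=4):
    """One CIDR per line, ready to paste into a Network(s) alias."""
    return "\n".join(str(net) for net in internet_networks(version))


if __name__ == "__main__":
    for v in (4, 6):
        nets = internet_networks(v)
        print(f"InternetIPv{v}: {len(nets)} prefixes")
        print(alias_content(v))
```

Because the exclusions are disjoint CIDR blocks, the result plus the exclusions partitions the address space exactly, which is the check to run after editing the lists: if the address counts no longer sum to 2^32 (or 2^128), an exclusion overlaps another or was mistyped.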

8
19.7 Legacy Series / Re: [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 12, 2019, 10:51:09 pm »
Well, after that blew up the OPNsense UI, I couldn't even ssh into it. I ended up having to reboot the VM, but all is working now. Thanks.

9
19.7 Legacy Series / Re: [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 12, 2019, 09:08:35 pm »
Well that completely blew up OPNsense. UI Totally stopped responding.

10
19.7 Legacy Series / Re: [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 12, 2019, 07:52:17 pm »
Ah that makes a massive difference in whether I do so or not! The Support tab should have said such!

11
19.7 Legacy Series / Re: [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 12, 2019, 06:43:26 pm »
No, because I have quite a bit of config - it's used on 6 different VLANs.

12
19.7 Legacy Series / Re: [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 12, 2019, 04:25:43 pm »
Anyone?

13
19.7 Legacy Series / [Upgrade Issue] Squid restarting every minute due to Segment Violation
« on: September 10, 2019, 07:55:46 pm »
Version:
OPNsense 19.7.3-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

Issue Logs:
Sep 10 13:54:30   (squid-1): FATAL: Received Segment Violation...dying.
Sep 10 13:54:30   (squid-1): FATAL: The /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB helpers are crashing too rapidly, need help!

Those logs keep repeating approximately every minute. The Squid service does show as running. A restart has no effect on the issue. The symptom is inaccessibility of all webpages, as if the proxy is not running.

Thanks for any help!

14
19.1 Legacy Series / Enhancement Req - Enhance GUI logging for Service Failures
« on: February 28, 2019, 03:47:03 pm »
I upgraded to the latest Prod version of OPNsense yesterday, and Squid no longer started. Squid logs were completely blank, so I had to resort to starting Squid via console, which showed the error. It was unhappy with a nobump entry. I see that under System->Log File->General, we do have logs for the services, however it doesn't provide detail on the error and I had to resort to attempting to start the service via console. Can we enhance the GUI logging to include the detailed errors for a failure? Below I show the difference in logs between the GUI and manually starting the service:

Logs from GUI:
Feb 28 09:30:07 root: /usr/local/etc/rc.d/squid: WARNING: failed to start squid
Feb 28 09:30:07 squid: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

Logs from console:
root@OPNsense:/var/log # service squid start
Starting squid.
2019/02/28 09:30:07| ERROR: '.site.com' is a subdomain of 'site.com'
2019/02/28 09:30:07| ERROR: You need to remove '.site.com' from the ACL named 'bump_nobumpsites'
FATAL: Bungled /usr/local/etc/squid/squid.conf line 30: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
Squid Cache (Version 3.5.28): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.013 user + 0.007 sys
Maximum Resident Size: 67200 KB
Page faults with physical i/o: 0
/usr/local/etc/rc.d/squid: WARNING: failed to start squid
root@OPNsense:/var/log #

Thanks!
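
As an added example (not from the original post or from OPNsense), a pre-flight linter for the nobumpsites.acl file that catches the overlap Squid refused above before the service is restarted. It applies Squid's domain-ACL matching rule to every pair of entries: a leading dot matches the domain and all of its subdomains, no dot matches only that exact name, and Squid refuses to load a list in which one entry already matches what another one matches (the "'.site.com' is a subdomain of 'site.com'" error). The sample file inside is constructed; treating `#` as a comment marker and splitting on commas are assumptions, the latter because the reply from mimugmail further down describes the GUI field as a comma-separated list.

```python
"""Lint a Squid ssl::server_name / dstdomain ACL file (for example OPNsense's
nobumpsites.acl) for entries that overlap, which Squid rejects at startup with
"'X' is a subdomain of 'Y'". The sample below is constructed for illustration."""
import re

# One DNS name, optionally with Squid's leading-dot wildcard.
HOST_RE = re.compile(
    r"^\.?[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)

SAMPLE_ACL = """# constructed example, not a real OPNsense file
site.com, .site.com
example.org
www.example.org
.bank.example
online.bank.example
"""


def parse_acl(text):
    """Entries from file text: '#' comments and blanks dropped (assumption),
    comma-separated lines split, lower-cased (DNS is case-insensitive),
    trailing dot removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        for token in line.split(","):
            token = token.strip().lower().rstrip(".")
            if token:
                entries.append(token)
    return entries


def covers(pattern, name):
    """Squid domain-ACL matching: '.example.com' matches example.com and every
    subdomain of it; 'example.com' matches only that exact name."""
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def find_overlaps(entries):
    """(first, second) pairs in which one entry matches what the other matches.
    Squid refuses to load the ACL while any such pair exists."""
    overlaps = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if covers(a, b.lstrip(".")) or covers(b, a.lstrip(".")):
                overlaps.append((a, b))
    return overlaps


def invalid_entries(entries):
    """Entries that are not syntactically a host name or dot-wildcard."""
    return [e for e in entries if not HOST_RE.match(e)]


def lint(text):
    """Run both checks on raw file text."""
    entries = parse_acl(text)
    return {"overlaps": find_overlaps(entries), "invalid": invalid_entries(entries)}


if __name__ == "__main__":
    report = lint(SAMPLE_ACL)
    for a, b in report["overlaps"]:
        print(f"overlap: '{b}' and '{a}' match the same names; remove one")
    for e in report["invalid"]:
        print(f"invalid entry: {e}")
    print("clean" if not (report["overlaps"] or report["invalid"]) else "fix before restarting squid")
```

Note that `example.org` next to `www.example.org` is not flagged: without the leading dot the first entry is an exact match, so the two do not overlap. The clash in the original post came from having both the exact form and the wildcard form of the same domain.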

15
18.7 Legacy Series / Re: [EnhancementRequest] Web Proxy SSL NoBump sites and Bypass proxy
« on: November 29, 2018, 06:20:48 pm »
Quote from: mimugmail on November 29, 2018, 06:25:29 am
ATM it only works best when you have a large text file managing all domains separated by comma so you can just paste it.

Thanks, I guess I can make do with that method for now. I'd still like to see my enhancement request for groups, for organization reasons, though. But that brings up another issue I had forgotten about: different NoBump lists for different source subnets/VLANs. There is no option to accomplish this, so I added it to my original post.

Quote from: mimugmail on November 29, 2018, 06:25:29 am
Regarding "no-proxy" you'd need a nat exception not to push it to proxy.

Yes, I am using a No RDR (aka Do not NAT) rule for now to prevent NAT of the specific device/destination, but as I don't allow anything to the Internet by default on my 4 server and DMZ VLANs, it actually requires a minimum of 2 rules: 1 for No RDR and 1 for firewall allow (No RDR doesn't have the option for an auto-FW rule). Then for destinations I want to prevent proxying for on multiple VLANs, it requires a No RDR rule for each VLAN.

So it gets very messy very fast, so you can see why it would be far better to have it managed in one location with one setting. Less mess equates to better security because there's far less likelihood for it to get done wrong when removing or changing things.
