Messages

1

18.7 Legacy Series / Re: 18.7.10 and Suricata

« on: January 23, 2019, 05:49:28 pm »

Well, after reverting, I seem to be getting alerts again.  And the rules lists are downloading again.

Thanks, Franco.

I assume if this gets sorted out in the future, when I upgrade to 19.1.x, the reverted version will upgrade at that time too?

2

18.7 Legacy Series / 18.7.10 and Suricata

« on: January 21, 2019, 10:35:05 pm »

Hello.

Are there known issues with Suricata and OPNsense 18.7.10_3?  I just upgraded from 18.7.7, and Suricata doesn't seem like its working any more.  Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any!  Seems hard to believe.

I have OPNsense configured to use it on a number of internal interfaces, but not WAN.  And I have chosen Hyperscan as the matching engine.  (I did try the default engine too, but that didn't seem to make a difference.)

I'm using http://testmyids.com to try to stimulate an alert.  This has worked in the past, but nothing happens after the upgrade.

Any ideas?

P.S.  I really love OPNsense.  I've been using it for a couple of years, and I recommend it to others.  Thanks for the great work!

3

18.1 Legacy Series / Re: How to setup and manage 18+ OpnSense centralized

« on: May 16, 2018, 09:39:33 pm »

I am very, very interested in this topic as well.  Have you been able to make any progress on this front using the API?

Question for Opnsense developer's:  What would it take to make this use case a higher priority?  Do you accept private contracts to prioritize work?  Or, in other words, what drives the priorities for developing new features?

Thanks!

4

17.7 Legacy Series / Meaning of letters in the Firewall Log Files "Proto" field

« on: September 26, 2017, 09:21:07 pm »

What does "TCP:SEC" mean in the Firewall Log Files "Proto" field?

I think the "S" means "Syn," but does "E" mean "ECE" and "C" mean "CWR"

OR

is it "S" and "EC" for "Syn" and "ECE"?

I have a lot of this kind of stuff in my Firewall Log files.  Is that normal?

[Edited to add]: Also, do I need to be creating rules to allow this type of traffic?  Or are simple rules to allow only "Syns" sufficient?

Thanks.

5

17.7 Legacy Series / Re: SSL VPN Road Warrior

« on: August 14, 2017, 04:56:02 pm »

Welcome to OPNsense and the forums!

I am a relatively new user too, but I just went through this procedure too.

Step 1
--------
Go to System > Access > Users and find a user authorized for the VPN.
Edit that user by clicking on the pencil icon.
Scroll down to the "User Certificates" section and note the "CA" listed there.  It should be "SSL VPN CA" if you're using the same names as the "How To."

Step 2
--------
Now, go to VPN > OpenVPN > Servers and edit the entry for the newly created VPN server by clicking on the pencil icon.
Scroll down to the "Description" section and note the text there and the port number just above it.  For example, "My SSL VPN Server" and port 1194 if you're using stuff from the "How To."
Scroll further down to the "Peer Certificate Authority" section and note the CA listed there.  It should match the CA you recorded in Step 1 above (i.e. "SSL VPN CA").

Step 3
--------
Go to VPN > OpenVPN > Client Exports and select the Remote Access Server that matches the description and port number from Step 2 above.  For example, "My SSL VPN Server:1194".
Scroll down to "Client Install Packages" and your stuff should be listed there.

If it STILL isn't listed, then my guess is you made a mistake in the "Adding a User" steps.  You MUST "Create an internal Certificate" with the correct certificate authority selected here ("SSL VPN CA") or it won't work.

NOTE!!!

I believe there is an error in the How To's "Step 2 - Firewall Rules" section.  I posted about that in the "Documentation and Translation" Forum.  Check that out too.

Good luck! 

[EDIT: for a small typo and added clarity]

6

Documentation and Translation / Error in "Setup SSL VPN Road Warrior" How to?

« on: August 08, 2017, 08:31:23 pm »

I think there may be a typo in the "Setup SSL VPN Road Warrior" How to:

• Go to the second picture under "Step 2 - Firewall Rules"
• It shows "192.168.2.0/24" as the Source, but I think it should be "10.10.0.0/24" according to the network diagram at the beginning of the article

Either that or I completely don't understand the setup like I thought I did because I don't see "192.168.2.0/24" referenced anywhere else in the article.

Thank you for the write-up though!  I find the OPNsense How to's to be very high quality in general.

7

17.7 Legacy Series / Unbound vs. Dnsmasq

« on: August 02, 2017, 10:43:58 pm »

I noticed in the 17.7 release notes there is mention that Unbound is the new default DNS service.

I don't know enough about DNS or Unbound vs. Dnsmasq to understand the significance of that announcement.

Is Dnsmasq not as secure as Unbound?  Is it not as fully featured?  Does Unbound perform better?  Is Dnsmasq deprecated or scheduled for removal in the future?

If I'm using Dnsmasq now, should I switch?  Does the 17.1 -> 17.7 upgrade package do the switching for me?  Will it transfer my Dnsmasq configuration to Unbound?

Etc.

Thanks for the help!

8

17.1 Legacy Series / Re: 17.1.6 - default gw missing / apinger won't start

« on: June 08, 2017, 04:56:08 pm »

Any ideas, Franco?

9

17.1 Legacy Series / Re: 17.1.6 - default gw missing / apinger won't start

« on: June 05, 2017, 04:34:20 pm »

I'll add my voice to the chorus - I'm having the same issue.

The entry called "WANGW" is marked as "(default)" in System:Gateways:All.

But there is no such indication in System:Gateway:Status.

Is that what you mean, Franco?

Btw, I also have other Gateways defined too.

10

16.7 Legacy Series / Re: Which FW process is associated with which outbound connection

« on: March 14, 2017, 07:14:02 pm »

Well, it looks like the VPN server I had connected to the FW was compromised.  I had the FW configured to be an OpenVPN client to this compromised VPN server.  I disabled the VPN connection on the FW, but the FW still looks like it is spewing SYN packets (DDos) to Twitter IP addresses.

Is it possible the attackers were able to use the VPN tunnel to compromise the FW itself?

I really need a tool that I can use that maps the outbound connection from the FW to a process *on* the FW.

Can anyone help?

11

16.7 Legacy Series / Which FW process is associated with which outbound connection

« on: March 14, 2017, 04:22:35 pm »

Does anyone know of a reason why the *FW* might be making connections to the following Twitter-controlled IPs:
104.244.42.194 and 104.244.42.2 on port 443?  It is happening pretty much constantly...

Is there a command I can run on the FW that will link those outbound connections to a process?  lsof doesn't seem to be present and I can't figure out the right netstat command to do it...

If the FW is somehow participating in a DDoS, I want to know!