Messages

1

General Discussion / Re: Moving pfsense->OPNSense with Unifi VLANs

« on: January 08, 2020, 10:03:35 am »

i have also a opnsense, with 2 switches and 2 ap's from ubiquity. I installed my own controller. Everything works fine, even with the vlan's.

I left nat as-is (not hybrid), but copied the default rules from lan-interface to the vlans. Most important rule at the end of each vlan (depends on how paranoid you are) for me was the outgoing rule on each interface, from vlan-network to any (Blocked rules apply before).

Important is, that networks in opnsense are configured in the unifi-controller the same way.

2

19.7 Production Series / Re: OPNSense GUI / CLI not accessable

« on: December 29, 2019, 03:05:54 pm »

i got some time to have a view on my firewall.

1st of all, itried, if it happens too on devel-version 20.1. in Short, yes it does.

i took a look in the logs, where i found, that suricata crashed according of to less swap. i have none and spent one now to the system.

Might it be, that network stack gets in troubles, if suricata crashes?

3

19.7 Production Series / Re: OPNSense GUI / CLI not accessable

« on: December 29, 2019, 02:34:42 pm »

sorry for late reply, as i am in vacancy for the moment.

I face the same issue, but not on a vm, it's a pc-engines apu4d on 4 GB RAM. Fortunatetly, my son "reboots" the machine, if he can't game (on my advise )

I thought, it might be a cron-job, as e.g. acme-update or perhaps also the update of ips-signatures. As this behaves today the first time whilst the day, and i remember, that on this time, no job ist running, it would not be the reason.

Even if WUI and CLI is not accessible, the LAN-interface is pingable.

4

19.7 Production Series / Re: Postfix: Mails duplicating several times

« on: December 09, 2019, 08:57:56 am »

confirm. Did not help. so waiting for next release...

5

19.7 Production Series / Re: Postfix: Mails duplicating several times

« on: December 08, 2019, 10:12:01 am »

thx! i reverted back to 1.11 meanwhile.

6

19.7 Production Series / Postfix: Mails duplicating several times

« on: December 07, 2019, 07:43:52 pm »

Since the last update of postfix, i get some (not all) Mails duplicated or even multiplicated.  Somebody else having this issue?

The message-id btw. is always the same, on each messsage.

7

Web Proxy Filtering and Caching / Re: HAProxy - Firewall rules

« on: December 02, 2019, 12:20:54 pm »

You have to make rules source WAN destination localhost to the Ports you offer the internet. E.g. your haproxy listens to port 80 public for your webserver:

Port 80 Source WAN Target Localhost. Port is whatever you defined in haproxy as port for your public server.

8

19.7 Production Series / Re: Gateway monitoring - High RTTD

« on: November 11, 2019, 10:39:33 am »

Important information about hardware i have the same.

The problem persist on my installation, if Suricata and Proxy (transparent!) have been used. Making then huge downloads (nice test, centos-download = 6.6 gb), this really brakes the connection.

I really think, either use suricata, or proxy, but not both at the same time. And proxy not as transparent.

9

Intrusion Detection and Prevention / Re: Suricata rule load errors: abuse.ch/URLhaus

« on: November 06, 2019, 09:04:55 am »

wow, those guys are quick. Got a short response, should be solved. Can anyone test?

10

Intrusion Detection and Prevention / Re: Suricata rule load errors: abuse.ch/URLhaus

« on: November 06, 2019, 07:20:16 am »

I haven't found a possibliy to file a bug. I contacted them by mail. Hopefully it gets fixed.

11

Intrusion Detection and Prevention / Re: Suricata rule load errors: abuse.ch/URLhaus

« on: November 04, 2019, 06:52:03 am »

Hi,

This should be reported upstream, i think.

12

Intrusion Detection and Prevention / Re: Suricata 5: Errors in Rules

« on: November 04, 2019, 06:49:38 am »

yes, they did. But i haven't used suricata 4 for quite a while, might be, that within an update of the rules also the error came in.

I just got the errors from abuse.ch/urlhaus. I think, it's related to https://forum.opnsense.org/index.php?topic=14715.0, so if its just this one, i would leave it, as i haven't seen further errors til now.

13

Intrusion Detection and Prevention / Suricata 5: Errors in Rules

« on: November 03, 2019, 08:51:13 am »

After having Suricata 5 now on dev, i switched over for more testing (and not kidnapping the old thread). After the 1st night, i saw the following error in the logs:

suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and following:
    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so suricata 5 recognized it, but will not do anything with it. Is this an error in the ruleset of urlhaus.ch?

btw. i disabled proxy, also for comparison of downloads on my apuc4. With the usual performance fiddling, i got a downloadrate of 270mb/s, using aho-corasick. Never got that before, neither only on proxy, nor only mit ips (yes, ips enabled) - also a big wow!

14

Intrusion Detection and Prevention / IPS and DHCP

« on: September 16, 2019, 07:52:08 am »

Hello,

I still cannot geht IP's via DHCP on VLAN's, if IPS is enabled. Did i miss sometihing, or is for VLAN's a "special" configuration needed, which i missed?

I disabled all the things on the interface, vlan filtering is on standard. Promicuous mode is disabled.

Thx!

15

19.7 Production Series / Re: Protect Postfix/IMAP

« on: September 06, 2019, 01:32:30 pm »

Hi,

There is an open ticket on github for this.

i have meanwhile fail2ban on my servers installed, which block ips with more than 3 failed logins completely on the route.

unfortunately, i am not that experienced. But since opnsense now with syslogd should have to possibility to receive logs from a mailserver, i plan (not in short time) to have my mailservers logging to opnsense also and havng opnsense blocking the ips.

I have not yet tried and cannot confirm if its working. In my mind, it should