Messages

Hello. Use the "Advanced" switch in instance setup. (top left corner)
After check " Username as CN" and duplicate-cn, if need.

Hello. Can I ask you to add a "push route..." block to the CSO? We provide the default gateway through the VPN, but on some clients, certain subnets need to be routed through their gateway. And of course, I hope that it will be possible to add any possible parameters to the CSO for those who are confident in what they are doing.

Hello. Can I ask you to add a "push route..." block to the CSO? We provide the default gateway through the VPN, but on some clients, certain subnets need to be routed through their gateway. And of course, I hope that it will be possible to add any possible parameters to the CSO for those who are confident in what they are doing.

Also, for some reason, disappeared list with action setting (drop/alert) in "Alert info" window. It is not comfortable. Nobody knows how to return?

I managed to succesfully install GeoIP and Suricata 4.0.5 on OPNsense 19.1

Hello!
Tell me how to install suricata 4.0.5 in opnsense 19.1?
Best Regards/

Hello friends!
I just can not understand what the problem is. Please help, because I do not know what else to do. Suricata  version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
Tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset. And with vlan and without vlan. The result of one. In the logs, everything is fine - dropped, and the virus is perfectly loaded. Maybe I do not understand something? How to diagnose a problem?
In version 4.0.6 everything was fine. Files did not load.

Hi guys!
Tell me one more question:
Plugin os-web-proxy-sso ignores System -> Servers -> LDAP settings, such as Auth Container and Extendet Query &(memberOf...).
That is, the access tester does not authorize users who are not suitable for Auth Container and Extendet Query filters, and os-web-proxy-sso plugin authorizes all domain users. Is this normal behavior?

Ok, Thanks, we'll wait.

Hello, Friends!
I use os-web-proxy-useracl and os-web-proxy-sso plugins to create access lists linked on groups of the Windows AD.
At the moment there is a problem. Helper ext_kerberos_ldap_group_acl from the Opnsense repository at work is dumped into the kernel.
...
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -m 20 -g Test -D mydomain.ru
...
support_ldap.cc(1128): pid=4848 :2019/01/11 17:00:33| kerberos_ldap_group: DEBUG: Entry 2 "Test" matches group name "Test"
support_ldap.cc(1390): pid=4848 :2019/01/11 17:00:33| kerberos_ldap_group: DEBUG: Unbind ldap server
Segmentation fault (core dumped)
...
(gdb) backtrace
#0  0x000004dc1b2bd68b in ?? () from /lib/libthr.so.3
#1  0x000004dc1b2bc949 in pthread_mutex_lock () from /lib/libthr.so.3
#2  0x000004dc1a69ab42 in k5_cc_mutex_lock ()
   from /usr/local/lib/libkrb5.so.3.3
#3  0x000004dc1a6a5308 in ?? () from /usr/local/lib/libkrb5.so.3.3
#4  0x00000123ba3ee641 in krb5_cleanup() ()
#5  0x00000123ba3f2f89 in get_memberof(main_args*, char*, char*, char*) ()
#6  0x00000123ba3ee35b in check_memberof(main_args*, char*, char*) ()
#7  0x00000123ba3eb73b in main ()
(gdb)
...
In order to identify the problem, i installed clear freeBSD 11.1 and make helper from source codes of squid3 version 3.5.28.
Helper worked without problems.
In this regard, the question:
Whether it is possible to ask to update the helper in a repository on assembled from the latest source code?
Sorry for my English, Andrey.

Привет!
Не нашлось решение?
Сегодня понаблюдал, что происходит. Позапускал отдельно ext_kerberos_ldap_group_acl
Происходит следующее: как только начинается рекурсивный поиск в LDAP, процесс ext_kerberos_ldap_g начинает бешено жрать память, и продолжает даже после того, как поиск завершен. После того, как память успешно выжирается, система глушит его (Segmentation fault) и привет семье.
Такое ощущение, что он по рекурсии зацикливается. Завтра еще попробую покопать...

Hello!
I also set the sarg to the Opnsense server. But did not integrate into it.
The configuration is done by changing the /usr/local/etc/sarg.conf file
Made changes for authorization in the file /usr/local/etc/inc/plugins.inc.d/webgui.inc
1. Added "mod_auth" to the server.modules
2. Added the line $lighty_config = "include \"/usr/local/etc/lighttpd/conf.d/auth.conf\"\n"
3. Specified the authorization parameters in the file /usr/local/etc/lighttpd/conf.d/auth.conf
~~~~~~
auth.backend                 = "plain"
auth.backend.plain.userfile  = "/usr/local/etc/lighttpd/lighttpd.user"

auth.require               = ( "/squid-reports/" =>
                               (
                                 "method"  => "basic",
                                 "realm"   => "Sarg Authentication",
                                 "require" => "user=browser"
                               ),
                             )
~~~~~~~~
If you can, write down your steps.

... I'll post a step by step integration process of the software inside OPNSense...

Hi Michele,
You have everything worked out? Can describe the process?

Andrew