Messages

1

Zenarmor (Sensei) / Re: Advanced Security coming soon?

« on: January 15, 2022, 07:53:23 pm »

To sum up:

* I know what alises are;
* I know how to insert a list of aliases;
* I know that 95% of the lists of aliases are free (gratis).

But even then I cannot find the proper balance.

A man worked in a factory and worked on the same machine all his life. This machine was unique and whenever it broke down, he would fix it. He was the only person who used the machine and the only one who could fix it and keep it running.

The time came for the man to retire. The whole company turned out and wished him well.

A couple of months later, the machine broke down. There was no replacement in existence so the Company Director rang the man and asked him to come in as a consultant to have a look at the machine and fix it.

The man came in, spent 15 minutes looking over the machine, pressing his ear to it, peering into gaps until he reached in to his bag and brought out a hammer. He then gave the machine a small tap and lo and behold, the machine was FIXED!

The director was overjoyed and asked the man to send him his invoice.

The invoice arrived for £10,000. The director was furious and immediately rang the man and demanded that he send a breakdown of the invoice and the tasks he performed.

He received the following:

Hitting the machine with a hammer        ..            ..            ..            £5.00

KNOWING where to hit the machine with a hammer       ..            £9995.00



The director paid the invoice without complaint.

2

Zenarmor (Sensei) / Re: Zenarmor & IPv6: Bad Combo (At least on ATT Fiber/US)

« on: January 14, 2022, 01:13:05 pm »

Have you upgraded to 22.1.r1? Maybe it behaves differently.

3

Zenarmor (Sensei) / Re: Zenarmor & IPv6: Bad Combo (At least on ATT Fiber/US)

« on: January 13, 2022, 01:54:36 pm »

That's quite true, Zenarmor chokes IPv6 if you have hardware checksum offload and/or hardware TCP segmentation offload enabled.

4

Zenarmor (Sensei) / Re: Trusting Sensei

« on: January 13, 2022, 01:24:58 pm »

Listen, my calculation is this: I will stop paying for Kaspersky (my internet provider provides me with 20 licenses for F-Secure, branded with the name of the provider). So, I will be still covered in respect to using an antivirus, and I will pay two licenses for Zenarmor: one for my house and one for the house of my parents.

So, whether it's Kaspersky or Zenarmor who reads my data it is pretty much the same situation.

5

22.1 Release Candidate Series / Re: 22.1.r1

« on: January 12, 2022, 09:14:47 am »

I did not know it will get released so soon.

6

22.1 Release Candidate Series / 22.1.r1

« on: January 12, 2022, 08:00:47 am »

I'm on 22.1.r1 (opnsense-update -fur 22.1.r1), but it wants to update to 22.1.b3.

LibreSSL if that matters.

If I switch to community version, it says "The release type "opnsense" is not available on this repository."

https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/libressl/Latest/opnsense-update.txz says 22.1.b3.

https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/libressl/Latest/opnsense-devel.txz says 22.1.b_141.

====

Okay, done like this:

# nano /usr/local/etc/pkg/repos/OPNsense2.conf

With the following content:

OPNsense2: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "pkg+https://pkg.opnsense.org/${ABI}/snapshots/libressl",
  signature_type: "fingerprints",
  mirror_type: "srv",
  priority: 22,
  enabled: yes
}

pkg update -f
pkg upgrade -f
reboot
Option 12 in the menu. Choose 22.1.r1. Let it reboot, and bingo!

I'm running now OPNsense 22.1.r_3 LibreSSL.

7

Zenarmor (Sensei) / Re: Advanced Security coming soon?

« on: January 07, 2022, 04:51:32 pm »

As I said, I am not expert, and if I were to use aliases, I would block too much. So, I was speaking about me and people like me, who can either trust the experts or behave like paranoid dabblers.

I did use pfBlockerNG and decided it is not my thing.

8

Zenarmor (Sensei) / 22.1.b3

« on: January 06, 2022, 01:18:49 am »

I was testing 22.1.b3_321 (based on FreeBSD 13) and there is no Zenarmor installation for it. I know that the beta version does not have plugins.

9

22.1 Release Candidate Series / Re: Is version 22 being built on FreeBSD 13

« on: December 29, 2021, 03:55:57 am »

# uname -a

10

Zenarmor (Sensei) / Re: Advanced Security coming soon?

« on: December 28, 2021, 01:09:23 am »

Well, I am not a security expert. So for me the choice is between paranoid dabbler and trusting a security company to do the hard work. A paranoid dabbler adds aliases till the internet browsing no longer works properly. If I trust the company is sit down and relax.

11

Zenarmor (Sensei) / Re: Anything from Zenarmor/Sensei for Log4Shell?

« on: December 20, 2021, 06:33:36 am »

Now updated to elasticsearch5-5.6.8_7

12

Zenarmor (Sensei) / Re: Trusting Sensei

« on: December 13, 2021, 08:20:34 am »

I don't plead "I have nothing to hide" (e.g. my credit card number).

But I do plead that I don't bother that SunnyValley reads my websurfing data.

You should know that lack of privacy may also work to exonerate you of committing a crime.

If I want to do something that passes unseen through Zenarmor, I use VPN (e.g. Opera with VPN).

But no, as long as you use the internet you have no privacy, you're just fooling yourself that you have privacy.

And sometimes not using the internet does not protect you from data leaks from the government, or insurance companies, or hotel chains.

As the saying goes, Google knows a lot about you, even if you have never used it.

So, it is all a matter of trust: do you trust security professionals or do you trust the DD-WRT or Lineage OS approach (if it works, fine, if not, wait till someone bothers to address that bug).

13

21.7 Production Series / Re: Configuring WiFi crashes the system

« on: December 13, 2021, 07:59:23 am »

No panic. I get invited nicely to submit a crash report. The firewall does not stop working.

This is the reworked config:

Code: [Select]

    <opt4>
      <if>ath0_wlan0</if>
      <wireless>
        <mode>hostap</mode>
        <standard>11ng</standard>
        <protmode>off</protmode>
        <ssid>my_own_network</ssid>
        <channel>1</channel>
        <channel_width>ht/20</channel_width>
        <authmode/>
        <txpower>99</txpower>
        <distance>0</distance>
        <regdomain>etsi</regdomain>
        <regcountry>GB</regcountry>
        <reglocation>indoor</reglocation>
        <wpa>
          <macaddr_acl/>
          <auth_algs>1</auth_algs>
          <wpa_mode>2</wpa_mode>
          <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
          <wpa_pairwise>CCMP</wpa_pairwise>
          <wpa_group_rekey>60</wpa_group_rekey>
          <wpa_gmk_rekey>3600</wpa_gmk_rekey>
          <passphrase>my_own_password</passphrase>
          <ext_wpa_sw/>
          <ieee8021x/>
          <enable>1</enable>
        </wpa>
        <auth_server_addr/>
        <auth_server_port/>
        <auth_server_shared_secret/>
        <auth_server_addr2/>
        <auth_server_port2/>
        <auth_server_shared_secret2/>
        <wme>
          <enable>1</enable>
        </wme>
        <apbridge>
          <enable>1</enable>
        </apbridge>
        <wep>
          <key/>
        </wep>
        <hidessid/>
        <pureg/>
        <puren>
          <enable>1</enable>
        </puren>
        <ieee8021x/>
        <turbo/>
      </wireless>
      <descr>OPT4</descr>
      <enable>1</enable>
      <spoofmac/>
      <ipaddr>192.168.133.8</ipaddr>
      <subnet>24</subnet>
    </opt4>


14

21.7 Production Series / Re: Update Error

« on: December 13, 2021, 06:43:55 am »

Yeah, 21.7.6 was a smaller update, which did not include its own kernel.

15

21.7 Production Series / Configuring WiFi crashes the system

« on: December 12, 2021, 11:10:13 pm »

Hi, I have already sent the crash report.

When trying to configure WiFi, it crashed. The easy way it says something about cannot clone WiFi adapter, due to lacking BSSID support or something like that.

Here is what works:

Code: [Select]

<opt4>
      <descr>OPT4</descr>
      <if>ath0_wlan0</if>
      <wireless>
        <mode>hostap</mode>
        <standard>11ng</standard>
        <protmode>off</protmode>
        <ssid>my_own_network</ssid>
        <channel>1</channel>
        <channel_width>ht/20</channel_width>
        <authmode/>
        <txpower>99</txpower>
        <distance>0</distance>
        <regdomain>EIST3</regdomain>
        <regcountry>GB</regcountry>
        <reglocation>indoor</reglocation>
        <wpa>
          <macaddr_acl/>
          <wpa_mode>2</wpa_mode>
          <wpa_key_mgmt>WPA-PSK</wpa_key_mgmt>
          <wpa_pairwise>CCMP</wpa_pairwise>
          <wpa_group_rekey>60</wpa_group_rekey>
          <wpa_gmk_rekey>3600</wpa_gmk_rekey>
          <passphrase>my_own_password</passphrase>
          <ext_wpa_sw/>
          <wpa_eap_client_mode>PEAP</wpa_eap_client_mode>
          <wpa_eap_inner_auth>MSCHAPV2</wpa_eap_inner_auth>
          <wpa_eap_inner_id/>
          <wpa_eap_inner_password/>
          <wpa_eap_cert>61ad9b3de6747</wpa_eap_cert>
          <wpa_eap_ca/>
          <enable/>
        </wpa>
        <auth_server_addr/>
        <auth_server_port/>
        <auth_server_shared_secret/>
        <auth_server_addr2/>
        <auth_server_port2/>
        <auth_server_shared_secret2/>
        <wme>
          <enable/>
        </wme>
        <apbridge>
          <enable/>
        </apbridge>
      </wireless>
      <enable/>
      <ipaddr>192.168.133.8</ipaddr>
      <subnet>24</subnet>
      <spoofmac/>
    </opt4>
I copied it from pfSense, restored the edited config, and this is part of the now working Opnsense config.