Messages - vivekmauli14

1
General Discussion / Re: Application Filter for OPNsense
« on: Today at 01:22:47 pm »
Hi,

Please refer to this post to see how I am implementing the app filter on my OPNsense machine in my lab. This is just my weekend project, but I am looking forward to guidance here. I am missing a small configuration part which has become untraceable for me. Although this method needs refinement, it can get my work done for smaller seating areas.

https://forum.opnsense.org/index.php?topic=44230.msg220600#msg220600

Looking forward to help.

Best,
VivekSP

2
General Discussion / Difficulty Applying Firewall Rules for Network alias for my custom app filter
« on: November 25, 2024, 10:19:03 am »
Hi Guys,

I’ve developed an application filter that utilizes ntop's network analytics to dynamically populate IPs based on the network interface, then assign these IPs to the corresponding pfTable. In my firewall rules, I block the alias at the destination while using the intended interface from ntop as the source. While the solution works, it’s slower than expected, and I’m still optimizing the rule for faster performance. Any suggestions to improve the speed of blocking the application access more promptly would be appreciated.

The issue arises when I try to apply the rule to a specific network alias, such as restricting access for a particular subnet. I’m unable to create a rule that restricts only that specific network alias while maintaining the application filtering logic. I would appreciate any guidance on how to achieve this functionality or optimize my current approach.

Thanks in advance,
VivekSP

3
General Discussion / Re: Missing .crt Download Option in CA Management (OPNsense 24.7)
« on: November 18, 2024, 09:35:34 am »
Hi Franco,

I'm particularly facing the issue while configuring the web filter using squid and OPNproxy. This is the same issue I had raised here: https://forum.opnsense.org/index.php?topic=41817.msg205619#msg205619. The .PEM is getting installed, but while browsing it pops up an error that it is not able to reach the site.

Best,
VivekSP

4
General Discussion / Re: Missing .crt Download Option in CA Management (OPNsense 24.7)
« on: November 08, 2024, 11:47:32 am »
Hi,
I was actually trying to set up a web proxy and I faced several issues while setting it up. I was wondering if this was the case. In my research I came across this for understanding certs: https://stackoverflow.com/questions/63195304/difference-between-pem-crt-key-files

I also tried renaming the file from pem to crt, but it wasn't of any help. In case you can guide me further in this matter, it would be of great help.

Thanks!

5
General Discussion / Re: Configuration backups
« on: November 08, 2024, 08:36:57 am »
Hi Patrick,

I have already set up my gdrive for the backups, but for git repos and nextcloud, any reference URLs/documentation for the same will be helpful.

Thanks

Best,
VivekSP

6
General Discussion / Missing .crt Download Option in CA Management (OPNsense 24.7)
« on: November 08, 2024, 08:31:33 am »
I've recently migrated a user’s device to OPNsense 24.7 and noticed that the CA management interface has transitioned from legacy code to MVC. While generating a certificate, I can’t seem to find the option to download the .crt file, which was available in previous versions. This is critical for his setup as we rely on accessing the .crt for distribution and further integration.

I've checked available documentation from OPNsense and Zenarmor, but they all reference the older interface where the .crt download option is still mentioned. Have I missed an alternative method for downloading the certificate in 24.7, or is this functionality being updated in an upcoming release?

If there are any new best practices or workflows for managing certificates with this update, I’d appreciate any guidance or references.

Best,
VivekSP

7
Development and Code Review / Re: Building OPNsense from Source
« on: September 20, 2024, 12:17:30 pm »
Hi,

I'm trying to automate the build process for my newer commits in core.git. Does OPNsense currently have any CI/CD mechanisms implemented? If not, are there any recommended practices or tools to streamline this process?

Any leads would be appreciated.

Thanks,
VivekSP

8
General Discussion / Trouble in Unbound with Blocking Persistence
« on: September 16, 2024, 06:16:00 am »
Hello,

I am attempting to block specific websites using Unbound. However, when I block websites such as WhatsApp or YouTube, the restrictions persist even after I clear all policies in the DNSBL and flush the state table. The blocked services only resume functioning after a few hours.

Could you please advise if there might be an error in my procedure, or suggest a method to expedite the process?

Thank you.

9
General Discussion / Re: Cron Job for updating Unbound DNSBLs
« on: September 14, 2024, 10:26:54 am »
Quote
I went under System/Settings/Cron

Hi,

How can I extend this list on my own? I went through the code but couldn't find anything related to adding anything to the cron from the UI. I could find all the actions.d commands there, but no clue on how to add/remove items from that list.

Can anyone help me with this? Thanks in advance!

Best,
VivekSP

10
General Discussion / Re: Does NTOPNG itself scan networks and/or hosts ?
« on: September 14, 2024, 10:15:46 am »
Hi,

I have been leveraging traffic flow data from ntopng to automate the population of the pftable with IP addresses associated with specific applications. I then create firewall rules to block these IP addresses using an alias. While this approach effectively blocks most applications, I encounter difficulties blocking high-profile services such as YouTube and other Google applications. These services continuously use dynamically changing IP addresses.

I am seeking advice on enhancing this mechanism to better handle the dynamic nature of these applications. Specifically, I would like to improve the speed at which the pftable is updated and develop a more robust strategy to address the challenge of dynamic IP addresses.

Any insights or recommendations would be greatly appreciated. Thank you in advance!

Best,
VivekSP

11
Web Proxy Filtering and Caching / Re: Error while starting squid
« on: September 09, 2024, 02:48:59 pm »
Hi franco,

The issue of Segmentation fault still persists upon reloading the service. I even updated my machine to 24.7.3_1.

Code:
template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2024/09/09 12:46:28| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/09/09 12:46:28| Starting Authentication on port 127.0.0.1:3128
2024/09/09 12:46:28| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2024/09/09 12:46:28| Starting Authentication on port [::1]:3128
2024/09/09 12:46:28| Disabling Authentication on port [::1]:3128 (interception enabled)
2024/09/09 12:46:28| Starting Authentication on port 127.0.0.1:3129
2024/09/09 12:46:28| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2024/09/09 12:46:28| Starting Authentication on port [::1]:3129
2024/09/09 12:46:28| Disabling Authentication on port [::1]:3129 (interception enabled)
2024/09/09 12:46:28| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/09/09 12:46:35| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/09/09 12:46:35| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2024/09/09 12:46:35| WARNING: HTTP requires the use of Via
2024/09/09 12:46:35| Set Current Directory to /var/squid/cache
Segmentation fault


12
Web Proxy Filtering and Caching / Re: Error while starting squid
« on: September 09, 2024, 08:38:17 am »
Hi Franco,

I applied the patch you mentioned, but now the issue is in restarting the service. I am able to start the service; however, it is again giving the Segmentation failed error.

Code:
template reload Deciso/Proxy: OK
template reload OPNsense/ProxySSO: OK
Segmentation fault
Performing sanity check on squid configuration.
2024/09/09 06:36:07| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/09/09 06:36:07| Starting Authentication on port 127.0.0.1:3128
2024/09/09 06:36:07| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2024/09/09 06:36:07| Starting Authentication on port [::1]:3128
2024/09/09 06:36:07| Disabling Authentication on port [::1]:3128 (interception enabled)
2024/09/09 06:36:07| Starting Authentication on port 127.0.0.1:3129
2024/09/09 06:36:07| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2024/09/09 06:36:07| Starting Authentication on port [::1]:3129
2024/09/09 06:36:07| Disabling Authentication on port [::1]:3129 (interception enabled)
2024/09/09 06:36:07| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/09/09 06:36:13| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/09/09 06:36:13| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
2024/09/09 06:36:13| WARNING: HTTP requires the use of Via
2024/09/09 06:36:13| Set Current Directory to /var/squid/cache
Segmentation fault

Looking forward to a resolution.

Best,
VivekS

13
General Discussion / How to Dynamically Visualize IDPS and C-ICAP Logs on the New Dashboard?
« on: August 16, 2024, 07:39:50 am »
Hey everyone,

I'm really impressed with the new dashboard, and I've been working on visualizing the IDPS and C-ICAP logs by adding two new widgets. I've already created static charts for this, but now I'm looking to make these charts dynamic, updating in real-time with the system's counters for malware, trojans, viruses, etc., detected.

Does anyone have any suggestions on how I can pull this data from logs or any other sources to feed into these charts? Any hints or tips on the best approach to achieve this would be greatly appreciated!

Thanks in advance!

14
General Discussion / Re: Captive Portal: Issues, User logout not working
« on: August 07, 2024, 08:56:24 pm »
Hi there,

I was debugging the problem from the backend and found that the actions.d commands for captive portal, particularly the disconnect command which runs with configdprun, have mismatched parameter values.
So you can debug and solve the disconnect parameters in actions.d, or you can just remove the zoneid from the configdprun of accesscontroller of captive portal API.

Here: https://github.com/opnsense/core/pulls/7740

Be careful though, I haven't tested it with multiple zones.

cheers,
VivekSP

15
General Discussion / Creating Domain-Specific Policies with OPNproxy
« on: August 07, 2024, 08:40:19 pm »
Hi everyone,

I've recently upgraded my OPNsense setup to version 24.7 and have been exploring the default policies for OPNproxy. I noticed that the content filtering options are organized by categories in a dropdown menu. However, I'm interested in creating policies for specific domains, such as applying a policy specifically to Facebook, rather than using broader categories like "social-media."

Is there a way to achieve this level of granularity with the current OPNsense version? If not, is there another solution or approach to accomplish domain-specific policies?

Thank you in advance for your help!

Best regards,
VivekSP
