OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of AdSchellevis »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - AdSchellevis

Pages: [1] 2 3 ... 42
1
19.7 Production Series / Re: GEOIP Aliases Aren't Resolved
« on: November 14, 2019, 11:04:29 am »
Hi Brian,

The log message isn't necessarily an error, it communicates that it can't decode the string to idna (which isn't a problem).

A long time ago we accepted several commits which in retrospective we shouldn't have done, they where aimed to provide cyrillic language support and came with a lot of issues. (I think this specific mess originates from https://github.com/opnsense/core/pull/2492 and surrounding PR's)

Since "AO BF BI BJ BW ..." isn't a valid IDN string (http://unicode.org/reports/tr46/) it returns the original one in this case, which is actually good. (I've added the log message at some point to be able to track these issues more easily).

Usually issues around geoip are either matching the wrong traffic or not being able to fetch the source data, the last one is easy to check using "Firewall -> Diagnostics -> pfTables" (alias should contain the country ranges).

We have thought about removing the IDN support in full at some point in time, since the way it's implemented will always be flawed, but for now we decided to leave it as is.

Best regards,

Ad

2
Development and Code Review / Re: What is this snippet's effect, in the volt template?
« on: November 12, 2019, 08:55:03 am »
Originally it came from https://github.com/opnsense/core/commit/4c736c65060c926ecc9eb7539b93454559e9d2d4 intended to display "wide" forms, see "Administration -> Intrusion detection -> Rule" for its usage.

It's not at the top of my priority list, but I wouldn't mind removing the parameter if both form types still look decent. As far as I see, we only use it in IDS at the moment, so it should be easy to refactor and test.

3
Development and Code Review / Re: Implementing a better ICMP selector in filter rules
« on: November 06, 2019, 07:56:13 pm »
The firewall code is refactored legacy code, which doesn't align very well with the development documents in place.

Since we don't offer support for migrating legacy configurations, we rather keep the stored structure as is for as far as possible. The specific change your proposing might therefor be challenging.

Personally I've never been a great fan of these combined rules, but that doesn't mean you can't suggest a change, as long as it's small and manageable.

If you make sure icmptype only lists the items applicable to both, it probably already generates the correct ruleset:

https://github.com/opnsense/core/blob/eeae08415038e80285c100c5e4c425830adc40b3/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php#L223-L230

I would suggest to keep IPv6 and the related icmp6-type as is to limit the scope of the change.

It would probably be possible to fix this in javascript, since the items in icmptype should exist in icmp6-type when proto IPv4+IPv6 is selected.

https://github.com/opnsense/core/blob/6bb03c18068b816f75d4e40fbee6887886733e5a/src/www/firewall_rules_edit.php#L872-L897


Best regards,

Ad

4
19.7 Production Series / Re: Strange gateway behaviour (question to devs)
« on: October 29, 2019, 08:36:17 am »
Which it shouldn't be if you don't want to force gateways....

Usually the outcome for these toggles can be viewed in the firewall rules ("Automatically generated rules" for either the interface or floating rules in case of the force gw toggle).

5
19.7 Production Series / Re: Strange gateway behaviour (question to devs)
« on: October 28, 2019, 05:49:46 pm »
TLDR: "Disable force gateway" unchecked in **Firewall ‣ Settings ‣ Advanced** and using the same interface?

(see https://docs.opnsense.org/manual/firewall.html)

6
19.7 Production Series / Re: After Update to 19.7.2 Service "flowd_aggregate Insight Aggregator" is stopped
« on: September 20, 2019, 10:26:18 am »
@Conti  can you open a new issue on GitHub with the exact same crashdump? There are likely broken flow records in your data, but the aggregator should skip those. I’ll try to take a look somewhere next week.

7
19.7 Production Series / Re: [Solved] Captive Portal not allowing Internet Access
« on: September 13, 2019, 01:31:27 pm »
@digital_aje you can create a PR for the change on GitHub, the base template can be found here https://github.com/opnsense/core/tree/master/src/opnsense/scripts/OPNsense/CaptivePortal/htdocs_default

8
19.7 Production Series / Re: Captive Portal not allowing Internet Access
« on: September 12, 2019, 08:42:46 pm »
It looks like after testing, the merge left a line which shouldn't have been there, https://github.com/opnsense/core/commit/2a72b99a9dda11e9daf352d1ae8af3e7bebb26bf

To install on 19.7.4:
Code: [Select]
opnsense-patch 2a72b99


Since the entries in the ipfw table won't be removed automatically, easiest procedure is to restart the firewall and test again.

9
19.7 Production Series / Re: After Update to 19.7.2 Service "flowd_aggregate Insight Aggregator" is stopped
« on: September 09, 2019, 01:11:27 pm »
disk full or damaged?
Code: [Select]
df -h Might help finding the first one. The error itself is likely not related to flowd_aggregate, usually this means it's a victim of hardware related issues.

10
19.7 Production Series / Re: After Update to 19.7.2 Service "flowd_aggregate Insight Aggregator" is stopped
« on: September 05, 2019, 08:37:00 am »
Your output seems incomplete, the relevant parts seem to be missing.
You can always flush all stats in Reporting -> Settings -> Netflow data if you want to remove the current stats and start from scratch.

11
19.7 Production Series / Re: Syslog-NG - assign a remote port other than 514
« on: September 03, 2019, 01:37:33 pm »
If your looking for how the old categories were matched, you best look at the "legacy" remote template
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-legacy-remote.conf


portal auth for example is application "captiveportal".

12
19.7 Production Series / Re: Syslog-NG - assign a remote port other than 514
« on: September 01, 2019, 11:04:13 am »
I've just pushed a patch (in the issue) to fix the legacy version, it's scheduled for removal in this ticket https://github.com/opnsense/core/issues/3540 (We tend to only remove these things in major versions)

13
19.7 Production Series / Re: Syslog-NG - assign a remote port other than 514
« on: August 31, 2019, 10:29:18 am »
@shans22 For tracking purposes, please reference to the GitHub issue as well when you create one, it helps others finding possible solutions https://github.com/opnsense/core/issues/3682

Quote
you best use System --> Settings --> Logging / targets, it supersedes "Remote Syslog Servers", which will likely be removed in 20.1


14
19.7 Production Series / Re: kernel: pflog0: promiscuous mode dis-/enabled every 15 min
« on: August 28, 2019, 11:06:49 am »
Usually this means that another process is trying to reload the filter over and over again, other log files and lines might shed some light on it. (backend, general in system).

Issues with a network card, leading to a lot of reconnects could be a possible reason.

15
19.7 Production Series / Re: After Update to 19.7.2 Service "flowd_aggregate Insight Aggregator" is stopped
« on: August 27, 2019, 08:34:11 pm »
similar might be something different, if it's the exact same, maybe the patch didn't apply properly, in which case you better upgrade tomorrow and try again (19.7.3 is scheduled for tomorrow).

You can always dump the output here, so we can take a look.

Pages: [1] 2 3 ... 42
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2