Topics - Noctur

#1
I tried this several years ago following the Wiki official instructions without success. Searching the forum for updated information I find others are having the same issue still, some posts from as far back as 2018 asking for guidance without replies.

Does transparent firewall work? If so, is there a clear set of instructions on how to successfully set it up? I followed the Wiki again yesterday without success. https://docs.opnsense.org/manual/how-tos/transparent_bridge.html There are some bloggers with slightly different instructions, tried a couple, still no success.

My goal is to set up an OPNsense appliance between the modem and wifi router in a home env for IPS/IDS. TIA
#2
I have tried to block youtube for a while now and was unsuccessful because Youtube is now part of Google. Blocking Youtube has resulted in blocking access to Google services. It is important for me to allow use of Google services, i.e. docs, so I haven't been able to selectively block Youtube until now.

This seems to have worked for me. Youtube is not accessible but Google Docs are. Does anyone foresee an issue with the following approach?

Services >> Unbound DNS >> Overrides.

"+" to Add New

Domain:  www.youtube.com
IP Address: 127.0.0.1
Desc: Youtube Block

Save

I have tried to get around it by going to www.youtube.de and it is still blocked. I haven't tried facebook or twitter, but they seem to be other sites people frequently want to block.

Is there a way to make this subject to a schedule? TIA
#3
In my upgrade from 17.1.12_1 to 18.1.1 I used a backup config file to reinstall my settings. In those settings I had the Snort/VRT rules tagged and had my ID and rules version file input.

On inspection, I noted the packages for Snort VRT and PT Research rulesets were not checked in the packages. Checking the IDS rules, they were not present.

After installing the packages my Snort user ID and rules file version were present. I was able to download and install those rules.

It looks like restoring a prior config is not capturing all of the installed packages.
#4
Is the update from .12_1 to .13 as noted in the version messages still in the works? I reverted to 17.7.12 until I can sort out the issue I've had with OpenVPN.

BTW - thank you for all the hard work OpnSense team, it is appreciated and it is recognized that there are bound to be hiccups in major version transitions. TIA
#5
18.1 Legacy Series / [SOLVED] OpenVPN Broken
January 30, 2018, 07:26:38 PM
Updated yesterday, tried to enable several prior OpenVPN clients and while they would indicate connected, no data comes through. Every attempted website returns not found. Note that connecting with TOR browser is successful.

Anyone else seen this?

How can I safely downgrade to the 17.7.12_1 version I was on until this gets sorted out? TIA.
#6
I'm trying to get internal ClamAV / Transparent Proxy scanning going using the How-To on the Wiki (https://wiki.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html). Following the instructions, right after I finish Step 1 on that page, Setup Caching Proxy, I apply and GUI access to the FW is locked out. That persists after reboot at the FW. I have to restore a previous config backup to get things running again.

My setup: 17.7.7_1 running the FreeBSD 11.1 OS from here: https://forum.opnsense.org/index.php?topic=6257.0
Suricata with IPS/IDS
OpenVPN with client operating
Anti-lockout rule is turned off
Standard LAN ports are open via FW rules (http, https, ssh, voip, various email, etc)

When setting up the Caching Proxy, I'm selecting both the LAN and OpenVPN interfaces, No Authentication, No ACL, No Remote BL, Yes on FW Rule no ByPass on LAN (not VPN). I have not completed the last step in that how-to to set up the browser as it will be set up as transparent in the next procedure. This is as far as I get.

What am I doing wrong? TIA for your help.

On a different note, would the devs consider implementing a feature when ClamAV and c-ICAP modules are installed and enabled on a system together that a proxy could also be created with settings automatically defaulted to a config that routes through the two modules for internal AV scanning? Expert users could then tweak default settings to suit more complex configs. This would only be triggered if both were installed. If ClamAV is installed and ICAP is not, it would be understood that the ICAP processor is an external system / separate VM.
#7
The new ClamAV service is a winner! Thank you to the team who made this happen.

For those of us running /var in RAM and who need to manually reload ClamAV signatures, is there a way to automate this such that it runs the reload after a reboot?
#8
http://www.techrepublic.com/article/how-to-stop-isps-from-spying-on-your-iot-devices/

Can this be done with OpnSense?

A search through the forum and wiki doesn't turn up anything; a general internet search and a pfsense search don't hit either.

#9
With Petya raging, do we need to add in new FW rules to block it or does the current abuse.ch and emerging threats rulesets include it? Reviewing the abuse.ch ransomware rules site does not comment on Petya.

For example, there is a suggestion on the Microsoft Security Blog that blocking ports 139 and 445, as well as disabling SMBv1 and/or installing security update MS17-010 on individual windows machines will prevent an infection. https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

But I wanted to see if either current rulesets or a custom rule would block it further upstream. I've located a SNORT ruleset that addresses Petya specifically from PTSecurity.com (https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759) reproduced below. But going through the motions is moot if current rules suffice.

Choices are 1) a new FW rule blocking SMB ports, 2) custom Suricata rules based on the SNORT rules below, or 3) do nothing because it's already managed.

Anyone have a better handle on this? TIA

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)
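To see what the Trans2 rules above actually test for before converting them to Suricata, here is an added example (written for this page; not code from the post, PT Security, Snort or Suricata) that evaluates the `content`/`offset`/`depth`/`distance`/`within` logic of sid 10001256 and the `pcre` part of sid 10001254 against constructed SMB1 Trans2 request bytes. The packet layout follows the MS-CIFS field sizes (4-byte NetBIOS session header, 32-byte SMB header, Trans2 parameter block with one setup word), which is why the sub-command lands 52 bytes after the 9-byte header pattern, exactly where both rules look. The `byte_test`, `flowbits` and `threshold` options of the rules are not modelled; the packets and the `trans2_request` helper are constructed for illustration.

```python
"""Evaluate the content/offset/depth/distance/within logic of the PT Open
Trans2 rules (sid 10001254 and 10001256) against constructed SMB1 Trans2
request bytes.  Added example for this page; not code from the forum post,
PT Security, Snort or Suricata.  All packets below are constructed samples."""
import re

# Rule 10001256's content options as (content, modifiers), copied from the rule text.
RULE_10001256 = [
    ("|FF|SMB2|00 00 00 00|", {"offset": 4, "depth": 9}),
    ("|0E 00|", {"distance": 52, "within": 2}),
]

# The pcre of rule 10001254: Trans2 sub-command codes Windows does not implement.
# The rule carries no 's' modifier, so '.' does not match 0x0A; Python's re behaves
# the same way without re.DOTALL, so it is deliberately left out here as well.
UNIMPLEMENTED_TRANS2_RE = re.compile(
    rb"\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00"
)


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes: text between '|' is hex, text
    outside is literal ASCII ('|FF|SMB2|00 00 00 00|' -> ff 53 4d 42 32 00 00 00 00)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def match_contents(payload: bytes, contents) -> bool:
    """Apply a sequence of content matches with Snort semantics: offset/depth give an
    absolute window from the payload start; distance/within give a window relative
    to the end of the previous match."""
    cursor = 0
    for spec, mods in contents:
        pattern = parse_content(spec)
        if "distance" in mods or "within" in mods:
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        else:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        idx = payload[start:end].find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


def trans2_request(subcommand: int, command: int = 0x32) -> bytes:
    """Constructed SMB1 request: 4-byte NetBIOS session header, 32-byte SMB header
    (command 0x32 = SMB_COM_TRANSACTION2), then a Trans2 parameter block whose
    single setup word is the sub-command.  With MS-CIFS field sizes the setup word
    sits at packet offset 65, i.e. 52 bytes after the 9-byte header pattern."""
    smb_header = b"\xffSMB" + bytes([command]) + b"\x00\x00\x00\x00" + bytes(23)
    params = bytearray(28)   # TotalParameterCount ... SetupCount, Reserved3
    params[26] = 1           # SetupCount = 1
    body = (smb_header + b"\x0f" + bytes(params)            # WordCount 15 + params
            + subcommand.to_bytes(2, "little") + b"\x00\x00")  # Setup[0], ByteCount 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


def trans2_alerts(packet: bytes) -> dict:
    """Report which of the two modelled rules would fire on the packet."""
    return {
        10001254: UNIMPLEMENTED_TRANS2_RE.search(packet) is not None,
        10001256: match_contents(packet, RULE_10001256),
    }


if __name__ == "__main__":
    samples = [
        ("Trans2 sub-command 0x0E (SESSION_SETUP)", trans2_request(0x0E)),
        ("Trans2 sub-command 0x01 (FIND_FIRST2)", trans2_request(0x01)),
        ("SMB_COM_TRANSACTION 0x25, not Trans2", trans2_request(0x0E, command=0x25)),
    ]
    for label, pkt in samples:
        print(f"{label:42} {trans2_alerts(pkt)}")
```

The normal FIND_FIRST2 request (sub-command 0x01, used by ordinary directory listings) trips neither rule, while the unimplemented 0x0E sub-command trips both, which is the behaviour the rule comments describe. Note that both rules anchor on the SMB1 magic `\xFF SMB`, so they say nothing about SMB2/SMB3 traffic; the `\xFE SMB` rules further down (sids 10001443 and 10001444) cover that dialect.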
#10
I need to set up a system with a portion of the service routed through a VPN (OpenVPN) and another set of IPs routed to by-pass the VPN. Both routes should still be inspected by the pf firewall and Suricata. The How-To section of the Wiki doesn't expressly show an example of this. Is there another example of how this is performed that someone could point me to? TIA
#11
Noticed this in the system log... but everything seems to be working.

kernel: arpresolve: can't allocate llinfo for X.X.X.X on em0

em0 is the WAN port. I'm using a VPN. DNS leak and IP test point to the correct termination point. Is this truly an error or simply a message resulting from the use of a VPN? TIA
#12
17.1 Legacy Series / Transparent Firewall
January 07, 2017, 06:22:01 PM
Has anyone been successful in getting a transparent firewall setup on 17.1 beta using the instructions here: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html? Or any other instructions?

I tried a few months ago using 16.x and was unsuccessful using em NICs.
#13
16.7 Legacy Series / Transparent Bridge Setup
November 01, 2016, 04:44:22 PM
All - Trying to set up a transparent bridge as per this document in the How-To section of the Wiki: https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

I've followed directions using the 16.7 production and the 17.1 alpha software and have not met with success.

My setup: i5 quad with 8gb RAM, 240gb SSD, multiple Intel NICs. Cabled up as: DOCSIS 3 Modem --> WAN on opnSense box, LAN on opnSense box --> WAN on Asus AC68U, following the Wiki How-To precisely. I've also tried Modem-->WAN opn, LAN opn -->WAN Asus, Opt2 em2 as Mgt port on opn box --> LAN Asus, with WAN, LAN, Opt1 Bridge WAN/LAN, and Opt2 Mgt port bridged to Opt1 bridge.

I need to retain the AC68U for some features it provides, otherwise I'd set opnSense up as a router. I can get to the management console on opnSense with either cabling/setting scenario, but I cannot get outside. The opnSense sys cannot complete a firmware update check. Prior to performing the instructions on the How-To, the system works as expected and Suricata & Country filter works.

Any assistance or a point in the right direction appreciated. TIA
#14
I'm new to firewalls, trying to install opnsense for my home network. I've installed opnsense - great and easy process. I'm ready to install openvpn tunnel, suricata and have already had some success with getting them going. But, because I have absolutely no experience with firewalls - I've simply relied on the home router/ap firewall - I don't know where to begin with the firewall rules.

I've spent several days scouring this site and others looking for an initial set of firewall rules that would be helpful for a home user with no experience, but have not been able to find a clear stepwise guide. The rules out there all appear to be additional setups for those who already have their set in place and want to enhance for additional function.

My request is this:

1) If I've missed an initial firewall rules setup guide, would you please list a link and I'll pursue it myself without additional bother to others. Out of the box it appears that opnsense doesn't have any basic rules and doesn't provide internet access and doesn't seem to provide a beginner's settings in the online documentation.

2) If one doesn't exist, would someone please give an example, then list the several modes that should be blocked by a home user? I've found one guide that suggests 'block all on WAN', then lists the various ports that should be opened on the LAN, and have followed it, but I am unable to get internet access through. It seems there aren't any 'pass' rules in the WAN tab that allow anything through.

I just don't know where to start. But, I suggest there is a demand for a basic settings tutorial that gets it installed, basic rules in place, and passes internet. There are lots of people interested in doing this now. Check Kickstarter or Indiegogo for the small, dedicated security appliances that are being funded because there isn't a simple 'how-to' for the basic home user to set up an opnsense firewall/appliance. They're all interested in a higher degree of security than what is offered by their router/ap.

If the reason something like this doesn't already exist is because the intent is to sell preconfigured appliances or consulting services please let me know and I'll go away. TIA