Topics - faunsen

#1
Tutorials and FAQs / Monit Mini Howto
June 07, 2017, 06:08:00 PM
Monit is a software that can check your filesystems, disks, processes, system and many more.
It runs on the firewall host and sends messages or executes actions on various events.
With the os-monit plugin you can configure the Monit daemon.

Installation
To use Monit, install the os-monit plugin first. It installs the monit package as a dependency.
After the installation has finished, reload the GUI and navigate to Services->Monit->Settings.

Configuration
The first step is to check if the plugin installer has imported your System->Notification settings correctly. Then have a look at the other tabs. To help you get acquainted the installer has added some standard entries.

The order for configuring monitoring is: create Service Tests first, then the Services to check, and finally Alerts.

Let's start with the Service Test Settings. A test contains a condition and an action. It can be assigned to one or more services. The Monit documentation shows the possible tests. You can adopt them directly by omitting the IF and THEN keywords.

The next step is to configure service checks. Depending on the service type we need to set a path, start/stop scripts, etc., and assign the tests we defined before. You can assign the same tests to different service checks.

On the Alert Settings tab you can configure to whom alerts are sent on which events, and to whom they are not sent.
Furthermore you can format the mail text, e.g. Subject: $SERVICE failed on $HOST at $DATE
NOTE: For cluster setups you can synchronize the configuration to the other node if you check Monit System Monitoring
      under System->High Availability->Settings. Then go to Firewall->Diagnostics->Filter Reload and click on Force Config Sync.

Status
After starting Monit you can view detailed status information on the Services->Monit->Status page.
System 'firewall.example.com'
  status                       Running
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  load average                 [0.59] [0.41] [0.35]
  cpu                          0.2%us 0.9%sy
  memory usage                 2.6 GB [8.1%]
  swap usage                   0 B [0.0%]
  uptime                       20d 4h 25m
  boot time                    Thu, 18 May 2017 13:27:11
  data collected               Wed, 07 Jun 2017 17:51:23

Filesystem 'RootFs'
  status                       Does not exist
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  data collected               Wed, 07 Jun 2017 17:51:23

Program 'IPMI'
  status                       Status ok
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  last exit value              0
  last output                  System Health: OK, Power Meter: 174 Watts, Ambient Temp: 19 degrees C, Fans: 39 percent
  data collected               Wed, 07 Jun 2017 17:51:23

Examples

FTP Proxy
Check the FTP proxy and restart it if it fails. If it still doesn't run after 5 restarts, stop checking it.
Tests
Name: RestartLimit5
Condition: 5 restarts within 5 cycles
Action: Unmonitor
Name: FTPProxy8021
Condition: failed host 127.0.0.1 port 8021 type tcp
Action: Restart

Service
Name: FTPProxy8021
Type: Process
PID File: /var/run/osftpproxy.127_0_0_1_8021.pid
Start: /usr/local/sbin/configctl ftpproxy start 127_0_0_1_8021
Stop: /usr/local/sbin/configctl ftpproxy stop 127_0_0_1_8021
Tests: FTPProxy8021, RestartLimit5


HPE ProLiant DL380 G7 via IPMI
Check HPE ProLiant DL380 G7 hardware via IPMI.
Install ipmitool, load the ipmi kernel driver and create a check script.
pkg install ipmitool
kldload ipmi
echo 'ipmi_load="YES"' >>/boot/loader.conf.local


Create a script /usr/local/bin/CheckIPMI.sh
#!/bin/csh
# Walk the IPMI sensor data repository (SDR). Exit 1 if any sensor is not
# "ok" or a power supply reports 0 Watts; otherwise print a one-line summary.

set Status = 0
set FanCount = 0
set FanSum = 0
# Defaults so the summary line never hits an undefined variable on boards
# that lack a "Power Meter", "Temp 1" or "Fan *" sensor.
set PowerMeter = "n/a"
set AmbientTemp = "n/a"
set FanSpeed = "n/a"
# Spaces are turned into a literal "\t" so that each SDR line is one word for foreach.
foreach Line (`/usr/local/bin/ipmitool sdr list | sed 's/ /\\t/g'`)
   set SensorData = `echo $Line | sed 's/\\t/ /g'`
   set SensorName = `echo $SensorData | awk -F\| '{print $1}'`
   set SensorValue = `echo $SensorData | awk -F\| '{print $2}'`
   set SensorStatus = `echo $SensorData | awk -F\| '{print $3}'`
   # Any sensor that is neither ok nor disabled counts as a failure.
   if ( "$SensorStatus" != "ok" && "$SensorValue" != "disabled" ) then
      echo "$SensorData"
      set Status = 1
   endif
   # A power supply reading 0 Watts is dead even if IPMI still reports it ok.
   if ( "$SensorName" =~ "Power Supply*" ) then
      if ( "$SensorValue" == "0 Watts" ) then
         echo "$SensorData"
         set Status = 1
      endif
   endif
   if ( "$SensorName" == "Power Meter" ) set PowerMeter = "$SensorValue"
   if ( "$SensorName" == "Temp 1" ) set AmbientTemp = "$SensorValue"
   if ( "$SensorName" =~ "Fan *" ) then
     @ FanCount = ( $FanCount + 1 )
     # Keep the integer part of a value such as "39.20 percent".
     set FanValue = `echo $SensorValue | awk '{print $1}' | awk -F. '{print $1}'`
     @ FanSum = ( $FanSum + $FanValue )
   endif
end
if ( $Status == 0 ) then
   # Guard the division: FanCount is 0 on a board without fan sensors.
   if ( $FanCount > 0 ) then
      @ FanSpeed = ( $FanSum / $FanCount )
   endif
   echo "System Health: OK, Power Meter: $PowerMeter, Ambient Temp: $AmbientTemp, Fans: $FanSpeed percent"
endif

exit $Status

Make it executable.
chmod +x /usr/local/bin/CheckIPMI.sh

Tests
Name: ExecStatus
Condition: status notequal 0
Action: Alert

Service
Name: IPMI
Type: Custom
Path: /usr/local/bin/CheckIPMI.sh
Tests: ExecStatus
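The tests and services entered in the plugin's tabs correspond to stanzas in Monit's control file, which is what you get when you put the IF and THEN back in front of a condition and action. The following is an added example written for this page, not code from the os-monit plugin (the plugin generates its own monitrc, and the exact text may differ); it takes the FTP Proxy and IPMI definitions above as data, checks that every service only references tests that exist (the configuration order the howto prescribes), and renders the equivalent Monit stanzas. The stop command assumes configctl's ftpproxy stop action.

```python
"""Render os-monit style Service Tests and Services as Monit control-file
stanzas.  Added example; the os-monit plugin writes its own monitrc and its
generated text may differ from this rendering.
"""

# Tests as entered on the Service Test Settings tab (the page's examples):
# a name, a condition written without IF/THEN, and an action.
TESTS = {
    "RestartLimit5": {"condition": "5 restarts within 5 cycles", "action": "Unmonitor"},
    "FTPProxy8021":  {"condition": "failed host 127.0.0.1 port 8021 type tcp", "action": "Restart"},
    "ExecStatus":    {"condition": "status notequal 0", "action": "Alert"},
}

# Services as entered on the Service Settings tab.
SERVICES = [
    {
        "name": "FTPProxy8021",
        "type": "Process",
        "pidfile": "/var/run/osftpproxy.127_0_0_1_8021.pid",
        "start": "/usr/local/sbin/configctl ftpproxy start 127_0_0_1_8021",
        # assumption: configctl's ftpproxy stop action
        "stop": "/usr/local/sbin/configctl ftpproxy stop 127_0_0_1_8021",
        "tests": ["FTPProxy8021", "RestartLimit5"],
    },
    {
        "name": "IPMI",
        "type": "Custom",
        "path": "/usr/local/bin/CheckIPMI.sh",
        "tests": ["ExecStatus"],
    },
]


def render_test(test):
    """Put back the IF and THEN the plugin asks you to omit; Monit keywords are lower case."""
    return f"  if {test['condition']} then {test['action'].lower()}"


def render_service(service, tests=TESTS):
    """One 'check ...' stanza per service, followed by its assigned tests."""
    kind = service["type"]
    if kind == "Process":
        lines = [
            f"check process {service['name']} with pidfile {service['pidfile']}",
            f"  start program = \"{service['start']}\"",
            f"  stop program = \"{service['stop']}\"",
        ]
    elif kind == "Custom":
        lines = [f"check program {service['name']} with path \"{service['path']}\""]
    else:
        raise ValueError(f"unsupported service type: {kind}")
    for name in service["tests"]:
        # Tests must exist before services reference them (the howto's ordering).
        if name not in tests:
            raise KeyError(f"service {service['name']} references unknown test {name}")
        lines.append(render_test(tests[name]))
    return "\n".join(lines)


def render_all(services=SERVICES, tests=TESTS):
    return "\n\n".join(render_service(s, tests) for s in services) + "\n"


if __name__ == "__main__":
    print(render_all())
```

Running the script prints the two stanzas; pasting such a rendering into a scratch control file and running `monit -t` against it is a quick way to check that a condition copied from the Monit documentation parses before you enter it in the GUI.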

#2
17.1 Legacy Series / [SOLVED] Packet loss
May 09, 2017, 10:57:11 AM
Hi,

as soon as I put a little bit more load on my firewall cluster it loses packets and the TCP connections get closed.
The nodes are ProLiant DL380 G7 with 32GB RAM, two Quad-Core Xeons X5660 and three Quad-Port Intel 82580 NICs. So I assume the hardware is not the problem. It has link aggregation with loadbalance mode on all interfaces.
The system is not under stress. It has approx. 10k sessions. 1% CPU load. Lots of mbufs, no errors, no drops neither on the NICs nor on the switch ports.

At some indefinite point the firewall loses packets.
The trouble starts after acknowledging number 291137. The database server sends packets until the TCP window gets full. But these packets didn't reach the other side, and the ACKs from the webserver didn't reach the database either. And after the retransmissions timed out, the connection is reset by the database server.

The traces were made on the firewall. I've made them on the physical and the lagg interfaces with no difference.

Any ideas where to look further?
And why do I see ICMP packets from the firewall on this TCP connection?


Many thanks
Frank

lagg0 - 192.168.19.0/24
330 299.939233  172.16.6.69 -> 192.168.19.4   TCP 54 55353 > ms-sql-s [ACK] Seq=12642 Ack=283137 Win=45312 Len=0
331 299.939238   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
332 299.939252  172.16.6.69 -> 192.168.19.4   TCP 54 55353 > ms-sql-s [ACK] Seq=12642 Ack=291137 Win=37376 Len=0
333 299.939397   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
334 299.939572   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
335 299.939576   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
336 299.939579   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
337 299.939582   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
338 299.939585   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
339 299.939588   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
340 299.939591   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
341 299.939595   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
342 299.939599   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0 (Not last buffer)
343 299.939602   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
344 299.939605   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
345 299.939608   192.168.19.4 -> 172.16.6.69  TCP 1514 ms-sql-s > 55353 [PSH, ACK] Seq=324657 Ack=12642 Win=65536 Len=1460
346 299.939610   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
347 300.239719   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
348 300.239743    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
349 300.838833   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
350 300.838859    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
351 302.041479   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
352 302.041502    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
353 304.438934   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
354 304.438957    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
355 309.239126   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
356 309.239148    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
357 318.839481   192.168.19.4 -> 172.16.6.69  TCP 60 ms-sql-s > 55353 [RST, ACK] Seq=292597 Ack=12642 Win=0 Len=0
358 329.939143  172.16.6.69 -> 192.168.19.4   TCP 55 [TCP Keep-Alive] [TCP Window Full] 55353 > ms-sql-s [ACK] Seq=12641 Ack=307137 Win=131328 Len=1
359 329.939261   192.168.19.4 -> 172.16.6.69  TCP 60 ms-sql-s > 55353 [RST] Seq=307137 Win=0 Len=0


lagg1 - 172.16.6.0/24
329 299.939251  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=283137 Win=45312 Len=0
330 299.939261   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
331 299.939271  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=291137 Win=37376 Len=0
332 299.939273   192.168.19.4 -> 172.16.6.69  TDS 1514 Unknown Packet Type: 0
333 299.939321  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=299137 Win=29440 Len=0
334 299.939492  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=21504 Len=0
335 299.939636  172.16.6.69 -> 192.168.19.4   TCP 60 [TCP Window Update] 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=69376 Len=0
336 299.940190  172.16.6.69 -> 192.168.19.4   TCP 60 [TCP Window Update] 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=131328 Len=0
337 318.839520   192.168.19.4 -> 172.16.6.69  TCP 54 ms-sql-s > 55353 [RST, ACK] Seq=292597 Ack=12642 Win=0 Len=0
338 329.939156  172.16.6.69 -> 192.168.19.4   TCP 60 [TCP Keep-Alive] [TCP Window Full] 55353 > ms-sql-s [ACK] Seq=12641 Ack=307137 Win=131328 Len=1
339 329.939300   192.168.19.4 -> 172.16.6.69  TCP 54 ms-sql-s > 55353 [RST] Seq=307137 Win=0 Len=0
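Reading the two traces side by side is the quickest way to see where the flow breaks. The following is an added example written for this page, not code from the post: it parses the TCP and ICMP lines quoted above (tshark one-line summaries, embedded verbatim; the TDS data segments are left out because they carry no Seq/Ack in the summary) and reports, per interface, the highest acknowledgement the client sent before the RST, how many retransmissions and ICMP unreachables appear, and the sequence number the server starts retransmitting from. It only summarises what the quoted lines show: the client side (lagg1) acknowledged up to 307137, the server side (lagg0) last saw ACK 291137, which is exactly where the database server's retransmissions begin, and each retransmission is answered with an ICMP host unreachable. It assumes 192.168.19.31 is the firewall's own lagg0 address.

```python
"""Compare two capture excerpts taken on either side of a firewall (lagg0,
database/server side; lagg1, webserver/client side) and report where the TCP
flow's acknowledgements stop agreeing.  Added example; it summarises the
post's traces and nothing more.
"""
import re

CLIENT, SERVER = "172.16.6.69", "192.168.19.4"
# Assumption: the firewall's own lagg0 address (the post says the ICMP
# messages come from the firewall; only the address is visible in the trace).
FIREWALL_LAGG0 = "192.168.19.31"

# Constructed input: the TCP/ICMP lines of the post's traces, verbatim.
LAGG0 = """\
330 299.939233  172.16.6.69 -> 192.168.19.4   TCP 54 55353 > ms-sql-s [ACK] Seq=12642 Ack=283137 Win=45312 Len=0
332 299.939252  172.16.6.69 -> 192.168.19.4   TCP 54 55353 > ms-sql-s [ACK] Seq=12642 Ack=291137 Win=37376 Len=0
347 300.239719   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
348 300.239743    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
349 300.838833   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
350 300.838859    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
351 302.041479   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
352 302.041502    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
353 304.438934   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
354 304.438957    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
355 309.239126   192.168.19.4 -> 172.16.6.69  TCP 1514 [TCP Retransmission] ms-sql-s > 55353 [ACK] Seq=291137 Ack=12642 Win=65536 Len=1460
356 309.239148    192.168.19.31 -> 192.168.19.4   ICMP 82 Destination unreachable (Host unreachable)
357 318.839481   192.168.19.4 -> 172.16.6.69  TCP 60 ms-sql-s > 55353 [RST, ACK] Seq=292597 Ack=12642 Win=0 Len=0
"""
LAGG1 = """\
329 299.939251  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=283137 Win=45312 Len=0
331 299.939271  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=291137 Win=37376 Len=0
333 299.939321  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=299137 Win=29440 Len=0
334 299.939492  172.16.6.69 -> 192.168.19.4   TCP 60 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=21504 Len=0
335 299.939636  172.16.6.69 -> 192.168.19.4   TCP 60 [TCP Window Update] 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=69376 Len=0
336 299.940190  172.16.6.69 -> 192.168.19.4   TCP 60 [TCP Window Update] 55353 > ms-sql-s [ACK] Seq=12642 Ack=307137 Win=131328 Len=0
337 318.839520   192.168.19.4 -> 172.16.6.69  TCP 54 ms-sql-s > 55353 [RST, ACK] Seq=292597 Ack=12642 Win=0 Len=0
"""

# frame, time, src -> dst, protocol, length, info
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
FIELD = re.compile(r"\b(Seq|Ack|Len)=(\d+)")


def parse(text):
    """Turn tshark one-line summaries into dicts; non-matching lines are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        no, ts, src, dst, proto, _length, info = m.groups()
        pkt = {"no": int(no), "t": float(ts), "src": src, "dst": dst, "proto": proto, "info": info}
        pkt.update({k: int(v) for k, v in FIELD.findall(info)})
        packets.append(pkt)
    return packets


def summarize(packets):
    """Describe the flow as seen on one interface, up to the first RST."""
    rst_times = [p["t"] for p in packets if p["proto"] == "TCP" and "[RST" in p["info"]]
    cutoff = min(rst_times) if rst_times else float("inf")
    before = [p for p in packets if p["t"] < cutoff]
    client_acks = [p["Ack"] for p in before
                   if p["src"] == CLIENT and p["dst"] == SERVER and "Ack" in p]
    retrans = [p for p in before if "[TCP Retransmission]" in p["info"]]
    icmp = [p for p in before if p["proto"] == "ICMP" and p["src"] == FIREWALL_LAGG0
            and "unreachable" in p["info"]]
    return {
        "highest_client_ack": max(client_acks) if client_acks else None,
        "retransmissions": len(retrans),
        "first_retransmitted_seq": retrans[0]["Seq"] if retrans else None,
        "icmp_unreachable_from_fw": len(icmp),
        "rst": len(rst_times),
    }


def compare(server_side_text, client_side_text):
    """Bytes the client acknowledged on its side that never showed up as acked on the server side."""
    s, c = summarize(parse(server_side_text)), summarize(parse(client_side_text))
    gap = c["highest_client_ack"] - s["highest_client_ack"]
    return {"server_side": s, "client_side": c, "acked_bytes_missing_on_server_side": gap}


if __name__ == "__main__":
    result = compare(LAGG0, LAGG1)
    print("lagg0 (server side):", result["server_side"])
    print("lagg1 (client side):", result["client_side"])
    print("client ACKs seen on lagg1 but not on lagg0:", result["acked_bytes_missing_on_server_side"], "bytes")
```

On real captures, feed the two `tshark -r <file>` one-line outputs to `compare()` in place of the embedded strings; a non-zero gap with a retransmission sequence equal to the server side's last ACK places the loss between the two interfaces rather than on either host, which is the narrowing the post is asking for.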


#3
17.1 Legacy Series / [SOLVED] Port Forwarding/Rewriting
February 10, 2017, 11:45:13 AM
Hi,

is it possible to have a kind of dynamic port forwarding or port rewriting?

Clients in network A should access servers in network B which are listening on port 1 via port 2.
Accessing the servers port 1 directly should be prohibited.

A simple port forwarding doesn't work because I need the destination IP and a list for every server would exceed the administrative effort.

Any ideas?


Thanks,
Frank
#4
Development and Code Review / [SOLVED] MultiOptionField
November 07, 2016, 05:27:17 PM
Hi,

for a new plugin I need the OptionField but with multiple selection.
The InterfaceField type for example has such a multiple selection.

Is it possible to do the same with a simple list?
Or is there a way to define an ArrayField that occurs as a multiple_select in the UI?


Kind regards
Frank
#5
Tutorials and FAQs / FTP Proxy Howto
November 02, 2016, 05:25:02 PM
Allow FTP Traffic
This how-to describes the steps to allow FTP traffic from your local network to the internet and from the internet to an FTP server protected by your OPNsense firewall.

Prerequisites
To allow FTP traffic we have to redirect all FTP connections to a local FTP proxy server which dynamically inserts and removes firewall rules according to the FTP port commands.
Additionally we need rules to allow traffic on the local interface to this proxy.

For the setup of the proxy we use the "Ftp Proxy" plugin. It was released with OPNsense 16.7.8.

Forward FTP Proxy
The forward proxy enables internal clients to connect to FTP servers on the internet.

To add a new FTP proxy server navigate to Services->FTP Proxy and click on the Add button at the bottom right.
Now you see a dialog with the proxy settings.


For now you can leave the defaults.

NOTE: If the outbound NAT address is different from the primary interface address you need to specify the NAT address as "Source Address".
      This is probably the case in clustered setups with CARP.

Clicking on Save changes creates a new FTP proxy server and starts it. Be patient, this takes a few seconds.
Now this proxy listens on 127.0.0.1 on port 8021 and you should see it as a new entry in the proxy server list.

The green background indicates that the proxy is running. If the background appears yellow it is disabled and stopped.


Next we create rules to allow and redirect FTP from the LAN interface to the proxy.
Go to Firewall->NAT->Port Forward and click on the Add button.
Here we change the following options:
   Interface: LAN
   Destination: any
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8021

This will create a redirect rule for all FTP connections to the internet


and a rule to allow FTP connections to the proxy. (See Firewall->Rules->LAN)


Apply these changes and you can connect to FTP servers on the internet.

Reverse FTP Proxy
The reverse proxy enables access from the internet to a local FTP server behind the firewall.
Clients connecting to the firewall via FTP will be redirected to a local FTP proxy and then to the internal FTP server.

So let's create a new FTP proxy and configure the "Reverse address" to point to the internal FTP server at 192.168.1.15.


Here we need the rules to redirect the traffic from the WAN Interface to the proxy as well.
Go to Firewall->NAT->Port Forward and add a new rule:
   Interface: WAN
   Destination: WAN address
   Destination port range: FTP
   Redirect target IP: 127.0.0.1
   Redirect target port: (other) 8022

In addition to the auto-generated rules, we allow FTP access on the WAN interface.


Apply the changes and the FTP server is accessible from the internet.

#6
16.7 Legacy Series / FTP Proxy
July 04, 2016, 06:17:56 PM
Hi,

I have a simple OPNsense firewall setup with a WAN and a LAN interface and want to make an FTP connection.
As far as I understood I have to use the FTP proxy for that.

The proxy config is:
General Proxy Settings
  Enable proxy: checked

FTP proxy settings
  FTP proxy interfaces: lan
  FTP proxy port: 2121
  Enable Transparent Mode: checked

Accessing port 21 from LAN is allowed per rule and I can make a control but no data connection.
Squid is listening on 127.0.0.1:2121.

Do I need additional rules, anchors, redirects etc.?


Kind regards
Frank