Topics

1

18.7 Legacy Series / 18.7.10 and Suricata

« on: January 21, 2019, 10:35:05 pm »

Hello.

Are there known issues with Suricata and OPNsense 18.7.10_3?  I just upgraded from 18.7.7, and Suricata doesn't seem like its working any more.  Before the upgrade I would see a fair number of alerts from day to day (mostly informational), but after the upgrade I haven't gotten any!  Seems hard to believe.

I have OPNsense configured to use it on a number of internal interfaces, but not WAN.  And I have chosen Hyperscan as the matching engine.  (I did try the default engine too, but that didn't seem to make a difference.)

I'm using http://testmyids.com to try to stimulate an alert.  This has worked in the past, but nothing happens after the upgrade.

Any ideas?

P.S.  I really love OPNsense.  I've been using it for a couple of years, and I recommend it to others.  Thanks for the great work!

2

17.7 Legacy Series / Meaning of letters in the Firewall Log Files "Proto" field

« on: September 26, 2017, 09:21:07 pm »

What does "TCP:SEC" mean in the Firewall Log Files "Proto" field?

I think the "S" means "Syn," but does "E" mean "ECE" and "C" mean "CWR"

OR

is it "S" and "EC" for "Syn" and "ECE"?

I have a lot of this kind of stuff in my Firewall Log files.  Is that normal?

[Edited to add]: Also, do I need to be creating rules to allow this type of traffic?  Or are simple rules to allow only "Syns" sufficient?

Thanks.

3

Documentation and Translation / Error in "Setup SSL VPN Road Warrior" How to?

« on: August 08, 2017, 08:31:23 pm »

I think there may be a typo in the "Setup SSL VPN Road Warrior" How to:

• Go to the second picture under "Step 2 - Firewall Rules"
• It shows "192.168.2.0/24" as the Source, but I think it should be "10.10.0.0/24" according to the network diagram at the beginning of the article

Either that or I completely don't understand the setup like I thought I did because I don't see "192.168.2.0/24" referenced anywhere else in the article.

Thank you for the write-up though!  I find the OPNsense How to's to be very high quality in general.

4

17.7 Legacy Series / Unbound vs. Dnsmasq

« on: August 02, 2017, 10:43:58 pm »

I noticed in the 17.7 release notes there is mention that Unbound is the new default DNS service.

I don't know enough about DNS or Unbound vs. Dnsmasq to understand the significance of that announcement.

Is Dnsmasq not as secure as Unbound?  Is it not as fully featured?  Does Unbound perform better?  Is Dnsmasq deprecated or scheduled for removal in the future?

If I'm using Dnsmasq now, should I switch?  Does the 17.1 -> 17.7 upgrade package do the switching for me?  Will it transfer my Dnsmasq configuration to Unbound?

Etc.

Thanks for the help!

5

16.7 Legacy Series / Which FW process is associated with which outbound connection

« on: March 14, 2017, 04:22:35 pm »

Does anyone know of a reason why the *FW* might be making connections to the following Twitter-controlled IPs:
104.244.42.194 and 104.244.42.2 on port 443?  It is happening pretty much constantly...

Is there a command I can run on the FW that will link those outbound connections to a process?  lsof doesn't seem to be present and I can't figure out the right netstat command to do it...

If the FW is somehow participating in a DDoS, I want to know!