Topics - SecAficionado

1
General Discussion / DNS issue with random MAC device
« on: November 04, 2024, 01:37:24 am »
Hello,

I have an issue that I have seen reported by others, but I think I was able to identify opnsense as the culprit, not my device.

I have a small IoT device that, for whatever reason, does not have a hardware MAC address. It generates a random address every time it boots up. I am looking into writing a custom u-boot for it to hard-code an address, but for now it has a new address each time it boots.

As an initial temporary measure, I created a startup script that brings down the interface, assigns a fixed MAC address and brings the interface back up. That is successful in getting the DHCP server to assign the static IP address that I want to use, but as others have reported, the IoT device does not have internet access after that change.

I was able to trace the issue to a logging problem. I am using Unbound DNS and when looking at the logs, I see entries for dhcp reporting a new dynamic IP address for the device as it boots up, but no report for the static assignment when the MAC address changes. It's as if Unbound does not realize there was a change and does not reply to requests from the static IP/MAC.

If the dhcp server is supposed to notify Unbound, then it would appear it is a dhcp server bug or misconfiguration. If Unbound is supposed to notice the change and respond accordingly, then the issue is there.

Any assistance is appreciated.

2
22.7 Legacy Series / Poor performance with Realtek NICs
« on: July 29, 2022, 02:38:21 am »
Hello,

I know this is an endless subject and a moving target, but I want to document my experience in any case.

I got a good deal on a mini PC with a Celeron J3455 CPU and two Realtek NICs (I think they are RTL8168). I wanted to install opnsense to replace a larger PC to reduce power consumption. I knew Intel NICs were the better choice, but I thought I would give it a try.

I was pleasantly surprised to see that a config running Suricata in IPS mode gave me 900+ Mbps on tests, but then saw that the interfaces would go down, showing "no carrier" errors after an hour or so of service. Only a reboot seemed to fix the problem. I installed the Realtek plug-in (BTW, thanks for that!) and had stable NICs that lasted days without issues, but then I could only get 400Mbps speeds. The driver was the only change.

My Internet connection is 1Gbps which means I can't use this mini PC as my firewall at the moment. Some FreeBSD forums seem to indicate that the native (re) driver has seen improvements over time, so I might be able to get speed and stability from a future version. They also mention that those improvements seem to go away between major releases.

Considering the current system's power consumption, I ordered a much more expensive mini PC with intel NICs, which I will be configuring soon. It will pay for itself eventually with power savings, but I would have preferred to be able to work with the good deal I got.

Does anyone else have similar experiences with getting only 50% speeds using the factory drivers? Can I use older drivers that perform better?

3
20.7 Legacy Series / Unbound DNS Upstream TLS option
« on: December 08, 2020, 10:11:48 pm »
Hello,

As stated in the unbound.conf page (https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/), there is an option to turn on upstream TLS. I always assumed that by entering data into Unbound DNS/Miscellaneous/DNS over TLS Servers, this option would be turned on, but I spent some time examining the config files and I don't see an entry to enable it.
    server:
       tls-upstream: yes
I believe the statement above would be needed to actually turn the feature on, in addition to the path to the certificates and the servers/ports. The latter two options are added in /usr/local/unbound/miscelaneous.conf, but I don't think the traffic is actually encrypted unless the tls-upstream option is used.

Can someone a) verify that my understanding is correct, and if so, b) direct me to the proper way to file this as a bug in the interface?

Thanks!
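The check the post is asking for, as an added example that is not from the post or from OPNsense: a small audit of an unbound.conf-style file for the options that actually switch on TLS towards the forwarders. The three sample configs are constructed for the demo (the file OPNsense writes may look different), and the function name dot_enabled is my own.

```shell
#!/bin/sh
# Added example, not from the forum post or from OPNsense. Audits an
# unbound.conf-style file for DNS-over-TLS to the forwarders. Encryption is on
# only when the server section has "tls-upstream: yes" (global) or each
# forward-zone has "forward-tls-upstream: yes"; "@853" in forward-addr and a
# tls-cert-bundle on their own do not switch it on (Unbound would then send
# plain DNS to port 853, which a DoT server rejects).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# dot_enabled FILE -> prints "yes" when every forward-zone is encrypted and a
# CA bundle is configured for verifying the forwarders' certificates, else "no".
dot_enabled() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # A forward-zone without its own forward-tls-upstream counts as plain
    function end_zone() { if (section == "forward" && !zone_tls) plain++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*server:/       { end_zone(); section = "server"; next }
    /^[ \t]*forward-zone:/ { end_zone(); section = "forward"; zone_tls = 0; zones++; next }
    {
      pos = index($0, ":"); if (pos == 0) next
      key = trim(substr($0, 1, pos - 1)); val = trim(substr($0, pos + 1))
      if (section == "server"  && key == "tls-upstream"         && val == "yes") global_tls = 1
      if (section == "server"  && key == "tls-cert-bundle"      && val != "")   bundle = 1
      if (section == "forward" && key == "forward-tls-upstream" && val == "yes") zone_tls = 1
    }
    END {
      end_zone()
      if (zones > 0 && bundle && (global_tls || plain == 0)) print "yes"; else print "no"
    }
  ' "$1"
}

# Constructed sample 1: forwarder on port 853 plus a CA bundle, but nothing
# enabling TLS. Looks like DoT in the GUI, is plaintext on the wire.
WEAK="$WORK/weak.conf"
cat > "$WEAK" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dot.example.test
EOF

# Constructed sample 2: the same, with the global switch the post is asking about.
FIXED="$WORK/fixed.conf"
cat > "$FIXED" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/cert.pem
    tls-upstream: yes
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dot.example.test
EOF

# Constructed sample 3: per-zone switch on one zone, a second zone left plain,
# so the file as a whole still leaks queries.
MIXED="$WORK/mixed.conf"
cat > "$MIXED" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dot.example.test
    forward-tls-upstream: yes
forward-zone:
    name: "lan.example.test"
    forward-addr: 192.0.2.10
EOF

echo "weak.conf:  upstream TLS fully enabled = $(dot_enabled "$WEAK")"   # no
echo "fixed.conf: upstream TLS fully enabled = $(dot_enabled "$FIXED")"  # yes
echo "mixed.conf: upstream TLS fully enabled = $(dot_enabled "$MIXED")"  # no
```

Run it against the files Unbound actually loads (the main unbound.conf and anything it includes) rather than a single fragment, because the global tls-upstream may live in a different file from the forward-zone that the GUI writes.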

4
20.7 Legacy Series / 20.7.5 Health Audit Bug?
« on: December 05, 2020, 05:41:03 pm »
Hi there,

When I clicked on Audit/Health on the Opnsense GUI, I got the following output:
    ***GOT REQUEST TO AUDIT HEALTH***
    >>> Check installed kernel version
    Version 20.7.4 is correct.
    >>> Check for missing or altered kernel files
    No problems detected.
    >>> Check installed base version
    Version 20.7.4 is correct.
    >>> Check for missing or altered base files
    No problems detected.
    >>> Check for and install missing package dependencies
    Checking all packages: .......... done
    >>> Check for missing or altered package files
    Checking all packages: .......... done
    >>> Check for core packages consistency
    Checking core packages: .................................................................... done
    ***DONE***
Everything looks good, except I have version 20.7.5. Is this a typo in the check script, or is it really checking against the previous version?

Thanks in advance for your help!

5
General Discussion / Let's Encrypt changing its root CA certificate -- Possible breaking changes
« on: December 03, 2020, 02:57:23 pm »
UPDATED Dec 21, 2020
Please see post in the thread below about fix for older Android devices from IdenTrust and Let's Encrypt

UPDATED Dec 5, 2020
Let's Encrypt switched to a new CA on Dec 3, 2020, and any certificates renewed or issued with default settings are affected. There is a hotfix for 20.7.5 to prevent Opnsense from reporting issues with the validity of renewed/new certificates. Please see the thread below for the link.

The original post mentions that the change will happen in January 2021, but Let's Encrypt already made the change. Presumably to coincide with their 5th year anniversary.

--- Original Post ---

If you use Let's Encrypt certificates for your firewall and perhaps other internal servers, this might affect you. Your certificates may start giving certain users/clients warnings that they are not valid, starting in January 2021. Please read on.

Currently, the root CA for Let's Encrypt is cross signed by another CA, which was widely available 5 years ago. This made Let's Encrypt's certificates valid from day 1 on many systems, including legacy systems. That root CA is up for renewal on September, 2021, and Let's Encrypt will replace it with a new CA, which is not cross-signed. This should not be a problem for any system that is regularly patched, but it is likely to be an issue with legacy systems that are not regularly updated, or for IoT setups that don't get new certificate store updates.

When you renew any Let's Encrypt certificates after January 2021, you will get certificates signed by the new CA. This may break SSL/TLS for those older/IoT systems. To help with the transition, Let's Encrypt will allow clients to request certificates signed with the old root. That will give you time to make whatever changes you need (including migrating to a different CA) before the September 2021 deadline when all new certificates will be signed by the new CA.

More info at https://letsencrypt.org/2020/11/06/own-two-feet.html

There are two other free alternatives to Let's Encrypt, which use the same setup: Buypass, and ZeroSSL. Migrating to either one could be as simple as changing the URL for the certificate request.
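The chain behaviour described in this post, as an added example that is not from the post or from Let's Encrypt: throwaway CAs built with openssl reproduce an old root that legacy trust stores already hold, a new self-signed root, a cross-signed copy of the new root, and a leaf issued under the new root. The CA names, the hostname fw.example.test and the helper verify_chain are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum post or from Let's Encrypt. Shows why a leaf
# under a new root verifies on a legacy client only while the cross-signed copy
# of that root is in the served chain, and fails once it is gone.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the cross-signed CA certificate and for the leaf. AKID is keyid
# only, so the leaf matches both copies of the new root (same key, same SKID).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:fw.example.test
EOF

# 1. Old root: what a legacy trust store already contains.
openssl req -x509 -newkey rsa:2048 -nodes -keyout old.key -out old.pem -days 30 \
  -subj "/CN=Demo Legacy Root" >/dev/null 2>&1
# 2. New root, self-signed: only an updated trust store contains it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout new.key -out new.pem -days 30 \
  -subj "/CN=Demo New Root" >/dev/null 2>&1
# 3. Cross-signed copy of the new root: same key and subject, signed by the old root.
openssl req -new -key new.key -out new.csr -subj "/CN=Demo New Root" >/dev/null 2>&1
openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial -days 30 \
  -extfile ca.ext -out new-cross.pem >/dev/null 2>&1
# 4. Leaf (a firewall web UI certificate) issued by the new root.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=fw.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial -days 30 \
  -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_chain TRUSTSTORE [EXTRA_CHAIN_CERTS]
# Validates leaf.pem against a trust store file, optionally with the extra
# (untrusted) certificate a server would send in its chain. Prints ok or fail.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "updated client (new root), no cross cert:     $(verify_chain new.pem)"               # ok
echo "legacy client (old root), cross cert in chain: $(verify_chain old.pem new-cross.pem)" # ok
echo "legacy client (old root), cross cert removed:  $(verify_chain old.pem)"               # fail
```

The third line is the failure mode the post warns about: nothing about the leaf changed, only the served chain. The same openssl verify call with the device's own CA bundle as -CAfile and the chain a server presents as -untrusted is a quick way to find out in advance whether a given IoT or legacy client will still accept a renewed certificate.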

6
19.7 Legacy Series / Help with random reboots
« on: August 06, 2019, 04:27:21 am »
Hi there,

I am experiencing random reboots on my system (19.7.1). Not sure where to start looking for the cause. I don't think they are necessarily CPU panics, but I can't prove it yet. I have no problem with the command line, but I'm still a noob when it comes to FreeBSD. Browsing through the System logs with the web GUI has not given me anything. I can see when the system is starting, but I can't see when or why it went down.

Which file/directory is the best place to start looking? I have two approximate times to look for in the logs that can hopefully tell me how the system went down.

This is my home firewall and I don't really have a need for 24/7 internet, so my firewall goes down every day at night and starts in the morning. I don't think this is a stability issue, unless there are known problems with some CPUs or hardware.

My system is as follows:
OPNsense 19.7.2-amd64 -- Updated on 8/5/2019
FreeBSD 11.2-RELEASE-p12-HBSD
LibreSSL 2.9.2 -- Soon to revert back to OpenSSL
Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz (4 cores)
8GB RAM
450GB HDD
Intel Gig Network cards for LAN and WAN
Plugins:
Suricata with Hyperscan enabled
UnboundDNS with DNSSEC enabled
WebProxy with some ACLs

This system should be overpowered for its load. Even with Suricata running, I never see significant memory usage and have lots of it assigned to Squid, for faster browsing. I don't think I had these problems before 19.7.1, but I can't be sure unless I dig into my log files. I work from home often, though, and I would definitely notice firewall reboots if they happened during office hours. I really think this is a new issue.

Thanks in advance for any help/advice.

7
Intrusion Detection and Prevention / Proposed config change for Suricata
« on: February 10, 2019, 05:22:50 pm »
Hello,

I was experiencing the same issue as is discussed in this post https://github.com/NethServer/dev/issues/5152, which says that unless the WAN IP address(es) is(are) in the Home Networks list, a number of Suricata rules won't fire.

To replicate it, I followed these steps:
  • Created a new fingerprint rule in Services/Intrusion Detection/Administration/User defined
  • The rule is an Alert with all the fields left blank and set to Alert, which should show all traffic passing through
  • Hit Apply
I did not get any alerts from Suricata.

Then, I added my WAN interface IP address to Services/Intrusion Detection/Administration/Settings in the Home Networks field. I should say that Suricata was configured to look at LAN and WAN. Immediately after pressing Apply, I saw a flood of alerts, as I had expected before. I disabled the test Alert fingerprint rule and I started seeing blocked connections that were simply passing through before without firing any alerts.

The proposed change is to Add the WAN IP address to Home Networks when the WAN network is selected in the corresponding drop down. It might even make sense to enable it by default.

Thanks!

8
Development and Code Review / [SOLVED] Help with Cron jobs sub menu
« on: January 27, 2019, 11:30:10 pm »
Hi there,

I want to add an extra option to the list of commands in the cron jobs menu (System:Settings:Cron), but I need some help. I'll refer to paths in the Github pages (https://github.com/opnsense/core).

I think that the page is generated by the code in src/opnsense/mvc/app/[controllers|models|views]/OPNsense/Cron, but I can't figure out how the actual sub menu of commands is generated, so I can add the new task to be scheduled (pls see attachment).

I'm looking for it in an XML file, but I can't find it. My understanding of the process may be wrong. I'm just now dabbling into the GUI framework and structure.

Thanks in advance for your help!

9
18.7 Legacy Series / Spurious kernel panics
« on: January 26, 2019, 10:08:26 pm »
Hi there,

In the last week I've had two kernel panics during boot, after upgrading to 18.7.10. The latest one was this morning.

There seems to be no problem during normal operation, it is just during boot that I see the problem.

Please let me know if you need any additional information about my setup.

Thanks!

10
18.1 Legacy Series / Need help with 18.1.4 Suricata changes
« on: March 13, 2018, 12:59:53 am »
Hi,

After the 18.1.4 update, suricata complains about syslogd. The log tab under IPS has never shown any entries other than "/var/log/suricata.log yielded no results". However, now I am getting an error with red letters!

In the release notes there is an item:
* intrusion detection: proper syslog with drops, requires log file reset

Are the two items related? Any directions on how to help suricata use /var/log/suricata.log and how to reset the log file are welcome.

Thanks!

11
18.1 Legacy Series / GUI Issue - record counter is broken in log viewer
« on: February 13, 2018, 02:55:35 am »
This is an old one, and not urgent. I always see it and then forget to report it, but here it finally is:

When I look at log entries, for example IPS alerts, I see the option to display 7, 50, 100, etc. Selecting the higher number works and I do see X number of records each time, but the record counter at the bottom always seems to be stuck in the smallest number increments.

Let's say there are 235 alerts and I am showing 500 at a time, the bottom will read displaying 1 to 7 out of 501, instead of 1 to 235 out of 235. Similarly, when there are more than 500 records and I go to the second page, I see 8 to 14 out of 1001 instead of 501 to 1000 out of "actual total".

The records seem to be all there, but it's just the counter that is broken.

12
18.1 Legacy Series / Two requests
« on: January 28, 2018, 04:23:24 am »
Hi there,

First, there's a couple of fresh vulnerabilities in curl, so 7.58 is out. Can you please include it in 18.1?

Second, this one might be a more mid to long term request: can you please migrate the rest of the legacy pages that put stuff in /var to their proper place? Unbound is the one example I ran into.

I would like to get my feet wet on contributing to opnsense. Is this something I can try? I'll take a look and see if it's not too above my head.

Thanks!!

13
17.7 Legacy Series / Need help configuring Unbound DNS
« on: January 27, 2018, 11:01:28 pm »
Hello,

I have been looking at the details of the DNS configuration in order to enable DNSSEC on my opnsense box. However, I am having trouble getting it to work correctly.

I went to the Services/Unbound DNS/Settings tab and checked the boxes to enable DNSSEC and some hardening options (no version, etc). I click save and everything looks good and happy. In spite of that, when I log into the box and check the contents of /usr/local/etc/unbound, I do not see root.key, icannbundle.pem, or root-anchors.(p7s, xml) files. Unbound has a built in anchor, but their web site recommends getting the latest files.

More concerning, though, I checked the contents of /usr/local/etc/unbound/unbound.conf and none of my selected options were unchecked in the config file. So, now I am wondering if I am even looking at the right place. Is the config file used at all, are these options passed in the command line at startup, or is there another config file I should be inspecting?

I am running opnsense 17.7.12, libressl flavor, on an AMD Athlon 64 x2 box.

Thanks for your help!
P.S. I just saw the thread about updating to 1.6.8 and the instructions provided worked.

14
17.7 Legacy Series / 17.7.11 not working on VMs
« on: December 29, 2017, 05:26:49 am »
Hello,

As the subject says, I cannot get OPNsense to work on VirtualBox VMs since the update to 17.7.11. I usually upgrade on a VM first to test a few things before doing the real upgrade in my network, but the latest upgrade killed my VMs. They do not connect or have connectivity problems and any other VMs behind the firewall are left without internet service. They can connect to the firewall itself and manage it, but cannot see the outside world.

I tried in a Windows 10 Host, VirtualBox 5.1.30 and a Mac OS High Sierra, VirtualBox 5.2.2. In the Windows host I can get connectivity from the firewall VM, ping external hosts and so on, but the clients are cut off. In the Mac, the WAN interface does not work well. There is no IPv4 address, only IPv6, and all the VMs are left without internet access.

I will be happy to provide diagnostic info, just let me know where to start.

Thanks!

15
17.7 Legacy Series / 17.7 Preferred way to block countries via GeoIP?
« on: August 30, 2017, 03:38:23 am »
Hi there,

As it says in the subject, I'd like to know the preferred way to block countries using GeoIP. The reason I ask is because there is contradictory information between the wiki and the Forums. In the wiki there is an example for using Suricata to block a set of countries. Googling, though, there is a link to an answer in the forum with quick instructions on how to block countries using firewall rules and aliases.

So, supposing we have a firewall with Suricata enabled and running, what is the best way to block countries using GeoIP? What are the memory considerations? I tried to build a table for United States (not) and got out of memory errors on a box with 8GB of memory. Is that sign of a bug, or was I simply trying to do something stupid?

Suricata seemed to work OK, but the logs became unmanageable. Using tables the logs are nice and clean, but I wonder if it works the same. Am I overloading the system with one over the other methodology? CPU usage seemed pretty low on both and, other than the out of memory error in the logs, the memory usage graphs showed lots of free memory.

Anyway, I know there is no simple answer, but I'd like to have some parameters to consider so I can make an informed decision. If the answer is "trial and error", then what should I look for? Memory usage? CPU usage? Error logs? What are the trade-offs? Are both options equally secure, or insecure?

Thanks in advance for your help!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved