Topics - miroco

#1
21.1 Legacy Series / [Solved] Tunables mismatch
February 11, 2021, 08:16:36 PM
I'm experiencing an inconsistency between tunable names and description on the main Tunables page and individual settings.

I reverted to the default tunables, but the inconsistencies persist.

An example:
#2
I just came across this.

*NIX vulnerability lets attackers hijack VPN connections.

CVE-2019-14899

https://www.bleepingcomputer.com/news/security/new-linux-vulnerability-lets-attackers-hijack-vpn-connections/
#3
I came across this discussion and I wonder if or how this change to Mozilla/Firefox could impact on OPNsense?

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

"In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries."

Disabling Firefox's automatic switch to DoH
https://www.snbforums.com/threads/disabling-firefoxs-automatic-switch-to-doh.58910/
#4
I noticed this today. I don't know when this began, or if it's only me who is affected. Time in Dashboard seems to correspond to time on my Mac though.

root@xxxxxxxx:~ # ntptime
ntp_gettime() returns code 0 (OK)
  time e0db421d.293293d0  Thu, Jul 18 2019 21:08:13.160, (.160928974),
  maximum error 230285 us, estimated error 153 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -204.688 us, frequency 53.608 ppm, interval 4 s,
  maximum error 230285 us, estimated error 153 us,
  status 0x2001 (PLL,NANO),
  time constant 6, precision 1.000 us, tolerance 496 ppm,
  pps frequency 53.609 ppm, stability 0.000 ppm, jitter 0.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.


https://www.linuxquestions.org/questions/slackware-14/ntpd-kernel-reports-time_error-0x2041-clock-unsynchronized-4175636606/

Edit.

I made a new search and found out that the issue has been covered.

https://forum.opnsense.org/index.php?topic=9967.msg45447#msg45447
#5
Is it safe to assume that OPNsense 19.1 will be using Unbound ver. 1.8.3? If so, and I need to revert to an earlier version, like ver. 1.8.1 (I'm using DNS-over-TLS), can I when 19.1 goes live use Unbound from the 18.7 branch to do so?

opnsense-revert -r 18.7.8 unbound


Thanx

miroco
#6
Unbound surprisingly quit after an update to 18.7.9. I've been using DNS-over-TLS for a long time now without issues and was surprised by the fact. Reverting to the previous Unbound version 1.8.1 solved the problem.

Dec 13 21:43:04   kernel: -> pid: 86093 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Dec 13 21:43:04   kernel: [HBSD SEGVGUARD] [unbound (86093)] Suspension expired.
Dec 13 21:43:04   kernel: pid 86093 (unbound), uid 59: exited on signal 11
Dec 13 21:24:43   kernel: -> pid: 1801 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Dec 13 21:24:43   kernel: [HBSD SEGVGUARD] [unbound (1801)] Suspension expired.
Dec 13 21:24:43   kernel: pid 1801 (unbound), uid 59: exited on signal 10

miroco
#7
Does anyone have experience with the Ubiquiti AirCube ISP and/or AC? The AirCube is a consumer grade WiFi access point. The "ISP" version is a 2.4 GHz-only device, whereas the "AC" version supports both 2.4 and 5 GHz mode. The May 7th firmware changelog (the latest) contains a comprehensive description of features.

https://www.ubnt.com/accessories/aircube/

https://www.ubnt.com/downloads/firmwares/airCube/v2.2.0/changelog.txt

https://community.ubnt.com/t5/airCube/bd-p/airCube

https://www.youtube.com/watch?v=UnYRT7wI-Vs

A few points of sale in the EU.

https://www.amazon.co.uk/
https://www.amazon.de/
https://www.eurodk.com/
https://www.irishwireless.net/
#8
In view of the upcoming speculative execution kernel patch for amd64, planned for 18.1.5 and the APU2C4 board.

https://forum.opnsense.org/index.php?topic=7595.0

PC Engines - about Spectre and Meltdown vulnerabilities

http://pcengines.ch/spectre.htm

On one hand a microcode update seems to be necessary in part to mitigate the effects of the Spectre vulnerability. On the other hand it seems that PC Engines standpoint is that "the vulnerability must be handled at the OS level". That's consistent with the upcoming patch, but not a word about a microcode update?

Is there a discrepancy, or have I misunderstood the complexity of the problem?


Regards,


Miroco
#9
17.7 Legacy Series / [SOLVED] Suricata and port 443
September 16, 2017, 03:51:24 PM
Suricata and port 443

As soon as I enable IPS mode under Intrusion Detection, the No-IP DynamicDNS update fails. This also makes my OpenVPN server fail. It's a road warrior style configuration using port 443.

I set out to try the abuse.ch ruleset and IPS. The ruleset does not seem to play a part in this, but IPS definitely does. The mandatory 3x hardware offloading is disabled.

Sep 14 20:38:348         opnsense:/usr/local/etc/rc.dyndns: curl error occurred: Failed to connect to dynupdate.no-ip.com port 443: Operation timed out

If I uncheck IPS mode, the problem goes away and I can connect to my OpenVPN server.

Sep 14 20:47:36         opnsense:/usr/local/etc/rc.bootup: DynamicDNS (xxxxxxxxxxxx.ddns.net): (Success) DNS hostname update successful.

I'm on OPNsense ver. 17.7.2


Perhaps a related issue.

https://forum.opnsense.org/index.php?topic=4727.0

Miroco