Topics - nycaleksey

#1
I have upgraded to 21.1.3 this morning and tried the new health-check feature. One line in the output caught my attention:

python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/lib-dynload/_sha1.so

I SSH'd into the box and ran "ls -l" for this file:

-rwxr-xr-x  1 root  wheel  23200 Mar  8 18:56 /usr/local/lib/python3.7/lib-dynload/_sha1.so

SHA256 of it is 5766a1b659b7e022cbdeeaf6a7a43f6e537ddefbd3dd420ade6a37edf86abc71

I ran the file through VT and it came back clean - https://www.virustotal.com/gui/file/5766a1b659b7e022cbdeeaf6a7a43f6e537ddefbd3dd420ade6a37edf86abc71/detection

After reinstalling python37 package, the issue went away. The size and timestamp of the file did not change, but the checksum is now 972e976dfd77b703ed0104723f12db94d5f0fdcb92761e0ca5e380d65cc6b10e

Running both files through strings command results in the exact same output. Binary diffing the suspicious and valid files shows some odd bytes being different here and there, but the diffs do not look too suspicious to my untrained eye.

Did anyone see the same issue by any chance? Do you think I should be concerned?

Thank you
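The post above compares the suspicious and reinstalled copies with SHA-256, `strings` and a binary diff. The following script is an added example (not from the original post and not OPNsense or FreeBSD tooling) that performs the same three checks in one place and lists exactly which byte offsets differ, so a mismatch can be classified rather than eyeballed. The two byte strings `GOOD` and `SUSPECT` are constructed stand-ins for the reinstalled and flagged file; they are not the real `_sha1.so` contents.

```python
"""Compare a suspicious binary against a known-good copy, fully offline.

Added example, not code from the original forum post. It reproduces the
checks the post describes (SHA-256, `strings`, byte-level diff) and reports
every run of differing bytes with its offset, which is the piece of
information a manual binary diff makes hardest to read off.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DiffRange:
    offset: int   # byte offset where the run of differing bytes starts
    length: int   # number of consecutive differing bytes
    old: bytes    # bytes taken from the suspicious file
    new: bytes    # bytes taken from the reference (reinstalled) file


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the same value `sha256` / `shasum -a 256` print."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of `strings`: runs of printable ASCII of >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def diff_ranges(a: bytes, b: bytes) -> List[DiffRange]:
    """Return each maximal run of differing bytes between a and b.

    If the files differ in size, the trailing extra bytes are reported as one
    final range starting at the end of the shorter file.
    """
    ranges: List[DiffRange] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append(DiffRange(start, i - start, a[start:i], b[start:i]))
    if len(a) != len(b):
        ranges.append(DiffRange(n, abs(len(a) - len(b)), a[n:], b[n:]))
    return ranges


def compare(suspect: bytes, reference: bytes) -> Dict[str, object]:
    """Summarise how the suspect copy differs from the reference copy."""
    ranges = diff_ranges(suspect, reference)
    return {
        "same_size": len(suspect) == len(reference),
        "sha256_suspect": sha256_hex(suspect),
        "sha256_reference": sha256_hex(reference),
        # Identical `strings` output only proves the printable runs match;
        # differences confined to non-printable bytes are invisible to it.
        "strings_identical": extract_strings(suspect) == extract_strings(reference),
        "diff_ranges": ranges,
        "bytes_differing": sum(r.length for r in ranges),
    }


# Constructed sample data (NOT the real _sha1.so): an ELF-like header, a
# symbol-ish string, 32 non-printable bytes, and a copyright notice.
GOOD = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"\x00" * 8
    + b"PySHA1_sha1\x00"
    + bytes(range(32))
    + b"Copyright 2001-2021 Python Software Foundation\x00"
    + b"\x00" * 4
)
_suspect = bytearray(GOOD)
_suspect[30] = 0x90   # two adjacent non-printable bytes altered (offsets 30-31)
_suspect[31] = 0x90
_suspect[50] = 0x01   # one more altered byte further on (offset 50)
SUSPECT = bytes(_suspect)


if __name__ == "__main__":
    # With real files: compare(Path(a).read_bytes(), Path(b).read_bytes())
    result = compare(SUSPECT, GOOD)
    for key, value in result.items():
        if key != "diff_ranges":
            print(f"{key}: {value}")
    for r in result["diff_ranges"]:
        print(f"offset {r.offset:#06x} len {r.length}: "
              f"{r.old.hex()} -> {r.new.hex()}")
```

When the suspect and reference copies have the same size and identical `strings` output but still differ in a few non-printable bytes, as in the post, the offsets this script prints are what to carry into `readelf -S` or `objdump -d` to see whether the changed bytes sit in executable code, relocation data, or build metadata; the hash alone cannot distinguish those cases.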
#2
Hi,

One of the networks I administer has a requirement to try and prevent tunneling out. I know that it is impossible to do reliably, but there must be some "best effort" solutions. This net has all ports besides 80 and 443 blocked for connecting out. I can't require everyone on the inside to use web proxy, so forcing everyone through the proxy is not an option.

Does anyone know of a plugin or an easily scripted solution that would terminate "suspicious" TLS sessions - ones lasting a long time and exhibiting other "suspected tunneling" characteristics?

Thank you,

Aleksey
#3
Hi,

After the upgrade from 18.7 to 18.7.1 the DHCP server stopped working with the following error message in the log: "dhcpd: no such user: dhcpd"

Did anyone run into it? Any troubleshooting tips?

Thank you.
#4
18.1 Legacy Series / Disabling circular logs
July 26, 2018, 05:17:57 PM
Hi,

I'm trying to make the Splunk forwarder for FreeBSD work on OPNsense and it seems to be working ok, except for the fact that it gets really confused by the circular logs.

Does anyone know if it is possible to disable circular logging and save log events to disk files in an old-fashioned way?

Thank you.
#5
18.1 Legacy Series / /etc/hosts modifications
July 17, 2018, 06:13:43 PM
Hi,

Is there any way to edit /etc/hosts entries via the UI? I know similar functionality exists when enabling Unbound or DNSMasq, but I am using neither and just need to alter name resolution on the firewall for one hostname.

Thank you.
#6
General Discussion / logs with client IPs in Unbound
October 31, 2017, 03:23:17 PM
Does anyone know if it is possible to have Unbound log the client IP for every request it receives?
#7
General Discussion / packet captures in Suricata
October 31, 2017, 03:22:38 PM
Hi,

Does anyone know if it is possible to have Suricata configured to save the packets that generated every alert?

Quite often the alert itself does not have enough information to investigate the events, and being able to analyze the captures would be really helpful.

Thank you,

Aleksey
#8
17.7 Legacy Series / Telegraf in 17.7.7_1
October 27, 2017, 02:44:50 PM
Hi,

I am running 17.7.7_1 and deployed the newly published Telegraf plugin. It works fine except for one missing item - network traffic. It seems like Telegraf does not report NIC activity counters. The firewall has two Intel NICs, both using the stock 7.6.1-k driver. Does anyone here run the Telegraf plugin with NIC counters being reported?

Thank you,

Aleksey
#9
17.7 Legacy Series / Packet captures in Suricata
October 27, 2017, 02:32:52 PM
Hi,

I am running 17.7.7_1 with Suricata enabled, however I can't find an option to capture the traffic that causes the alerts to be generated. Is this feature (saving packet captures of flagged traffic) supported in OPNsense or by Suricata in general? A lot of Suricata alerts are impossible to investigate without being able to review the PCAPs of the traffic.

Thank you,

Aleksey
#10
17.7 Legacy Series / Client IP in Unbound logs
October 27, 2017, 02:29:06 PM
Hi,

I am running 17.7.7_1 with the Unbound recursive DNS server enabled on the gateway. I can't find an option to log the IP address of the client for each DNS request processed by Unbound. It is captured if logging verbosity is increased to debug level, but then too much junk gets logged too. Does anyone know if there is a good way to log the IP of the requesting client for each DNS query?

Thank you,

Aleksey