Topics

1

German - Deutsch / Erfahrungen mit Intel Celeron CPU's mit IPS/IDP

« on: February 15, 2021, 10:14:22 am »

Hallo zusammen,

habe ne APU4, damit geht IPS nicht wirklich. Max. 80 mbit/s. Suche nach beserer Hardware und wollte nachfragen, ob jemand Erfahrungen mit den Celeron CPU's hat:

Intel Celeron N4100
Oder der J9100

Habe in Zukunft max. 400 mbit/s Download und würde gerne IPS mitlaufen lassen, damit aber möglichst den Durchsatz erreichen.

Gruss
Roger

2

Web Proxy Filtering and Caching / Signal App only working if SNI enabled

« on: February 01, 2021, 08:40:44 am »

Hello,

I have an old tablet, which i would like to have SSL Inspection enabled. But this will not work for Signal, even if .whispersystems.org and .signal.org are inserted into no ssl bump sites.

It still reclams the certificate, e.g.:
kid1| ERROR: negotiating TLS on FD 30: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)

Does anybody know, how i can handle Signal having ssl inspection enabled? Btw. the proxy is not transparent.

3

20.7 Legacy Series / Proxy and Clam

« on: January 28, 2021, 10:20:50 am »

How far does it still make sense, checking for viruses on the proxy, as lots/most/whatever webservers already use hstsc if we just use SNI? In that case, the content cannot be checked, i think.

This traffic will not be checked, isn't it?

Just for comprehension.

4

21.1 Production Series / Squid SSL [Solved]

« on: January 27, 2021, 11:19:17 am »

Hi,

I tried for an old tablet having Squid using SSL Bump (without transparent proxy) - default listening is on port 3129.

On the tablet i get a reduced connection. Strange. On the sense, i see also not listening anything to port 3129 (which perhaps causes this).

And even more strange, the traffic gets - as it seems - inspected, as https://-download from eicar is recognized in c-icap...

usually i expected no inspection of traffic, as it is not listening on 3129 (SNI, btw. is disabled...)

Are there perhaps changes in squid, that could cause this?

5

21.1 Production Series / NGINX problem with https server

« on: January 20, 2021, 11:21:44 pm »

Since the upgrade to 21.1-rc...my https-reverse-proxy does no longer start.

Logs say:
SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_4fa78829-e9c2-4d1b-b07d-3223d324f828.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

in the mentionned path, i can find a pem. This error holds nginx from start. if i remove TLS-support from the server, the services starts again.

Somebody with a good idea?

6

21.1 Production Series / Update to 21.1 not possible

« on: January 14, 2021, 11:05:47 am »

Hello,

RC1 is not yet advised on my box. This according to the bug mentionned in the announcment. Will there be a fix (e.g. analogue to the update to 20.7., where first another update had to be done before the update to 20.7 was possible)?

7

20.7 Legacy Series / Double NAT - Provider Modem

« on: January 14, 2021, 09:29:06 am »

Hello,

I have a DOCSIS-Cablemodem, which was in bridged mode. Unfortunately, i had lots of packet losses in the last time. So i had to switch to router mode. The opnsense (where all traffic flows on it) is in dmz (i have mail- and webserver from the outside)

Since i changed the way, i get max 100mbps passing via opnsense. Before, it was up to 700 mbps without any problem. I think now, this is a problem of natting opnsense and the modem.

Easy, i disabled natting on the sense, nothing more worked. Of course, as the sense with nat got the ip from the isp-router, without natting all clients behind the sense come now up with their own ip instead of the natted from the wan-port of the sense.

I'm a little bit out of ideas. Does anybody have a "similar" installation? How did you solve this for you?

Thanks!

8

20.7 Legacy Series / [Solved, RFC needed?] NGINX as IMAP reverse proxy

« on: October 25, 2020, 01:21:34 pm »

i got nginx at 80% as reverse proxy for dovecot running. 80% because i don't get the external ip of the client transferred to the mailserver.

if i enable proxy protocol, the connection will not be accepted. Does anybody have an idea? Eventually i was searching false, but google did not reply that much on imap on reverse proxy

all i would need is having the external ip in the logs of dovecot.

Thx,
Ruggerio

9

20.7 Legacy Series / Suricata - Engine?

« on: August 03, 2020, 04:14:29 pm »

Hi,

When testing 20.7 from iso, i always used Aho Ken Steele, no problems with memory.

Now, in 20.7 Production, memory goes up nearly 70% for suricata and the system is swapping. This was not the case before. I changed for now to "reduced memory implementation", but still lots of memory used and swap.

thx!
Ruggerio

10

20.7 Legacy Series / Postfix not logging

« on: July 31, 2020, 11:06:01 am »

Hey,

Since upgrading to 20.7, Postfix shows no more logs.

Cheers,
Roger

11

20.7 Legacy Series / Squid/C-ICAP Error

« on: April 08, 2020, 08:14:04 am »

Since the upgrade, C-ICAP shows the following error:

Wed Apr 8 08:06:51 2020, 24221/803493376, ci_simple_file_new: Can not open temporary filename in directory:/var/tmp/

Shouldn't this be /tmp?

Comment: changed this in /usr/local/etc/c-icap/c-icap.conf from /var/tmp to /tmp and now it works.

Perhaps this has something to do, that i set a separate temp-directory in settings.

12

20.7 Legacy Series / [SOLVED] Postfix not logging

« on: April 02, 2020, 02:08:20 pm »

The postfix-logs are also after a few reboots empty (in GUI and shell).

13

19.7 Legacy Series / Postfix: Mails duplicating several times

« on: December 07, 2019, 07:43:52 pm »

Since the last update of postfix, i get some (not all) Mails duplicated or even multiplicated.  Somebody else having this issue?

The message-id btw. is always the same, on each messsage.

14

Intrusion Detection and Prevention / Suricata 5: Errors in Rules

« on: November 03, 2019, 08:51:13 am »

After having Suricata 5 now on dev, i switched over for more testing (and not kidnapping the old thread). After the 1st night, i saw the following error in the logs:

suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and following:
    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so suricata 5 recognized it, but will not do anything with it. Is this an error in the ruleset of urlhaus.ch?

btw. i disabled proxy, also for comparison of downloads on my apuc4. With the usual performance fiddling, i got a downloadrate of 270mb/s, using aho-corasick. Never got that before, neither only on proxy, nor only mit ips (yes, ips enabled) - also a big wow!

15

Intrusion Detection and Prevention / IPS and DHCP

« on: September 16, 2019, 07:52:08 am »

Hello,

I still cannot geht IP's via DHCP on VLAN's, if IPS is enabled. Did i miss sometihing, or is for VLAN's a "special" configuration needed, which i missed?

I disabled all the things on the interface, vlan filtering is on standard. Promicuous mode is disabled.

Thx!