Topics - nospam

1
18.7 Legacy Series / IDS and SSL
« on: October 07, 2018, 03:55:38 pm »
Does OPNsense IDS block connections made with SSL?

2
18.7 Legacy Series / SSL Proxy Config question
« on: October 06, 2018, 04:49:23 pm »
Sorry about the cross post but I'm unable to delete my first post.

I have SSL transparent proxy working for most sites except for a few odd cases and I'm not sure how to resolve the issue.

When I go to certain websites (https://somewebsite.com) my firewall is blocking it with the message:

Access Denied: URL https://11.22.33.44/*

I added somewebsite.com to my proxy whitelist AND to the "SSL no bump sites" but I am still getting the error.

Can someone offer insight as to why the domain is getting resolved by the proxy URL as an IP and then getting blocked?  Are there any workarounds?

Usually the "Access Denied" message shows the URL blocked, not the actual IP address.  Reading up on squid indicates this might be due to multiple DNS servers providing conflicting results and squid flagging the website.  The sites in question are certain government websites which are likely hosting one URL on multiple IP addresses.  I've tried adding the IP addresses to the "SSL no bump sites" as well but that doesn't work.


3
Web Proxy Filtering and Caching / SSL Proxy Config question
« on: October 03, 2018, 02:38:01 pm »
I got the SSL proxy working yesterday for most sites except for a few cases and I'm not sure how to resolve the issue.

This morning when I go to https://somewebsite.com on a PC it connects after warning me about a security SSL issue...no problem here.  When I access the same website using an iPad my firewall is now blocking it with the message:

Access Denied: URL https://11.22.33.44/*

I added somewebsite.com to my proxy whitelist AND to the "SSL no bump sites" but I am still getting the error.

Can someone offer insight as to why the domain is getting resolved by the proxy URL as an IP and then getting blocked?


4
18.7 Legacy Series / Looking for someone with working lightsquid and sarg running on their system
« on: September 13, 2018, 06:29:29 pm »
I'm trying to get lightsquid and sarg running on my system but am running into problems with the scripts' expected date formats vs what my system is generating.

My squid access.log generates lines in the format
XXX.XXX.XXX.XXX - XX:XX:XX:XX:XX:XX - [13/Sep/2018:00:00:20 -0400] "POST http://somewebsite HTTP/1.1" 403 4171 "-" "Mozilla/5.0 (Linux; )" TCP_DENIED:HIER_NONE

but when I run lightparser.pl I don't get any output and sarg -x gives me script date input errors like:

SARG: Loop detected in getword_atoll after 0 bytes.
SARG: Line=" [13/Sep/2018"
SARG: Record=" [13/Sep/2018"
SARG: searching for 'x2f'
SARG: Invalid date in file "/var/log/squid/access.log"

Can somebody post a couple of lines from their access log so I can compare what's going on?

5
18.7 Legacy Series / Trying to figure out why website is getting blocked by web proxy...
« on: September 13, 2018, 04:00:18 pm »
Is there an easier way to determine why a website gets blocked by web proxy?

"The following error was encountered while trying to retrieve the URL: http://www.bing.com/
Access Denied."

For some reason "bing.com" is now getting blocked and all I get in my log file is
TCP_DENIED:HIER_NONE

I am using remote blacklists so I am assuming one of them is flagging the website...why bing is suddenly blacklisted is beyond me...I'd like to figure out which one is causing the problems
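The access.log layout quoted in the lightsquid/sarg post and the TCP_DENIED:HIER_NONE result mentioned here can be parsed directly to see which client and destination each denial belongs to. This is an added example, not part of the original posts; the sample lines, addresses and the names `parse_line` and `denied_summary` are constructed for illustration, and lines in any other layout (such as Squid's native format) are counted as skipped.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Layout of the line quoted in the post:
# client - mac - [time] "METHOD URL PROTO" status bytes "referer" "agent" RESULT:HIER
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<mac>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<result>\w+):(?P<hier>\S+)$'
)

# Constructed sample input; the last line is in Squid's native log format.
SAMPLE = """\
192.0.2.10 - 02:00:00:00:00:01 - [13/Sep/2018:00:00:20 -0400] "POST http://somewebsite HTTP/1.1" 403 4171 "-" "Mozilla/5.0 (Linux; )" TCP_DENIED:HIER_NONE
192.0.2.10 - 02:00:00:00:00:01 - [13/Sep/2018:00:01:02 -0400] "GET http://www.bing.com/ HTTP/1.1" 403 4100 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.11 - 02:00:00:00:00:02 - [13/Sep/2018:00:01:05 -0400] "CONNECT example.test:443 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_TUNNEL:HIER_DIRECT
1536811220.123 45 192.0.2.12 TCP_MISS/200 1024 GET http://example.test/ - HIER_DIRECT/198.51.100.7 text/html
"""

def parse_line(line):
    """Return a dict of fields, or None if the line is not in the layout above."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    # CONNECT requests log "host:port" instead of a full URL.
    target = rec["url"]
    rec["host"] = urlsplit(target).hostname if "://" in target else target.rsplit(":", 1)[0]
    return rec

def denied_summary(lines):
    """Count TCP_DENIED entries per (client, host); also count unparsed lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["result"].startswith("TCP_DENIED"):
            counts[(rec["client"], rec["host"])] += 1
    return counts, skipped

if __name__ == "__main__":
    print(denied_summary(SAMPLE.splitlines()))
```

A non-zero skipped count means the file mixes layouts or does not use the one assumed here.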

6
18.7 Legacy Series / Help with WiFi errors
« on: September 12, 2018, 06:25:07 pm »
I was able to successfully configure a USB WiFi adapter to run a guest network with Captive Portal using no wireless authentication, e.g. no WEP or WPA.

I'm trying to use either WEP or WPA or WPA2 with a shared password, however, I'm unable to connect because I keep getting "incorrect password for network" error on the device and my wireless logfile shows:

Sep 12 12:17:44   hostapd: run0_wlan1: WPA rekeying GTK
Sep 12 12:17:44   hostapd: run0_wlan1: WPA GMK rekeyd
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx IEEE 802.1X: unauthorizing port
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx WPA: event 2 notification
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: disassociated
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx MLME: MLME-DELETEKEYS.request(xx:xx:xx:xx:xx:xx)
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx MLME: MLME-DEAUTHENTICATE.indication(xx:xx:xx:xx:xx:xx, 2)
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx IEEE 802.1X: unauthorizing port
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx WPA: event 3 notification
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx WPA: PTKSTART: Retry limit 4 reached
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx WPA: EAPOL-Key timeout
Sep 12 12:17:43   hostapd: run0_wlan1: STA xx:xx:xx:xx:xx:xx WPA: Not in PTKINITDONE; skip Group Key update
Sep 12 12:17:43   hostapd: run0_wlan1: WPA rekeying GTK

Can anyone offer any insight as to why OPNsense is rejecting the shared key?

7
18.7 Legacy Series / Question about adding additional WiFi network via USB
« on: August 23, 2018, 02:56:59 pm »
Are there any good tutorials out there about adding USB WiFi devices on OPNsense?

I keep running into problems where enabling a USB WiFi causes all DNS and DHCP to break on my wired networks.

Here's what I'm trying to do:
Add a USB WiFi device to my OPNsense box to run a dedicated guest WiFi network separate from my main wired and wireless network.

8
18.7 Legacy Series / Bug? 18.7 Text Field Edit Problems Safari
« on: August 21, 2018, 05:03:24 pm »
After updating to 18.7 I've discovered "Access Control List" data fields are now un-editable on Safari.  Other similar data fields are also affected.

I am unable to add new or edit data fields to Whitelists as the data is now displayed as a static drop down list box.

I can still view and edit the data in Firefox.

Is this a known issue?

9
General Discussion / Suricata bug in OPNsense 18.1.10-i386?
« on: June 28, 2018, 03:21:47 pm »
I recently installed OPNsense 18.1.8-i386 after my IPFIRE system got corrupted after an update.

After getting the system configured I let it do an update to OPNsense 18.1.10-i386.

What I'm finding is that Suricata is causing my download bandwidth to go from 40Mbit with Suricata disabled to 4Mbit with it enabled.  The other problem I am finding is that my ping times to my firewall start to increase from 0.3ms average to 10,000+ms and it starts dropping packets and eventually the firewall locks up and becomes unresponsive.  Stopping Suricata makes everything run well again.

I am running OPNsense 18.1.10-i386 on an Intel(R) Celeron(R) CPU N3150 @ 1.60GHz (4 cores) with 16GB RAM and 120GB SSD.

I'm not sure if I was getting network slowdowns with Suricata prior to the update. I tried re-installing Suricata but it doesn't make a difference.

I'm at the point of either a complete re-install back to 18.1.8 to test the difference or going back to IPFIRE or PFSENSE.  So far I like many of the OPNSENSE features but Suricata instability is a deal breaker for me.

Has anybody else seen this issue?

I was running 4 rules under Suricata which is monitoring LAN+WAN traffic:
1. Alert for incoming packets to countries other than US/CA
2. Alert for outgoing packets to countries other than US/CA
3. Drop incoming packets from a list of countries like CHINA, Africa, Middle East, Eastern Europe
4. Drop outgoing packets from a list of countries like CHINA, Africa, Middle East, Eastern Europe

The other odd part was that Suricata was alerting for rules 1+2 for all LAN IPs.  Is there a way to exclude private IP LAN traffic from rules 1+2 from being flagged in the country codes?  I want Suricata to tell me which IP addresses on my LAN are trying to make connections to blacklisted countries.


