OPNsense Forum

Topics - tja

1
23.7 Legacy Series / CVE-2023-48795
« on: December 27, 2023, 07:54:01 am »
Hi.

I stumbled over
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
also see
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

As far as I (try to) understand, the attack needs a MITM and can downgrade the secure channel(s) to insecure/observable.
But I don't quite grasp how to interpret the relation to the "ssh client" CVEs (e.g. CVE-2023-46445).

Researching further, I find that my OPNsense 23.7.10_1 uses openssh-portable 9.3.p2_2,1, for which at least the repo for the 9.3 version (https://github.com/openssh/openssh-portable/tree/V_9_3) seems to be unchanged since July. But I obviously know nothing about the dev process of OPNsense, so I can't see if "our" package is already patched against this kind of attack.

Can someone more knowledgeable step up and help me out here?

tia, tja...

2
21.1 Legacy Series / installing a newer version of a plugin
« on: May 14, 2021, 10:29:08 am »
Hi,

I would like to install a newer version of a plugin.

On my production box:
...
os-dyndns-1.23_2               Dynamic DNS Support
...

The devel version is
...
New packages to be INSTALLED:
   os-dyndns-devel: 1.23_2
...

GitHub shows:
...
PLUGIN_NAME=      dyndns
PLUGIN_VERSION=      1.24
PLUGIN_COMMENT=      Dynamic DNS Support
PLUGIN_MAINTAINER=   franco@opnsense.org

.include "../../Mk/plugins.mk"
...

How could I install the GitHub version without going to the full OPNsense development version?

tia, tja...

3
21.1 Legacy Series / Multiple OpenVPN Clients makes connection fail and work alternating
« on: February 15, 2021, 07:17:05 am »
Hi,

I have a very strange phenomenon on my 21.1.1 home gateway.

I had an OpenVPN tunnel (client) to my employer which I used permanently for the last year, thanks to these strange times.

When I added a second client to another site the fun started: every other connection attempt, be it ICMP or SSH or whatever, fails as if it hangs on one of the firewalls in between. The working attempt is OK.

I checked the routing table on my side and the routing is OK. Every VPN client has its own interface and the routing table entries are correct.

I need to (outbound) NAT on both sites and have (manually) configured both sites accordingly, and it seems to be OK as it works (half the time).

After some hours of searching I used tcpdump on both OpenVPN interfaces and I can see that the failing attempts are sent from the wrong interface.
What I mean is that, e.g.:
- the first (failing) attempt for a ping to a host in net B is sent from the OpenVPN interface for net A
- the second (working) attempt for a ping to a host in net B is sent from the OpenVPN interface for net B

The routing table is OK and the only thing I can think of to explain this behavior is something in the NAT process.
I suspect that I could tinker with "Translation / target" in the NAT settings (which is "Interface Address" now), but I get a different IP from the other side each time, so how do I correctly set this?

I'm not used to pf: is there a command to show outbound NAT settings?

tia, tja...
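On the pf side, `pfctl -s nat` prints the translation rules as loaded, `netstat -rn` the routing table, and `pfctl -s state` the state table. For a new outbound flow pf first picks the egress interface by longest-prefix route lookup, then applies the first matching `nat on <that interface>` rule (translation rules are first-match, unlike pass/block rules), and a target written as `(ifname)` or `(ifname:0)` means the interface's current address, re-read by pf when it changes, which is what the GUI's "Interface Address" target produces. The script below is an added example, not code from the post or from OPNsense/pf, that models exactly those two decisions over a constructed routing table (in the layout of `netstat -rn -f inet`, trimmed to three columns), constructed `pfctl -s nat` lines and constructed interface addresses. It does not model the state table, which pf consults before the rules; if this model and `tcpdump` disagree about the egress interface, the difference comes from something outside the rule text.

```python
"""Model of how pf picks the egress interface and outbound NAT rule for a flow.

Added example; not code from the post or from OPNsense/pf. The route table,
NAT rules and interface addresses below are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NAT_RE = re.compile(r"^nat on (\S+)(?: inet6?)? from (\S+) to (\S+) -> (\S+)(?: port (\S+))?")
DYN_ADDR_RE = re.compile(r"^\((\w+)(?::0)?\)$")   # '(ovpnc1)' / '(ovpnc1:0)' dynamic target


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


@dataclass
class NatRule:
    iface: str
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    target: str
    text: str


def _net(token):
    if token == "any":
        return None
    if token.startswith("<"):
        raise ValueError("pf tables are not modelled: " + token)
    return ipaddress.ip_network(token, strict=False)


def parse_nat_rules(text):
    """Parse 'nat on IF [inet] from SRC to DST -> TARGET [port RANGE]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NAT_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        iface, src, dst, target, _port = m.groups()
        rules.append(NatRule(iface, _net(src), _net(dst), target, line))
    return rules


def parse_routes(text):
    """Parse 'Destination Gateway Netif' rows; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Destination":
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append(Route(ipaddress.ip_network(dest, strict=False), parts[1], parts[2]))
    return routes


def lookup_route(routes, dst):
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError("no route to " + str(dst))
    return max(candidates, key=lambda r: r.prefix.prefixlen)  # longest prefix wins


def outbound_nat(rules, routes, iface_addrs, src, dst):
    """Egress interface and translated source address for a new flow src -> dst."""
    route = lookup_route(routes, dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:                   # translation rules: first match wins
        if rule.iface != route.iface:
            continue                     # 'nat on X' only sees packets leaving X
        if rule.src is not None and s not in rule.src:
            continue
        if rule.dst is not None and d not in rule.dst:
            continue
        m = DYN_ADDR_RE.match(rule.target)
        new_src = iface_addrs[m.group(1)] if m else rule.target
        return {"egress": route.iface, "gateway": route.gateway, "rule": rule.text, "src": new_src}
    return {"egress": route.iface, "gateway": route.gateway, "rule": None, "src": src}


# Constructed sample modelled on the post's setup: LAN behind vtnet1, two
# OpenVPN client interfaces with one outbound NAT rule each, WAN on vtnet0.
SAMPLE_ROUTES = """\
Destination        Gateway            Netif
default            198.51.100.1       vtnet0
10.10.0.0/16       10.8.0.1           ovpnc1
10.20.0.0/16       10.9.0.1           ovpnc2
192.168.1.0/24     link#2             vtnet1
"""
SAMPLE_NAT = """\
nat on ovpnc1 inet from 192.168.1.0/24 to 10.10.0.0/16 -> (ovpnc1:0) port 1024:65535
nat on ovpnc2 inet from 192.168.1.0/24 to 10.20.0.0/16 -> (ovpnc2:0) port 1024:65535
nat on vtnet0 inet from 192.168.1.0/24 to any -> (vtnet0:0) port 1024:65535
"""
IFACE_ADDRS = {"ovpnc1": "10.8.0.6", "ovpnc2": "10.9.0.14", "vtnet0": "198.51.100.2"}

if __name__ == "__main__":
    rules, routes = parse_nat_rules(SAMPLE_NAT), parse_routes(SAMPLE_ROUTES)
    for dst in ("10.10.3.3", "10.20.0.5", "203.0.113.9"):
        print(dst, outbound_nat(rules, routes, IFACE_ADDRS, "192.168.1.50", dst))
```

Feed it real `pfctl -s nat` output (tables such as `<name>` are rejected rather than guessed at) and the three columns of `netstat -rn` to check which rule and which address a given destination should get; the `(ifname:0)` form is the right answer to "the tunnel address changes every time", because pf resolves it at evaluation time rather than when the rule is loaded.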

4
20.1 Legacy Series / opening WebIF and ssh does not work, hidden pf rules ?!?
« on: May 25, 2020, 12:13:52 pm »
Hi,

For lab usage I installed 20.1 as a guest on a Debian KVM host.

If I try to add a rule to open https/443 & ssh/22 on the WAN side, I cannot connect to either service, regardless of whether I add the rule to the WAN rules or to floating.

"Block private networks" is unchecked (the WAN side is in a 10.x.x.x net).
If I use logging on the rule I can see that it is used and passed/green.

If I manually disable pf via pfctl -d I can connect from the WAN side though, so the networking aspect seems to work fine.

I tried to start anew with a fresh install but the problem is there right from the start.

tia, tja...

5
18.7 Legacy Series / freeradius bug ?!?
« on: August 13, 2018, 11:51:15 am »
Hi,

I still have issues with FreeRADIUS.

Almost always when I create a FreeRADIUS user or modify one I have to restart the firewall.

It seems to me the UI changes conf.xml and forgets to change /usr/local/etc/raddb/mods-config/files/authorize, or the file is locked somehow, as fields changed in the UI are applied correctly to conf.xml but are unchanged in authorize, and radiusd (tested with -X) uses the old values.
Restarting the service only helps in rare cases; almost always I have to reboot.

Is there some misconfiguration on my end or did I stumble upon a bug?

wbr, tja...

6
18.1 Legacy Series / freeradius
« on: July 05, 2018, 07:30:33 am »
Hi all,

First I have to say that OPNsense works very well and (coming from pf*) I like the fresh UI very much. Thanks for this amazing project.

Unfortunately I have massive problems with WPA2-Enterprise and OPNsense 18.1.11/os-freeradius 1.7.0 on an Atom D525 box.

I use it with a couple of OpenWrt routers as APs (which btw worked flawlessly with my previous installation of pf*). They have cloned OSes and are configured identically. The troubles are with all APs, so I have ruled them out for now.

Some Wi-Fi devices can't authenticate while others with the very same credentials can. Some devices will work with some credentials but not with other credentials.
The devices in question are all across the landscape: Android in various versions, notebooks with Linux (mostly Xubuntu)/OSX/Win10. I can see no pattern in that regard.
My own Dell XPS 13 will connect with Xubuntu but not with Win10, whatever I try (using the same credentials).

Sometimes rebooting the OPNsense box will help. Restarting FreeRADIUS alone never helped.

In the log (and radiusd -X, see below) I get ...

06:29:53 2018 : Auth: (207) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [USER/<via Auth-Type = eap>] (from client glw3aAP0 port 0 via TLS tunnel)

or

eap_peap: ERROR: TLS Alert read:fatal:access denied
eap_peap: SSL_read Error
eap_peap: ERROR: Error in fragmentation logic
eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
eap_peap: ERROR: [eaptls process] = fail
eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

On the device I get authentication errors or just "cannot connect" messages.

I know for sure that the credentials are correct, as other devices will connect with the same credentials, plus I checked config.xml.

I tried to debug by manually starting radiusd with the "-X" flag, but even when "Log Authentication Request"/"Log Authentication Bad Password"/"Log Authentication Good Password" is checked, no passwords whatsoever are to be found in the debug output, so I can't say for sure that radius got the right credentials. I guess radius is compiled with some sort of "no password output whatsoever" compile flags.

I don't have enough experience with FreeRADIUS to interpret the debug output of radiusd -X further, but I see no red lines besides "mschap: ERROR: MS-CHAP2-Response is incorrect" and the subsequent "eap_peap: ERROR: The users session was previously rejected: returning reject (again.)" or the "eap_peap: ERROR: TLS Alert read:fatal:access denied ..." sequence.

Is someone out there using a comparable setup and could point me in the right direction?

tia, tja...
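The "Login incorrect"/"Login OK" lines that radius.log and radiusd -X print carry the user, the NAS client (the AP) and, when the AP sends a Calling-Station-Id, the station MAC after `cli`. Tabulating them by those three keys is the quickest way to tell "this credential never works" from "this credential fails only from this device", which is the pattern the post could not see by eye. The script below is an added example, not code from the post or from FreeRADIUS/OPNsense; the log lines in it are constructed in the format of the line quoted above (user names, APs and MACs invented), and the verdict labels are this script's own.

```python
"""Group FreeRADIUS 'Login OK' / 'Login incorrect' lines by user, NAS client and
calling station to see whether failures follow the credential or the device.

Added example; not from the post or from FreeRADIUS/OPNsense. SAMPLE_LOG is
constructed in the format radius.log / radiusd -X use; 'cli' is the
Calling-Station-Id, present only when the AP sends it.
"""
import re
from collections import defaultdict

AUTH_RE = re.compile(
    r"^(?P<ts>.*?) : Auth: (?:\(\d+\) )?Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^/\]]+)(?:/[^\]]*)?\]"
    r" \(from client (?P<client>\S+) port \d+(?: cli (?P<cli>\S+))?(?: via (?P<via>.*?))?\)$"
)


def parse_auth_line(line):
    """Return the named fields of an Auth: log line, or None for anything else."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Return {(user, client, cli): {"ok": n, "fail": n, "reasons": {reason: n}}}."""
    table = defaultdict(lambda: {"ok": 0, "fail": 0, "reasons": defaultdict(int)})
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["client"], rec["cli"] or "-")
        if rec["result"] == "OK":
            table[key]["ok"] += 1
        else:
            table[key]["fail"] += 1
            table[key]["reasons"][rec["reason"] or "unspecified"] += 1
    return dict(table)


def classify(summary):
    """Per user: 'device-dependent' when the same credential succeeds from some
    stations and fails from others, 'mixed-same-device' when one station shows
    both, otherwise 'always-fail' or 'always-ok'."""
    per_user = defaultdict(list)
    for (user, _client, cli), stats in summary.items():
        per_user[user].append((cli, stats["ok"], stats["fail"]))
    verdict = {}
    for user, rows in per_user.items():
        ok_devs = {cli for cli, ok, _ in rows if ok}
        fail_devs = {cli for cli, _, fail in rows if fail}
        if ok_devs and fail_devs and not (ok_devs & fail_devs):
            verdict[user] = "device-dependent"
        elif ok_devs and fail_devs:
            verdict[user] = "mixed-same-device"
        elif fail_devs:
            verdict[user] = "always-fail"
        else:
            verdict[user] = "always-ok"
    return verdict


# Constructed sample log (invented users, APs and MACs), not a real capture.
SAMPLE_LOG = """\
Thu Jul  5 06:29:53 2018 : Auth: (207) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice/<via Auth-Type = eap>] (from client glw3aAP0 port 0 cli 00-11-22-33-44-55 via TLS tunnel)
Thu Jul  5 06:30:10 2018 : Auth: (211) Login OK: [alice/<via Auth-Type = eap>] (from client glw3aAP0 port 0 cli aa-bb-cc-dd-ee-ff via TLS tunnel)
Thu Jul  5 06:31:02 2018 : Auth: (214) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice/<via Auth-Type = eap>] (from client glw3aAP1 port 0 cli 00-11-22-33-44-55 via TLS tunnel)
Thu Jul  5 06:32:40 2018 : Auth: (220) Login OK: [bob/<via Auth-Type = eap>] (from client glw3aAP0 port 0 cli 12-34-56-78-9a-bc via TLS tunnel)
Thu Jul  5 06:33:15 2018 : Auth: (223) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [carol/<via Auth-Type = eap>] (from client glw3aAP1 port 0 via TLS tunnel)
Thu Jul  5 06:33:20 2018 : Auth: (224) Login OK: [carol/<via Auth-Type = eap>] (from client glw3aAP1 port 0 via TLS tunnel)
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    for key, stats in sorted(summary.items()):
        print(key, "ok=%d fail=%d" % (stats["ok"], stats["fail"]), dict(stats["reasons"]))
    print(classify(summary))
```

Run it as `python3 radius_triage.py /var/log/radius.log`; a user that comes out "device-dependent" with an MS-CHAP2-Response reason points at the supplicant (e.g. the Windows "use Windows logon name" or domain prefix setting, which changes what the client hashes) rather than at the stored credential.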

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved