Topics

1

23.7 Legacy Series / OpenVPN CSO - add a "push route..." block

« on: December 21, 2023, 01:21:04 pm »

Hello. Can I ask you to add a "push route..." block to the CSO? We provide the default gateway through the VPN, but on some clients, certain subnets need to be routed through their gateway. And of course, I hope that it will be possible to add any possible parameters to the CSO for those who are confident in what they are doing.

2

Intrusion Detection and Prevention / [SOLVED] Suricata 4.1.2 does not block traffic

« on: February 01, 2019, 12:25:51 pm »

Hello friends!
I just can not understand what the problem is. Please help, because I do not know what else to do. Suricata  version 4.1.2 does not work. When IPS mode is on, I load a test virus. Alerts appear "test virus is blocked." In the log there is a record "[Drop] [1:7999999:1] OPNsense test eicar virus...", but the file is downloaded without problems.
Tried on the integrated I219-LM network card and on the PCIe card with the Intel® 82576EB chipset. And with vlan and without vlan. The result of one. In the logs, everything is fine - dropped, and the virus is perfectly loaded. Maybe I do not understand something? How to diagnose a problem?
In version 4.0.6 everything was fine. Files did not load.

3

Web Proxy Filtering and Caching / Squid3 helper ext_kerberos_ldap_group_acl crashed

« on: January 11, 2019, 03:31:36 pm »

Hello, Friends!
I use os-web-proxy-useracl and os-web-proxy-sso plugins to create access lists linked on groups of the Windows AD.
At the moment there is a problem. Helper ext_kerberos_ldap_group_acl from the Opnsense repository at work is dumped into the kernel.
...
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -m 20 -g Test -D mydomain.ru
...
support_ldap.cc(1128): pid=4848 :2019/01/11 17:00:33| kerberos_ldap_group: DEBUG: Entry 2 "Test" matches group name "Test"
support_ldap.cc(1390): pid=4848 :2019/01/11 17:00:33| kerberos_ldap_group: DEBUG: Unbind ldap server
Segmentation fault (core dumped)
...
(gdb) backtrace
#0  0x000004dc1b2bd68b in ?? () from /lib/libthr.so.3
#1  0x000004dc1b2bc949 in pthread_mutex_lock () from /lib/libthr.so.3
#2  0x000004dc1a69ab42 in k5_cc_mutex_lock ()
   from /usr/local/lib/libkrb5.so.3.3
#3  0x000004dc1a6a5308 in ?? () from /usr/local/lib/libkrb5.so.3.3
#4  0x00000123ba3ee641 in krb5_cleanup() ()
#5  0x00000123ba3f2f89 in get_memberof(main_args*, char*, char*, char*) ()
#6  0x00000123ba3ee35b in check_memberof(main_args*, char*, char*) ()
#7  0x00000123ba3eb73b in main ()
(gdb)
...
In order to identify the problem, i installed clear freeBSD 11.1 and make helper from source codes of squid3 version 3.5.28.
Helper worked without problems.
In this regard, the question:
Whether it is possible to ask to update the helper in a repository on assembled from the latest source code?
Sorry for my English, Andrey.