Topics - Northguy

#1
Hi guys,

Who can help me figure out what I am doing wrong in configuring a policy?

Use case:
* enabled IPS
* Enabled ET telemetry/emerging-web_client
* Created a policy to drop instead of alert
- selected appropriate rulesets
- modified yellow highlighted fields (see screenshot)
- Selected nothing for remaining fields (assuming this means 'all selected')
* Tested ET telemetry/emerging-web_client with a payload from https://www.wicar.org/test-malware.html

Result:
* Alert is raised, but threat is allowed, not dropped

Screenshots:
See attached


#2
Hi all,

Just updated to the latest V20.1.6 version, which required a reboot. On the last few reboots after firmware updates I noticed that the Bug Reporter reports an issue, which I diligently submit through the crash report feature. As this is more or less a black hole, I am wondering if I need to submit this issue as a genuine bug on GitHub, or if it is something that is specifically related to my hardware or setup. I don't really know how long this has been going on, but I got the feeling that this has been happening since the initial 20.1 update.

Anyone got pointers where to look further?

Hardware / firmware:
* OPNsense 20.1.6-amd64
* APU2D4 bios    v4.11.0.5
* KINGSTON SUV500MS120G mSATA drive


Last few lines of the automated bug report:

Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 3 2 0 0 done
All buffers synced.
swap_pager: I/O error - pagein failed; blkno 2130660,size 4096, error 5
panic: swap_pager_force_pagein: read from swap failed

cpuid = 0
__HardenedBSD_version = 1100056 __FreeBSD_version = 1102000
version = FreeBSD 11.2-RELEASE-p18-HBSD  f08b5f14327(stable/20.1)
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0120af5700
vpanic() at vpanic+0x17c/frame 0xfffffe0120af5760
panic() at panic+0x43/frame 0xfffffe0120af57c0
swapoff_one() at swapoff_one+0x7d5/frame 0xfffffe0120af5850
swapoff_all() at swapoff_all+0x117/frame 0xfffffe0120af5890
bufshutdown() at bufshutdown+0x3d4/frame 0xfffffe0120af58e0
kern_reboot() at kern_reboot+0x198/frame 0xfffffe0120af5930
sys_reboot() at sys_reboot+0x447/frame 0xfffffe0120af5980
amd64_syscall() at amd64_syscall+0xa38/frame 0xfffffe0120af5ab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0120af5ab0
--- syscall (55, FreeBSD ELF64, sys_reboot), rip = 0x40a0b4a11da, rsp = 0x74fde2f7afc8, rbp = 0x74fde2f7b030 ---
KDB: enter: panic
panic.txt: swap_pager_force_pagein: read from swap failed
version.txt: FreeBSD 11.2-RELEASE-p18-HBSD  f08b5f14327(stable/20.1)
#4
Hi All,

APU boards and housings do not come with a power button, so when the box becomes unresponsive, the only way to realize a reboot is by yanking the power cable from the wall socket and reinserting it. So I decided to install a hardware button in the housing.

Researched topics:

Requirements:
2 jumpercables with sufficient wire length
1 momentary switch (push-to-make)
some heat shrink tube
7mm drill

Steps:

  • Solder the momentary switch to the jumper cables and insulate the contact points
  • Install the momentary switch in one of the holes that are reserved for a WiFi antenna. I had to enlarge the hole with a 7mm drill, because the hole is not round. It has a flat side at the bottom.
  • Connect the jumper cables to the proper pin header (J2). Make sure you use the 2nd and 3rd pin of the row of pins.

The power button works with a short press and shuts down the system. Long button press is a hard stop. Pressing the button again powers the device again. Mission accomplished.





login: >>> Invoking stop script 'beep'
>>> Invoking stop script 'freebsd'
Stopping redis.
Waiting for PIDS: 33751.
Stopping php_fpm.
Waiting for PIDS: 617.
Stopping maltrailserver.
Stopping maltrailsensor.
Waiting for PIDS: 78101.
ntopng not running?
Stopping nginx.
Waiting for PIDS: 90908.
Stopping flowd_aggregate...done
Stopping flowd.
Waiting for PIDS: 50464 72791.
>>> Invoking stop script 'backup'
>>> Invoking backup script 'captiveportal'
>>> Invoking backup script 'dhcpleases'
>>> Invoking backup script 'duid'
>>> Invoking backup script 'netflow'
Stopping flowd_aggregate...done
flowd_aggregate already running?  (pid=70631).
>>> Error in backup script 'netflow'
>>> Invoking backup script 'rrd'
>>> Invoking stop script 'config'
ovpns2: link state changed to DOWN
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 7 3 0 done
All buffers synced.
Uptime: 3m15s
uhub2: detached
acpi0: Powering system off

#5
Hi,

I am trying to compile HTOP on my OPNsense installation, but it somehow seems to fail. I used to have HTOP on a previous version 18.x, but after a re-install of the whole system somewhere between 18.x and 19.x HTOP got lost. Now I fail to 'make' HTOP again.

I initially followed https://forum.opnsense.org/index.php?topic=7796.msg35915#msg35915.

When this did not work, I searched for clues in https://forum.opnsense.org/index.php?topic=10020.msg45771#msg45771

I cannot get things to work, so any help is appreciated. Error log below.


root@OPNsense:/usr/ports/sysutils/htop # opnsense-code tools ports
Fetching origin
Already up to date.
Fetching origin
Already up to date.
root@OPNsense:/usr/ports/sysutils/htop # opnsense-code -f src
Cloning into '/usr/src'...
remote: Enumerating objects: 1292, done.
remote: Counting objects: 100% (1292/1292), done.
remote: Compressing objects: 100% (820/820), done.
remote: Total 173060 (delta 575), reused 671 (delta 455), pack-reused 171768
Receiving objects: 100% (173060/173060), 407.22 MiB | 3.04 MiB/s, done.
Resolving deltas: 100% (97754/97754), done.
Checking out files: 100% (74065/74065), done.
root@OPNsense:/usr/ports/sysutils/htop # make install
===>   htop-2.2.0_1 depends on package: autoconf>=2.69 - not found
===>   autoconf-2.69_3 depends on executable: gm4 - not found
===>   m4-1.4.18_1,1 depends on executable: makeinfo - not found
===>   texinfo-6.6_2,1 depends on executable: help2man - not found
===>   help2man-1.47.11 depends on executable: gmake - found
===>   help2man-1.47.11 depends on package: perl5>=5.30.r1<5.31 - not found
===>  Configuring for perl5-5.30.0
First let's make sure your kit is complete.  Checking...
Would you like to see the instructions? [n]
Locating common programs...
Checking compatibility between /bin/echo and builtin echo (if any)...
Symbolic links are supported.
Checking how to test for symbolic links...
You can test for symbolic links with 'test -h'.
Checking for cross-compile
No targethost for running compiler tests against defined, running locally
Good, your tr supports [:lower:] and [:upper:] to convert case.
Using [:upper:] and [:lower:] to convert case.
aix                     greenhills              os400
aix_3                   haiku                   posix-bc
aix_4                   hpux                    qnx
altos486                i386                    riscos
amigaos                 interix                 sco
atheos                  irix_4                  sco_2_3_0
aux_3                   irix_5                  sco_2_3_1
bitrig                  irix_6                  sco_2_3_2
bsdos                   irix_6_0                sco_2_3_3
catamount               irix_6_1                sco_2_3_4
convexos                isc                     solaris_2
cxux                    isc_2                   stellar
cygwin                  linux-android           sunos_4_0
darwin                  linux                   sunos_4_1
dcosx                   lynxos                  super-ux
dec_osf                 midnightbsd             svr4
dos_djgpp               minix                   svr5
dragonfly               mips                    ti1500
dynix                   mirbsd                  ultrix_4
dynixptx                mpc                     umips
epix                    ncr_tower               unicos
esix4                   netbsd                  unicosmk
fps                     newsos4                 unisysdynix
freebsd                 nonstopux               utekv
freemint                openbsd                 uwin
gnu                     opus                    vos
gnukfreebsd             os2
gnuknetbsd              os390
Which of these apply, if any? [freebsd]

Some users have reported that Configure halts when testing for
the O_NONBLOCK symbol with a syntax error.  This is apparently a
sh error.  Rerunning Configure with ksh apparently fixes the
problem.  Try
        ksh Configure [your options]

Operating system name? [freebsd]
Operating system version? [11.2-release-p12-hbsd]
Installation prefix to use? (~name ok) [/usr/local]
AFS does not seem to be running...
What installation prefix should I use for installing files? (~name ok)
[/usr/local]
Getting the current patchlevel...
Build a threading Perl? [y]
Use which C compiler? [cc]
Checking for GNU cc in disguise and/or its version number...
Now, how can we feed standard input to your C preprocessor...
Directories to use for library searches?
[/usr/lib /usr/local/lib /usr/lib/clang/6.0.0/lib /usr/lib]
What is the file extension used for shared libraries? [so]
Make shared library basenames unique? [n]
Build Perl for SOCKS? [n]
Try to use long doubles if available? [n]
Checking for optional libraries...
What libraries to use? [-lpthread -lm -lcrypt -lutil]
What optimizer/debugger flag should be used?
[-O2 -pipe -DHARDENEDBSD -fPIE -fPIC -fstack-protector-all -fno-strict-aliasing ]
Any additional cc flags?
[-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include]
Let me guess what the preprocessor flags are...
Any additional ld flags (NOT including libraries)?
[-pthread -Wl,-E  -fstack-protector-strong -L/usr/local/lib]
Checking your choice of C compiler and flags for coherency...
Checking to see how big your integers are...
Checking to see if you have long long...
Checking to see how big your long longs are...
Computing filename position in cpp output for #include directives...
<inttypes.h> found.
Checking to see if you have int64_t...
Checking which 64-bit integer type we could use...
We could use 'long' for 64-bit integers.
Try to use maximal 64-bit support, if available? [y]
Checking if your C library has broken 64-bit functions...
Checking for GNU C Library...
Shall I use /usr/bin/nm to extract C symbols from the libraries? [n]
Checking for C++...
Checking to see how big your double precision numbers are...
Checking to see if you have long double...
ldexpl() found.
Checking to see how big your long doubles are...
Checking the kind of long doubles you have...
You have x86 80-bit little endian long doubles.
What is your architecture name [amd64-freebsd]
Add the Perl API version to your archname? [n]
Threads selected.
...setting architecture name to amd64-freebsd-thread.
Multiplicity selected.
...setting architecture name to amd64-freebsd-thread-multi.
This architecture is naturally 64-bit, not changing architecture name.
Pathname where the public executables will reside? (~name ok)
[/usr/local/bin]
Use relocatable @INC? [n]
Pathname where the private library files will reside? (~name ok)
[/usr/local/lib/perl5/5.30]
Where do you want to put the public architecture-dependent libraries? (~name ok)
[/usr/local/lib/perl5/5.30/mach]
Other username to test security of setuid scripts with? [none]
I'll assume setuid scripts are *not* secure.
Does your kernel have *secure* setuid scripts? [n]
Installation prefix to use for add-on modules and utilities? (~name ok)
[/usr/local]
Pathname for the site-specific library files? (~name ok)
[/usr/local/lib/perl5/site_perl]
List of earlier versions to include in @INC? [none]
<malloc/malloc.h> NOT found.
<malloc.h> NOT found.
Checking to see how big your pointers are...
Do you wish to wrap malloc calls to protect against potential overflows? [y]
Do you wish to attempt to use the malloc that comes with perl5? [n]
Your system wants malloc to return 'void *', it would seem.
Your system uses void free(), it would seem.
Pathname for the site-specific architecture-dependent library files? (~name ok)
[/usr/local/lib/perl5/site_perl/mach/5.30]
Do you want to configure vendor-specific add-on directories? [n]
Colon-separated list of additional directories for perl to search? [none]
Support DTrace if available? [y]
Where is the dtrace executable? (~name ok) [/usr/sbin/dtrace]

*** Configure:  Fatal Error:  /usr/sbin/dtrace doesn't support -h flag
***
*** Your installed dtrace doesn't support the -h switch to compile a D
*** program into a C header. Can't continue.

===>  Script "Configure" failed unexpectedly.
Please report the problem to mat@FreeBSD.org [maintainer] and attach the
"/usr/obj/usr/ports/lang/perl5.30/work/perl-5.30.0/config.log" including the
output of the failure of your make command. Also, it might be a good idea to
provide an overview of all packages installed on your system (e.g. a
/usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1

Stop.
make[5]: stopped in /usr/ports/lang/perl5.30
*** Error code 1

Stop.
make[4]: stopped in /usr/ports/misc/help2man
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/devel/m4
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/autoconf
*** Error code 1

Stop.
make: stopped in /usr/ports/sysutils/htop
root@OPNsense:/usr/ports/sysutils/htop #
#6
Forgive my ignorance, but who can clarify for me why there are more interfaces mentioned in some dropdown boxes than there are actual Assigned interfaces defined?

I have three interfaces defined in Interfaces:Assignments:
1) LAN
2) OpenVPN interface (ovpnc2)
3) WAN

Under Unbound outbound interfaces there are 5:
a) LAN (same as 1 above)
b) VPN Client (same as 2 above)
c) WAN (same as 3 above)
d) OpenVPN server (new, due to remote access configuration; not under 1, 2, 3 above)
e) OpenVPN client (question: same as b and 2????)

What would be the difference between the interfaces b) and e)? Is there any difference in functionality?

See also attached screenshots
#7
Hi,

General question regarding the Log files in OPNsense.

All "log file"  pages show the latest 50 lines (as per setting in diag_logs_template.inc). There is a search box present to search for other lines (if you know what to search for), but is there a way to browse log entries older than the latest 50 lines? I cannot find it.

If there is no other option, it would be nice to have a 'next'  button to show the next batch of 50 lines, or a [1] [2] [3] [4] navigation in order to browse each set of 50 lines.
#8
Hi All,

Who has some suggestions on how to debug an unresolved URL which I am most certain should exist?

I get a DNS_PROBE_FINISHED_NXDOMAIN DNS error on www.synology-forum.nl of which I am sure it exists.

OPNsense Setup:
I have set up Unbound with the BIND DNSBL according to https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
This is working fine in almost all cases and usual blocked sites I expect to be actively blocked by the DNSBL.

For mentioned synology-forum site I expect it to be legit, but run into a block and I do not know how/why.

Checks performed:
1) Checked Unbound log file, which results in a THROWAWAY error from BIND at 127.0.0.1
2) Checked the BIND DNSBL entries at /usr/local/etc/namedb/dnsbl.inc; the URL is not on any blacklist
3) Checked BIND log file, which results in the log shown below.

If I disable the BIND forward, Unbound resolves the URL without problems.

Big question: what is causing BIND to not resolve the URL?

12-Jan-2019 13:37:25.625 query-errors: info: client @0x54c39e2d600 127.0.0.1#32753 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.624 query-errors: info: client @0x54c39e2d600 127.0.0.1#52141 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.624 query-errors: info: client @0x54c39e2d600 127.0.0.1#27259 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.623 query-errors: info: client @0x54c39e2d600 127.0.0.1#54978 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:25.621 query-errors: info: client @0x54c3b1f2000 127.0.0.1#34524 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644
12-Jan-2019 13:37:17.951 query-errors: info: client @0x54c3ad0f000 127.0.0.1#10908 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.950 query-errors: info: client @0x54c3ad0f000 127.0.0.1#17174 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.948 query-errors: info: client @0x54c3ad0f000 127.0.0.1#43277 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.948 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#24151 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.947 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#11468 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.946 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#12382 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.946 query-errors: info: client @0x54c3ae78e00 127.0.0.1#18119 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.944 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#47096 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.941 query-errors: info: client @0x54c3ae7aa00 127.0.0.1#25162 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086
12-Jan-2019 13:37:17.938 query-errors: info: client @0x54c3b1f7400 127.0.0.1#10239 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644
12-Jan-2019 13:37:17.917 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2001:1::53:1#53
12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2003:1::53:3#53
12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2002:1::53:2#53



When inspecting the BIND log in more detail I see more of these resolve issues for known existing URLs like:
12-Jan-2019 13:42:06.790   lame-servers: info: broken trust chain resolving '236.28.59.37.in-addr.arpa/PTR/IN': 213.251.188.144#53
12-Jan-2019 13:42:05.045   lame-servers: info: host unreachable resolving 'notepad-plus-plus.org/A/IN': 2603:5:2272::18#53
12-Jan-2019 13:36:50.089   lame-servers: info: broken trust chain resolving '165.225.132.31.in-addr.arpa/PTR/IN': 31.132.224.5#53
12-Jan-2019 13:36:50.026   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.42.12#53
12-Jan-2019 13:36:49.752   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.43.11#53
12-Jan-2019 13:36:49.334   lame-servers: info: host unreachable resolving 'ns2.astra-mir.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
12-Jan-2019 13:35:53.186   lame-servers: info: host unreachable resolving 'services.sonarr.tv/A/IN': 2400:cb00:2049:1::adf5:3bb8#53
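The two BIND log categories quoted in this post carry the diagnosis if they are read together: the query-errors lines only say SERVFAIL, while the lame-servers lines say why (which authoritative server was unreachable, whether DNSSEC validation broke, or whether an upstream returned an unexpected RCODE). The following parser is an added example, not part of the post or of the OPNsense BIND plugin; it groups both message types per queried name and, for "host unreachable" entries, separates IPv4 from IPv6 authoritative servers, since every unreachable server for www.synology-forum.nl above is an IPv6 address. The sample lines are copied from the post, plus one constructed non-matching line; the function and field names are my own.

```python
"""Triage BIND 'query-errors' and 'lame-servers' log lines per queried name.

Added example (not OPNsense or BIND plugin code). It reads the two log
formats quoted in the post and reports, per name, how many SERVFAILs were
returned and what the resolver logged while trying to resolve that name.
"""
import ipaddress
import re
from collections import defaultdict

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"

# e.g. "... lame-servers: info: host unreachable resolving 'name/A/IN': 2001:db8::1#53"
LAME_RE = re.compile(
    TS + r"\s+lame-servers: info: (?P<reason>.+?) resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': (?P<server>\S+)#(?P<port>\d+)$"
)
# e.g. "... query-errors: info: client @0x... 127.0.0.1#32753 (name): query failed (SERVFAIL) for name/IN/A at query.c:6086"
QERR_RE = re.compile(
    TS + r"\s+query-errors: info: client @0x[0-9a-f]+ (?P<client>\S+) "
    r"\((?P<qname>[^)]+)\): query failed \((?P<rcode>\w+)\) for \S+ at query\.c:\d+$"
)

# Lines from the post (the stray leading '[' in the first one is handled by parse_line),
# plus one constructed line that is not a BIND message at all.
SAMPLE_LINES = [
    "[12-Jan-2019 13:37:25.625 query-errors: info: client @0x54c39e2d600 127.0.0.1#32753 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:6086",
    "12-Jan-2019 13:37:17.938 query-errors: info: client @0x54c3b1f7400 127.0.0.1#10239 (www.synology-forum.nl): query failed (SERVFAIL) for www.synology-forum.nl/IN/A at query.c:10644",
    "12-Jan-2019 13:37:17.917 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2001:1::53:1#53",
    "12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2003:1::53:3#53",
    "12-Jan-2019 13:37:17.916 lame-servers: info: host unreachable resolving 'www.synology-forum.nl/A/IN': 2001:9a0:2002:1::53:2#53",
    "12-Jan-2019 13:42:06.790   lame-servers: info: broken trust chain resolving '236.28.59.37.in-addr.arpa/PTR/IN': 213.251.188.144#53",
    "12-Jan-2019 13:36:50.026   lame-servers: info: SERVFAIL unexpected RCODE resolving '182.244.72.144.in-addr.arpa/PTR/IN': 198.208.42.12#53",
    "this line is not a BIND message (constructed)",
]


def parse_line(line):
    """Return a dict with a 'kind' of 'lame' or 'qerr', or None for other lines."""
    line = line.strip().lstrip("[")  # tolerate the forum paste's stray bracket
    for kind, rx in (("lame", LAME_RE), ("qerr", QERR_RE)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            return rec
    return None


def is_ipv6(addr):
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def summarize(lines):
    """Group evidence per queried name. Unknown lines are skipped, not treated as errors."""
    per_name = defaultdict(lambda: {
        "servfail": 0, "unreachable_v4": set(), "unreachable_v6": set(),
        "trust_chain": 0, "bad_rcode": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_name[rec["qname"]]
        if rec["kind"] == "qerr":
            if rec["rcode"] == "SERVFAIL":
                s["servfail"] += 1
        elif rec["reason"] == "host unreachable":
            bucket = "unreachable_v6" if is_ipv6(rec["server"]) else "unreachable_v4"
            s[bucket].add(rec["server"])
        elif rec["reason"] == "broken trust chain":
            s["trust_chain"] += 1
        elif "unexpected RCODE" in rec["reason"]:
            s["bad_rcode"] += 1
    return dict(per_name)


def diagnose(entry):
    """Short verdict for one name, in order of how specific the evidence is."""
    if entry["unreachable_v6"] and not entry["unreachable_v4"]:
        return "no IPv6 path: every unreachable authoritative server is an IPv6 address"
    if entry["unreachable_v4"]:
        return "authoritative servers unreachable over IPv4"
    if entry["trust_chain"]:
        return "DNSSEC validation failure (broken trust chain)"
    if entry["bad_rcode"]:
        return "upstream returned SERVFAIL"
    return "no lame-server evidence in these lines"


if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_LINES).items():
        print(f"{name}: servfail={entry['servfail']} v6={sorted(entry['unreachable_v6'])} "
              f"v4={sorted(entry['unreachable_v4'])} -> {diagnose(entry)}")
```

Run it against /var/log or the BIND log export instead of SAMPLE_LINES to get the same per-name verdict for a real capture. The "no IPv6 path" verdict is the one that matches the synology-forum lines: a resolver that has no working IPv6 uplink but still tries IPv6 authoritative servers logs exactly this pattern, and the broken-trust-chain lines are a separate (DNSSEC) problem that should not be lumped in with it.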
#9
I tried using a transparent proxy to realize a blocklist through Remote ACL (Shallalist), because the Bind/Unbound option does not seem to work (see this topic). The transparent proxy works when browsing webpages, but I experience streaming issues with my Teufel Raumfeld streaming radio.

Each time I disable the port forwards to the proxy, streaming starts working again, so it has something to do with the proxy. After trying a lot of things and pulling my hair for a few days, I think I found a solution by changing the forwarded_for configuration directive in squid.conf from "forwarded_for on" to "forwarded_for transparent".

After starting the service, I can now stream without issues, but I noticed that OPNsense did change this option back to "forwarded_for on" in squid.conf after starting. So now I am wondering: did the service actually load "forwarded_for transparent" and then overwrite again with "forwarded_for on" from the GUI?

Who can answer this question and how can I make "forwarded_for transparent" stick if this is the solution for my problem?   
#10
All,

Help needed.

Somehow I messed something up with the user access rights on the GUI access system which now effectively blocks any new changes that I try to make. Root user does not have access rights anymore.



What I tried to do: remove unused menu entries by deselecting them in the 'admin' group. Don't know what I did exactly to cause this issue. My mouse got stuck somehow and I made a wrong move by selecting something. In my impression I did nothing wrong, but how do I now resolve this issue?

Please find attached the GUI settings of the 'root' user.

#11
Hi All,

First of all, I would like to say Hello! I built myself a PCengines APU2d4 box on which I installed OPNsense. Currently going through a strong learning curve, which is fine, but now puts me in a position where I am a bit puzzled  ;D

I configured OPNsense as DHCP server and would like to identify my devices in the DHCP leases table a bit more easily, based on a description. Most devices only show generic manufacturer info under the MAC address, but do not provide a Hostname or a more verbose description.

I tried creating a static mapping for the MAC address but am not necessarily looking for a static IP lease. Therefore I did not fill in the IP address in the edit box. According to the help it says "If no IPv4 address is given, one will be dynamically allocated from the pool", but if I follow this way, the MAC address is shown as 'static' in the leases table without an IP, i.e. I have created a static lease without a visible dynamic IP.

Is this a bug, or is there another way to create an easily identifiable indicator for the MAC addresses that have obtained a dynamic lease?

Looking forward to your suggestions.