Topics - Hover

1
22.7 Legacy Series / Checksum mismatch for python39-3.9.15 is this a known issue?
« on: November 10, 2022, 07:53:34 pm »
Code:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.7.7_1 (amd64/LibreSSL) at Thu Nov 10 18:48:17 CET 2022
>>> Check installed kernel version
Version 22.7.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.7.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-acme-client 3.14
os-dyndns 1.27_3
os-theme-rebellion 1.8.8
os-wireguard-devel 1.13
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/io.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/os.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/posixpath.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/re.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/site.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/stat.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/threading.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/token.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/tokenize.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/traceback.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/types.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/typing.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/uu.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/warnings.cpython-39.pyc
python39-3.9.15: checksum mismatch for /usr/local/lib/python3.9/__pycache__/weakref.cpython-39.pyc
Checking all packages..... done
>>> Check for core packages consistency
Core package "opnsense" has 63 dependencies to check.
Checking packages: ................................................................. done
***DONE***

2
19.7 Legacy Series / OPNsense SSH hardening
« on: October 03, 2019, 06:34:12 pm »
Hello Folks,

Just had a look at the SSH service default configuration and was wondering why it supports so many outdated key, kex and mac algorithms.

Why not harden it?

Code:
$ ssh-audit opnsense
[...]
# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove

The argument is probably backwards compatibility, but I thought OPNsense is the firewall for the paranoid ones ;)

Maybe not like here, but in general

Best Regards,
Hover
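
An added example, not part of the original post or of OPNsense: one way to turn the `(rec)` removal lines from the ssh-audit output above into sshd_config directives, using the leading `-` form that sshd_config(5) documents for KexAlgorithms and MACs to subtract from the defaults. The sample input and the function names are constructed here; key (host key) entries are only collected for manual review, since the page does not say how they would be dropped.

```python
import re

# Constructed sample: four lines in the "(rec)" format shown in the post above.
SAMPLE = """\
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
"""

# "(rec) -<name> -- <kex|key|mac> algorithm to remove"
REC = re.compile(r"^\(rec\)\s+-(\S+)\s+--\s+(kex|key|mac) algorithm to remove$")

# sshd_config(5) keywords that accept a leading '-' to subtract from the defaults.
KEYWORD = {"kex": "KexAlgorithms", "mac": "MACs"}


def parse_removals(text):
    """Group algorithm names by ssh-audit category, ignoring all other lines."""
    found = {}
    for line in text.splitlines():
        m = REC.match(line.strip())
        if m:
            name, kind = m.groups()
            bucket = found.setdefault(kind, [])
            if name not in bucket:          # ssh-audit output pasted twice
                bucket.append(name)
    return found


def sshd_directives(removals):
    """Return (config lines, host key algorithms left for manual review)."""
    lines = [f"{KEYWORD[kind]} -{','.join(names)}"
             for kind, names in removals.items() if kind in KEYWORD]
    return sorted(lines), removals.get("key", [])


if __name__ == "__main__":
    directives, review = sshd_directives(parse_removals(SAMPLE))
    print("\n".join(directives))
    for alg in review:
        print(f"# review host key algorithm: {alg}")
```

Validate the edited configuration with `sshd -t` before restarting the service, and keep an existing session open until a new login succeeds.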

3
19.7 Legacy Series / Second gateway on the same interface with a different IP and own routing
« on: April 02, 2019, 09:15:56 pm »
Hey OPNsense forum,

I'm pretty new here and new to OPNsense and pf as a packet filter. I'm running a PC-Engines APU2 board for my OPNsense setup.
It divides my home office LAN from my private LAN like this:

https://pastebin.com/RYJbjsP0

       
I configured the OPNsense box to do NAT for my private and for Office LAN. I also installed WireGuard on OPNsense so the box can act as a VPN endpoint.

What I want to do is to set up a second gateway on the OPNsense (10.0.2.254) on the LAN interface and a gateway (10.0.0.254) on the OpenWRT box so the clients can decide if they want to tunnel all their traffic via WireGuard by using the 0.254 gateway or direct internet connection on the 0.1 gateway.

Under Linux this is easy: add an eth0:x device and give it a different IP address. The rest can be handled using ip / iproute2 to manage that the second gateway uses 10.0.2.254 as gateway and this gateway should tunnel everything through 10.0.1.1 to the internet.

I tried to set up things but ended up somehow breaking (web interface wasn’t starting anymore, could not ping 10.0.2.1 anymore) the configuration of the LAN interface on the OPNsense box, by adding a VLAN to the igb0 interface and giving that VLAN interface a different MAC address.

I’m not sure how to achieve what I want on the OPNsense (HardenedBSD) using the web interface or if there is a problem with my NIC drivers (Intel i210AT), I have to admit.

I’m running the 19.7 version of OPNsense, because I want to run a WireGuard instance.

Can someone here help me fix my problem?

Best regards,
Hover
