Topics - sja1440

1
23.1 Production Series / Facebook owned sites blocked when syncookies are used.
« on: May 28, 2023, 02:58:18 pm »
Facebook owned sites, including whatsapp.com, are effectively blocked when setting:
Code:
Firewall->Settings->Advanced->Enable syncookies = always
No other site seems to be affected.

Using Wireshark on the WAN connection from my Opnsense box to my modem shows that, with syncookies enabled, no response is obtained from facebook owned sites for the transmitted Opnsense reconstructed SYN.

I do not know whether facebook et al object to the constant tcp sequence number of 64240 as reported here: https://forum.opnsense.org/index.php?topic=34236.0 or because tcp options are removed from the SYN by the syncookie mechanism.

The problem is resolved by setting
Code:
Firewall->Settings->Advanced->Enable syncookies = none
Edited: Version is OPNsense 23.1.8-amd64

2
23.1 Production Series / Security issue with syncookie sequence numbers
« on: May 28, 2023, 02:46:27 pm »
When running OPNsense 23.1.8-amd64 with Firewall->Settings->Advanced->Enable syncookies = 'always' I have noticed that the reconstructed SYN sent by Opnsense to the remote destination always uses exactly the same tcp Sequence Number of 64240. I have verified this occurs with several well known destinations. I note that 64240 is the default tcp window size on my systems.

I believe that using exactly the same static sequence number in a TCP SYN is a security issue.

Here is an example of a Wireshark-decoded initial SYN on my external WAN interface (syncookies enabled):
Code:
Internet Protocol Version 4, Src: <MY PUBLIC IP ADDRESS>, Dst: 157.240.252.60
Transmission Control Protocol, Src Port: 37615, Dst Port: 443, Seq: 0, Len: 0
    Source Port: 37615
    Destination Port: 443
    [Stream index: 0]
    [Conversation completeness: Incomplete, SYN_SENT (1)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 64240
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x002 (SYN)
    Window: 0
    [Calculated window size: 0]
    Checksum: 0x8392 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

I would guess that this is a known issue but I am unable to find a reference to it.
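As an added check that is not code from these posts or from OPNsense: a small Python script that parses Wireshark text decodes in the layout quoted above and reports the two things the two syncookie posts describe, a raw ISN reused across the firewall's outbound SYNs and SYNs whose 20-byte header carries no TCP options. The three sample decodes are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample in the Wireshark text-decode layout quoted in the post: three
# SYNs the firewall sent upstream (only the lines the checker needs are kept).
SAMPLE_DECODES = """\
Transmission Control Protocol, Src Port: 37615, Dst Port: 443, Seq: 0, Len: 0
    Sequence Number (raw): 64240
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x002 (SYN)
Transmission Control Protocol, Src Port: 41002, Dst Port: 443, Seq: 0, Len: 0
    Sequence Number (raw): 64240
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x002 (SYN)
Transmission Control Protocol, Src Port: 52120, Dst Port: 443, Seq: 0, Len: 0
    Sequence Number (raw): 1882310507
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x002 (SYN)
"""
_FIELDS = {  # one regex per field pulled out of each segment's decode
    "sport": re.compile(r"Src Port: (\d+)"),
    "isn": re.compile(r"Sequence Number \(raw\): (\d+)"),
    "hdr_len": re.compile(r"Header Length: (\d+) bytes"),
    "flags": re.compile(r"Flags: 0x([0-9a-fA-F]+)"),
}

def parse_syn_decodes(text):
    """Split a Wireshark text decode into one dict per segment and keep pure SYNs."""
    segments, cur = [], None
    for line in text.splitlines():
        if line.startswith("Transmission Control Protocol"):
            cur = {}
            segments.append(cur)
        elif cur is None:
            continue
        for key, rx in _FIELDS.items():
            m = rx.search(line)
            if m and key not in cur:
                cur[key] = int(m.group(1), 16 if key == "flags" else 10)
    # low six flag bits == SYN only; this drops the peer's SYN/ACK (0x012)
    return [s for s in segments if s.get("flags", 0) & 0x3F == 0x02]

def audit_syns(syns):
    """Flag what the post observed: one raw ISN reused across SYNs, SYNs with no options."""
    isns = Counter(s["isn"] for s in syns)
    return {
        "distinct_isns": len(isns),
        "repeated_isns": {isn: n for isn, n in isns.items() if n > 1},
        # 20 bytes is the bare TCP header: no MSS, SACK-permitted, window scale or timestamps
        "optionless_ports": [s["sport"] for s in syns if s["hdr_len"] == 20],
    }
```

A healthy capture should show a different raw ISN for every SYN (RFC 6528 describes the expected unpredictability) and, for a normal host stack, a header longer than 20 bytes because the MSS and other options are present.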

3
23.1 Production Series / ddclient and ClouDNS
« on: May 05, 2023, 03:30:20 pm »
I see that ClouDNS is now supported by Opnsense Dynamic DNS (ddclient). However, having selected ClouDNS in the 'Service' field drop-down list, it is not clear where my ClouDNS apikey needs to be put.

As an experiment I tried using various combinations of the following fields:
Username
Password
resourceid (using advanced mode)
Hostname= mydomain.eu

In each case the log showed an error similar to:
WARNING: skipping host: mydomain.eu: 'dynurl=' is an invalid string.

It seems as if the Opnsense GUI does not allow the ddclient data item 'dynurl' to be set. Is this a bug on the Opnsense GUI?

I should note that similar comments have recently been put on the 22.7 Legacy forum.

Opnsense version=OPNsense 23.1.7_2-amd64

4
22.1 Legacy Series / Successfully using IPS mode Suricata with VLANs and without Promiscuous mode
« on: March 09, 2022, 12:31:28 pm »
My question is: why does IPS mode with vlans work without using Promiscuous mode on 22.1 and 21.7?

I have read the Opnsense documentation on using IPS mode with vlans and I have also seen various posts about related issues.

After many months of trying to get IPS mode with vlans to work stably, I finally succeeded with opnsense 21.7 by ignoring one piece of official advice: I do not use Promiscuous mode on my interfaces or with Suricata.

Of course, it might be that my configuration is incorrect or inconsistent or even that it has uncovered a bug somewhere. But the point is, on my hardware at least, it seems to work on 22.1 as it did on 21.7.

Below is a summary of my configuration. I use IPS on two internal interfaces (LAN and DMZ) both with vlans. The hostname of my Opnsense firewall is OHM.

Hardware: Intel J3160 4 core box with 4x Intel i210-AT Gigabit Ethernet
Opnsense version: OPNsense 22.1.2_1-amd64

Interfaces: LAN (igb1): Promiscuous mode: no
Interfaces: DMZ (igb3): Promiscuous mode: no

Interfaces: Settings

Hardware CRC: disabled
Hardware TSO: disabled
Hardware LRO: disabled
VLAN Hardware Filtering: disabled

Services: Intrusion Detection: Administration
Enabled: yes
IPS mode: yes
Promiscuous mode: No
Pattern matcher: Hyperscan
Interfaces: DMZ,LAN

Here is the evidence confirming that promiscuous mode is not active on any interface:
root@OHM:~ # ifconfig | grep -i prom
pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33160

Here is the evidence that Suricata is indeed listening on the hardware and the vlans.
Extract from /var/log/suricata/latest.log:
<Notice> -- opened netmap:igb3/R from igb3: 0x855a93000
<Notice> -- opened netmap:igb3^ from igb3^: 0x855a93300
<Notice> -- opened netmap:igb3^ from igb3^: 0x881093000
<Notice> -- opened netmap:igb3/T from igb3: 0x881093300
<Notice> -- opened netmap:igb1/R from igb1: 0x8ac693000
<Notice> -- opened netmap:igb1^ from igb1^: 0x8ac693300
<Notice> -- opened netmap:igb1^ from igb1^: 0x8d7c93000
<Notice> -- opened netmap:igb1/T from igb1: 0x8d7c93300
<Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.

To verify that Suricata is indeed triggering, I have crafted a few non-invasive custom rules (one drop and one alert) which trigger only when I do certain actions on the network. By the way, once you create a rule, before testing it you need to await the 'rule reload complete' Suricata log entry - this can take many minutes. On triggering my test conditions, the relevant Suricata log entries are indeed there.

5
21.1 Legacy Series / How can I change a single rule in IDS/IPS from Drop to Alert?
« on: February 02, 2021, 07:28:57 pm »
I would like to modify the action of a single IDS/IPS rule from Drop to Alert because it is generating false positives on my system.

Making the change directly on the rule in the Rules tab and applying has no effect.

I can see no way of using the Policy settings to target a single rule. It seems that I can only use Policy for a whole class of rules.

Can somebody help me do this please?

6
20.1 Legacy Series / OpenVPN Client Export: does not generate any client config for download
« on: July 06, 2020, 03:05:07 pm »
I have OPNSense 20.1.8_1 on which I have a fully working OpenVPN server.

When I access the OpenVPN Client Export GUI function and select my OpenVPN server, there are no buttons to allow download of the client configuration. I attach a screenshot.

This worked until very recently.

Are there any server configuration parameters that could prevent the client config export?

Can someone point me in the right direction to help me resolve this issue please?

7
20.1 Legacy Series / os-dyndns plugin: Error on adding an entry
« on: July 03, 2020, 06:27:23 pm »
I am using Opnsense 20.1.8

Whenever I try to add a Dynamic DNS entry I always get the following red Opnsense error message:
  The following input errors were detected:
      The TTL value needs to be a valid integer number.

The problem is that there is no TTL field on the screen for me to modify.

Can someone help me resolve this please?

8
20.1 Legacy Series / How can I dynamically add an ipv4 address to a blocklist?
« on: May 11, 2020, 08:49:54 am »
When an ipv4 address from the internet attempts to connect to a specific group of closed ports on my firewall, I would like the address to be automatically added to a blocklist (i.e. a pf Table). Addresses on the blocklist are denied all access to the firewall. Addresses would be removed from the blocklist after a fixed amount of time (say 1 day).

What is the best way of doing this on OPNsense?

I suppose that one way of doing it might be to produce a script to listen on the firewall logs and when a trigger event occurs add the offending address to an Alias. But, if I can, I would prefer to use distributed OPNsense software.
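The log-watching script sketched in the post, as an added example that is not the poster's or OPNsense's own code: it reads firewall log lines, adds a source that probes any of a watched set of closed ports to a pf table, and removes it again after one day. The table name, the watched ports, the filterlog field order it parses and the sample log lines are all assumptions or constructed for the example; a block rule that references the table is still needed on the firewall.

```python
import re

TABLE = "blocklist"              # assumed name of the pf table (an OPNsense alias)
BLOCK_TTL = 86400                # seconds an address stays listed: one day
WATCHED_PORTS = {23, 445, 3389}  # constructed set of closed ports to watch

# Assumed filterlog CSV layout: rule,sub,anchor,label,iface,reason,action,dir,ipver,
# IPv4 header fields,proto id,proto name,len,src,dst,sport,dport,... Verify the
# indices against your own /var/log/filter/latest.log before relying on them.
_PAYLOAD = re.compile(r"filterlog\[\d+\]: (.*)$")

def parse_blocked_tcp(line):
    """Return (src_ip, dst_port) for an inbound blocked IPv4 TCP entry, else None."""
    m = _PAYLOAD.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[6:9] != ["block", "in", "4"] or f[16] != "tcp":
        return None
    return f[18], int(f[21])

class Blocklist:
    """Tracks offenders and returns the pfctl commands to run; it never executes them."""
    def __init__(self, table=TABLE, ttl=BLOCK_TTL, ports=WATCHED_PORTS):
        self.table, self.ttl, self.ports = table, ttl, ports
        self.expires = {}        # src_ip -> unix time at which the entry is removed

    def process(self, line, now):
        """Feed one log line with the current time; a first hit yields an 'add'."""
        hit = parse_blocked_tcp(line)
        if hit is None or hit[1] not in self.ports:
            return []
        src, new = hit[0], hit[0] not in self.expires
        self.expires[src] = now + self.ttl   # every further probe restarts the clock
        return [f"pfctl -t {self.table} -T add {src}"] if new else []

    def expire(self, now):
        """Return 'delete' commands for entries whose day has passed."""
        stale = sorted(ip for ip, t in self.expires.items() if t <= now)
        for ip in stale:
            del self.expires[ip]
        return [f"pfctl -t {self.table} -T delete {ip}" for ip in stale]

# Constructed sample lines (not a real log): two probes from one source, a probe to
# an unwatched port, and a passed connection that must be ignored.
SAMPLE_LOG = [
    "Nov 10 12:00:01 OHM filterlog[741]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44321,23,0,S,1,,65535,,mss",
    "Nov 10 12:00:02 OHM filterlog[741]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,44322,445,0,S,1,,65535,,mss",
    "Nov 10 12:00:03 OHM filterlog[741]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,50100,8080,0,S,1,,65535,,mss",
    "Nov 10 12:00:04 OHM filterlog[741]: 9,,,1000000110,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,50200,443,0,S,1,,65535,,mss",
]
```

The returned strings are meant to be handed to subprocess.run on the firewall; pf can also age the table itself with `pfctl -t blocklist -T expire 86400` run from cron, which removes entries added more than a day ago.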


OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved