Topics - ArminF

#1
Afternoon,
Well... I reinstalled OPNsense, but it seems to drop a crash report every now and then.

Can you give me some tips on how to troubleshoot hardware on BSD?

fsck shows me this:
71464 files, 683570 used, 115473836 free (4716 frags, 14433640 blocks, 0.0% fragmentation)
** /dev/gpt/efifs (NO WRITE)
** Phase 1 - Read FAT and checking connectivity
** Phase 2 - Checking Directories
** Phase 3 - Checking for Lost Files
6 files, 254 MiB free (520804 clusters)
MARK FILE SYSTEM CLEAN? no

***** FILE SYSTEM IS LEFT MARKED AS DIRTY *****

Any way to check this deeper?
Memory to check?

thank you!
armin
#2
A non-numeric value encountered in /usr/local/sbin/carp_service_status on line 51

Hi all
The above error keeps popping up in the GUI.
Not sure how to handle it.

Any recommendations?

thanks
cheers A

OPNsense 22.1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021
#3
Hello,
I would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80, as these ports are common and usually open.

Info:
Edit '/etc/ssh/sshd_config' file
Use following configuration for port:
Port 22
Port 443
Restart ssh using 'service sshd restart'

Now I would be able to connect to the outside world using a web port.

Is there a way to prevent that on the firewall?
- IDS
- Proxy

Thank you for your input!
best wishes Armin
#4
21.7 Legacy Series / NAT - i am clueless
November 09, 2021, 09:11:57 PM
Evening,
I am struggling with one of my servers.
Scenario:

DMZ - Server 192.168.10.102 / Port TCP 502
LAN - Server 192.168.1.100 / *
Alias Host - 192.168.10.103

The DMZ Server only accepts connections from the DMZ subnet.
The LAN Server should poll some details from the DMZ Server.
NAT is needed to translate the LAN Server IP to an IP on the DMZ subnet so it will be accepted.

LAN                                          DMZ
192.168.1.100------|------------OPNSense---------|--------------192.168.10.102
                     GW LAN                               GW DMZ
                    192.168.1.1                             192.168.10.1   
          
Traffic
192.168.1.100  ---> translated to 192.168.10.103------------> 192.168.10.103

I tried outbound NAT but was not able to set it up (yet). Really buggers me....

LAN has access to DMZ in the firewall ruleset.
DMZ to DMZ also has access.
I can see it in the live log as well.

Would you please enlighten me so I can get rid of this burden?
thank you
armin
#5
Morning,
After upgrading to 21.1.7, the DNSCrypt server stopped logging.
dnscrypt-proxy2   2.0.45
Log / Queries
Log / NX
Both logs are empty.

Restart
Log flushing
Service restart
No success...

Would you have any recommendations for me?

thanks a lot!
cheers armin
#6
Hello,
I am puzzling over how I could teach this to the IPS.

Currently this rule is being blocked.
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219

Can I re-allow this rule for specific LAN IPs?
We have Qualys scanners and monitoring probes which "should" scan the port via SSH.

I haven't found anything so far. There is either/or. But I just did not want to have to allow it for everyone.

Thanks!
regards armin
#7
Hello,
My plan is to block the
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219
rule but allow it for a specific set of IPs.
We do run internal quality scanner and monitoring probes.

Is this somehow possible, as the rule can "just" be set to allow (alert) or block?

thank you very much!
cheers A
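For the scanner/probe exception asked about in this post (and in the German post before it), here is an added example of how the IDS engine under OPNsense, Suricata, expresses "keep the rule, but not for these sources": a suppress entry in Suricata's threshold.config. This is not from the original post; the addresses are placeholders for the internal scanner and probe hosts, and how the OPNsense GUI exposes this file is not covered here:

```conf
# Suricata threshold.config entry (added example; 10.0.0.0/24 and 10.0.1.5 are
# placeholders for the internal Qualys scanner and monitoring probe addresses).
# gen_id 1 is the default generator id for signature rules; sig_id is the rule's sid.
# "track by_src" limits the exception to the source address, so the same scan
# pattern from any other host still alerts or drops exactly as configured.
suppress gen_id 1, sig_id 2001219, track by_src, ip [10.0.0.0/24, 10.0.1.5]
```

Suricata reads this file when it starts or reloads its rules, so the entry takes effect only after a reload. A suppression discards the match entirely, including the alert log entry, so scans from those hosts leave no trace in the IDS logs; that is the trade-off of this approach compared with leaving the rule in alert mode.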
#8
Hello,
Just updated the firmware for OPNsense to OPNsense 21.1.3-amd64.
Took a look at the plugins later and saw the attached screenshot.

Anything I did wrong? Any idea how to fix it?

os-sensei (misconfigured)   1.7.1   81.6MiB   
os-sensei-db (orphaned)   1.7.20210208135119   64.7MiB   unknown-repository
os-sensei-updater (misconfigured)   1.7   4.45KiB   SunnyValley   OPNsense Sensei Plugin Updater   
os-sunnyvalley (installed)

I do not use the cloud thing from Sensei. So local usage only. Free Edition.

thanks
armin
#9
German - Deutsch / Amazon AWS as URL List Alias?
January 13, 2021, 06:55:39 PM
Hello all,

Can OPNsense do anything with JSON files when it comes to URL aliases?

https://ip-ranges.amazonaws.com/ip-ranges.json
All instances would always be up to date in there.
I would like to have that as a URL Table.

Does that work?

Thanks
armin
#10
Hello all,

According to Signal Messenger, the following should be done:
Allow *.whispersystems.org, *.signal.org, TCP port 443, and UDP traffic.  Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also utilizes a random UDP port. All UDP ports will need to be opened.

So destination *.whispersystems.org, *.signal.org on port TCP 443 and UDP "All".
I have no trouble thinking through the ports, but I do with the domains.

Would it be enough here to create an alias in the firewall settings which listens for whispersystems.org and signal.org? Unfortunately the * domains do not work?

Thanks
armin
#11
My Google search gets blocked and tagged as NordVPN.

Solution was to enable Nord VPN on the Apps tab or set google.com to the Auto Whitelist.

Any explanation on this? Very curious...

thanks
armin
#12
Aloha,

Just stumbled over a block which I think should not happen.

lbry.tv used a CDN network, cdn.lbryplayer.xyz, which gets blocked as Potentially Dangerous Sites in the security options. As soon as I disable this option (Sensei -> Security -> Potentially Dangerous Sites = Off), the page and stream start.

To keep this option on, would I be able to add it to the Auto Whitelist to allow this CDN network?
thanks!
armin
#13
Hello,
Just a side remark. Maybe this can somehow be taken into consideration.

When new Apps & DB versions are installed, the newly installed apps are activated.
It would be nice if the GUI could be redesigned to reflect the changes.
Otherwise you always have to click through all your partial blocks and refresh your blockings.

If you could see and take action on the newly installed apps with a click or a filter, this would help a lot.

Just a thought!
thanks
armin

PS: can the auto update be activated somehow in the system's cron tab?
#14
Hei,
I have to bother you again, but this drives me mad.
We do use most of the google offered services.

Mail, meet, hangout, photos, translate, maps, youtube.. etc...

BUT we do not want analytics or ads from them.
So I configured Sensei as follows:

App Control -> allow all needed Google services BUT block Ads and Analytics
Web Control -> whitelist google.com, youtube and all of the known subdomains.

But Sensei still blocks translate.google.com for me, and you see it in the report blocked as Ads.

As soon as I allow Google Ads, the translate.google.com page does load.
If ads are not allowed, the page is blocked even when entered in the Web Control whitelist.

Anything I do wrong?

I also had to add the e1000e.net domain to the whitelist to get deeper into Google's jungle and be able to load pictures or files.

Btw. the domain google.com does not seem to be sufficient on the Web Control whitelist, so I had to add all subdomains as well.

Anything I miss? Do I really have to allow ads to be able to access all sites and services from Google?

thanks
armin
#15
Hello again,

is it possible to add a wildcard domain to the white/allow list?
I would need all the google services.
- files.google.com
- drive.google.com
- mail.google.com

etc...

So I thought I could add *.google.com, but this does not work.
Would it be enough to add google.com, and would it cover all domains within?

thank you very much!
armin
#16
Hi,
Just wanted to add a custom application and use IP ranges instead of single IPs.

Name: Google Video Redirector
Category: Ads
Protocol: TCP
Hostnames: redirector.googlevideo.com
IP addresses:
172.217.0.0/16
74.125.24.0/24

But Sensei does not seem to pick the ranges up. Single IPs would work, but for googlevideo there is a broad range of IPs reserved.

Screenshot1 - blocking report with included IP from Range.
Screenshot2 - Setup of custom app


Any tip for me?

Thank you very much!

Workaround would be to allow Google Ads in the Application tab. But I think this would include/open much more.


#17
Salve,

Could you please enlighten me? Can you specify multiple DNS servers in the Unbound overrides?
I have redirected some internal domains, but am currently limited to one DNS server. We have more available, and I would like to use them.

Maybe comma-separated or similar?
Screenshot attached.

The help says nothing on the topic of multiple servers.

Many thanks
regards A
#18
Hello all,
This has kept me busy for several nights now, and I wanted to ask for your opinion.

The following scenario:
Internet --> Firewall WAN NIC

The default rule is "drop all", so no incoming traffic is allowed.
On the WAN NIC no port, protocol or anything else is open. So everything is closed from the internet side.
No web server, no VPN, nothing.

Accordingly the default rule Drop All applies.
Does it make sense to activate an IPS on that interface?
If no port or protocol is listening, everything is blocked by default anyway.

IDS/IPS on this interface would theoretically have nothing to do.

On the LAN/DMZ side, where services reach out to the internet, it is practical. That is where Sensei runs for me.
I put the IDS/IPS on the WAN NIC.
But does that really make sense?

Thanks for enlightening me!

regards A

PS: OK, the NIC has incoming and outgoing connections. So the IPS would also listen on outgoing ones.
Is that right?

I have a knot in my brain somewhere....
#19
Hey there,
For a few days I have not been able to get this out of my mind. Maybe I am missing something. But I would like to read your opinions.
Very curious about your answers.

So here is the question:
When a firewall (internet to WAN NIC) is set to default block all, does it make sense to activate IDS/IPS on that interface? I mean there is absolutely nothing exposed through this NIC which would be reachable from the internet.

So my assumption is that all is blocked. Anything. Any port, any protocol, any action from the internet to this dedicated interface. How could an attack happen then? Would IDS/IPS then be needed?

I am not talking about connections from LAN/DMZ to the internet through WAN. All connections there are made internally to the outside, and the stateful firewall keeps the channel open as long as the communication takes.

What do you think?

thanks
A

#20
Hey, just watching the webcast about the IDS/IPS.

What do you think? Would it make sense to reduce the rules of Suricata by outsourcing rules to the firewall?
eDrop, URLhaus, Feodo etc. These services which offer an IP list to import as a floating rule?

https://feodotracker.abuse.ch/blocklist/
https://sslbl.abuse.ch/blacklist/
FireHOL and other blocklist makers?

This should reduce the ruleset and smooth the performance.
The firewall would block the IPs, and the attacks (if any) would be blocked at IP level.

Curious about your answers.
thanks A
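Two of the questions above, the AWS ip-ranges.json post (#9) and this blocklist post (#20), come down to the same job: turning a published feed into the plain one-network-per-line text that a URL Table alias can fetch. The script below is an added example, not part of any post and not OPNsense code; it normalizes both feed shapes (the JSON structure of ip-ranges.json with its prefixes/ipv6_prefixes arrays, and a '#'-commented plain list in the style of the abuse.ch blocklists) into a validated, deduplicated, collapsed CIDR list. The sample inputs are constructed inline so it runs offline; fetching the real URLs and serving the result from a web server the firewall can reach is outside the example.

```python
import ipaddress
import json

# Constructed sample, shaped like https://ip-ranges.amazonaws.com/ip-ranges.json
# (only the keys this script reads); the prefixes and dates are made up for the demo.
AWS_SAMPLE = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2021-01-13-18-55-39",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
        {"ip_prefix": "13.34.37.64/27", "region": "ap-southeast-4", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON"},
    ],
})

# Constructed sample in the style of the abuse.ch plain-text blocklists (comment lines
# start with '#'); the addresses are RFC 5737 documentation ranges, not real C2 hosts.
ABUSECH_SAMPLE = """\
################################################
# Feodo Tracker Botnet C2 IP Blocklist (sample) #
################################################
# Last updated: 2021-01-13
192.0.2.10
192.0.2.10
198.51.100.23
not-an-ip
203.0.113.0/24
"""


def parse_aws_ranges(text, services=None):
    """Yield networks from an ip-ranges.json document, optionally filtered by service name."""
    doc = json.loads(text)
    for entry in doc.get("prefixes", []):
        if services is None or entry.get("service") in services:
            yield ipaddress.ip_network(entry["ip_prefix"])
    for entry in doc.get("ipv6_prefixes", []):
        if services is None or entry.get("service") in services:
            yield ipaddress.ip_network(entry["ipv6_prefix"])


def parse_plain_list(text):
    """Yield networks from a plain-text list; skip comments, blank lines and invalid entries."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            # A malformed (or tampered) feed line is dropped rather than handed to the firewall.
            continue


def build_alias_table(networks):
    """Deduplicate and collapse overlapping networks, returning sorted CIDR strings."""
    networks = list(networks)
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


def build_feed(aws_text, plain_text, services=None):
    """Combine both feed shapes into one list suitable for a URL Table alias."""
    nets = list(parse_aws_ranges(aws_text, services)) + list(parse_plain_list(plain_text))
    return build_alias_table(nets)


if __name__ == "__main__":
    # One entry per line is the form a URL Table alias expects.
    print("\n".join(build_feed(AWS_SAMPLE, ABUSECH_SAMPLE)))
```

The optional services filter matters for the AWS feed: the full file covers every AWS range, which is far more than most people intend to allow or block, so narrowing it to the services actually in use keeps the alias meaningful. Validating each line before it reaches the firewall means a broken or tampered feed cannot produce an unusable table, and collapsing duplicates and overlapping networks keeps the resulting pf table small.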