OPNsense
Topics - ArminF

1
Hardware and Performance / How to troubleshoot hardware
« on: July 24, 2022, 03:46:02 pm »
Afternoon,
well... I reinstalled OPNsense, but it seems to drop a crash report every now and then.

Can you give me some tips on how to troubleshoot hardware on BSD?

fsck shows me this
71464 files, 683570 used, 115473836 free (4716 frags, 14433640 blocks, 0.0% fragmentation)
** /dev/gpt/efifs (NO WRITE)
** Phase 1 - Read FAT and checking connectivity
** Phase 2 - Checking Directories
** Phase 3 - Checking for Lost Files
6 files, 254 MiB free (520804 clusters)
MARK FILE SYSTEM CLEAN? no

***** FILE SYSTEM IS LEFT MARKED AS DIRTY *****

Any way to check this deeper?
Memory to check?

thank you!
armin

2
22.1 Legacy Series / 22.1 start up error on GUI - A non-numeric value encountered
« on: January 28, 2022, 09:35:22 pm »
A non-numeric value encountered in /usr/local/sbin/carp_service_status on line 51

Hi all
the above error keeps popping up on the GUI.
Not sure how to handle it.

Any recommendations?

thanks
cheers A

OPNsense 22.1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

3
General Discussion / Recommendation - Prevent SSH Tunnel through Port 443/80
« on: January 26, 2022, 03:12:49 pm »
Hello,
I would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80, as these ports are common and usually open.

Info:
Edit '/etc/ssh/sshd_config' file
Use following configuration for port:
Port 22
Port 443
Restart ssh using 'service sshd restart'

Now I would be able to connect to the outside world using a Web port.

Is there a way to prevent that on the firewall?
- IDS
- Proxy

Thank you for your input!
best wishes Armin

4
21.7 Legacy Series / NAT - I am clueless
« on: November 09, 2021, 09:11:57 pm »
Evening,
I am struggling with one of my servers.
Scenario:

DMZ - Server 192.168.10.102 / Port TCP 502
LAN - Server 192.168.1.100 / *
Alias Host - 192.168.10.103

The DMZ Server only accepts connections from the DMZ subnet.
The LAN Server should poll some details from the DMZ Server.
NAT is needed to translate the LAN Server IP to an IP on the DMZ subnet so it will be accepted.

LAN                                          DMZ
192.168.1.100------|------------OPNSense---------|--------------192.168.10.102
                     GW LAN                               GW DMZ
                    192.168.1.1                             192.168.10.1

Traffic
192.168.1.100  ---> translated to 192.168.10.103------------> 192.168.10.103

I tried outbound NAT but was not able to set it up (yet). Really buggers me....

LAN has Access to DMZ on the Firewall Ruleset
DMZ to DMZ has also access.
I can see it on the live log as well.

Would you please enlighten me so I can get rid of this burden?
thank you
armin

5
21.1 Legacy Series / 21.1.7 - DNSCrypt stopped logging
« on: June 17, 2021, 08:06:09 am »
Morning,
after upgrading to 21.1.7, the DNSCrypt server stopped logging.
dnscrypt-proxy2   2.0.45
Log / Queries
Log / NX
both logs are empty.

Restart
Log flushing
Service restart
No success..

Would you have any recommendations for me?

thanks a lot!
cheers armin

6
German - Deutsch / IPS - Allow a rule for certain IPs, block it for others?
« on: April 01, 2021, 01:43:47 pm »
Hello,
I'm puzzling over how I could teach the IPS this.

Currently this rule gets blocked.
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219

Can I re-allow this rule for certain LAN IPs?
We have Qualys scanners and monitoring probes that are "supposed" to scan the port via SSH.

Haven't found anything so far. It's either/or. But I just didn't want to have to allow it for everyone.

Thanks!
regards armin

7
Intrusion Detection and Prevention / Allow a Block Rule to a set of IPs
« on: March 16, 2021, 10:56:29 am »
Hello,
my plan is to block
Alert   ET SCAN Potential SSH Scan
Alert sid   2001219
Rule but allow it for a specific set of IPs.
We do run internal quality scanner and monitoring probes.

Is this somehow possible as the rule can "just" be set to allow (alert) or block?

thank you very much!
cheers A

8
Zenarmor (Sensei) / (solved) Firmware - Plugins -> shows misconfigured / orphaned
« on: March 10, 2021, 04:55:08 pm »
Hello,
just updated the firmware for OPNsense to OPNsense 21.1.3-amd64.
Took a look at the plugins later and saw the attached screenshot.

Anything I did wrong? Any idea how to fix it?

os-sensei (misconfigured)   1.7.1   81.6MiB
os-sensei-db (orphaned)   1.7.20210208135119   64.7MiB   unknown-repository
os-sensei-updater (misconfigured)   1.7   4.45KiB   SunnyValley   OPNsense Sensei Plugin Updater
os-sunnyvalley (installed)

I do not use the cloud thing from Sensei. So local usage only. Free Edition

thanks
armin

9
German - Deutsch / Amazon AWS as URL List Alias?
« on: January 13, 2021, 06:55:39 pm »
Hello everyone,

Can OPNsense do anything with JSON files when it comes to URL aliases?

https://ip-ranges.amazonaws.com/ip-ranges.json
All instances would always be up to date in there.
I would like to have that as a URL Table.

Does that work?

Thanks
armin
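An added example, not from this thread or from OPNsense itself: ip-ranges.json lists its networks under prefixes[].ip_prefix and ipv6_prefixes[].ipv6_prefix, each tagged with a region and a service, so a small script can filter it down to the plain one-network-per-line list that a URL Table alias fetches. The document below is a constructed sample in that shape, and the service/region filters are my own assumption about how such a list would be narrowed.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (not real AWS data);
# the real file is far larger but uses exactly these keys.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2021-01-13-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2", "network_border_group": "ap-northeast-2"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1"},
        {"ip_prefix": "garbage", "region": "eu-central-1", "service": "S3", "network_border_group": "eu-central-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    ],
})


def extract_prefixes(document, services=None, regions=None):
    """Return the de-duplicated, sorted networks from an ip-ranges.json string.

    services / regions: optional sets; an entry must match both to be kept.
    Malformed prefixes are skipped so one bad entry cannot empty the whole alias.
    """
    data = json.loads(document)
    entries = [(e.get("ip_prefix"), e) for e in data.get("prefixes", [])]
    entries += [(e.get("ipv6_prefix"), e) for e in data.get("ipv6_prefixes", [])]
    networks = set()
    for prefix, entry in entries:
        if services and entry.get("service") not in services:
            continue
        if regions and entry.get("region") not in regions:
            continue
        try:
            # strict=True rejects prefixes with host bits set, which the feed never emits
            networks.add(ipaddress.ip_network(prefix, strict=True))
        except ValueError:
            continue  # not a valid CIDR; log and skip in real use
    # IPv4 and IPv6 networks cannot be compared directly, so order by version first
    return sorted(networks, key=lambda n: (n.version, n))


def to_url_table(networks):
    """Render the networks one per line, the plain-text form a URL Table alias reads."""
    return "".join(f"{n}\n" for n in networks)


if __name__ == "__main__":
    print(to_url_table(extract_prefixes(SAMPLE_IP_RANGES, services={"EC2"})), end="")
```

The rendered text would then be published on a web server the firewall can reach and that URL used as the alias source.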

10
German - Deutsch / (Solved) Signal Messenger - Firewall Rule
« on: January 12, 2021, 10:46:13 pm »
Hello everyone,

According to Signal Messenger, one should do the following:
Allow *.whispersystems.org, *.signal.org, TCP port 443, and UDP traffic.  Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also utilizes a random UDP port. All UDP ports will need to be opened.

So destination *.whispersystems.org, *.signal.org on port TCP 443 and UDP "All".
I have no trouble with the ports, but I do with the domains.

Would it be enough here to create an alias in the firewall settings which listens to whispersystems.org and signal.org? The * domains unfortunately don't work?

Thanks
armin

11
Zenarmor (Sensei) / (SOLVED) Why does Google Search use Nord VPN?
« on: December 08, 2020, 09:56:46 pm »
My google search gets blocked and tagged as Nord VPN.

Solution was to enable Nord VPN on the Apps tab or set google.com to the Auto Whitelist.

Any explanation on this? Very curious...

thanks
armin

12
Zenarmor (Sensei) / (SOLVED) lbry.tv - falls into Block Potentially Dangerous Sites
« on: December 02, 2020, 09:10:28 am »
Aloha,

just stumbled over a block which I think should not happen.

lbry.tv used a CDN network, cdn.lbryplayer.xyz, which gets blocked as Potentially Dangerous Sites in the security options. As soon as I disable this option in Sensei -> Security -> Potentially Dangerous Sites = Off, the page and stream start.

To keep this option on, would I be able to add it to the Auto Whitelist to allow this CDN network?
thanks!
armin

13
Zenarmor (Sensei) / (IDEA) Apps & DB Updates -> GUI feature -> highlight new apps
« on: November 25, 2020, 08:32:35 pm »
Hello,
just a side mark. Maybe this can somehow be taken into consideration.

When new Apps & DB versions are installed, newly installed apps are activated.
Would be nice if the GUI could be redesigned to reflect the changes.
Otherwise you always have to click through all your partial blocks and refresh your blockings.

If you could see and take action on the new installed apps with a click or a filter this would help a lot.

Just a thought!
thanks
armin

PS: can the auto update be activated somehow on the system's crontab?

14
Zenarmor (Sensei) / (SOLVED) Google is frustrating: Google YES / Google ADS NO
« on: November 24, 2020, 04:25:00 pm »
Hei,
I have to bother you again, but this drives me mad.
We do use most of the google offered services.

Mail, meet, hangout, photos, translate, maps, youtube.. etc...

BUT we do not want analytics or ads from them.
So I configured Sensei as follows:

App Control -> allow all needed Google services BUT block Ads and Analytics
Web Control -> whitelist google.com, youtube and all of the known subdomains.

But Sensei still blocks translate.google.com for me, and you see it in the report as blocked as Ads.

As soon as I allow Google Ads, the translate.google.com page does load.
If ads are not allowed, the page is blocked even when entered in the Web Control whitelist.

Anything I do wrong?

I also had to add the e1000e.net domain to the whitelist to get deeper into Google's jungle and be able to load pictures or files.

Btw, the domain google.com does not seem to be sufficient on the Web Control whitelist, so I had to add all subdomains as well.

Anything I miss? Do I really have to allow ads to be able to access all sites and services from Google?

thanks
armin

15
Zenarmor (Sensei) / (SOLVED) Web Control - add wildcard domain in white/allow list
« on: November 16, 2020, 03:06:17 pm »
Hello again,

is it possible to add a wildcard domain to the white/allow list?
I would need all the google services.
- files.google.com
- drive.google.com
- mail.google.com

etc...

So I thought I could add *.google.com but this does not work.
Would it be enough to add google.com and it would take all domains within?

thank you very much!
armin
