Topics - XeroX

1
Intrusion Detection and Prevention / [22.7] Suricata does not work anymore including VLANs
« on: August 04, 2022, 06:50:21 pm »
Hello,
I'm facing the following problem with Suricata with 22.7. Hardware offloading is off. I set VLAN Filtering to "Leave Default" prior to the update.

Interfaces:
WAN = PPPoE on igb0
MODEMACCESS = igb0
LAN = igb1
VLAN1, VLAN2 = Child of igb1

Suricata is configured in Promiscuous and IPS Mode to LAN and MODEMACCESS as those are the physical interfaces. LAN because I want to see which machines may be compromised and communicating to the internet. However it worked flawlessly with 22.1.

After the update, VLANs are not reachable when Suricata is running. No settings changed.


Code:
Stats for 'igb0':  pkts: 78997, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 84275, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1':  pkts: 102971, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb1^':  pkts: 107821, drop: 0 (0.00%), invalid chksum: 0


Switching to MODEMACCESS only. Seems to work but it doesn't. emergering_user_agents ruleset is enabled and added to the Policy. But # curl -A "BlackSun" www.google.com results in nothing although it should be blocked. It does work when adding LAN again BUT VLANs stop working. In general I question the use of IPS on WAN interface?!

Code:
Stats for 'igb0':  pkts: 3342, drop: 0 (0.00%), invalid chksum: 0
Stats for 'igb0^':  pkts: 4858, drop: 0 (0.00%), invalid chksum: 0

Any advice? I can live with no IPS on LAN, but it does not work on WAN physical interface. This renders IPS pretty useless for me.

I downgraded to 6.0.5 as well without improvement.

Is this related to the merge of EM and IGB Driver in 13.1?

https://www.freebsd.org/cgi/man.cgi?query=em&apropos=0&sektion=4&manpath=FreeBSD+13.1-RELEASE+and+Ports&arch=default&format=html
https://www.freebsd.org/cgi/man.cgi?query=netmap



2
22.1 Legacy Series / Firewall Rules | InterVLAN Traffic
« on: May 25, 2022, 08:48:10 pm »
Hello,
obviously I'm too stupid to get traffic from one VLAN to another one.

I do get traffic from LAN to VLAN2. But I can't reach VLAN2 to LAN (only ICMP works).

Can someone help me with that? I tried rules in every direction on every interface (LAN, VLAN2). I'm able to reach LAN -> VLAN2 but not in the other direction. What am I doing wrong?

As ICMP works, I would rule out any routing problem.

Is this related to the webproxy? (transparent mode, but rules deleted on VLAN2)

Cheers and thx for help.

3
21.7 Legacy Series / Certificate renewal
« on: September 25, 2021, 03:24:50 pm »
Hello,
is there any way to renew certificates that have been issued?

I use this as "light" CA, as other systems are too complicated.

Cheers

4
21.7 Legacy Series / SSL Certificates signing | Error 500
« on: August 19, 2021, 03:08:28 pm »
Hello,
currently running latest OPNSense 21.7.

I'm not able to sign certificates anymore (Internal Certificate Signing). Trying to sign a certificate results in "500 Internal Server Error"

Code:
2021-08-19T15:00:47 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2438 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T15:00:47 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
2021-08-19T14:59:29 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2396 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T14:59:29 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1

Anyone able to verify if this is a general problem or just mine?

Cheers

5
21.7 Legacy Series / OPNSense Upgrade 21.7
« on: July 28, 2021, 06:06:56 pm »
Hello,
my setup seems to be broken after the update.

Updated via console and it is leaving me with a 10 minute reboot. configd does not start as some python library is missing. I'm not able to ssh or login on console via root or my user account. It says login incorrect or access denied.

I can login via web, but I'm not able to see logs or run the update again. The dashboard stays empty and the widgets throw an error.

Warning: Invalid argument supplied for foreach() in /usr/local/www/widgets/widgets/smart_status.widget.php on line 48

Is there any way to recover from it? The missing python library seems to be jinja2.

Report is sent via WebUI, maybe someone can see the full log, as I can't.

Any chances to modify the boot parameter to be logged in as root without pw prompt?

Cheers


6
21.1 Legacy Series / [Solved] Suricata 6.0 with 21.1.4 does not start | Hyperscan missing
« on: April 01, 2021, 07:35:01 pm »
Hello,
thanks for the update to 21.1.4 and Suricata 6.x on Devel.

Suricata does not want to start after the update.

The log shows:
Code:
2021-04-01T18:34:09 root[7389] /usr/local/etc/rc.d/suricata: WARNING: failed to start suricata
Manual start shows:
Code:
1/4/2021 -- 19:31:36 - <Info> - Including configuration file installed_rules.yaml.
1/4/2021 -- 19:31:36 - <Info> - Configuration node 'rule-files' redefined.
1/4/2021 -- 19:31:36 - <Info> - Including configuration file custom.yaml.
./suricata: WARNING: failed to start suricata

Code:
OPNsense 21.7.a_314-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
LibreSSL 3.2.5

Trying to investigate further or does it simply require a reinstall?

EDIT: Looks like Hyperscan support is missing with this build.


Code:
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:33:38 OPNsense suricata[72140]: [100255] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:37:16 OPNsense suricata[40561]: [100128] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 17:44:59 OPNsense suricata[95863]: [100343] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 18:34:09 OPNsense suricata[77466]: [100851] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:31:36 OPNsense suricata[78420]: [100843] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:02 OPNsense suricata[18973]: [100835] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:37:54 OPNsense suricata[92966]: [100386] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Notice> -- This is Suricata version 6.0.2 RELEASE running in SYSTEM mode
Apr  1 19:38:12 OPNsense suricata[10120]: [100298] <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Hyperscan (hs) support for mpm-algo is not compiled into Suricata.

Recompiling /usr/ports/opnsense/suricata-devel

7
20.7 Legacy Series / Safe to delete?
« on: October 23, 2020, 12:26:19 am »
Hey,
with recent update from 20.7.3 to 20.7.4 it shows the following messages:
Code:
You may need to manually remove /usr/local/etc/php-fpm.d/www.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/sudoers if it is no longer needed.
You should remove /usr/local/etc/raddb if you don't need it any more.
You may need to manually remove /usr/local/etc/nginx/mime.types if it is no longer needed.
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.

Really safe to delete?

8
Web Proxy Filtering and Caching / Squid SSL Inspection and Windows Updates
« on: October 08, 2020, 07:37:06 pm »
Hello,
Microsoft is using Certificate Pinning for Windows Update. I can't get this working properly.

Can anyone help me to paste this to the correct section? I feel this is overwritten by the bump settings of OPNSense.

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

9
20.7 Legacy Series / Weird problem with NAT Reflection
« on: September 27, 2020, 01:09:43 am »
Hello,
so I noticed the following problem.

Before using NAT Reflection I used remapping specific domains to internal IP addresses (my dyndns address) with Unbound and Pi-Hole. Worked perfectly, certificates valid.

I thought about using NAT-Reflection to get rid of these domain rewrites. So I enabled it and removed the DNS entries.

My Application is forwarded on Port 80 and 443.

When I enable NAT-Reflection + Create Rules and connect via Wireguard and enter for ex. x.x.x.1 to get access on OPNSense, I land on the application forwarded to 80 and 443 instead of OPNSense WebIF.

Any ideas or solution to this?

Cheers

10
20.7 Legacy Series / Firewall Rules Optimization
« on: September 03, 2020, 07:59:04 pm »
Hello @Firewall Advanced Settings, I can find "Firewall Rules Optimization". It allows None, Basic and Profile.

I searched for pfctl and found the exact same description. What is it exactly doing on "Profile"?

What is the best setting for maximum optimization if I've spare memory and processor time?

Cheers

11
Intrusion Detection and Prevention / Stats.log
« on: July 28, 2020, 09:36:34 pm »
Hello,
I found out, not sure if this is new with 20.7.r_13, that IDS only shows the stats.log under LogFile. This seems to be pretty useless and I'm sure that it was the suricata.log once in a while.

Can anyone confirm this behavior?

Code:
OPNsense 20.7.r_13-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
LibreSSL 3.0.2

suricata.log is placed in /var/log/
all other logs are placed in /var/log/suricata/

12
General Discussion / GPS huge offset
« on: May 28, 2020, 12:27:17 am »
Hello,
I've set up a u-blox GPS Module. Using it via u-center and/or checking console output via:

Code:
cat gpsinit | cu -s 9600 -l /dev/gps0
Shows me the correct timing:
Code:
$GNZDA,221311.00,27,05,2020,00,00*7A
Setting it up via the Interface and checking the status shows an offset of ~330 seconds and marks the GPS Module as falseticker.

What am I doing wrong? Using default settings.

13
Intrusion Detection and Prevention / Suricata locksup igb1
« on: May 20, 2020, 09:45:00 pm »
Hello,
I've a Qotom with 4 x Intel i211AT.

Pretty much every reboot Suricata locks up igb1 (LAN). Suricata is listening on WAN (PPPoE - igb0) and LAN (igb1).

I'm only able to access OPNSense via Wireguard VPN of my Phone. After 4-5 restarts of Suricata it is working again.

What am I doing wrong? Can someone confirm this issue?

Cheers

14
20.7 Legacy Series / Aliases broken?
« on: May 14, 2020, 11:26:07 pm »
Hello,
I added an Alias named for ex. ABCD. I selected URLs (IPs) and added to Domains. Saving and pressed "Apply".

pfTable showing -> ABCD stays empty even with URLs Table.

Is this correct behavior?

Cheers

15
20.7 Legacy Series / Monit PAM Authentication
« on: May 13, 2020, 10:31:26 pm »
Hello,
is it intended that Monit offers PAM Authentication and it's actually even displayed in the settings but does not work?

I can see an upstreamed root password in monitrc, but it's obviously not mine.

The pam.d file seems to be missing. Intended or bug?
