Topics - hsing

1
24.7 Production Series / Extended Discussion: The Role of Packet Filter and IPFW in Firewall Filtering
« on: August 27, 2024, 12:21:03 pm »
I would like to continue the discussion I had in this forum thread.

In that discussion, I learned that Packet Filter cannot filter Layer 2 packets, so I conducted further testing. I found that if the ARP table lacks corresponding IP and MAC entries, the firewall will block those packets. However, if the ARP table already has these records, the firewall filters the packets according to the rules.

It was also mentioned that using IPFW for Layer 2 filtering is easier to achieve, which I also tested. I modified /boot/loader.conf to ensure that Packet Filter loads after IPFW (although I initially intended to disable Packet Filter, it still started for some reason). In practice, filtering using IPFW was successful.

However, I'm curious why IPFW isn't used directly for all firewall rule filtering. Is there any information that explains why PF is considered more suitable for this task than IPFW?

These questions come from my limited experience, so if there are any mistakes, I welcome corrections. Thank you!

2
24.7 Production Series / Testing MITM Attack and Firewall Blocking: Discussion
« on: August 19, 2024, 08:15:52 am »
Hi everyone, as mentioned in the title, I have been testing whether OPNsense can block MITM attacks. Below are the environment and settings I used during the test. If there are any mistakes, please feel free to correct me.

Target_1 PC (setting):

    IP: 192.168.1.111
    MAC: 00:0c:29:19:98:4a

Set static ARP for Target_2:
Code:
C:\Windows\system32>arp -a
Interface: 192.168.1.111 --- 0x3
  Internet Address       Physical Address       Type
  192.168.1.12           a0-02-4a-51-1c-0c      Static

Target_2 Device (setting):

    IP: 192.168.1.12
    MAC: a0:02:4a:51:1c:0c

Note: Target_2 cannot set a static ARP for Target_1, so a filter is needed to block traffic.

Firewall (settings):

Interfaces:

    igb1 (linked to Target_1) 00:07:32:a2:76:6d
    igb2 (linked to Target_2) 00:07:32:9c:ca

Interfaces: Other Types: Bridge

    bridge0: target_1, target_2 - bridge Off

Interfaces: Neighbors

    Manual: 00:0C:29:19:98:4A 192.168.1.111 target_1
    Manual: A0:02:4A:51:1C:0C 192.168.1.12 target_2

Firewall: Aliases

    target_1: MAC address - target_1_mac 00:0c:29:19:98:4a 1 2024-08-19 02:18:22
    target_2: MAC address - target_2_mac a0:02:4a:51:1c:0c 1 2024-08-19 02:20:00

Firewall: Rules: Floating

    PASS_Rule: IPv4 * target_1_mac * target_2_mac * * * 1 target1_target2_PASS
    BLOCK_Rule: IPv4 * * * target_2_mac * * * 1 target2_BLOCK

The idea behind these settings is that the first rule allows target_1 and target_2 to communicate normally. The second rule blocks all other traffic to target_2.

These are my settings, and then I used a testing tool (Ettercap) to test the setup.

When I tried an ARP poisoning attack, I could see in the firewall logs that the attacker's computer was using the IP of target_1 to ICMP target_2.

Code:
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS
bridge 2024-08-19T05:57:08 192.168.1.111 192.168.1.12 icmp target1_target2_PASS

When I performed a MITM attack using Ettercap, I could see the connection between Target_1 and Target_2, and I was able to manipulate the connection to cause them to disconnect.

Does this mean my filter only checks up to layer 3 and does not filter at layer 2?

I would appreciate any advice from those with experience in this area.
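The log lines quoted in this post record only IP addresses, so a frame that carries target_1's IP is logged as a PASS no matter which NIC sent it. The script below is an added example, not part of the original post: it renders the same layer-3 log line the post shows and, separately, checks each frame's source MAC against the manually configured neighbor entries from the post. The sample frames, the impostor MAC 02:00:00:00:00:01 and the helper names are constructed for the illustration.

```python
"""Correlate layer-2 source addresses with the static neighbor table.

Added example (not from the original post): the firewall log records only
IP addresses, so a frame whose IP matches the PASS rule is logged the same
way whether it came from target_1's NIC or from another NIC using
target_1's IP. Comparing the source MAC against the manually configured
neighbor entries reveals the mismatch.
"""
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Normalise 'A0-02-4A-51-1C-0C' / 'a0:02:4a:51:1c:0c' to one form."""
    return mac.lower().replace("-", ":")


# Static neighbor entries from the post (Interfaces: Neighbors).
NEIGHBORS = {
    "192.168.1.111": norm_mac("00:0C:29:19:98:4A"),  # target_1
    "192.168.1.12": norm_mac("A0:02:4A:51:1C:0C"),   # target_2
}


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    iface: str = "bridge"
    ts: str = "2024-08-19T05:57:08"


def log_line(frame: Frame, rule: str = "target1_target2_PASS") -> str:
    """Render the layer-3 view in the same format as the post's firewall log."""
    return f"{frame.iface} {frame.ts} {frame.src_ip} {frame.dst_ip} {frame.proto} {rule}"


def check_frame(frame: Frame) -> str:
    """Return 'ok', 'spoofed' (IP known, MAC differs) or 'unknown' (IP not in table)."""
    expected = NEIGHBORS.get(frame.src_ip)
    if expected is None:
        return "unknown"
    return "ok" if norm_mac(frame.src_mac) == expected else "spoofed"


# Constructed sample frames: one genuine, one carrying target_1's IP from a
# different, made-up source MAC.
GENUINE = Frame("00:0c:29:19:98:4a", "192.168.1.111", "192.168.1.12", "icmp")
IMPOSTOR = Frame("02:00:00:00:00:01", "192.168.1.111", "192.168.1.12", "icmp")


def audit(frames):
    """Pair each frame's layer-3 log line with its layer-2 verdict."""
    return [(log_line(f), check_frame(f)) for f in frames]


if __name__ == "__main__":
    for line, verdict in audit([GENUINE, IMPOSTOR]):
        print(f"{verdict:8} {line}")
```

Both sample frames produce the identical log line from the post, and only the MAC check separates them.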

3
General Discussion / Question about Checking RSTP Status
« on: July 10, 2024, 04:27:39 am »
Hello, Community,

I have a question about checking the status of RSTP. Currently, I have found that I can check it through the CLI using the ifconfig bridge0 command. I would like to know if there are other ways to check the status. Is there an interface on the web that can be used to check the status as well?

I hope those who are knowledgeable in this area can provide me with some suggestions and references. Thank you.

4
General Discussion / How to Create a Helloworld Plugin and Use OPNsense Tools
« on: July 05, 2024, 05:28:57 am »
Hi, Community

I am having some difficulties understanding the steps for version updates and creating plugins, specifically how to create the Helloworld plugin. Additionally, I am not quite sure how the make command in OPNsense tools works. I have read the README and tried to follow the instructions, but I always encounter errors. Therefore, I would like to ask if anyone can kindly provide some advice.

Currently, I am unable to resolve this issue:

Code:
Installed pkg version '1.21' does not match required version '1.19'
*** Error code 1

Stop.
make: stopped in /usr/tools
root@freebsd:/usr/tools # pkg -v
1.21.3
root@freebsd:/usr/tools # uname -r
13.2-RELEASE

I have tried to downgrade pkg to version 1.19, but it seems unsuccessful.

5
General Discussion / Issues with Sending Logs to Elastic Using Filebeat on OPNsense
« on: June 19, 2024, 07:48:24 am »
Hello, Community,

I would like to ask if anyone here has experience using Logging to send log data to Elastic. I'm currently encountering some issues with the configuration and would appreciate any help.

Here's the situation: I followed the Kali Purple SOC-IAB setup for the Elastic Agent without any major issues. However, when I wanted to set up IDS/IPS logs, I realized that a different configuration might be required. So, I referred to the Beats method, but encountered a problem when running the filebeat modules list command.

Code:
root@OPNsense:/usr/local/etc/beats # filebeat modules list
Error initializing beat: failed to get host information: unimplemented

I did some searching in the Elastic community and found that others have encountered the same issue, but it doesn't seem to be resolved yet. Therefore, I'm reaching out here for assistance. Any help would be greatly appreciated. Thank you.

6
Tutorials and FAQs / Deep Packet Inspection (DPI)
« on: April 17, 2024, 05:36:28 am »
Hello community,

I previously asked about Deep Packet Inspection (DPI) on the Intrusion Detection and Prevention forum (https://forum.opnsense.org/index.php?topic=39944.msg195936#msg195936). I've learned that Zenarmor may offer similar functionality (though I haven't tested it yet). However, I found out that Zenarmor is not open source. Therefore, I'm inquiring here if there are any other tools that can also achieve DPI, or any directions I should explore?

I found a concept in a document on page 35 "BPF + IPFW + TAG = L7 Filter RTFM ng_tag(4)" (https://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf). Are there any individuals with similar experience or interest who would like to discuss this?

7
Intrusion Detection and Prevention / Seeking Guidance on Deep Packet Inspection Research
« on: April 12, 2024, 04:38:32 am »
Hello Forum community,

I have a question regarding Deep Packet Inspection (DPI) that I hope to discuss here. I came across a discussion about nDPI in the forum (https://forum.opnsense.org/index.php?topic=15820.0) and was wondering if there are any plans to continue research in this area? I am quite interested in this field but currently lack sufficient resources and would appreciate any guidance from experts familiar with this topic.

I'm unsure if this is the right section to post this message since the IDS/IPS documentation mentions DPI (https://docs.opnsense.org/manual/ips.html) but doesn't seem to delve deeply into the subject. I have also searched for relevant information in FreeBSD and Suricata documentation without success. However, I found some DPI-related material in the AsiaBSDCon conference presentations (https://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf) (page 35), which I suspect may be related to the packages used by Suricata. Therefore, I am curious if others are also exploring this area and could share some insights.

I hope to find some assistance here. Thank you!

8
General Discussion / Queries on Bridge RSTP Configuration
« on: March 22, 2024, 10:19:46 am »
Hi all, I was wondering if anyone is familiar with configuring the Spanning Tree Protocol (RSTP/STP)? I've encountered some issues while attempting to configure the bridge interface, mainly involving the settings for Hello time (seconds) and Priority.

I tried modifying the settings using both the WebGUI and CLI methods, but neither yielded the expected results. Initially curious about the default value of Hello time (2 seconds), I wanted to reduce it to its minimum limit (1 second) for testing. However, when attempting to make this modification using the CLI command ifconfig bridge0 hellotime 1, I was met with the error message ifconfig: BRDGSHT 1: Operation not permitted, indicating that the operation was not allowed, hence I was unable to successfully change the Hello time to 1 second.

Furthermore, regarding the Priority setting, I noticed that the bridge's Priority is adjustable, but when I expected to change it to 10000, it turned out to be 8192 instead. I am curious if there is a fixed rule for this. In addition, the changes I made to the Priority Interface did not show any updates. The same goes for the Path cost.

I hope to receive help and guidance from everyone regarding the issues mentioned above with bridge RSTP settings. Thank you all!

9
General Discussion / Bridge Setup Question: Rules and Lockout Query
« on: March 15, 2024, 07:50:07 am »
Hi everyone,

I have some questions about Transparent Filtering Bridge that I hope someone can help me with. I was reading the documentation on Transparent Filtering Bridge (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html#disable-outbound-nat-rule-generation), and I have two main questions:

    In the section about "7. Add Allow rules," I conducted two tests. In the first test, I used Floating Rules and selected only the interfaces that were added to the Bridge group. During this test, machines within the group were unable to ICMP Ping their target. However, in the second test, when I only allowed the Bridge group's Interface in the Floating Rules, the machines within the same group could ICMP Ping normally. Does this mean that the Bridge Interface takes control over the interfaces in the group? And hence, is it sufficient to just allow the Bridge Interface in the Rules?

    Regarding the section on "Disable Default Anti Lockout Rule," I cannot discern the difference between having this option checked or unchecked, as I didn't notice any changes in the Automatically generated rules. I'm wondering if it's necessary to check this option?

Thank you for reading and for your assistance.

10
Development and Code Review / Understanding Autoloading and Namespaces in PHP
« on: February 23, 2024, 08:29:43 am »
Hi everyone,

I have a question regarding namespaces. I understand that using namespace Vendor\Model; and use Vendor\Model; with autoloading can greatly simplify the code. However, I want to comprehend how this entire process works. I previously saw files like Autoload/Loader.php, Di/Di.php in the /usr/local/opnsense/mvc/app/library/OPNsense/Phalcon/ directory, but they have been removed. Additionally, in the /usr/local/opnsense/mvc/app/config directory, I can still see the use of use Phalcon\MVC, use Phalcon\Di. Could anyone provide some advice or references regarding these issues? Thank you.

11
24.1 Legacy Series / Seeking Assistance for System Gateway Configuration Issue in Version 24.1
« on: February 01, 2024, 07:15:43 am »
Hello everyone, I encountered a special situation in the new version 24.1. Regarding the System: Gateways: Configuration section, I noticed that once I assign a gateway, it essentially gets stuck there. If I try to delete it, the system won't allow me to perform any actions. After going into edit mode, if I attempt to disable it, I find that it cannot be saved. It wasn't until I activated advanced mode, which required filling in the Weight, that I was able to save. This temporarily resolves the issue of disabling, but as for deleting the gateway, has anyone else encountered the same issue as me?

Thank you.

12
Intrusion Detection and Prevention / Intrusion Detection: Alert Pagination Issue
« on: January 18, 2024, 06:33:25 am »
Hello everyone, I have a question about the "Alerts" feature in "Intrusion Detection System Management."
I've noticed that when there is a large volume of log data, the pagination at the bottom of the page doesn't initially display five page options. (For example, in the "Rules" tab, when there is a large amount of data, the system shows five pages, and you can navigate through the pages using the "Next" and "Last" buttons.)
Additionally, when I use the "Next" and "Last" buttons in the "Alerts" tab, these buttons seem to have little difference in function, yet they work normally in other tabs like "Rules." I wonder if anyone has encountered a similar issue or has any suggestions?

Moreover, I have also noticed this issue in similar log viewing pages like "Services: Intrusion Detection: Log Files" and "Firewall: Log Files: General."

13
Intrusion Detection and Prevention / Issue with Disabled Intrusion Detection Rules Remaining in Policy
« on: January 11, 2024, 07:30:48 am »
Hi, I have a question regarding Intrusion Detection functionality. I downloaded two rule sets, ET open/emerging-scada and OPNsense-App-detect/test, from a webpage. I noticed that after disabling selected rules from the Download tab, they disappear from the Rules section under Administration. However, these rules still appear in the Rule adjustments page under Policy. Has anyone encountered this same issue? Is there a way to resolve this? Thank you.

14
Intrusion Detection and Prevention / Suricata Issue: OPNsense 23.7.7_3-amd64 Not Blocking Eicar Test
« on: November 01, 2023, 07:28:33 am »
Hi everyone,
I tried testing the "suricata opnsense.test.rules" from the video (https://www.youtube.com/watch?v=_yIq3GM4gjA&t=905s) at the 15:05 mark. I tested it once before and it worked as expected. However, now with OPNsense 23.7.7_3-amd64, I've noticed that it seems to not block the eicar virus test. I'm wondering if anyone else has encountered the same issue?
Below is the log content:
Code:
root@OPNsense:/var/log/suricata # tail -f suricata_20231101.log
<173>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="2"] [100106] <Notice> -- This is Suricata version 6.0.15 RELEASE running in SYSTEM mode
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="3"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="4"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="5"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="6"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="7"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68727 - [meta sequenceId="8"] [100106] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="9"] [100123] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "http", enabling metadata.app-layer
<172>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="10"] [100123] <Warning> -- [ERRCODE: SC_WARN_DEPRECATED(203)] - Found deprecated eve-log.alert app-layer flag "tls", enabling metadata.app-layer
<173>1 2023-11-01T05:42:58+00:00 OPNsense.localdomain suricata 68748 - [meta sequenceId="11"] [100123] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.

Thank you all.

15
General Discussion / Seeking an Invitation Code for the Bluesky
« on: October 31, 2023, 03:17:14 am »
Hello everyone,

I'd like to ask if anyone in the community could share a Bluesky invitation code with me? After the recent 23.7.7 version update announcement, I became aware of this social media platform. I would be very grateful if someone could share an invite code.

Thank you all!
