Topics

1

General Discussion / Just tried out Geoblocking using MaxMind....

« on: March 01, 2022, 07:36:37 pm »

Turns out that 2! addresses are responsible for 2/3 of the last 5k connections....

A Belarus IPv4 and a Chinese IPv6 (until 2-3 days ago the Belarus IPv4 wasn't there and the Chinese were sitting at about 50% of the connections - seemingly randomly scanning my IPv6-space.....)

45.143.200.114      2192 connections
240e:f7:4f01:c::3   1129 connections

2

21.7 Legacy Series / End-of-life?

« on: July 07, 2021, 08:31:21 pm »

My server reports:

Code: [Select]

Versions OPNsense 21.7.r_9-amd64
FreeBSD 12.1-RELEASE-p18-HBSD
OpenSSL 1.1.1k 25 Mar 2021->Click to view pending updates tells me

OPNsense 21.7 "Not Yet" has reached its end of life. As such it will not receive any more updates, but the upgrade to the new 22.1 series is seamless and can be performed right here from the GUI by unlocking it below....

After that I can select an upgrade

Code: [Select]

Package name Current version New version Required action Repository
packages 21.7.r_9 21.7.r1 upgrade OPNsenseie. from version 21.7.r_9 to 21.7.r1 - which I have tried twice... doing that I end up with 21.7.r_9 though....

Following the console I notice this:

Code: [Select]

swapon: adding /dev/gpt/swapfs as swap device
.ELF ldconfig path: /lib /usr/lib /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.32/mach/CORE
32-bit compatibility ldconfig path:
done.
>>> Invoking early script 'upgrade'
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing packages-21.7.r1-OpenSSL-amd64.tar...
bash-5.1.8: already unlocked
beep-1.0_1: already unlocked
ca_root_nss-3.63: already unlocked
choparp-20150613: already unlocked
chrony-4.1: already unlocked
....
Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 760 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (232 candidates): .......... done
Processing candidates (232 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 232 package(s) will be affected (of 0 checked):
...
        opnsense-devel-21.7.r_9
        opnsense-installer-0.10
        opnsense-lang-21.1.7
        opnsense-update-21.7.r1
...
Keep version OPNsense\Chrony\General (0.0.1)
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Chrony: OK
[232/232] Reinstalling opnsense-devel-21.7.r_9...
[232/232] Extracting opnsense-devel-21.7.r_9: .......... done
Stopping configd...done
Resetting root shellNo update is done - keeps me on 21.7.r_9

3

21.1 Legacy Series / Upgrade from 21.1 to 20.7.8???

« on: May 09, 2021, 10:19:36 pm »

Didn't update my firewall for some time.

Code: [Select]

Versions OPNsense 21.1.b_140-amd64
FreeBSD 12.1-RELEASE-p12-HBSD
OpenSSL 1.1.1i 8 Dec 2020
Then it told me

Code: [Select]

This software release has reached its designated end of life. The next major release is: 21.1
After doing that it tells me

Code: [Select]

There are 2 updates available, total download size is 199.9MiB. This update requires a reboot.

This software release has reached its designated end of life. The next major release is: 21.1

Package Name Current Version New Version Required Action
base          21.1        20.7.8        upgrade
kernel          21.1        20.7.8        upgrade
What am I supposed to do, to keep a somewhat current system?

4

20.1 Legacy Series / Adding request options to dhcp6c

« on: June 05, 2020, 05:16:38 pm »

I've switched ISP which should me allow to go native IPv6 instead of via a HEnet-tunnel (which has otherwise worked great).

But - it seems that the dhcp-client is requesting all the needed options for it to work with the provider;

I can get it to request:
Requested Option code: SIP Servers IPv6 Address List (22)
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Requested Option code: Simple Network Time Protocol Server (31)

But I also need:
SIP Server Doman Name List (21)  (I tried adding sip-domain-name, but that give a syntax error in the log on restarting the interface)
NTP Server (56)
Dual-Stack Lite AFTR Name (64)


I might need more options - waiting for a complete packetdump from my ISP.


Is this something that wouldd be able to achieve at all?

I'm trying to redo this: https://www.22decembre.eu/en/2018/05/28/dhcpv6-kviknet/ which is preciesly the same ISP - and appearently a OpenBSD-setup - using dhcpcd.

5

General Discussion / Shodan Blocklist

« on: June 11, 2019, 05:47:49 pm »

Didn't find a recent list of Shodan IPs, so I decided to make my own from my logs....

I use it as an alias (URL Table IPs) and an IPv4 block rule on my wan.

Free for any that want to use it: https://www.vlh.dk/shodan.txt

Last update was einstein.census.shodan.io which started connecting this morning.

If you have any other Shodan IPs, feel free to reply - and I'll add those to the list

6

15.1 Legacy Series / Moving from m0n0wall to Opnsense

« on: February 16, 2015, 07:11:38 pm »

Hi,

The m0n0wall-project has come to an end and Opnsense was mentioned as an alternative.
I'm in the process of installing Opnsense on a spare PCEngines APU1D4 (1GHz dual-core amd64, 4GB RAM) but I think I might need some help transitioning my m0n0wall-configuration to Opnsense.

Is there any how-to for bridging interfaces?
ie. I'm trying to get re0 and re1 (and later wlan0) bridged - have a 10.0.0.0/23 network running on them and they should respond to 10.0.1.254.

Also, any how-to to setup a he.net IPv6-tunnel?

Alternatively a script to simply convert an exported m0n0wall-config


The installation went smoothly with the OPNsense-15.1.5-memstick-serial-amd64, transfered to an USB installed to mSata - thumbs up