Messages - BenKenobi

1
20.1 Legacy Series / Force Internal IP over specific gateway
« on: May 25, 2020, 02:31:22 pm »
I need a server behind the firewall to use a specific gateway but no longer seem able to.

Just rebuilt the firewall on new hardware, but now I can't add a rule to force a specific internal IP to leave by a specific gateway - the firewall says outgoing connections cannot use policy-based routing - what kind of ridiculous nonsense is this?

Is there any solution, or is it time to put my Cisco 1900 back in service?

2
20.1 Legacy Series / Load Balancing & Priorities
« on: March 01, 2020, 06:47:28 pm »
I have two WAN connections. I have tried numerous times to get load balancing working 'reliably', but although I can get it to function, performance is far from satisfactory: DNS becomes unreliable and unacceptably slow.

I can configure load balancing, but I run my own DNS server; I don't see why I should need to configure ANY DNS rule in the firewall to get load balancing to function, but if you don't then no outgoing connections are possible at all. I neither need nor desire any of the DNS facilities offered by OPNSense or FreeBSD, and I can't even fathom why load balancing would require a DNS rule unless the implementation of load balancing is flawed.

I decided therefore that I'd do some manual balancing by changing gateway priorities - i.e. 255, 254, 253 ... where the lowest number is supposed to be the highest priority and therefore used. Even after a reboot and clearing states, the system flat refuses to use the lowest number unless I disable the other connection (with a priority of 255) entirely, and seems to take the default to be the lowest / first defined 'physical' WAN NIC.

Although I have a different priority set for each WAN and 'Allow default gateway switching' is enabled, the system ignores the priorities and sticks to the gateway with the highest number, i.e. 255.

This is starting to get a tad frustrating - this load balancing hasn't worked reliably since V19.

3
19.1 Legacy Series / NAT and Floating rules
« on: May 22, 2019, 02:52:27 pm »
Can somebody have a look at priorities for blocking traffic vs port forwarding / NAT?

I've just spotted this in my email server logs

lost connection after CONNECT from house.census.shodan.io[89.248.172.16]

but house.census.shodan.io is in a block list (Alias configured as URL (IPs) and allocated to a floating block rule applied to all interfaces). The fact that this log entry exists tells me that something isn't working - shodan should have been blocked.

I don't want to debate the value of blocking such people - I don't invite strangers into my house to look around - this kind of intrusive scanning is no different to me.

I've also seen some 'attacked blocked' notices to port 80 on a system from Kaspersky but considered Kaspersky at fault as there is no port 80 forwarding to that system - now I'm not so sure OPNsense is doing what I expect.

For now I've moved the block rules to the interfaces and put them before any NAT generated rules, I'll be a bit disappointed if I see entries that I shouldn't in event logs going forward.

4
19.1 Legacy Series / Re: Aliasing completely broken for me recently
« on: April 21, 2019, 05:01:10 pm »
For what it is worth I had so many annoying issues (this was one) that I decided this morning to wipe my box out and start from scratch. Not only was the aliasing broken but the event reports had the wrong names - almost like the rules and names were out of sync. DNS also stopped working, neither DNSMasq nor Unbound would resolve anything.

Seems to be working OK now but it's taken all darn day to put everything back in (I didn't restore from a backup to be sure I didn't re-introduce the issues).

I think this is something to do with the upgrading process - which I have done since I can remember - this is only the second time I've done a clean install. I haven't the time spare to go figuring out what was broken but clearly things were, finding out what is made more difficult by the lack of a command prompt and file functions via the GUI.

5
General Discussion / Re: Anyone configured an MTA
« on: July 04, 2018, 05:25:12 pm »
Good to know, and another confirmation that OPNSense is the best fit for my needs.

6
General Discussion / Re: OPNsense versus pfSense
« on: July 04, 2018, 05:11:28 pm »
The arrogance part for me is when they arbitrarily decide to go down a certain path then slag off anyone that dares to speak out or have a contrary opinion.

Sure, you can't please all users at all times, but not all users are dummies, and to treat all users as low-grade morons that somehow don't have a valid opinion is arrogance. Then to tell flagrant untruths to justify a position merely confirms the arrogance - dropping postfix from V2.3 is one such position: claiming that the plugin wasn't maintained, when Marcelloc devoted hours to it and even had a new version waiting to go. That isn't frustration, that's arrogance.

I don't want a hundred damn boxes when one will do - but that's the route PFSense have gone.

So to some extent I do agree frustration can play a role, but there are ways to handle user needs, open honesty and not treating them like fools goes a long way.

7
General Discussion / Re: Anyone configured an MTA
« on: July 04, 2018, 03:30:35 pm »
So the os-postfix is just postfix under the hood then? Not a reduced feature set?

I may be able to make that work if it is just a GUI omission not feature.

8
General Discussion / Re: OPNsense versus pfSense
« on: July 04, 2018, 03:22:10 pm »
For me PFSense started down a road I wasn't interested in following: they decided that PFSense was no longer going to be an all-encompassing barrier and excluded a number of useful add-ons, and the devs also developed an arrogance that I have no time for - 'we do not care what you think or want - we are right, you are wrong' - well fine, I'm outa here. I moved to OPNSense and retain the last decent version of PFsense to use as an MTA - although that may soon be retired now that OPNSense has gained Postfix.

Firefox / Mozilla has gone the same way; if you dare to challenge them they're almost abusive. I'm afraid that arrogance in software departments is something I live with day to day as part of the day job - I have no time whatsoever for it.

So now I'm on OPNSense and Waterfox. I like where the two are going; they fit MY needs, not the developers', so I'm happy to tag along.

9
General Discussion / Re: Anyone configured an MTA
« on: July 04, 2018, 02:50:28 pm »
I don't do any filtering on valid recipients and have my reasons for doing so.

I'm looking in particular, though, for a way to identify backscatter that may have come from my boxes - or backscatter that is nothing to do with me. The presence of backscatter is a good way to identify whether a user box or even a server has been compromised. I know what my server signatures look like, so I use this to tell the difference between forged and genuine - as per the postfix link. Basically, if forged backscatter comes in I reject it; if genuine comes in I want to know.

I am looking ultimately to find a way to send no response whatsoever for invalid recipients - I'm quite OK tying up the spammers' systems re-trying over and over and wasting time doing so; I don't want to disclose when users do not exist. I'm trying to figure out some sort of catch-all - i.e. any address that doesn't exist goes to a black hole queue / inbox. This is fine, and my mail server dumps anything to non-existent users in a junk box. The problem is that I then want to blacklist the real message source of anything that ends up in the black hole; I've never quite figured out how to get that to work in any MTA though.

10
General Discussion / Anyone configured an MTA
« on: July 04, 2018, 12:00:14 pm »
Has anyone here configured an MTA using OPNSense and the packages OS-POSTFIX and OS-RSPAMD?

How did you deal with the potential for backscatter?

http://www.postfix.org/BACKSCATTER_README.html

I currently run an old version of PFSense with Postfix internally as an incoming relay for all incoming port 25 traffic; I do not use it for sending and never will. I use header and body checks to detect forged headers where those headers actually contain my domains as the sender (such mails will NEVER come from 'outside').

There are a few things that I'm not seeing in the OPNSense implementation, the principal one being no way to detect forged domain headers (check out the postfix 'backscatter' link).

I still don't see the opportunity anywhere (in what I use now or in the OPNSense implementations) to decline any response whatsoever - basically I don't want my mailserver to respond with any 2xx/4xx/5xx messages if the sender is not legit. I just want an option to drop the message into a black hole, so that in scenarios such as when no valid recipient exists the system does not respond with a friendly 'unknown user' - in such cases I don't want a response of any kind. This and rate limiting would go a long way to prevent brute-force type harvesting, since spammers could no longer blanket a server with random names and check the responses (harvesting).

That said, my biggest concern is stopping backscatter - any tips on how to achieve this with the OPNSense implementations?
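Posts 9 and 10 above both describe the same defensive check: treat inbound mail whose Received: or From: headers claim our own hosts or domains as forged, and use the MTA's own Received: signature to tell genuine backscatter from forged, as in the Postfix BACKSCATTER_README. The block below is an added example written for this page, not the poster's configuration and not os-postfix or Postfix code; it performs those checks in Python on headers as an outside client sends them. The domain example.org, the host mx1.example.org, the Received: signature pattern and the sample bounce are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: what we own, and the exact Received: signature our Postfix writes.
OUR_DOMAINS = {"example.org"}
OUR_HOSTS = {"mx1.example.org"}
OUR_STAMP_RE = re.compile(r"by mx1\.example\.org \(Postfix\) with E?SMTPS? id [A-F0-9]{10,12}\b")
RECEIVED_RE = re.compile(r"^Received:\s*(.*(?:\n[ \t].*)*)", re.M | re.I)
FROM_RE = re.compile(r"^from\s+([^\s(]+)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.I)

def is_bounce(msg):
    """Non-delivery reports carry a null return path or a MAILER-DAEMON sender."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or "mailer-daemon" in msg.get("From", "").lower())

def classify_inbound(raw):
    """Classify a message an outside client offers to our external MX (before our own
    Received: stamp is added). Returns (verdict, reason): REJECT = forged trace of our
    hosts/domains, ALERT = genuine backscatter with our real stamp, OK = nothing is ours."""
    msg = message_from_string(raw)
    our_stamp = False
    for m in RECEIVED_RE.finditer(raw):      # also finds headers of a bounced original in the body
        line = " ".join(m.group(1).split())  # unfold continuation lines
        client = FROM_RE.match(line)
        if client and client.group(1).lower() in OUR_HOSTS:
            return "REJECT", f"forged client name in Received: header: {client.group(1)}"
        relay = BY_RE.search(line)
        if relay and relay.group(1).lower() in OUR_HOSTS:
            if not OUR_STAMP_RE.search(line):
                return "REJECT", f"forged relay stamp in Received: header: {relay.group(1)}"
            our_stamp = True
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in OUR_DOMAINS:
        return "REJECT", f"forged sender domain on an external connection: {domain}"
    if is_bounce(msg):
        if our_stamp:
            return "ALERT", "genuine backscatter: our relay stamp is present, check that sender"
        return "REJECT", "backscatter for mail that never passed our relays"
    return "OK", ""

# Constructed sample: a bounce whose quoted original names our MX but not its real signature.
FORGED_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@relay.bad.example.net

Received: from unknown (HELO fake) (192.0.2.9)
  by mx1.example.org with SMTP; 1 Jan 2020
From: alice@example.org
"""
```

Running `classify_inbound(FORGED_BOUNCE)` yields a REJECT for the forged relay stamp; a bounce carrying the real `(Postfix) with ESMTPS id ...` signature instead yields ALERT, which is the case worth investigating for a compromised sender.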

11
18.1 Legacy Series / Re: What does this 'really' mean ...
« on: April 12, 2018, 06:15:18 pm »
Got it - just checking, nothing worse than spending 4 hours rebuilding after not paying heed to such things.

Appreciate the speed of response.

12
18.1 Legacy Series / What does this 'really' mean ...
« on: April 12, 2018, 05:49:52 pm »
In the latest 'update' notice I see this phrase

"Three mentionable changes are included: We are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface. "

This means what to me exactly? Since I DO use VIPs (well, Aliases) - I have an allocation of IPs and I use 4 of them for NAT onto internal servers - I don't use the 'primary' IP for any of this, which I am taking to mean the root IP of the allocation.

If I read this correctly it is 'cannot use VIP for NAT any more' - which is a show stopper for me.

13
18.1 Legacy Series / Re: Option missing ?
« on: March 12, 2018, 12:53:47 pm »
Quote from: BenKenobi on March 11, 2018, 01:17:27 pm

    I'm not interested in lectures why saving login details is a bad idea.

Quote
That's a rather patronising statement, it's never a 'lecture' to tell people about good security practice and something about which they may never have previously been told.

Actually it isn't, by definition patronising is

Quote
treat condescendingly, treat with condescension, condescend to, look down on, talk down to, put down, humiliate, treat like a child, treat as inferior, treat with disdain, treat scornfully/contemptuously, be snobbish to, look down one's nose at

Whereas I made it clear I don't need lectures on the topic to avoid those who would use such lectures as a way to justify not having the option or to try and sound clever.

I asked a question re an option that seems to have disappeared, I did not invite a debate on the merits or demerits of its use.

14
18.1 Legacy Series / Option missing ?
« on: March 11, 2018, 01:17:27 pm »
Has the option to permit users to save login details in the browser GUI been removed?

If not, where is it - why does 18.1 now force me to log in all the time? I can't find the option in any settings window to allow this (I know it used to be a setting - I've been using a form of pfSense or OPNSense for years).

I'm not interested in lectures why saving login details is a bad idea.

15
General Discussion / Re: IDS / IPS and Mail Traffic
« on: April 15, 2017, 02:32:50 pm »
Many thanks, I'll take a look at the links suggested, just don't expect anything by tomorrow  ;)
