Messages - labsy

1
Hardware and Performance / Re: Disk 109% full, how to increase size
« on: February 24, 2022, 11:21:43 pm »
Excellent starting point, thank you!!!

I had problems SSH-ing: I see port 22 is open, listening on WAN interfaces, but simply cannot connect with PuTTY. Never mind... did it via remote console and, like you said, found the disk hog, 92 GB in size, flowd.log:

Code:
  92664854896 Jan 14 20:02 flowd.log
     11566548 Jun  7  2021 flowd.log.000001
     11566328 Jun  7  2021 flowd.log.000002
     11666820 Jun  7  2021 flowd.log.000003
     11598933 Jun  7  2021 flowd.log.000004
     11587141 Jun  7  2021 flowd.log.000005

Looks like a known issue: https://github.com/opnsense/core/issues/2296


2
Hardware and Performance / Disk 109% full, how to increase size
« on: February 24, 2022, 10:30:25 am »
Hi,

My OPNSense 19.1.10_1-amd64 is running FreeBSD 11.2-RELEASE-p10-HBSD as a VIRTUAL MACHINE on ESX 6.5 server. It says DISK USAGE: 109% (100G/100G)

I dunno how this is even possible, and it is still running, but I will obviously need to act NOW.

Please...I have only copy/paste Linux knowledge - any reliable instructions on how to resize disk?

3
22.1 Legacy Series / Should I migrate 19.1. to 22.1 performance wide?
« on: February 02, 2022, 07:33:14 pm »
Hi,

I have 19.1. on ESX 6.5 server and yes, it's working. A lot of rules, a lot of NAT translations, and a lot of blocklists (aliases, external lists). Cannot auto-upgrade to any newer version, dunno why, but it does not work.

I am thinking about manually rewriting all rules to 22.1 version.
What ya think - will there be any benefit performance-wise or security-wise?

4
21.7 Legacy Series / Re: Any performance gain from 19.1 to 21.7 version?
« on: September 20, 2021, 10:35:49 am »
Thank you.

Well, I have VMWare 6.7 u 1, so it's virtualized HW. With mentioned 4000 active handles it's scratching the floor, not spiking over 8% CPU, so I guess performance wise would be fine.

Regarding UPDATE... I guess the breaking point is 19.1 --> 19.7, because 19.1 was the last possible auto upgrade. From there on traffic was stuck; I tried twice, spent a whole day trying to upgrade 19.1 to different versions, even one step up, but to no avail.
So I am stuck with 19.1 and need to manually upgrade.

5
21.7 Legacy Series / Any performance gain from 19.1 to 21.7 version?
« on: September 14, 2021, 09:48:49 am »
Hi,

I have production on 19.1 version on this:
- Host is FUJITSU server on ESX 6.7.0 Update 2
- OPNSense is 19.1 with approx. 4000 active states on average
- it has some 40 NAT rules
- it also has quite large BLOCKLISTS on FW Aliases (loading external files of up to 4000 IP addresses to block)
- WAN is 1 Gbps bandwidth in datacenter

What do you think - will I gain or lose performance-wise if I upgrade to 21.7?
It is a PITA, because I will "upgrade manually", meaning I need to rewrite by hand all rules and settings. Auto upgrade is not possible.

6
Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?
« on: February 02, 2020, 10:44:48 pm »
Chemlud, I just wanted to reply to you, that this is what I first tried. And I have tried many combinations there, each minute, each hour...
...BUT I took a look at this Cron guide https://www.codementor.io/@akul08/the-ultimate-crontab-cheatsheet-5op0f7o4r and realized, that I *might* have entered numbers wrong!
For example, I entered 5 for minutes and 0 for hours and 0 for days... which would in the best case mean every day at 0:05 hours, but as the day was also 0, I am not sure what that meant to the Cron job.

So today I put my glasses on, saw those dots are not asterisks * but rather zeros 0... oh, geeez, my oh my... Then I read the above mentioned cheat sheet :)))

So, for the URL TABLE Alias to reload every 2 minutes, picked up the following Cron job:
   Update and reload firewall aliases

...and entered the following schedule:
   */2   *   *   *   *

Now it works like a charm!
Thank you for kicking me back to the track!

BTW... If anybody else wants to take advantage of this list, it gets updated instantly. You are all welcome to use it: http://secureit.si/lockouts/list.php

7
Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?
« on: February 02, 2020, 02:28:02 pm »
Any idea on this subject?
How can I set URL TABLE refresh?
Is there any LOG of URL TABLE alias refresh cron?

My webhosting servers are under constant attacks, hundreds of brute force login attempts every minute, across all web sites. Attacking script maybe tries from same URL a dozen of times, then it obviously switches over to another web site at some other webhosting services.
My trap sites detect attacks at their first attempt, as they are made of traps actually. And immediately they push the attacker's IP to the BAN LIST. So I am very interested to reload this BAN LIST into OPNSense FW --> Aliases --> URL TABLE list as soon as possible, say every 1 minute at least, to prevent any further attacks from the same IP.
It's crucial for me this mechanism to work.

8
Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?
« on: January 10, 2020, 11:21:02 pm »
Thank you, Franco, I assumed the same, too.
There are 2 fields with predefined values:
- Days: 0
- Hours: 4.00
How can I set it to refresh every 2 or 5 minutes?
I tried with 0.05 or 0.02 in hours field, but it does not seem to work.

9
Intrusion Detection and Prevention / [SOLVED] How often is ALIAS URL table refreshed, if ever?
« on: January 09, 2020, 11:15:10 pm »
Hi,

related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering, if ALIAS URL table, pulled from external source, is ever refreshed?

I have it configured to pull bad IPs to block them from external URL, but if I manually inject one testing IP there, it does not get blocked not after 1 hour, not after 1 day.
So I guess either the list does not get updated ever, or maybe CRON for this update is not configured.

Any idea where refresh rate (update) can be set?

10
Intrusion Detection and Prevention / Re: How to check if Firewall blocking rule is working?
« on: January 08, 2020, 07:10:33 am »
I am checking those ALIAS rules, but it seems like it is not pulling IP's from the list. I mean, source IP is not blocked, and source IP is not within IP ALIASES.

I have CRON set to check LIST ALIAS every 5 minutes.

Any idea what's wrong?
Any LOG I can check?

11
Intrusion Detection and Prevention / Re: How to check if Firewall blocking rule is working?
« on: December 31, 2019, 07:58:55 pm »
Ok, but LIVE VIEW I assume shows near realtime logs. I cannot check there, for example:
"Dear tech support, our team member is on vacation on Barbados and they cannot send mail."
Where can I check things like this, when I only suspect issue happened 3 days ago?

12
Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?
« on: December 07, 2019, 11:03:39 pm »
Hi,

I have a kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and Wordpress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (mysql) and inject them via TXT table into the firewall ALIAS table.
If anyone is interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?

13
19.7 Legacy Series / Re: Not able to update and stuck at 19.7
« on: December 05, 2019, 10:24:08 pm »
Anybody else with same problems? Or me alone, meaning, I will need to manually re-type the whole config to fresh install... :o

14
19.7 Legacy Series / Re: Not able to update and stuck at 19.7
« on: November 14, 2019, 09:29:04 pm »
Hi Franco,

I've faced strange behavior upon upgrading from 19.1.10 to 19.7.x version. Seems like some of my configuration was misinterpreted, as simple PING to public internet did not work anymore. It was the same if I did upgrade of working system, or fresh install 19.7, update to latest, then import old config - in both cases ping to public internet fails, some NAT rules also stopped working...did not have time to investigate further.

Here's my BUG report if it matters anyhow: https://github.com/opnsense/core/issues/3809

BTW: You say that this command can install fresh over what you have, and preserve existing config? Is this in any way different than normal upgrade?
Code:
# opnsense-bootstrap

15
19.7 Legacy Series / Re: Large IP Blacklists...performance impact?
« on: May 12, 2019, 11:36:55 pm »
Actually... how can I check if IP addresses were properly retrieved and accepted by OPNSense?
I have them in format:
1.2.3.4
1.2.3.4
1.2.3.4
And filename is list.php, because it is dynamic and it generates fresh list each time file is displayed.
Is this proper format? How to verify?

*** EDIT ***
Solved! Found out myself!

there were 2 glitches:

1.) The called web site with public list is behind NAT and needs to have SplitDNS configured to be reachable from inside. In OPNSense it is under Services --> Unbound DNS --> Overrides --> Host Overrides

2.) There are actually TWO TYPES of ALIAS lists, URL and URL Table. First one is one-time static, and only second one is dynamic with expiration time.
If you select Type of Alias "URL (IPs)", then it seems to load only once, and requested format is unknown to me.
But if you select Alias Type as "URL Table (IPs)", then format is as above and you can set Expiration time, like 1 hour and it will reload once per hour. Tested & working!

If anyone is interested in sharing the list, here's the link:
http://secureit.si/lockouts/list.php
I might keep it alive for quite some time.
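
An added example (not part of the original posts and not OPNsense code): a check for a one-address-per-line feed like the one described above, run on the generator's output before the firewall fetches it, so that script errors and addresses that must never be blocked do not reach the URL Table alias. The function name, the protected networks and the sample feed are constructed for illustration.

```python
import ipaddress

# Assumption: networks that must never appear in the block list (own public
# range, management LAN). Constructed values from documentation ranges.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "10.0.0.0/8")]

def check_feed(text, protected=PROTECTED):
    """Validate a one-IP-per-line feed.

    Returns (accepted, rejected): accepted is a de-duplicated, sorted list of
    address strings; rejected is a list of (line_no, raw_line, reason).
    """
    accepted, rejected = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            # Catches malformed addresses and anything a dynamic page may
            # emit on failure (HTML, database error text).
            rejected.append((no, raw, "not an IP address"))
            continue
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            rejected.append((no, raw, "special-purpose address"))
            continue
        hit = next((net for net in protected if addr in net), None)
        if hit is not None:
            # A trap that fires on your own traffic would otherwise lock you out.
            rejected.append((no, raw, f"in protected network {hit}"))
            continue
        accepted.add(addr)
    ordered = sorted(accepted, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected

# Constructed sample feed: duplicates, a protected address, a loopback
# address, an out-of-range octet and a leaked script error.
SAMPLE = """198.51.100.7
203.0.113.9
198.51.100.7

192.0.2.5
127.0.0.1
203.0.113.300
<b>Warning</b>: mysqli_connect() failed
"""

if __name__ == "__main__":
    ok, bad = check_feed(SAMPLE)
    print("publish:", ok)
    for no, raw, reason in bad:
        print(f"line {no}: {raw!r} rejected ({reason})")
```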
