Messages

I removed/stopped serving the blocklist, haven't seen changes/additions for quite sometime, and are now using a host-alias instead; with the following hosts:

Code Select Expand

188.138.1.119
208.180.20.97
198.20.69.74
198.20.69.98
198.20.70.114
198.20.99.130
93.120.27.62
66.240.236.119
71.6.135.131
66.240.192.138
71.6.167.142
82.221.105.6
82.221.105.7
71.6.165.200
188.138.9.50
85.25.103.50
85.25.43.94
71.6.146.185
71.6.158.166
198.20.87.98
66.240.219.146
209.126.110.38
104.236.198.48
104.131.0.69
162.159.244.38
93.174.95.106
94.102.49.193
80.82.77.139
94.102.49.190
185.163.109.66
89.248.172.16
71.6.146.186
89.248.167.131
159.203.176.62
185.181.102.18
80.82.77.33
216.117.2.180
71.6.199.23
185.142.236.34
185.165.190.34
185.142.236.35
71.6.146.130
71.6.147.254
185.165.190.17
195.144.21.56
2604:a880:2:d0::978:7001

I have setup a number of countries that I should just drop

This means you've created an alias with selected countries?
Then you can add firewallrule(s) using that/those alias(es) to block traffick.

Turns out that 2! addresses are responsible for 2/3 of the last 5k connections....

A Belarus IPv4 and a Chinese IPv6 (until 2-3 days ago the Belarus IPv4 wasn't there and the Chinese were sitting at about 50% of the connections - seemingly randomly scanning my IPv6-space.....)

45.143.200.114      2192 connections
240e:f7:4f01:c::3   1129 connections

I just noticed my first IPv6-shodan host....

Aug 30 08:01:51 mail.vlh.dk postfix/smtps/smtpd warning: hostname editor.census.shodan.io does not resolve to address 2604:a880:2:d0::978:7001: No address associated with hostname

Was wondering how I would add that to the list?
Simply change to IPv4+IPv6 for the rule and add 2604:a880:2:d0::978:7001:?
Or do I need to format it in some specific way? (and can I mix IPv4 and IPv6 in one list?)

Thanks

My server reports:

Code Select Expand

Versions OPNsense 21.7.r_9-amd64
FreeBSD 12.1-RELEASE-p18-HBSD
OpenSSL 1.1.1k 25 Mar 2021->Click to view pending updates tells me

OPNsense 21.7 "Not Yet" has reached its end of life. As such it will not receive any more updates, but the upgrade to the new 22.1 series is seamless and can be performed right here from the GUI by unlocking it below....

After that I can select an upgrade

Code Select Expand

Package name Current version New version Required action Repository
packages 21.7.r_9 21.7.r1 upgrade OPNsenseie. from version 21.7.r_9 to 21.7.r1 - which I have tried twice... doing that I end up with 21.7.r_9 though....

Following the console I notice this:

Code Select Expand

swapon: adding /dev/gpt/swapfs as swap device
.ELF ldconfig path: /lib /usr/lib /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.32/mach/CORE
32-bit compatibility ldconfig path:
done.
>>> Invoking early script 'upgrade'
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing packages-21.7.r1-OpenSSL-amd64.tar...
bash-5.1.8: already unlocked
beep-1.0_1: already unlocked
ca_root_nss-3.63: already unlocked
choparp-20150613: already unlocked
chrony-4.1: already unlocked
....
Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 760 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (232 candidates): .......... done
Processing candidates (232 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 232 package(s) will be affected (of 0 checked):
...
        opnsense-devel-21.7.r_9
        opnsense-installer-0.10
        opnsense-lang-21.1.7
        opnsense-update-21.7.r1
...
Keep version OPNsense\Chrony\General (0.0.1)
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Chrony: OK
[232/232] Reinstalling opnsense-devel-21.7.r_9...
[232/232] Extracting opnsense-devel-21.7.r_9: .......... done
Stopping configd...done
Resetting root shellNo update is done - keeps me on 21.7.r_9

Didn't update my firewall for some time.

Code Select Expand

Versions OPNsense 21.1.b_140-amd64
FreeBSD 12.1-RELEASE-p12-HBSD
OpenSSL 1.1.1i 8 Dec 2020

Then it told me

Code Select Expand

This software release has reached its designated end of life. The next major release is: 21.1

After doing that it tells me

Code Select Expand

There are 2 updates available, total download size is 199.9MiB. This update requires a reboot.

This software release has reached its designated end of life. The next major release is: 21.1

Package Name Current Version New Version Required Action
base          21.1        20.7.8        upgrade
kernel          21.1        20.7.8        upgrade

What am I supposed to do, to keep a somewhat current system?

I've switched ISP which should me allow to go native IPv6 instead of via a HEnet-tunnel (which has otherwise worked great).

But - it seems that the dhcp-client is requesting all the needed options for it to work with the provider;

I can get it to request:
Requested Option code: SIP Servers IPv6 Address List (22)
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Requested Option code: Simple Network Time Protocol Server (31)

But I also need:
SIP Server Doman Name List (21)  (I tried adding sip-domain-name, but that give a syntax error in the log on restarting the interface)
NTP Server (56)
Dual-Stack Lite AFTR Name (64)


I might need more options - waiting for a complete packetdump from my ISP.


Is this something that wouldd be able to achieve at all?

I'm trying to redo this: https://www.22decembre.eu/en/2018/05/28/dhcpv6-kviknet/ which is preciesly the same ISP - and appearently a OpenBSD-setup - using dhcpcd.

Didn't find a recent list of Shodan IPs, so I decided to make my own from my logs....

I use it as an alias (URL Table IPs) and an IPv4 block rule on my wan.

Free for any that want to use it: https://www.vlh.dk/shodan.txt

Last update was einstein.census.shodan.io which started connecting this morning.

If you have any other Shodan IPs, feel free to reply - and I'll add those to the list :)

Selecting System -> Setup Wizard, Services -> UPnP & NAT-PMP or Status -> Traffic Graph the menu collapses - doesn't do that for any of the other entries... (dunno if that's intentional).

I feel the menu-entries should/could be a bit smaller - I don't like having to scroll through the menues, at least not when scrolling and hitting the bottom of the menu causes the main-page to scroll.

Otherwise I think I'm quite close to shutdown my m0n0wall and replace it with OPNsense - good work :)

I installed OPNsense-201502140847-memstick-serial-amd64.img on my spare PCEngines APU1D4.
Installed fine and no problems with the initial setup - now I'm starting to configure it to replace my m0n0wall-installation.

I created some aliases and started creating Port Forward NAT-rules (Firewall->NAT) using said aliases. In the rules-list the alias gets prefixed with Array (ie. when I created a Port Forward NAT for my mailhost I see 'Arraymailports' as Dest. ports, 'Arraymailhost' as NAT IP, 'Arraymailports' as NAT Ports).

The rules auto-created in Firewall->Rules are not prefixed with Array.


Back to figuring out to migrate the rest of my m0n0wall-config :)

Hi,

The m0n0wall-project has come to an end and Opnsense was mentioned as an alternative.
I'm in the process of installing Opnsense on a spare PCEngines APU1D4 (1GHz dual-core amd64, 4GB RAM) but I think I might need some help transitioning my m0n0wall-configuration to Opnsense.

Is there any how-to for bridging interfaces?
ie. I'm trying to get re0 and re1 (and later wlan0) bridged - have a 10.0.0.0/23 network running on them and they should respond to 10.0.1.254.

Also, any how-to to setup a he.net IPv6-tunnel?

Alternatively a script to simply convert an exported m0n0wall-config ;)


The installation went smoothly with the OPNsense-15.1.5-memstick-serial-amd64, transfered to an USB installed to mSata - thumbs up :D