Show posts

Messages - 8191

#61
15.7 Legacy Series / Re: Installation failure
December 18, 2015, 04:32:42 PM
Quote from: weust on December 18, 2015, 04:23:53 PM
Because you have a console connect. Why screw around with a serial cable to your hypervisor (imagine having a bunch of nodes in a cluster)?

It's much easier to access a bunch of nodes via serial access (which is in fact virtual and not a physical one) than needing awkward tools like VNC to access the console of a VM... ;)


Anyway... I've skipped through the installer errors, and now the system obviously is a bit messed up. Anyone else had these error messages before? As already mentioned, it happens with KVM and also with VMware Workstation. So I'm wondering if I'm the only one having them...
#62
15.7 Legacy Series / Re: Installation failure
December 18, 2015, 03:36:35 PM
Quote from: weust on December 18, 2015, 03:11:42 PM
Since you're using a Virtual Machine, don't use the Serial image.
Why not? Is there a technical reason for this?


I've tried the ISO previously, but with similar (un)success (see attachment).
The ISO seems to be consistent, at least the bz2 file matches the SHA256 hash.
#63
15.7 Legacy Series / Installation failure
December 18, 2015, 02:45:04 PM
Hi,
I'd like to install OPNsense into a VM, but the installer (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) runs into troubles:

Flow executing -> main/install/format_disk (Format Disk)
,-<<< Executing `/usr/local/installer/cleargpt.sh vtbd0'
| gpart: Device busy
| gpart: Invalid value for 'i' argument: Invalid argument
| gpart: Device busy
`->>> Exit status: 0
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1
[Fri Dec 18 13:25:06 2015]
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1
[Fri Dec 18 13:25:09 2015]
,-<<< Executing `/sbin/fdisk -I vtbd0'
| ******* Working on device /dev/vtbd0 *******
| fdisk: /boot/mbr: Device not configured
`->>> Exit status: 1


I'm using KVM, but have a similar error on VMware Workstation.
#64
15.7 Legacy Series / Re: Default Deny Rule IPv6
December 18, 2015, 08:41:36 AM
That's really weird... I assume vr0 is your LAN interface? Then the rule
pass in quick on vr0 inet6 all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
should match and allow the traffic...

Are you positive that the shown log in the screenshot is actually the reason for the connection timing out? Maybe it was a previous error (date/time?) and the current problem lies somewhere else?
#65
15.7 Legacy Series / Re: Default Deny Rule IPv6
December 17, 2015, 07:11:23 PM
Did you apply the pending firewall rule changes?
Could you post the output of the command "pfctl -sr" if you have console/SSH access, please. If not easily possible, please post a screenshot of the floating rules.
I can see that you have two WAN interfaces. Does the firewall have the right interface as default gateway?
#66
Thanks for your input, Ad!
#67
Development and Code Review / Status display of MVC apps
December 15, 2015, 09:20:15 AM
Hi,

I'd like to show some status information of an MVC app within the GUI (e.g. interface IP, sent/received bytes, etc.). I am planning to accomplish that through a script, which gets called by configd and returns the status info (as a JSON string). The configd action is being triggered by the service controller and the view requests the status info through the service controller, and then populates the corresponding layout.
Does that sound reasonable, or is there a better way to display status information of a service?

A downside of this construct is that the script delivering the status information does not have any well-defined (e.g. XML-defined) model. The information passed between the script and the view is "loose" JSON objects. Is there any intended concept for defining models for external (Python) scripts?


Thanks,
Manuel
#68
Thanks for your responses, Ad, Franco.

I agree with your point of view on the topic, but would like to add something regarding

Quote from: franco
Managed services and manual services for the same service / binary cannot coexist (rather killall vs. kill by pid).
The reason why I prefer killing specific PIDs rather than a bunch of processes is not that managed and unmanaged services can coexist, but more that some services for instance use forking mechanisms (I recall Apache httpd right now, for instance) to distribute requests or implement a (weird) service architecture. When killing these processes, starting maybe with a random child process, the service will quite surely not shut down gracefully.

Regards,
Manuel
#69
Hi,
what's the recommended way to stop services using configd? Keeping in mind that rc scripts refuse to work if the corresponding service is not enabled, simply executing /usr/local/etc/rc.d/<service> stop is not sufficient.

In the Proxy plugin it was done by calling killall squid after trying to execute rc.d/squid stop, but why did you actually use killall to "stop" squid instead of executing /usr/local/etc/rc.d/squid onestop? Is there a side-effect in using the "onestop" action? I'd say a completely clean mechanism should not kill all instances, but should only kill the instance stored in the service's pid-file...

Also for querying the service status, maybe using "onestatus" instead of "status" would allow recognizing e.g. a hanging or still running process, even if the service has already been disabled. Right now, if the service is not enabled, OPNsense always assumes that the process behind the service is not running, which in fact is not always the case.

Thanks,
Manuel
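A pid-file based stop of the kind argued for in posts #68 and #69, as an added POSIX sh example; it is not OPNsense, configd or rc.d code, and the function names stop_by_pidfile and alive are this example's own. It signals only the pid recorded in the file, and refuses to signal a pid whose command name does not match the expected daemon (a stale pid file may point at an unrelated process by now).

```shell
#!/bin/sh
# Added example (not OPNsense/configd/rc.d code): stop a service by the pid
# recorded in its pid file instead of "killall <name>". Signalling the
# recorded parent lets a forking daemon shut its children down in order.
#
# Return codes: 0 stopped (or stale pid file cleaned up), 1 nothing to stop,
# 2 pid belongs to a different program (refused), 3 TERM ignored, KILL sent.

# True while the pid exists and is not a zombie (a zombie still answers kill -0).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case $(ps -o stat= -p "$1" 2>/dev/null) in
        *Z*) return 1 ;;
    esac
    return 0
}

stop_by_pidfile() {
    pidfile=$1 expect=$2 timeout=${3:-10}

    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;        # not a number: unusable pid file
    esac

    if ! alive "$pid"; then
        rm -f "$pidfile"                 # stale entry, process already gone
        return 0
    fi

    # Compare the running command name (basename, as ps reports it) with the
    # daemon we expect to manage; never signal a recycled pid.
    comm=$(ps -o comm= -p "$pid" 2>/dev/null | sed 's/^ *//;s/ *$//')
    [ "$comm" = "$expect" ] || return 2

    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while alive "$pid"; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            kill -KILL "$pid" 2>/dev/null   # last resort, not graceful
            return 3
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}
```

Usage: `stop_by_pidfile /var/run/squid.pid squid 15`; a non-zero return tells the caller whether there was nothing to stop, the pid was refused, or the daemon had to be killed hard.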
#70
15.7 Legacy Series / Re: State table problem
December 08, 2015, 03:46:29 PM
Hi Maarten,
pf (the firewall behind the OPNsense GUI) by default applies states on a floating interface basis:

Code (pf.conf(5)):
     set state-policy
           The state-policy option sets the default behaviour for states:

           if-bound     States are bound to interface.
           floating     States can match packets on any interfaces (the
                        default).


So unless something like set state-policy if-bound is specifically defined for a firewall rule, the states can float between interfaces and therefore the state is recorded for all interfaces.

Unfortunately I think it's not possible to set up this kind of rules in OPNsense. So I would say that the interface column of the state table is without any function at the moment...
#71
Development and Code Review / Coding guidelines
December 07, 2015, 08:02:50 AM
Are there any coding guidelines for OPNsense? The forked pfsense code does not seem to have any guidelines (e.g. indents vary in tabs and spaces, single if statements used with and without curly braces, etc.)... Currently the code is a mix between different coding styles, it seems.

If one adds code to existing files, should the style of the file be adopted, or is there an OPNsense recommendation to apply? Shall existing files be adapted to a consistent style in future?
#72
Quote from: giovino on November 30, 2015, 06:10:13 PM
I like mf's suggestion (e.g. do not hide the implicit rules behind the scene). Of course this is probably easier said than done ;)

I've created a PR for that specific implicit rule: #503. Of course there might be several additional implicit rules, but it's a beginning... ;)
#73
15.7 Legacy Series / New menu structure and DNS services
December 04, 2015, 11:28:30 PM
I really like the new menu structure, which e.g. unifies the DHCP Relay and the DHCP Server. But is there a specific reason why the different DNS services were not put together into one sub-menu? I guess the DNS Filter, DNS Forwarder, DNS Resolver, and maybe even the Dynamic DNS services might go into one DNS menu, which then has sub-items for Filter, Forwarder, Resolver, and Dynamic DNS.
#74
The IPsec tunnel settings (see attachment) have six columns for each P1 entry: IKE, Remote Gateway, Mode, P1 Protocol, P1 Transforms, and P1 Description. I don't understand the columns P1 Protocol and P1 Transforms:
The P1 Protocol column shows the P1 encryption algorithm, so why the name P1 Protocol? The column P1 Transforms should show the P1 authenticity algorithm (but currently it does not show it, I guess due to a bug?), but typically I know the term proposal as a combination of all cryptographic algorithms and settings, so I personally would expect e.g. "AES (128 bits), SHA-256" in the P1 Proposal column.

Maybe the P1 Protocol column should show something regarding the chosen key material, like PSK or RSA? But then, still a better name should be chosen... ;)
#75
Thanks for your recommendation, Frank!

What kind of storage do you use in your boards?