OPNsense Forum
Messages - Manxmann

16
16.1 Legacy Series / Re: I must be going nuts - Port Forwarding not working
« on: July 31, 2016, 09:08:03 pm »
Ok still no luck with 16.1/7, apologies for what I'm about to say :)

I've installed pfSense 2.3.2 and that works like a charm as well, so I'm lost.

17
16.1 Legacy Series / I must be going nuts - Port Forwarding not working
« on: July 30, 2016, 11:43:05 pm »
Hey Folks,

I'm just setting up a small VM server for a gaming convention, nothing I haven't already done but for the life of me I can't seem to get this simple thing working.

So system is as follows.

XenServer 7.0, HP DL380 G5, Xeon L5420
2 NICs (1 dedicated to management, 1 VM trunk) + 1 'Internal' network hosted within the XenServer

2 VMs:
1/ Debian Jessie running an SSH server, 1 NIC connected to the 'internal' network.
2/ OPNsense 16.1 (also tried 16.7), 2 NICs (1 x trunk, 1 x 'internal')

TOE disabled on ALL virtual and physical NICs on the XenServer and also within the OPNsense VM itself.

Network plan:
<Client> ----- <trunk net 172.16.10.0/24> ----- < Nic1 Firewall VM Nic2> ------- <Internal Net 192.168.111.0/24> ----- <Debian server>

Default install of OPNsense, no mods to rules / NAT etc.

So all I want to do is set up a simple port forward from the external NIC1 of the FW, port 22, to the same port on the internal Debian server, but it simply doesn't work.

The WAN (NIC1) on the FW has block private networks turned OFF.
1 port forward rule, auto FW rule.
I've tried adding a 2nd Virtual IP to the WAN.

Looking at the FW logs the traffic is 'passed' by the FW; running tcpdump on the Debian server I can see the incoming request and the reply.

The state table of the firewall shows two entries:

ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
ALL TCP 172.16.10.112:58457 -> 192.168.111.100:22 ESTABLISHED:SYN_SENT

The state entries stay like this until purged from the table, i.e. the 3-way handshake never completes.

I already have pretty much exactly this configuration (WAN is a public IP subnet, but other than that the same) up and running on my main home VM platform with no issues, so I know it can work.

So, thinking there must be a VM host platform issue or switch issue (this is a new server for just this job after all), I checked everything a dozen times over and couldn't find a problem. Out of desperation I built a new VM, this time installing a Linux-based UTM/firewall platform (Sophos/Astaro UTM). Using this software with the exact same VM guest configuration for NICs/disks/IPs etc. everything works first time and I can access the server's SSH instance from the client.

I've tried 16.7 with no luck; totally flummoxed, suggestions?

About to try an alternate VM Platform but as I say it works perfectly on my home server.
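The two state-table entries quoted in the post above are the most useful diagnostic in it: a port forward leaves one state on the WAN side and one on the LAN side for the same client connection, and when neither ever reaches ESTABLISHED:ESTABLISHED the handshake is not completing through pf. The following is an added example (not code from the post or from OPNsense) that parses state lines in the layout shown in the post and groups the TCP states by initiating endpoint, so that a stuck forwarded connection shows up as one client with only half-open states. It assumes the column layout quoted above (interface, protocol, local address, optional translated address in parentheses, direction arrow, remote address, src:dst state); the sample input is the two lines from the post plus one constructed healthy state for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One state-table line, in the layout quoted in the post above
# (OPNsense states view / pfctl -ss style); layout is an assumption:
#   ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<local>\S+)"                      # address[:port] the state is keyed on
    r"(?:\s+\((?P<nat>[^)]+)\))?"          # optional translated address in parentheses
    r"\s+(?P<direction><-|->)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?P<src_state>[A-Z_]+):(?P<dst_state>[A-Z_]+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    local: str
    nat: Optional[str]
    direction: str
    remote: str
    src_state: str
    dst_state: str

    @property
    def initiator(self) -> str:
        # pf prints "->" for states created by outbound traffic (left side is
        # the initiator) and "<-" for inbound traffic (right side initiated).
        return self.local if self.direction == "->" else self.remote

    @property
    def established(self) -> bool:
        return self.src_state == "ESTABLISHED" and self.dst_state == "ESTABLISHED"


def parse_states(text: str) -> List[PfState]:
    """Parse state-table lines; lines that do not match the layout are ignored."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(PfState(**m.groupdict()))
    return states


def stuck_forwards(states: List[PfState]) -> Dict[str, List[PfState]]:
    """Group TCP states by the endpoint that opened the connection and keep
    only the groups in which no state reached ESTABLISHED on both sides.
    For a port forward that means both the WAN-side and the LAN-side state
    for one client stayed half-open: pf never saw the handshake complete."""
    by_client: Dict[str, List[PfState]] = defaultdict(list)
    for s in states:
        if s.proto.upper() == "TCP":
            by_client[s.initiator].append(s)
    return {c: grp for c, grp in by_client.items()
            if not any(s.established for s in grp)}


# Sample input: the two entries quoted in the post, plus one constructed
# fully established state (not from the post) to show it is filtered out.
SAMPLE_STATES = """\
ALL TCP 192.168.111.100 (172.16.10.90) <- 172.16.10.112:58457 SYN_SENT:ESTABLISHED
ALL TCP 172.16.10.112:58457 -> 192.168.111.100:22 ESTABLISHED:SYN_SENT
ALL TCP 192.168.111.100:443 (172.16.10.90:443) <- 172.16.10.50:40001 ESTABLISHED:ESTABLISHED
"""


if __name__ == "__main__":
    for client, grp in stuck_forwards(parse_states(SAMPLE_STATES)).items():
        print(f"client {client}: handshake never completed through pf")
        for s in grp:
            via = f" ({s.nat})" if s.nat else ""
            print(f"  {s.iface} {s.local}{via} {s.direction} {s.remote} "
                  f"{s.src_state}:{s.dst_state}")
```

Run it against a pasted copy of the states view (or `pfctl -ss` output, if the columns match) while the client retries the connection; a client that keeps appearing in the stuck list with both states present tells you pf is creating the translation but the return half of the handshake is not being matched to it, which narrows the search to the path the reply takes back to the firewall rather than to the NAT rule itself.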

18
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: July 29, 2016, 12:30:37 pm »
Ok, I've regressed Suricata back to 3.0.2 as per the 16.1.x release stream, as suggested, and also re-enabled IPS mode.

I'm just over an hour in and so far everything seems to be working fine.

root@XEN-FW:~ # suricata --build-info
This is Suricata version 3.0.2 RELEASE
Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 NETMAP HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_LIBJANSSON TLS
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible FreeBSD Clang 3.4.1 (tags/RELEASE_34/dot1-final 208032), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.20, linked against LibHTP v0.5.20

Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            yes
  Netmap support:                          yes
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         yes
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no

  Suricatasc install:                      no

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /var

  Host:                                    amd64-portbld-freebsd10.2
  Compiler:                                cc (exec name) / clang (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -O2 -pipe  -fstack-protector -fno-strict-aliasing -DOS_FREEBSD
  PCAP_CFLAGS
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

19
16.7 Legacy Series / Re: Upgrading to 16.7, known issues and workarounds
« on: July 28, 2016, 02:37:52 pm »
Suricata still crashes for me when IPS mode is disabled.


20
16.7 Legacy Series / Re: Suricata crashes following upgrade to 16.7
« on: July 28, 2016, 02:08:00 pm »
Certainly would :)


21
16.7 Legacy Series / Suricata crashes following upgrade to 16.7
« on: July 28, 2016, 01:17:55 pm »
Hi Folks,

My first post :)

Firstly many thanks to the devs for a fantastic firewall platform!

Ok, my problem: I've been running 16.1.x for some time now under XenServer 6.5 and latterly 7.0 and it's been working like a charm.

This morning I upgraded from 16.1.20 to 16.7, everything appeared to go well and the dashboard now reports:

OPNsense 16.7-amd64
FreeBSD 10.3-RELEASE-p5
OpenSSL 1.0.2h 3 May 2016

However I have a problem in that Suricata now no longer runs, crashing shortly after starting.

My config is as follows:

IDS is 'enabled' and IPS mode turned on.

I have one monitor interface defined 'WAN' which is a standard ethernet port with a static IP address.

Pattern matcher is AHO

As far as rules go, I have the following rules enabled.

%YAML 1.1
---
rule-files:
 - compromised.rules
 - emerging-exploit.rules
 - modbus-events.rules
 - smtp-events.rules
 - dns-events.rules
 - emerging-malware.rules
 - app-layer-events.rules
 - OPNsense.rules
 - emerging-pop3.rules
 - emerging-scan.rules
 - emerging-trojan.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
 - abuse.ch.sslblacklist.rules
 - abuse.ch.sslipblacklist.rules
 - abuse.ch.dyre_sslipblacklist.rules
 - abuse.ch.feodotracker.rules

If I manually start suricata from the cmd line I get the following:

root@XEN-FW: # /usr/local/bin/suricata --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
28/7/2016 -- 11:37:09 - <Info> - Including configuration file installed_rules.yaml.
Illegal instruction (core dumped)

I have tried disabling all the user-selectable rules with no success.

root@XEN-FW:/var/log # cat suricata.log
28/7/2016 -- 11:37:09 - <Notice> - This is Suricata version 3.1.1 RELEASE
28/7/2016 -- 11:37:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

dmesg:

pid 80601 (suricata), uid 0: exited on signal 4 (core dumped)
125.869766 [ 798] generic_netmap_dtor       Restored native NA 0
236.646486 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.659997 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
236.673112 [ 798] generic_netmap_dtor       Restored native NA 0
236.688968 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.702597 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
236.716042 [ 798] generic_netmap_dtor       Restored native NA 0
236.729174 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
236.742635 [ 274] generic_find_num_queues   called, in txq 0 rxq 0

Any help greatly appreciated :)
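The one line in the dmesg output above that matters is `pid 80601 (suricata), uid 0: exited on signal 4 (core dumped)`: on FreeBSD signal 4 is SIGILL, the CPU faulting on an instruction it does not implement, which is a different failure from the SIGSEGV/SIGABRT crashes a bad rule file would produce. The following is an added example (not code from the post or from OPNsense/Suricata) of the check an operator would want after an upgrade: parse FreeBSD kernel signal-exit messages, name the signal using the FreeBSD numbering, and flag any daemon that keeps dying on the same fatal signal. The regex assumes the message layout quoted above; the sample input is the line from the post plus constructed lines (extra suricata exits, one unrelated daemon, and the netmap lines from the post, which are correctly ignored).

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# FreeBSD kernel message for a process killed by a signal, as quoted above:
#   pid 80601 (suricata), uid 0: exited on signal 4 (core dumped)
# The exact layout is assumed from that line.
EXIT_RE = re.compile(
    r"^pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<signum>\d+)(?: \((?P<detail>[^)]*)\))?\s*$"
)

# FreeBSD signal numbers (they differ from Linux for SIGBUS/SIGSYS etc.,
# so the host's signal module is deliberately not used).
FREEBSD_SIGNALS = {
    1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP",
    6: "SIGABRT", 7: "SIGEMT", 8: "SIGFPE", 9: "SIGKILL", 10: "SIGBUS",
    11: "SIGSEGV", 12: "SIGSYS", 13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM",
}


@dataclass
class SignalExit:
    pid: int
    name: str
    uid: int
    signum: int
    core_dumped: bool

    @property
    def signame(self) -> str:
        return FREEBSD_SIGNALS.get(self.signum, f"SIG{self.signum}")


def parse_dmesg(text: str) -> List[SignalExit]:
    """Extract signal-exit records; every other dmesg line is ignored."""
    exits = []
    for line in text.splitlines():
        m = EXIT_RE.match(line.strip())
        if not m:
            continue
        exits.append(SignalExit(
            pid=int(m["pid"]), name=m["name"], uid=int(m["uid"]),
            signum=int(m["signum"]),
            core_dumped=(m["detail"] or "").startswith("core dumped"),
        ))
    return exits


def crash_summary(exits: List[SignalExit]) -> Dict[str, Counter]:
    """{process name: Counter({signal name: count})}."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for e in exits:
        summary[e.name][e.signame] += 1
    return dict(summary)


def crash_loops(exits: List[SignalExit], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Processes that died on the same signal at least `threshold` times:
    a daemon being restarted by the system and falling over the same way
    each time, as Suricata does in the post above."""
    return [(name, sig, n)
            for name, c in crash_summary(exits).items()
            for sig, n in c.items() if n >= threshold]


# Sample input: the real line from the post, constructed repeats with other
# pids, one constructed unrelated daemon, and two netmap lines from the post.
SAMPLE_DMESG = """\
pid 80601 (suricata), uid 0: exited on signal 4 (core dumped)
125.869766 [ 798] generic_netmap_dtor       Restored native NA 0
pid 80644 (suricata), uid 0: exited on signal 4 (core dumped)
236.646486 [ 266] generic_find_num_desc     called, in tx 1024 rx 1024
pid 80702 (suricata), uid 0: exited on signal 4 (core dumped)
pid 80755 (suricata), uid 0: exited on signal 4 (core dumped)
pid 81010 (demo-daemon), uid 65534: exited on signal 11 (core dumped)
"""


if __name__ == "__main__":
    for name, sig, n in crash_loops(parse_dmesg(SAMPLE_DMESG)):
        print(f"{name}: {n} exits on {sig}")
```

On a live box the input is `dmesg -a` (or /var/log/messages, where the same text is logged by the kernel). A repeated SIGILL from one binary after an upgrade points at the binary being built for CPU features the (virtual) CPU does not present, not at configuration, and is the kind of signal worth correlating with the `suricata --build-info` output and the hypervisor's CPU model before touching rule sets.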

OPNsense is an OSS project © Deciso B.V. 2015 - 2021 All rights reserved