Messages - Taomyn

121
20.7 Legacy Series / Re: Geo IP Alias and Firewall block not working all the time
« on: December 03, 2020, 01:51:22 pm »
I've been staring at the rule I use for this and I'm at that point where I'm not understanding what I am doing - overthinking the whole thing, and it's giving me a headache.


So to step back, what's the best rule to use to block all inbound external traffic that is not in my alias of allowed countries, and on which firewall interface is the rule located? I.e. a working example please  ;D


As an alternative to blocking, something else I've been unable to achieve is a rule that instead redirects the traffic to a specific device in my DMZ.

122
Development and Code Review / Re: Maxmind GeoIP Alternative - IP2Location
« on: December 02, 2020, 03:29:47 pm »
The Lite version from IP2Location is what I was referring to, sorry, but the file is not the same format so I don't think it's a straight swap.

123
20.7 Legacy Series / Re: Geo IP Alias and Firewall block not working all the time
« on: November 28, 2020, 02:18:29 pm »
Quote from: Plaidy on November 27, 2020, 02:12:34 pm
The way you explained it, it sounds like it's working as expected. That you have an Alias with only say USA IPs in it and then an inverse source rule that if the source is not a USA IP address it is blocked. That IP from say Mexico would not be in the list for the USA in the maxmind db or your rule set. You may have meant something else but that is what I understood.


No, I think I wrote it correctly. I have an alias list with the US plus some EU countries, so "US, CA, UK, DE, BE, FR", and as you say the rule is inverted on the source, so when an IP from RU or CN comes in it should be blocked - but it doesn't always. My server continues to receive the occasional hit from RU and other countries not on the list, and when I check the IPs they're not under their respective country, so to me it's like they get included regardless.

124
Development and Code Review / Re: Maxmind GeoIP Alternative - IP2Location
« on: November 26, 2020, 10:22:05 am »
+1 to be able to switch to IP2Location, as I too have confirmed that Maxmind's "Lite" database is missing some information, e.g. I block RU and I am seeing mail from there hitting my mail server. Checking the CSV files, the particular subnet is not being mapped to any location.

125
20.7 Legacy Series / Re: Geo IP Alias and Firewall block not working all the time
« on: November 26, 2020, 10:18:44 am »
I don't know if this is the exact same issue I am having, but I'm seeing mail traffic hitting my mail server which should be blocked by my GeoIP alias i.e. anything not in the alias should be blocked.

When I check the IP using a general IP Location website I confirm that it's from a "blocked" country but when I check the Maxmind GeoLite2 files the subnet is not present. Checking the full database at Maxmind confirms the same, that the GeoLite2 data is simply missing the subnet so it doesn't get blocked.


Has anyone been able to replace Maxmind with anything else? I can see that IP2Location has my example subnet listed so it would block it, but I have no idea if we can use their data instead.

126
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: November 21, 2020, 04:05:03 pm »

I'm afraid it doesn't seem to work, I still only get the IP - I tried restarting the Unbound service and it still did the same.

Quote from: allebone on November 21, 2020, 05:44:19 am
I haven't tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query eg: 192.168.1.20 (assuming that is IP of DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN, or it would be possible to fingerprint devices behind your network and perform a NAT pinning attack. You can ensure this is the case by making sure only LAN is selected for Unbound to run on and ensuring 53 is not open on your firewall.

127
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: November 20, 2020, 07:35:14 pm »
Quote from: mayo on November 20, 2020, 05:06:00 pm
Hi Taomyn,
did you resolve this issue? I didn't find anything about it... Thank you in advance!


No, no-one else replied, so I'm still waiting on an answer.

128
Intrusion Detection and Prevention / Re: DNS over HTTPS - any way to block?
« on: October 30, 2020, 05:00:43 pm »
Quote from: devilkin on October 30, 2020, 04:42:45 pm
Could you share the URL you're using as a source?


Sorry, sure it's https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt from https://discourse.pi-hole.net/t/doh-dns-over-https-ip-block-list-s/30393

129
Intrusion Detection and Prevention / Re: DNS over HTTPS - any way to block?
« on: October 30, 2020, 02:07:22 pm »
I'd forgotten about this thread; I've been using a firewall alias:

130
20.7 Legacy Series / Re: UPnP stops responding when connection cleared
« on: October 16, 2020, 08:57:11 am »
Quote from: packet loss on October 15, 2020, 09:52:34 pm
The miniupnpd conf file is located at:

/var/etc/miniupnpd.conf

The file is autogenerated from the miniupnpd.inc file located at:

/usr/local/etc/inc/plugins.inc.d/miniupnpd.inc

While working with miniupnpd I discovered that after clearing the "all currently connected sessions" the status page would be cleared but miniupnpd was actually still responsive. For instance, after restarting my Xbox, 2 entries would show up on the status page. Otherwise nothing would show. What's happening is that a device on a network that uses UPnP needs to make a port request and miniupnpd will add a port mapping for the UPnP device. If my Xbox already made the request, it doesn't make another one until I've rebooted it. It may make another request if I play a different game. I haven't tested this. I've tested this with pfSense as well. Same results.


Thanks, but as also reported in the Github issue I logged, that isn't my experience - the connection is cleared and nothing after that can make a new UPnP again until I disable then enable the plug-in.

131
20.7 Legacy Series / Re: UPnP stops responding when connection cleared
« on: October 15, 2020, 08:05:50 pm »
Anyone?


Perhaps someone can tell me where the config is stored so that when I try a reinstall of the plug-in I get a full clean setup and not still have my old settings.

132
20.7 Legacy Series / UPnP stops responding when connection cleared
« on: October 05, 2020, 11:09:30 am »
Is anyone else having issues with the UPnP service? I reported it here https://github.com/opnsense/plugins/issues/1988 but basically:

Quote
When connections are cleared in the UPnP service, it then no longer responds to any new requests either for new connections or even a status. To clear the condition I am forced each time to disable UPnP and then re-enable it - even a restart of the service fails.


133
General Discussion / NAT rules vs Firewall rules, order of precedence
« on: October 02, 2020, 08:32:55 am »
I'm trying to wrap my head around how the different rules get interpreted and prioritised but I get nowhere. I want to set up various rules that redirect specific traffic based on host and network aliases, but also on a GeoIP one. Basically this:

if inbound host in host_block_alias redirect to machine_x
if inbound host in network_block_alias redirect to machine_x
if inbound host not in allowed_geoip_alias redirect to machine_x


So I have created 3 new inbound NAT rules for the WAN interface, and the rules it generated are similar to

allow inbound SMTP to machine_y
allow inbound http/https to machine_y
allow inbound ssh to machine_z
allow inbound host_block_alias to machine_x
allow inbound network_block_alias to machine_x
allow inbound not allowed_geoip_alias to machine_x


The NAT rules look something like

NAT port SMTP to machine_y
NAT port http/https to machine_y
NAT port ssh to machine_z
NAT all ports for host_block_alias to machine_x
NAT all ports for network_block_alias to machine_x
NAT all ports not for allowed_geoip_alias to machine_x


But the next part is what then confuses me - I need to allow SMTP from anywhere except the host and network i.e. it needs to be excluded from the GeoIP rule, and no matter what I do the GeoIP rule still blocks SMTP traffic from IPs in its list.

I've tried different combinations of ordering either or both the NAT and firewall rules and nothing helps. The following seems logical to me but it doesn't work:

allow inbound SMTP to machine_y
allow inbound host_block_alias to machine_x
allow inbound network_block_alias to machine_x
allow inbound not allowed_geoip_alias to machine_x
allow inbound http/https to machine_y
allow inbound ssh to machine_z


NAT port SMTP to machine_y
NAT all ports for host_block_alias to machine_x
NAT all ports for network_block_alias to machine_x
NAT all ports not for allowed_geoip_alias to machine_x
NAT port http/https to machine_y
NAT port ssh to machine_z


What am I misunderstanding about the rules and their precedence?

134
20.7 Legacy Series / Re: Is TLS 1.3 possible now?
« on: September 26, 2020, 12:56:46 pm »
So I finally bit the bullet this week and switched to the OpenSSL build, and lo and behold I have TLS 1.3 available.

135
20.7 Legacy Series / Re: HAProxy failing to redirect some sites
« on: September 24, 2020, 09:00:15 pm »

I finally got around to switching from LibreSSL to OpenSSL then rebooted for good measure, and can report that from internal all the sites that were failing to work are now all fine again.


I did first try upgrading to 20.7.3 but that itself made no difference.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved