Messages - Wayne Train

106
17.7 Legacy Series / OS-Detection in Firewall-Rules
« on: November 09, 2017, 12:06:46 pm »
Hi,

I want to use the OS-Detection feature in certain firewall-rules. Does anyone know what I need to choose for Android and iOS devices?
And what about Linux? There is just "Linux" and variants like "Linux 3.0" and so on. Am I right to interpret that just "linux" will match with all kernel versions, while for example "linux 3.0" only matches to kernel version 3 OS?

I need to restrict access from mobile devices and therefore search for any matching criteria to build a rule upon.

Kind regards,
Wayne



107
17.1 Legacy Series / Re: sysctl net.pf.share_forward=0 breaks captive portal redirection
« on: October 19, 2017, 11:13:06 am »
Hi,
so if I understand it correctly, the redirect to captive portal is broken if I run OPNsense in a HA-Cluster with Virtual IPs?
Or is there any workaround till now?
Best regards,
Wayne

108
General Discussion / Re: Captive portal page not found
« on: October 19, 2017, 10:46:00 am »
Any news on this?
If I connect to the guest network with Firefox 56.0.1 on OPNsense 17.7.5-amd64, I'm not redirected to the captive portal login page if I enter something in the address bar. Bart mentioned this could be because of https. Is there any way to make the Captive Portal use https?

And I also have another question:

Is it possible to make the captive portal run on my virtual CARP IP and not on the interface itself?

Thanks a lot,
Wayne

109
16.7 Legacy Series / Re: Captive portal redirect page
« on: October 19, 2017, 10:38:56 am »
Hi,
I found the part in index.html. But I don't really understand what to modify to be redirected for example to https://site.tld.
Any idea?
Cheers,
Wayne

110
16.1 Legacy Series / Re: Captive Portal not Redirecting
« on: October 19, 2017, 10:32:35 am »
Hi,
any news on this topic?
How did you solve the issue to make the redirect working?
Best regards,
Wayne

111
17.7 Legacy Series / Re: Insight / Netflow wrong interface order
« on: October 13, 2017, 09:26:17 am »
Hi Franco,
I just rebooted the Master-FW and now the interface order is correct. Maybe this could also have been achieved by restarting the network on the CLI, but I was afraid that this would lead to flapping interfaces in my FW-cluster.
I'll mark the post as "SOLVED" now.
Thanks a lot.

112
17.7 Legacy Series / Re: Insight / Netflow wrong interface order
« on: October 11, 2017, 09:44:03 am »
Ok. So you think after rebooting the box, the issue is gone?
That would match my theory, because a few days ago I rebooted the failover-node and since then netflow is working correctly.
I'll try this tomorrow morning and post what happened. I don't think I'm the only one experiencing this behaviour.
Thanks a lot.
Best regards,
Wayne

113
17.7 Legacy Series / Re: TLSv1.2 only
« on: October 11, 2017, 09:38:11 am »
Right, I did the scanning from the internal network. And besides that: I think there's nothing wrong with posting in English in an "English forums" section ;-)

Best regards,
Wayne

114
17.7 Legacy Series / Re: Insight / Netflow wrong interface order
« on: October 09, 2017, 10:35:33 am »
Any ideas on this?

115
17.7 Legacy Series / TLSv1.2 only
« on: October 09, 2017, 10:16:32 am »
Hi,
is there any possibility to enable TLSv1.2 only on OPNsense?
If I scan my box with default crypto-settings it shows:

Quote
BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2

 LUCKY13 (CVE-2013-0169)                   VULNERABLE, uses cipher block chaining (CBC) ciphers

By simply disabling any CBC-cipher, it would be possible to prevent LUCKY13-attacks, but where can I disable TLSv1.0 and TLSv1.1 completely?

Thanks in advance.

116
17.7 Legacy Series / [SOLVED] Insight / Netflow wrong interface order
« on: October 05, 2017, 02:20:53 pm »
Hi,
I'm experiencing a very strange behaviour: If I tell Netflow to listen on WAN, SYNC, VLAN1, VLAN2 and VLAN3, the presentation of Insight is wrong. For example: If I select the interface VLAN1 it displays the sources of VLAN3.
Is there any way to fix this issue?
I have 11 interfaces in total, but opt1 (AMT) is not configured and 8 of 10 interfaces are VLANs on a lagg-interface.
Any idea?
Best regards,
Chris

117
17.7 Legacy Series / SOLVED: Re: Grou Applications / Protocols ?
« on: October 05, 2017, 02:12:31 pm »
Ok,
thank you Franco.
Best regards,
Chris

118
17.1 Legacy Series / Re: User activity Logs
« on: October 05, 2017, 02:11:28 pm »
Really?
That's really sad... I think if Orwell was living nowadays he'd be completely shocked.

119
German - Deutsch / Transparent proxy without TLS interception
« on: August 10, 2017, 01:18:48 am »
Hi,
what I don't quite understand in the wiki: Do I really have to break TLS in order to use the web proxy on 443 as well? Do the blacklists not work with TLS? The TLS handshake has to take place first, and if the filter list takes effect at that point, I can deny the access. Or am I making a mistake in my reasoning?
Kind regards,
Wayne

120
17.7 Legacy Series / Grou Applications / Protocols ?
« on: August 10, 2017, 01:13:42 am »
Hi,
some time ago I used Palo Alto's PANOS and they had a very nice feature: One could define an application list that contains all permitted apps of the zone. After that, only this list got referenced in a firewall rule. With this approach it was very easy to reduce large rulesets to a few rules, which made it easier to read. Is there something similar on OPNsense?
Best regards,
Wayne.
