OPNsense Forum
Messages - labsy

16
Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?
« on: December 07, 2019, 11:03:39 pm »
Hi,

I have a kind of smart FW rule, made of IP addresses collected from numerous web sites (Joomla and WordPress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (MySQL) and inject them via a TXT table into a firewall ALIAS table.
If anyone interested, here's the list: http://secureit.si/lockouts/list.php

Now I want to check if the firewall is really blocking these IPs.
Where can I see the LOGS to tell if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?
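One way to answer the question above, as an added example that is not part of the thread and not OPNsense project code: cross-check the alias table as pf loaded it against the firewall log. OPNsense keeps a copy of every URL Table alias in /var/db/aliastables/<alias>.txt (one entry per line), `pfctl -t <alias> -T show` prints the live pf table, and rules with logging enabled write CSV lines via filterlog into the firewall log (Firewall --> Log Files --> Live View in the GUI; on the 19.x series the file is /var/log/filter.log). The alias name "AttackerIPs", the WAN interface name "vmx0", the rule ids and every log line below are constructed samples in those formats; the field positions are those of pf's filterlog layout for IPv4 entries.

```python
"""Check that a block rule fed by a URL Table alias is actually firing.

Added example; not code from the thread or from OPNsense. Inputs are constructed:
a copy of an alias table file and a few syslog lines in pf filterlog CSV format.
"""
import ipaddress

# Constructed stand-in for /var/db/aliastables/AttackerIPs.txt (alias name assumed)
ALIAS_TABLE_TEXT = """\
203.0.113.7
198.51.100.20/31
"""

# Constructed filterlog lines. Field layout (IPv4): rulenr,subrulenr,anchor,label,
# interface,reason,action,direction,ipversion,tos,ecn,ttl,id,offset,flags,
# proto-id,proto-name,length,src,dst, then for tcp/udp: sport,dport,...
FILTER_LOG_LINES = [
    "Dec  7 22:58:01 fw filterlog: 92,,,3c6a7b1e3f4d5a6b,vmx0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.200,51234,443,0,S,1122334455,,29200,,mss;sackOK;TS;nop;wscale",
    "Dec  7 22:58:05 fw filterlog: 71,,,9a8b7c6d5e4f3a2b,vmx0,match,pass,in,4,0x0,,49,0,0,DF,6,tcp,60,198.51.100.21,198.51.100.200,40022,22,0,S,99887766,,65535,,mss;sackOK;TS;nop;wscale",
    "Dec  7 22:58:09 fw filterlog: 5,,,1000000103,vmx0,match,block,in,4,0x0,,240,0,0,none,17,udp,78,192.0.2.77,198.51.100.200,53413,1900,58",
    "Dec  7 22:58:12 fw filterlog: 80,,,2b3c4d5e6f7a8b9c,vmx1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,198.51.100.200,55000,443,0,S,1,,65535,,mss",
    "Dec  7 22:58:15 fw sshd[1234]: Accepted publickey for root from 10.0.0.5 port 50000",
]


def load_table(text):
    """Parse an alias table file: one IP or CIDR per line, blanks and # comments ignored."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_filterlog(line):
    """Parse one syslog line in pf filterlog CSV format; None if it is not an IPv4 rule entry."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    f = line[pos + len(marker):].split(",")
    if len(f) < 20 or f[8] != "4":
        return None            # IPv6 entries use a different field layout; not handled here
    proto = f[16]
    rec = {
        "rule": f[0], "label": f[3], "iface": f[4], "action": f[6], "dir": f[7],
        "proto": proto,
        "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19]),
    }
    if proto in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def in_table(ip, nets):
    return any(ip in n for n in nets)


def check_rule(table_text, log_lines, wan_iface):
    """Classify inbound WAN log entries against the alias table."""
    nets = load_table(table_text)
    hits, leaks, other = set(), set(), set()
    for line in log_lines:
        rec = parse_filterlog(line)
        if rec is None or rec["iface"] != wan_iface or rec["dir"] != "in":
            continue
        listed = in_table(rec["src"], nets)
        if listed and rec["action"] == "block":
            hits.add(str(rec["src"]))      # the alias rule did its job
        elif listed and rec["action"] == "pass":
            leaks.add(str(rec["src"]))     # listed source got in: rule order or interface problem
        elif rec["action"] == "block":
            other.add(str(rec["src"]))     # blocked, but by something other than the alias
    return {"table_entries": len(nets), "hits": hits, "leaks": leaks, "other_blocks": other}


if __name__ == "__main__":
    for key, val in check_rule(ALIAS_TABLE_TEXT, FILTER_LOG_LINES, "vmx0").items():
        print(f"{key}: {val}")
```

Two caveats when reading the result on a real box: a "pass" line for a listed source only appears if the pass rule that let it through also has logging enabled, so an empty "leaks" set is not proof on its own, and the table may simply be empty if the fetch failed, which is why the entry count is reported. For a direct membership check, `pfctl -t AttackerIPs -T test 203.0.113.7` asks pf whether an address is in the loaded table.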

17
19.7 Legacy Series / Re: Not able to update and stuck at 19.7
« on: December 05, 2019, 10:24:08 pm »
Anybody else with the same problems? Or is it just me, meaning I will need to manually re-type the whole config into a fresh install... :o

18
19.7 Legacy Series / Re: Not able to update and stuck at 19.7
« on: November 14, 2019, 09:29:04 pm »
Hi Franco,

I've faced strange behavior upon upgrading from 19.1.10 to 19.7.x. It seems like some of my configuration was misinterpreted, as a simple PING to the public internet did not work anymore. It was the same whether I upgraded the working system or did a fresh install of 19.7, updated to the latest, then imported the old config - in both cases ping to the public internet fails, and some NAT rules also stopped working... I did not have time to investigate further.

Here's my BUG report if it matters anyhow: https://github.com/opnsense/core/issues/3809

BTW: You say that this command can install fresh over what you have and preserve the existing config? Is this in any way different from a normal upgrade?
Code:
# opnsense-bootstrap

19
19.7 Legacy Series / Re: Large IP Blacklists...performance impact?
« on: May 12, 2019, 11:36:55 pm »
Actually... how can I check if the IP addresses were properly retrieved and accepted by OPNsense?
I have them in this format:
1.2.3.4
1.2.3.4
1.2.3.4
And the filename is list.php, because it is dynamic and generates a fresh list each time the file is displayed.
Is this the proper format? How do I verify?

*** EDIT ***
Solved! Found out myself!

There were 2 glitches:

1.) The web site serving the public list is behind NAT and needs Split DNS configured to be reachable from inside. In OPNsense it is under Services --> Unbound DNS --> Overrides --> Host Overrides

2.) There are actually TWO TYPES of ALIAS lists, URL and URL Table. The first one is one-time static, and only the second one is dynamic with an expiration time.
If you select the Alias Type "URL (IPs)", then it seems to load only once, and the requested format is unknown to me.
But if you select the Alias Type "URL Table (IPs)", then the format is as above and you can set an Expiration time, like 1 hour, and it will reload once per hour. Tested & working!

If anyone is interested in sharing the list, here's the link:
http://secureit.si/lockouts/list.php
I might keep it alive for quite some time.
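The feed format the post above settled on (one address per line, served dynamically and pulled by a "URL Table (IPs)" alias) is easy to produce, but a few things are worth doing before the firewall eats the list: drop rows that are not addresses, drop private ranges (a plugin behind NAT or a reverse proxy may record the proxy hop as the "attacker"), allowlist your own public addresses so a mistyped admin password never blocks your office at the edge, and collapse adjacent hosts into CIDRs, which a URL Table alias also accepts. The following is an added example, not code from the thread or from OPNsense: it assumes the lockout rows have already been pulled from the plugins' MySQL tables as (ip, timestamp) pairs and uses constructed sample rows in place of that query; the allowlist entry is likewise an assumption.

```python
"""Generate the body of a "URL Table (IPs)" feed for an OPNsense alias.

Added example, not code from this thread or from the OPNsense project. It assumes
the lockout rows were already fetched from the plugins' databases as
(ip, timestamp) pairs; SAMPLE_ROWS is a constructed stand-in for that query.
Output: one IPv4 address or CIDR per line, the format the post above found to work.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample rows (RFC 5737 documentation addresses play the attackers).
SAMPLE_ROWS = [
    ("203.0.113.7", "2019-05-12 20:10:00"),
    ("203.0.113.7", "2019-05-12 21:45:00"),    # same host locked out twice
    ("198.51.100.20", "2019-05-10 03:00:00"),
    ("198.51.100.21", "2019-05-11 03:00:00"),
    ("192.168.1.50", "2019-05-12 10:00:00"),   # private: plugin behind NAT/proxy logged the wrong hop
    ("198.51.100.99", "2019-04-01 00:00:00"),  # older than the window
    ("not-an-ip", "2019-05-12 10:00:00"),      # garbage row
    ("2001:db8::1", "2019-05-12 12:00:00"),    # IPv6: belongs in a separate alias
    ("203.0.113.8", "2019-05-12 11:00:00"),    # our own office address (see ALLOWLIST)
]
NOW = datetime(2019, 5, 12, 23, 0, tzinfo=timezone.utc)   # fixed clock for the demo

# Assumed: your own public addresses. These must never reach the block alias.
ALLOWLIST = [ipaddress.ip_network("203.0.113.8/32")]

# Ranges a web server behind NAT or a reverse proxy may record as the "attacker".
# Feeding them to the firewall would block inside hosts, so they are dropped.
# (An explicit list is used instead of IPv4Address.is_global because is_global
# also rejects the documentation ranges used in the sample data.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _covered(ip, nets):
    return any(ip in n for n in nets)


def select_addresses(rows, now=NOW, max_age=timedelta(days=7)):
    """Validate rows; keep distinct public IPv4 addresses seen inside the window."""
    keep = set()
    for ip_text, when_text in rows:
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue                                   # garbage row
        if ip.version != 4:
            continue
        if _covered(ip, NEVER_BLOCK) or _covered(ip, ALLOWLIST):
            continue
        when = datetime.strptime(when_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if now - when > max_age:
            continue                                   # the post keeps 7 or 14 days
        keep.add(ip)
    return keep


def build_blocklist(rows, now=NOW, max_age=timedelta(days=7)):
    """Return the feed lines: adjacent addresses collapsed into CIDRs, sorted."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(str(ip)) for ip in select_addresses(rows, now, max_age)
    )
    # single hosts are written without /32 to match the plain format in the post
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets]


def render(lines):
    """Exact body to serve: one entry per line, trailing newline, nothing else."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(build_blocklist(SAMPLE_ROWS)), end="")
```

Serve the rendered text with no HTML around it; whatever produces the page (the PHP script in the post, or this script behind a CGI handler) should emit only those lines, since anything else on the page ends up as parse failures or, worse, silently empty tables.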

20
19.7 Legacy Series / Re: Large IP Blacklists...performance impact?
« on: May 11, 2019, 01:42:25 pm »
Mine was reloaded yesterday, right after I created the list Alias.

I tried to add a CRON job to test and check every 5 minutes for "Update and reload firewall aliases"... but after half an hour the directory of alias tables still shows yesterday's date. So there must be some other setting which controls the frequency of the Alias Table list refresh and reload.

21
19.7 Legacy Series / Re: Large IP Blacklists...performance impact?
« on: May 11, 2019, 01:21:12 am »
Great news.
Does anyone know how often these aliases reload from the external source? And more important... how can I check if they are loaded?

22
19.7 Legacy Series / Large IP Blacklists...performance impact?
« on: April 22, 2019, 01:27:31 pm »
Hi,

I am thinking about aggregating all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into a database. I have a script in PHP to extract IPs from the database for the past 7 or 14 days.
Then I plan to try/test retrieving these into a Blocked ALIASES list of OPNsense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how a BLOCK ALIASES LIST with 1000's of entries would affect firewall performance?

23
18.7 Legacy Series / Each update hiccups upon reboot
« on: January 19, 2019, 05:52:29 pm »
Hi,

With the last 2 versions of 18.x, upon update I had problems when rebooting. The firewall got stuck on some disk mapping/mounting (or something disk-related... I do not know where to find that info) and was able to boot properly after some 3-4 soft-resets. The console showed it stuck on initializing or mounting some device, I do not remember which one exactly, but it was always a DIFFERENT stuck point.

Once it booted, it worked fine, fast, no problems, and subsequent reboots did NOT cause further problems.

I am running on ESX 6.5 with a Virtual SCSI disk controller.
VMware tools are (probably?) installed, but still for the past 2 years I see a constant warning in the ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has the OPNsense kernel changed in the past version?

24
18.7 Legacy Series / Create DNS override TXT records for ACME-02 LE challenge
« on: January 17, 2019, 12:03:49 am »
Hi,

Is it somehow possible to create an Unbound DNS override for a TXT record? I only see A (AAAA) or MX record overrides.
Adding custom TXT records locally would be super useful for the DNS ACME-02 challenge to generate wildcard LE certificates locally.

25
19.1 Legacy Series / Get back the Apply changes warning stripe on top
« on: December 23, 2018, 05:05:32 pm »
Hi,
Just my 5 cents - the "Apply changes" warning stripe on top in previous versions was annoying, but now I see it was VERY HANDY and USEFUL! Now I am on version 18.7 and I really miss this annoying warning, as I am never 100% sure whether I applied/saved the settings or not.
So my suggestion is to bring back some similar functionality in further releases.

26
18.7 Legacy Series / suricata.log: Operation not supported by device
« on: September 09, 2018, 06:16:20 pm »
Hi,

I think after updating to 18.7 I see this on the terminal screen:
syslogd: /var/log/suricata.log: Operation not supported by device

Did this come from the update?
Is this critical?

27
18.7 Legacy Series / Re: Outbound NAT on LAN interface fails after upgrade to 18.7
« on: September 08, 2018, 11:08:27 pm »
Maybe this was a fix?

18.7.2, Sept. 6
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: alias API is now live on the development version and will migrate your aliases to the new format

28
18.7 Legacy Series / Re: Terminal upgrade from 18.1 to 18.7 fails
« on: September 08, 2018, 10:51:41 pm »
I did not read the forums up front, and I tried to upgrade 18.1.10 to 18.7 via the web interface. The upgrade seemed to finish and rebooted...
...but the new boot image got stuck at the terminal [dB]> prompt. Even Ctrl-Alt-Del did not have any effect. Had to roll back to a working snapshot.

Sorry for the lack of logs... I had to solve the problem ASAP, so I did not have time to examine it.

29
Intrusion Detection and Prevention / Re: Integration with Mail, Joomla, Wordpress security
« on: May 05, 2018, 11:11:45 pm »
Maybe one way would be that an OPNsense plugin (or a rule) could read the plaintext (or database) cache of blocked IPs, which the security plugins of WordPress or Joomla create locally. OPNsense would then add those into, for example, an "Abuse IPs" alias list, which is blocked by some rule.

For example:
The WordFence security plugin for WP stores banned IPs in a database.
It would be easy to create a cronjob to pull those out and export them in plaintext, making them available via an (internal) http site.
There OPNsense could pull them and add them to the "Abuse IPs" alias list. This part is totally unknown to me - how could this be done? Via a plugin? A batch job?

30
18.1 Legacy Series / Re: Prevent external access of webgui
« on: April 02, 2018, 03:23:38 pm »
I like to keep WAN access to my router open, but:
- on a modified HTTPS public port, for example 23782
- only from my home and work public IP addresses
