Topics - nzkiwi68

#41
I've got the need to do header checks and re-write header items. It's really very similar to the Sender Canonical Rewriting.

Can we please add the ability to modify header checks?

Thanks.
#42
I get this logged;
postfix/cleanup[25132]: warning: regexp map /usr/local/etc/postfix/sendercanonical, line 1: ignoring unrecognized request

I'm trying to use Sender Canonical Rewriting because a basic alarm panel that is sending email sets the FROM email address as the same as the sending TO email address and you can't change it.

So, I have a simple setting in Sender Canonical Rewriting.

123456789@sms.gateway.com          user@mydomain.com

It just doesn't seem to work.

Any ideas?
#43
I've been a long time fan of Spamhaus and they offer a high quality Botnet block list in Snort format.

I've converted to OPNsense and I am loving it, very cool.

*** How can I add the Spamhaus Snort BCL list to OPNsense?

I can't see any way to add my own custom rule set to be downloaded.

References;
https://www.spamhaus.org/bcl/
https://www.spamhaustech.com/

First 2 lines snip from the download URL;
################################################################
# Spamhaus Botnet Controller List (BCL) (2006202330)           #
# Last updated: 2020-06-20T23:30:02Z                           #
#                                                              #
# For questions please refer to https://www.spamhaus.org/bcl/  #
################################################################
alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; classtype:trojan-activity; sid:900487201; rev:1;)
alert tcp $HOME_NET any -> 2.56.8.117 any (msg:"Spamhaus Botnet C&C List: AZORult botnet controller [SBL480199]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL480199; classtype:trojan-activity; sid:900480199; rev:1;)


Example of the download URL;
(with the actual account name and API key changed for privacy)
https://pub-api.spamhaus.org/api/snort/?account=xxxxxxxxxx&key=yyyyyyyyyyyy
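
Added example, not part of the original post and not OPNsense or Spamhaus code: a check a downloaded rule file in the format quoted above could be run through before it is handed to the IDS. It assumes every rule follows the layout of the two quoted lines; `check_rule` and `check_feed` are hypothetical names.

```python
import ipaddress
import re
# Layout of the rule lines quoted in the post; any other action or shape is rejected.
RULE_RE = re.compile(r'^alert tcp \$HOME_NET any -> (\S+) any \((.*)\)$')
SID_RE = re.compile(r'\bsid:(\d+);')
MSG_SBL_RE = re.compile(r'msg:"[^"]*\[SBL(\d+)\]"')
REF_SBL_RE = re.compile(r'reference:url,www\.spamhaus\.org/sbl/query/SBL(\d+);')

def check_rule(line, seen_sids):
    """Return (dst, sid) for an acceptable rule, or raise ValueError with the reason."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unexpected action or rule shape")
    dst, opts = m.groups()
    try:
        public = ipaddress.ip_address(dst).is_global
    except ValueError:
        public = False
    if not public:
        raise ValueError("destination is not a single public IP")
    sid, msg_sbl, ref_sbl = (r.search(opts) for r in (SID_RE, MSG_SBL_RE, REF_SBL_RE))
    if not (sid and msg_sbl and ref_sbl) or msg_sbl.group(1) != ref_sbl.group(1):
        raise ValueError("sid or SBL reference missing or inconsistent")
    if int(sid.group(1)) in seen_sids:
        raise ValueError("duplicate sid")
    seen_sids.add(int(sid.group(1)))
    return dst, int(sid.group(1))

def check_feed(text):
    """Split a rule file into accepted rules and (line number, reason) rejects."""
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(check_rule(line, seen))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return accepted, rejected

# Constructed sample: the first rule quoted in the post plus altered copies of it.
GOOD = ('alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet '
        'controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, '
        'seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; '
        'classtype:trojan-activity; sid:900487201; rev:1;)')
SAMPLE = "\n".join(["# constructed sample", GOOD,
                    GOOD.replace("alert tcp", "pass tcp"), GOOD.replace("1.234.108.31", "any"),
                    GOOD.replace("1.234.108.31", "10.0.0.5"), GOOD])
```

Only the accepted rules would be written to the local rules file; a non-empty reject list is a reason to hold the update and look at the download.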
#44
Change the defaults:

Remote Network:
Subnet: /24
Encryption algorithms: AES auto
Hash algorithms: SHA256

or - even better, to what I actually always select.
(But I do understand if AES auto is preferred. It's just that aesgcm is considerably faster.)

Remote Network:
Subnet: /24
Encryption algorithms: aes128gcm16
Hash algorithms: none

Change the hint:
Hint: use AES or aesgcm. It's widely supported, considered secure and hardware accelerated if you have AES-NI CPU support.


#45
I've recently converted from pfSense and am now running 20.1.7 connecting to a number of IPSEC traditional VPN tunnels.


  • The endpoints are a number of different pfSense firewalls, 2.4.4.p3, 2.4.5 and 2.4.5-p1.
  • If I restart IPSEC on OPNsense, all the tunnels P1/P2 connect and work.
  • After about 1 hour, some, consistently the same tunnels, lose their P2 in OPNsense.

What have I done?
  • I have rebooted OPNsense
  • Deleted the affected OPNsense tunnels and remade them on OPNsense again
  • Minutely compared settings on OPNsense to tunnels that work and never drop and those that do (no differences detected)

See some IPSEC log entries from OPNsense;
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


Have a look at this whilst in failure mode:
See the last one (con6) - no P2



#46
Hi,

Sorry if this has been asked and answered.

I'm a long time pfSense user but I'm quite keen looking at how far OPNsense has come to look at migrating across a number of large customers with significant networks. I really am impressed with OPNsense roadmap, speed of development and release cycle.

Are there any migration tools for pfSense to OPNsense?

Really, all I really need is a method to import / migrate;

  • address objects
  • firewall rules

I can easily export firewall rules and address objects from pfSense. If I could easily import address objects and firewall rules that could be built against interfaces that had the same name in OPNSense, that would massively reduce the migration effort.

I'm quite happy to manually rebuild packages like FRR and HAPROXY and manually create all the right VLANs and interfaces inside OPNsense, it's just the large number loss of the many firewall rules and address objects.
If that bit of heavy lifting can be done, then migration from pfSense to OPNsense becomes a very real possibility and not the mammoth project it would be without this bit of importing rules and address objects.