Topics

Wow, BIND is great.

I want to stop using unbound, I just need a way (rather than chaining unbound and BIND together... which I could do..) to simply add host and domain overrides like in the Unbound DNS overrides section.

Please add a facility to allow us to add our own custom rules to be downloaded.

This older post for adding custom rules doesn't work anymore;
https://forum.opnsense.org/index.php?topic=7209.0

I have other high quality rules I'd like to add to Suircata.
https://forum.opnsense.org/index.php?topic=17764.0

I've got the need to do headers checks and re-write header items. Its really very similar to the Sender Canonical Rewriting.

Can we please add the ability to modify header checks?

Thanks.

[Sender Canonical Rewriting]

I get this logged;

Code Select Expand

postfix/cleanup[25132]: warning: regexp map /usr/local/etc/postfix/sendercanonical, line 1: ignoring unrecognized request

I'm trying to use Sender Canonical Rewriting because a basic alarm panel that is sending email, set the FROM email address as the same as the sending TO email address and you can't change it.

So, I have a simple setting in Sender Canonical Rewriting.

123456789@sms.gateway.com          user@mydomain.com

It just doesn't seem to work.

Any ideas?

[First 2 lines snip from the download URL;]

I've been a long time fan of Spamhaus and they offer a high quality Botnet block list in Snort format.

I've converted to OPNsense and I am loving it, very cool.

*** How can I add the Spamhaus Snort BCL list to OPNsense?

I can't see anyway to add my own custom rule set to be downloaded.

References;
https://www.spamhaus.org/bcl/
https://www.spamhaustech.com/

First 2 lines snip from the download URL;

Code Select Expand

################################################################
# Spamhaus Botnet Controller List (BCL) (2006202330)           #
# Last updated: 2020-06-20T23:30:02Z                           #
#                                                              #
# For questions please refer to https://www.spamhaus.org/bcl/  #
################################################################
alert tcp $HOME_NET any -> 1.234.108.31 any (msg:"Spamhaus Botnet C&C List: njrat botnet controller [SBL487201]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL487201; classtype:trojan-activity; sid:900487201; rev:1;)
alert tcp $HOME_NET any -> 2.56.8.117 any (msg:"Spamhaus Botnet C&C List: AZORult botnet controller [SBL480199]"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; reference:url,www.spamhaus.org/sbl/query/SBL480199; classtype:trojan-activity; sid:900480199; rev:1;)

Example of the download URL;
(with the actual account name and API key changed for privacy)

Code Select Expand

https://pub-api.spamhaus.org/api/snort/?account=xxxxxxxxxx&key=yyyyyyyyyyyy

[/24]

Change the defaults:

Remote Network:
Subnet: /24
Encryption algorithms: AES auto
Hash algorithms: SHA256

or - even better, to what I actually always select.
(But I do understand if AES auto is preferred. It's just that aesgcm is considerably faster.)

Remote Network:
Subnet: /24
Encryption algorithms: aes128gcm16
Hash algorithms: none

Change the hint:
Hint: use AES or aesgcm. It's widely supported, considered secure and hardware accelerated if you have AES-NI CPU support.

[What have a done?]

I've recent converted from pfSense and am now running 20.1.7 connecting to a number of IPSEC traditional VPN tunnels.

• The endpoints are a number of different pfSense firewalls, 2.4.4.p3, 2.4.5 and 2.4.5-p1.
• If I restart IPSEC on OPNsense, all the tunnels P1/P2 connect and work.
• After about 1 hour, some, consistently the same tunnels, lose their P2 in OPNsense.

What have a done?
* I have rebooted OPNsense
* Deleted the affected OPNsense tunnels and remade them on OPNsense again
* Minutely compared settings on OPNsense to tunnels that work and never drop and those that do (no * differences detected)

See some IPSEC log entries from OPNsense;

Code Select Expand

2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


Have a look at this whilst in failure mode:
See the last one (con6) - no P2

[Is there any migration tools for pfSense to OPNsense?]

Hi,

Sorry if this has been asked and answered.

I'm a long time pfSense user but I'm quite keen looking at how far OPNsense has come to look at migrating across a number of large customers with signifiant networks. I really am impressed with OPNsense roadmap, speed of development and release cycle.

Is there any migration tools for pfSense to OPNsense?

Really, all I really need is a method to import / migrate;

• address objects
• firewall rules

I can easily export firewall rules and address objects from pfSense. If I could easily import address objects and firewall rules that could be built against interfaces that had the same name in OPNSense, that would massively reduce the migration effort.

I'm quite happy to manually rebuild packages like FRR and HAPROXY and manually create all the right VLANs and interfaces inside OPNsense, it's just the large number loss of the many firewall rules and address objects.
If that bit of heavy lifting can be done, then migration from pfSense to OPNsense becomes a very real possibility and not the mammoth project if would be without this bit of importing rules and address objects.