Messages - JohnnyBeee

#31
Thanks a lot. It all starts to make sense now  :)
#32
Hmmm, you got me twice in a day  :-[
Logging was activated on the port forward rule. That was it.
It has possibly crept back in when I de-associated the firewall rule.
But why does the rdr rule not show in the logs when a non associated firewall rule has logging activated?  ???

Thanks for your help :)
#33
20.7 Legacy Series / Re: Unable to edit NAT rules
August 28, 2020, 09:47:28 AM
 :-[
Thanks. Was only checking if anybody actually reads posts here  :P
Working too late, I guess.
Thanks for opening my eyes  ;D
#34
20.7 Legacy Series / Unable to edit NAT rules
August 28, 2020, 08:11:53 AM
OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020

When I click the arrow icon next to a NAT-port forward rule, the message
"The NAT configuration has been changed. You must apply the changes in order for them to take effect."
pops up at the top of the page.
I click "Apply changes" but this does not solve it.

In short I cannot edit any NAT rules any more.

Help?
#35
No one? No ideas? Not a hint? Is this a completely unknown subject? Or can nobody be bothered?
If this is unknown I am starting to worry...
#36
OPNsense 20.7.1-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Hi.
I have NAT forwarding for port 25 to my email server on the DMZ.
On the WAN interface I have a few rules that forbid connections from certain countries and after that a rule that allows connections from everywhere to my email server.

Now this strange thing happens:
When I activate logging for the blocking rules then they show as expected in the firewall as blocking access.
But when I deactivate logging they show with a label "rdr rule" in the firewall log.
   Interface       Time    Source    Destination    Proto    Label
   wan      Aug 27 14:22:25   193.169.254.107:56236   192.168.0.10:25   tcp   rdr rule

The blocking works but these rules show up in the firewall log although I do not want to see them there.

Any ideas why those rules might show up as "rdr rules" in the FW log and how to not see those rules in the log?

Thanks.
#37
OPNsense 20.1.4-amd64
FreeBSD 11.2-RELEASE-p18-HBSD
OpenSSL 1.1.1f 31 Mar 2020

Hi guys.

I am facing some strange issue with Firewall rules and I wish someone could help me understand.

1) On my WAN interface I have rules (at the top of the list)  that forbid incoming connections from unsafe countries, incoming to unsafe countries and out to unsafe countries. (unsafe countries being a GeoIP alias).
2) On the WAN interface I also have a rule that allows incoming connections to my email server (further down on the rules list)

3) Now occasionally I get RDR entries in the firewall log like this:
__timestamp__   May 8 16:17:10
ack   
action   [rdr]
anchorname   
datalen   0
dir   [in]
dst   192.168.1.43
dstport   25
ecn   
id   24082
interface   igb0
ipflags   none
length   40
offset   0
proto   6
protoname   tcp
reason   match
ridentifier   0
rulenr   15
seq   1031579698
src   195.54.166.3
srcport   43265
subrulenr   
tcpflags   S
tcpopts   
tos   0x0
ttl   245
urp   1024
version   4

4) Now there are 2 issues:
a) The incoming IP is from an unsafe country (Russia) and shouldn't be let through in the first place
b) Even if for some reason the IP's location would not be identified as from some unsafe country, why do I get an [rdr] action instead of a [pass] action?

5) I am not as tech savvy as it may seem so I would appreciate it if someone could explain
a) What does this [rdr] action mean in this case? Was the connection allowed? (and if yes, why?)
b) How can I identify this rule  (ridentifier   0, rulenr   15, right?) in the GUI where no rule identifier or number can be seen?

Any help with this would be greatly appreciated.
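Added here as an illustration, not code from the thread or from OPNsense: a small parser for the expanded log record shown in this post that separates `rdr` entries (a logged port-forward match) from the pass/block decisions of the filter rules. Field names follow the record above; the sample records and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the same key/value shape as the expanded
# log entry in the post (source address is a documentation range).
SAMPLE_RDR = """\
__timestamp__   May 8 16:17:10
action   [rdr]
dir   [in]
dst   192.168.1.43
dstport   25
interface   igb0
protoname   tcp
reason   match
ridentifier   0
rulenr   15
src   203.0.113.7
srcport   43265
tcpflags   S
"""
SAMPLE_BLOCK = SAMPLE_RDR.replace("[rdr]", "[block]").replace("rulenr   15", "rulenr   9")

@dataclass
class LogEntry:
    action: str      # rdr, pass, block, ...
    direction: str   # in / out
    interface: str
    proto: str
    src: str         # host:port
    dst: str         # host:port
    rulenr: int
    ridentifier: int

def parse_record(text: str) -> LogEntry:
    """Parse one 'key<whitespace>value' record; bracketed values are unwrapped."""
    kv = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        kv[parts[0]] = parts[1].strip().strip("[]") if len(parts) > 1 else ""
    return LogEntry(kv["action"], kv["dir"], kv["interface"], kv["protoname"],
                    f"{kv['src']}:{kv['srcport']}", f"{kv['dst']}:{kv['dstport']}",
                    int(kv["rulenr"] or 0), int(kv["ridentifier"] or 0))

def is_filter_decision(entry: LogEntry) -> bool:
    """True for pass/block; an rdr entry records a NAT translation, not a verdict."""
    return entry.action in ("pass", "block")

def explain(entry: LogEntry) -> str:
    where = f"{entry.proto} {entry.src} -> {entry.dst} on {entry.interface}"
    if entry.action == "rdr":
        return (f"rdr rule #{entry.rulenr} matched ({where}): the port forward is logging; "
                "the pass/block entry for the same flow carries the actual verdict")
    return f"filter rule #{entry.rulenr} {entry.action}ed {where}"
```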
#38
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 08:46:41 PM
Hi.
As you asked if I were still getting the warning I checked ... and the GeoIP settings were updated !!!
So this does not happen right after we enter the URL and click Apply? Not even during the following hours?
Is OPNsense purposefully waiting until I give up and no longer look to download the zip?  ;D
Is there a scheduler running this?

Anyway, thanks for your help and patience.
#39
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 07:25:09 PM
ok, ran curl. Was easier than I thought:

root@OPNsense:/usr/bin # curl "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=MyKey&suffix=zip" --output /tmp/test.zip -v
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 104.16.38.47:443...
* TCP_NODELAY set
* Connected to download.maxmind.com (104.16.38.47) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4824 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; postalCode=02451; ST=MA; L=Waltham; street=14 Spring Street, 3rd Floor; O=MaxMind Inc.; OU=PremiumSSL Wildcard; CN=*.maxmind.com
*  start date: Oct 15 00:00:00 2018 GMT
*  expire date: Nov  6 23:59:59 2020 GMT
*  subjectAltName: host "download.maxmind.com" matched cert's "*.maxmind.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x46728ea5800)
} [5 bytes data]
> GET /app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=MyKey&suffix=zip HTTP/2
> Host: download.maxmind.com
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
} [5 bytes data]
< HTTP/2 200
< date: Wed, 29 Jan 2020 18:17:40 GMT
< content-type: application/zip
< content-length: 2031709
< set-cookie: __cfduid=de3cc5371e9ecbec8bca95d4438c4a6a81580321860; expires=Fri, 28-Feb-20 18:17:40 GMT; path=/; domain=.maxmind.com; HttpOnly; SameSite=Lax
< accept-ranges: bytes
< content-disposition: attachment; filename=GeoLite2-Country-CSV_20200128.zip
< last-modified: Tue, 28 Jan 2020 16:39:16 GMT
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 55cd344a4d6fcdcb-CDG
<
{ [1005 bytes data]
100 1984k  100 1984k    0     0  5636k      0 --:--:-- --:--:-- --:--:-- 5620k
* Connection #0 to host download.maxmind.com left intact

So on the OPNsense box curl was happy, not moaning, just downloading.

So could it be something in/with the zip that OPNsense does not like and therefore does not load the GeoIP data?

Is the downloaded zip different between  "Will this key be used for GeoIP Update?" Yes and No?
Note that the key I used was created with "for GeoIP Update? No"
#40
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 05:21:01 PM
I ran this on my OPNsense box. Btw I ran the curl command from my Windows PC, not knowing how to run it on the OPNsense box

root@OPNsense:/usr/bin # openssl s_client -servername download.maxmind.com -connect download.maxmind.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 02451, ST = MA, L = Waltham, street = "14 Spring Street, 3rd Floor", O = MaxMind Inc., OU = PremiumSSL Wildcard, CN = *.maxmind.com
verify return:1
---
Certificate chain
0 s:/C=US/postalCode=02451/ST=MA/L=Waltham/street=14 Spring Street, 3rd Floor/O=MaxMind Inc./OU=PremiumSSL Wildcard/CN=*.maxmind.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=US/postalCode=02451/ST=MA/L=Waltham/street=14 Spring Street, 3rd Floor/O=MaxMind Inc./OU=PremiumSSL Wildcard/CN=*.maxmind.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5486 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A78C099CC1D54D091EFEA4ED4998AE8E45DEF5F5521A195A46B21A8B048A338E
    Session-ID-ctx:
    Master-Key: 676EFEE532159A728376DD782D0A1AD0655C52F6DC3EF53D633F75980A3F87697619BACE1FF0CD5F7D864B5B3D9665D5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:

    Start Time: 1580314528
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
#41
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 01:05:39 PM
I am not obtuse to testing. Only if two other pieces of software manage fine where OPNsense does not, I think I have quite a good idea of where the problem is.

I tried your curl test and first it complained about the certificate
curl "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=myKey&suffix=zip" --output d:\temp\test.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate

When I used option --insecure it downloaded the zip fine.

In my humble opinion we have established that my URL is good.

So why does my URL not work in OPNsense?
#42
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 10:48:59 AM
Check to see what's happening. Look at message #62 here:
>>> Why would I need to try some Python command if any old browser downloads the zip fine with the URL I provide to OPNsense?
Even when I put the file on my own web server and enter a URL to my own server (in the form of http://192.168.0.10/geolite2.zip) it does not work.
If there were any problem with the URL, shouldn't that show in some log?

Just tried it here on a new instance of OPNsense and it worked first time.
>>> Good. However shouldn't it work for existing installations?

The content of the zip file is a folder named 'GeoLite2-Country-CSV_**DATE**'.
In that folder are a bunch of csv files.
>>> Yep, the zip downloaded using my web browser (or postman for that matter) contains what you say (folder GeoLite2-Country-CSV_20200128 with a bunch of CSV files). But again, it should work with OPNsense or, if any problems, show some meaningful error.
#43
Intrusion Detection and Prevention / Re: GEOip
January 29, 2020, 01:58:20 AM
Well I am sorry, but I think there may be some bug here.

For "Will this key be used for GeoIP Update?" I selected "No".
I have then set the URL as explained in the help and nothing happens - the last updated timestamp remains empty and I still get the same reminder ("In order to use GeoIP, you need to configure a source in the GeoIP settings tab").
When I enter the URL in a browser I get the zip file alright.
Even when I put the file on my own web server and enter a URL to my own server (in the form of http://192.168.0.10/geolite2.zip) it does not work.

I have version 19.7.10

Please advise.

PS. What is the expected file format? What should be in the zip? What should the format of the CSV file(s) (name, content) be? Can we use other providers? If yes, how?
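An added example, not code from the thread and not OPNsense's own importer: it checks that a downloaded archive has the layout the thread describes (one top-level folder `GeoLite2-Country-CSV_<YYYYMMDD>` holding CSV files) and refuses entries that would escape the extraction directory, all without extracting anything. The archives are constructed in memory here, so the check runs offline; the CSV rows are made up.

```python
import io
import re
import zipfile
from posixpath import normpath

FOLDER_RE = re.compile(r"^GeoLite2-Country-CSV_(\d{8})$")

def build_sample_zip(folder: str = "GeoLite2-Country-CSV_20200128") -> bytes:
    """Construct an in-memory archive shaped like the download (rows are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/GeoLite2-Country-Locations-en.csv",
                    "geoname_id,country_iso_code,country_name\n1,XX,Example\n")
        zf.writestr(f"{folder}/GeoLite2-Country-Blocks-IPv4.csv",
                    "network,geoname_id\n203.0.113.0/24,1\n")
        zf.writestr(f"{folder}/COPYRIGHT.txt", "sample\n")
    return buf.getvalue()

def build_bad_zip() -> bytes:
    """Constructed archive with a parent-escaping entry and a wrongly named folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../usr/local/etc/evil.csv", "x\n")
        zf.writestr("somefolder/data.csv", "x\n")
    return buf.getvalue()

def inspect_geoip_zip(data: bytes) -> dict:
    """Return {'ok', 'date', 'csv', 'problems'} for the archive, extracting nothing."""
    problems, csv_files, top_level = [], [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # refuse absolute or parent-escaping paths before any extraction happens
            if name.startswith("/") or normpath(name).startswith(".."):
                problems.append(f"unsafe path: {name}")
                continue
            top_level.add(name.split("/", 1)[0])
            if name.lower().endswith(".csv"):
                csv_files.append(name)
    date = None
    if len(top_level) != 1:
        problems.append(f"expected one top-level folder, found {sorted(top_level)}")
    else:
        m = FOLDER_RE.match(next(iter(top_level)))
        if m:
            date = m.group(1)
        else:
            problems.append("folder is not named GeoLite2-Country-CSV_<YYYYMMDD>")
    if not csv_files:
        problems.append("no CSV files in archive")
    return {"ok": not problems, "date": date, "csv": sorted(csv_files), "problems": problems}
```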
#44
General Discussion / Re: NordVPN Tutorials/Instructions?
February 01, 2019, 11:08:05 PM
Thanks.
It wasn't there a few days ago.
Maybe NordVPN thought it was worth putting it up when I insisted with  one of their support guys :-)
#45
Could someone post a Tutorial for OPNsense?

I tried the pfSense tutorial and I do not see all the parameters in OPNsense, and when I just set the parameters that I do see for the VPN client creation and activate the client, no more connections to the internet work.

Please help.