OPNsense
Messages - nospam

1
Web Proxy Filtering and Caching / Re: SSL Proxy Config question
« on: October 26, 2018, 04:06:08 pm »
It is set up as a transparent proxy.  All caches cleared on the clients.

The issue appears to be with Squid and domains that exist on multiple IP addresses.  I don't know how to resolve the way squid is blocking these sites.

2
18.7 Legacy Series / Re: Challenge: Alert on Firewall block - is this possible currently?
« on: October 17, 2018, 02:30:43 pm »
Try either a reset to defaults or re-install everything from scratch.  Something isn't right on your system.

3
18.7 Legacy Series / Re: Challenge: Alert on Firewall block - is this possible currently?
« on: October 12, 2018, 03:55:35 pm »
Under Interfaces I have LAN only and ENABLE SYSLOG ALERTS
Under GeoIP/Direction I have SOURCE

PING rutube.ru (185.165.123.77): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

PING 185.165.123.1 (185.165.123.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Is your Intrusion Detection service running? Check under dashboard

4
18.7 Legacy Series / IDS and SSL
« on: October 07, 2018, 03:55:38 pm »
Does opnsense IDS block connections made with SSL?

5
18.7 Legacy Series / SSL Proxy Config question
« on: October 06, 2018, 04:49:23 pm »
Sorry about the cross post but I'm unable to delete my first post.

I have SSL transparent proxy working for most sites except for a few odd cases and I'm not sure how to resolve the issue.

When I go to certain websites https://somewebsite.com my firewall is blocking it with the message

Access Denied: URL https://11.22.33.44/*

I added somewebsite.com to my proxy whitelist AND to the "SSL no bump sites" but I am still getting the error.

Can someone offer insight as to why the domain is getting resolved by the proxy URL as an IP and then getting blocked?  Are there any workarounds?

Usually "Access Denied" message shows the URL blocked, not the actual IP address.  Reading up on squid indicates this might be due to multiple DNS servers providing conflicting results and squid flagging the website.  The sites in question are certain government websites which are likely hosting one URL on multiple IP addresses.  I've tried adding the IP addresses to the "SSL no bump sites" as well but that doesn't work.


6
18.7 Legacy Series / Re: Challenge: Alert on Firewall block - is this possible currently?
« on: October 06, 2018, 04:35:50 pm »
IDS -> User Defined -> Add Rule

GeoIP/Country: your blacklist here
GeoIP/Direction: Source
Action: Drop

Then Apply

Works for me and events get logged under IDS -> alerts

I personally wouldn't want email alerts for this unless you want to watch a flood of emails choke your inbox

7
18.7 Legacy Series / Re: Monitoring internet traffic types
« on: October 04, 2018, 02:52:41 pm »
NTOPNG

8
Web Proxy Filtering and Caching / SSL Proxy Config question
« on: October 03, 2018, 02:38:01 pm »
I got the SSL proxy working yesterday for most sites except for a few cases and I'm not sure how to resolve the issue.

This morning when I go to https://somewebsite.com  on a PC it connects after warning me about a security SSL issue...no problem here.  When I access the same website using an ipad my firewall is now blocking it with the message

Access Denied: URL https://11.22.33.44/*

I added somewebsite.com to my proxy whitelist AND to the "SSL no bump sites" but I am still getting the error.

Can someone offer insight as to why the domain is getting resolved by the proxy URL as an IP and then getting blocked?


9
18.7 Legacy Series / Re: Looking for someone with working lightsquid and sarg running on their system
« on: September 13, 2018, 06:59:31 pm »
If your system is working can you post your line in /usr/local/etc/squid/squid.conf for "logformat opnsense"

Mine is defaulted to:
logformat opnsense      %>a %[ui %>eui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh


10
18.7 Legacy Series / Looking for someone with working lightsquid and sarg running on their system
« on: September 13, 2018, 06:29:29 pm »
I'm trying to get lightsquid and sarg running on my system but am running into problems with the scripts' expected date formats vs. what my system is generating

my squid access.log generates lines in the format
XXX.XXX.XXX.XXX - XX:XX:XX:XX:XX:XX - [13/Sep/2018:00:00:20 -0400] "POST http://somewebsite HTTP/1.1" 403 4171 "-" "Mozilla/5.0 (Linux; )" TCP_DENIED:HIER_NONE

but when I run lightparser.pl I don't get any output and sarg -x gives me script date input errors like

SARG: Loop detected in getword_atoll after 0 bytes.
SARG: Line=" [13/Sep/2018"
SARG: Record=" [13/Sep/2018"
SARG: searching for 'x2f'
SARG: Invalid date in file "/var/log/squid/access.log"

Can somebody post a couple of lines from their access log so I can compare what's going on?
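
Added example, not part of the original post and not OPNsense, lightsquid or SARG code: a parser for access.log lines in the `logformat opnsense` layout quoted on this page, which splits each line into fields, converts the bracketed timestamp, and counts `TCP_DENIED` requests per client and requested host. The field order is assumed from that logformat line; the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Field order follows the "logformat opnsense" line quoted on this page.
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted header value, tolerating \" escapes
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) (\S+) \[([^\]]+)\] '      # %>a %[ui %>eui %[un [%tl]
    r'"(\S+) (\S+) HTTP/([^"]+)" (\d{3}) (\d+) '   # "%rm %ru HTTP/%rv" %>Hs %<st
    + QUOTED + ' ' + QUOTED +                       # Referer, User-Agent
    r' ([A-Z_]+):(\S+)$'                            # %Ss:%Sh
)
FIELDS = ("client", "ident", "eui", "user", "time", "method", "url", "version",
          "status", "size", "referer", "agent", "squid_status", "hierarchy")

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    return rec

def denied_by_target(lines):
    """Count TCP_DENIED requests per (client, requested host)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["squid_status"] == "TCP_DENIED":
            # CONNECT carries host:port, other methods carry a full URL.
            host = re.sub(r'^[a-z]+://', '', rec["url"]).split('/')[0]
            counts[(rec["client"], host)] += 1
    return counts

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - 00:00:5e:00:53:01 - [13/Sep/2018:00:00:20 -0400] "POST http://somewebsite.example/api HTTP/1.1" 403 4171 "-" "Mozilla/5.0 (Linux; )" TCP_DENIED:HIER_NONE',
    '192.0.2.10 - 00:00:5e:00:53:01 - [13/Sep/2018:00:01:02 -0400] "GET http://www.example.test/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
    '192.0.2.11 - 00:00:5e:00:53:02 - [13/Sep/2018:00:02:10 -0400] "CONNECT 198.51.100.7:443 HTTP/1.1" 403 3900 "-" "-" TCP_DENIED:HIER_NONE',
    r'192.0.2.10 - 00:00:5e:00:53:01 - [13/Sep/2018:00:03:00 -0400] "GET http://somewebsite.example/ HTTP/1.1" 403 4100 "-" "Agent \"x\"" TCP_DENIED:HIER_NONE',
    'truncated or foreign-format line',
]

if __name__ == "__main__":
    for (client, host), n in denied_by_target(SAMPLE).most_common():
        print(f"{client} -> {host}: {n} denied")
```

Lines that do not match the layout return `None` and are skipped, so a format mismatch shows up as a drop in parsed records rather than a crash.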

11
18.7 Legacy Series / Re: Trying to figuring out why website is getting blocked by web proxy...
« on: September 13, 2018, 06:21:25 pm »
yes I did

I'm not asking how to white list something I'm asking to see if anyone can offer some insight into the way opnsense blocking logs work

12
18.7 Legacy Series / Trying to figuring out why website is getting blocked by web proxy...
« on: September 13, 2018, 04:00:18 pm »
Is there an easier way to determine why a website gets blocked by web proxy?

"The following error was encountered while trying to retrieve the URL: http://www.bing.com/
Access Denied."

For some reason "bing.com" is now getting blocked and all I get in my log file is
TCP_DENIED:HIER_NONE

I am using remote blacklists so I am assuming one of them is flagging the website...why bing is suddenly blacklisted is beyond me...I'd like to figure out which one is causing the problems

13
Web Proxy Filtering and Caching / Re: default block all; allow whitelist
« on: September 13, 2018, 02:28:58 pm »
Why not just create a firewall rule allowing only LAN net to LAN net and LAN net to your desired WAN IP ranges?

14
18.7 Legacy Series / Re: Help with WIFi errors
« on: September 12, 2018, 11:06:12 pm »
I already have one external AP running I was hoping to use the USB WiFi for guest mode only to make keeping the wifi networks separate easier with less energy waste of running yet another AP and wall wart combo

15
18.7 Legacy Series / Re: Help with WIFi errors
« on: September 12, 2018, 08:18:11 pm »
Seems to me a config problem with pfsense GUI. 
