Messages - dinguz

#302
I see your point, but keeping in mind that I use OPNsense for home/hobby purpose, I was hoping to be able to solve this in system configuration, not by adding new hardware ;)
#303
On several occasions, I noticed flowd not starting after a power failure. This seems to originate from database corruption, which can't be repaired by a 'repair Netflow data' in the GUI. If I reset the Netflow data and restart flowd, all is well.
Is there something I can do to make Netflow more resilient to power outages? Can switching to ZFS - if possible - help with this?
#304

Checking all packages:
acme.sh-2.8.3: missing file /var/db/acme/.acme.sh/account.conf.sample
acme.sh-2.8.3: missing file /var/db/acme/.acme.sh/deploy
acme.sh-2.8.3: missing file /var/db/acme/.acme.sh/dnsapi
acme.sh-2.8.3: missing file /var/db/acme/.acme.sh/notify

This probably happens because I have /var as a memory file system, so these files get removed on reboot, but then I guess the firmware audit should not check for these files?
#305
I'm seeing these errors lately:

Oct 18 00:01:57 haanjdj suricata[20436]: [100108] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1783

They always involve the abuse.ch.urlhaus.rules file. I have compared the faulty entries, and I believe the problem to be the pipe symbol ('|') in for example the entry 'content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"'; it shouldn't be there.

Is this an upstream problem that should be reported there, or is this something that should be dealt with within OPNsense?
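
Added example (not part of the original post, and not OPNsense or Suricata code): Suricata reads '|' inside a content value as the delimiter of a hex byte section, so a literal pipe has to be written as |7C|. The script below flags content options with an odd number of pipes or with non-hex characters between pipes; the first sample rule is shortened from the log message above, the second rule and its sid are constructed.

```python
import re

# Matches content:"..." and captures the quoted value; \" inside the value is
# treated as an escaped quote, not the end of the string.
CONTENT_RE = re.compile(r'\bcontent:\s*!?\s*"((?:[^"\\]|\\.)*)"')
HEX_SECTION_RE = re.compile(r'^[0-9A-Fa-f\s]*$')


def pipe_problem(value):
    """Return a reason string if the pipes in a content value are malformed, else None."""
    parts = value.split("|")
    pipes = len(parts) - 1
    if pipes % 2:
        return "odd number of '|' (%d): a literal pipe must be written |7C|" % pipes
    # With balanced pipes, the odd-indexed parts are the hex sections.
    for section in parts[1::2]:
        if not HEX_SECTION_RE.match(section):
            return "non-hex characters inside |%s|" % section
    return None


def check_rules(lines):
    """Yield (line_number, content_value, reason) for each malformed content option."""
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and commented-out rules
        for match in CONTENT_RE.finditer(stripped):
            reason = pipe_problem(match.group(1))
            if reason:
                yield lineno, match.group(1), reason


# Constructed sample: line 1 is shortened from the rule in the log message above,
# line 2 is a made-up rule that uses the hex form |7C| for the pipe.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; sid:81106994; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed example"; content:"/a|7C|b/"; http_uri; sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    import sys
    # With a file argument, check that rules file; otherwise the constructed sample.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, value, reason in check_rules(source):
        print("line %d: content:\"%s\": %s" % (lineno, value, reason))
```

Run with the path of a rules file as the only argument to list every affected line, which helps when collecting the faulty entries for an upstream report.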
#306
I'm not familiar with GitHub so I hope I didn't make any mistakes, but here it is:

https://github.com/opnsense/plugins/issues/1532

Thanks in advance for taking a look at it!
#307
To run named in IPV4-only mode, I changed

named_flags=${named_flags:-""}
to
named_flags=${named_flags:-"-4"}

in /usr/local/etc/rc.d/named

This works, however it will probably be overwritten during upgrades. It also gets flagged by the security audit.
Is there a proper way to make this permanent?
#308
I'd love to be able to enable IPV6 but my ISP doesn't offer it, unfortunately
#309
I'm using the bind plugin for DNSBL purposes, and I'm seeing lots of log messages like these:

'lame-servers: info: host unreachable resolving '_.api.sc-gw.com/A/IN': 2600:9000:5305:a600::1#53'

This happens most probably because I don't have IPV6 connectivity. Would it be possible to disable IPV6 in named or system-wide to get rid of those?
#310
After checking further, it seems that all log viewer screens have this issue...
#311
After installing the 19.1.8 update, the layout of Intrusion Detection - Log File is broken, please see attachments.
#312
19.1 Legacy Series / Re: SSL acme.sh not renewing
May 06, 2019, 04:24:13 PM
I can't offer any details or analysis, but I have found this script to be quite unreliable, requiring several reruns before it worked. Unfortunately you'll be hitting rate-limits on the production environment real soon if you try too often.
#313
In Intrusion Detection > Rules:

Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/IDS/Api/SettingsController.php:137 - count(): Parameter must be an array or an object that implements Countable (errno=2)

Also submitted a bug report from the firewall itself.