Messages - LouieLouie

#31
Ha!

That worked.  I learned some more.  Success.

Thank you, Franco, appreciated.

Regards!
#32
Documenting for any future searchers.

*found the hardened BSD repository on github... https://github.com/HardenedBSD
*found the portsnap source folder on github.... https://github.com/HardenedBSD/hardenedBSD/tree/hardened/current/master/usr.sbin/portsnap
*read the makefile, reviewed portsnap.sh

I don't know how to use makefile or install with make (doh!).  I started to try to figure that out, got lost.  The software is on github.  I locally installed the git package, tried to pull the portsnap directory down, failed.  Logged onto github, read instructions, got lost trying to 'clone' the repository which would supposedly give me access to the portsnap source code.  Gave up when it seemed I would have to download the source for the entire OS instead of just 'portsnap'.

However, portsnap.sh is script instead of a compiled application, so I thought I could install manually.  I used wget to download everything from the portsnap directory on github.  I copied the config file to /etc, but then I looked at the dependency file (Makefile.depend).  Stalled, not sure if I can, or should try to manually install those dependencies.  I'd have to learn how to search the local system to see if they're there, 1st.

Current status:  stalled.  I can either figure out how to use github to allow git to retrieve the software, learn how to use git to do whatever git does locally, and then to learn how to use 'make' to install this stuff...  OR I can manually install the dependencies, copy portsnap to wherever system scripts go ( /usr/sbin/  ???), ensure it has correct permissions, and pray.
#33
I'll take a swing, but I'd bet a lot of money there are better ways to do it...

For the DNS issue: 
On the Retro VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your Retro VLAN. 
On the DNS Vlan firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your DNS VLAN.

For the File Transfer issue: 
On the Retro VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your Retro VLAN.  It can be above or below the DNS rule, it just has to be above the Deny rules.
On the File Transfer VLAN firewall rules:  Create an allow rule, source is the NT server ip, destination is ip of DNS server, port = 53, direction = both.  Move this rule above the default deny rule on your File Transfer VLAN.

Discussion point:  I'm not certain about the directions.  I'm suspicious that the 'state' of a connection overrides the need of the "direction = both".  Meaning, if the NT server requests dns services on a 'direction = outbound', then the fact that there was an allowed connection will tell the firewall to allow the return message.  If that's true, it would be more secure.  If the DNS server is compromised... 'direction: both' means the DNS can attack.  'direction: outbound' equals the firewall stopping a DNS service based attack.  And please let me know if I was wrong/right.

Also, if the file transfer will ever initiate from the File server, you might have to build a 'send' and 'receive' rule on both VLANs to allow that, with the File server set as source and the NT server set as destination.  And now that I've offended the real security experts with my ignorance, I'll shut up.  Good luck!

Regards!
#34
19.1 Legacy Series / Re: UPnP and Call of Duty
June 17, 2019, 03:14:54 PM
It looks like udp port 34133 is falling all the way through your 'Allow' and hitting the 'Deny'.  To me, that means you don't have an explicit 'Allow:  UDP 34133 outbound on WAN', destination = (your choice... either inverse from your wans/lans, or 'all', or your preference).  When you write the rule, remember to move it up the list so that it is above the default deny.
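As an added illustration of the two points raised in #33 (a stateful firewall admits the reply to an allowed request without a second rule) and #34 (an allow rule only takes effect when it sits above the default deny), here is a small first-match, stateful rule evaluator. It is example code written for this page, not code from the thread or from OPNsense, and the addresses, ports and rule names are constructed.

```python
from dataclasses import dataclass, field

NT_SERVER = "10.10.20.5"   # constructed: NT host on the Retro VLAN
DNS_SERVER = "10.10.30.2"  # constructed: resolver on the DNS VLAN

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in", "out" or "any" (the GUI's "both")
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: object = None    # None matches any destination port

    def matches(self, p):
        return (self.direction in ("any", p["dir"]) and self.proto in ("any", p["proto"])
                and self.src in ("any", p["src"]) and self.dst in ("any", p["dst"])
                and self.dport in (None, p["dport"]))

@dataclass
class Firewall:
    rules: list                       # evaluated top to bottom, first match wins
    states: set = field(default_factory=set)

    def filter(self, p):
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        reply = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if reply in self.states:      # answer to a flow we already allowed
            return "pass (state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(flow)   # "keep state" on the allowed flow
                return r.action
        return "block"                # nothing matched: implicit deny

def packet(src, sport, dst, dport, direction, proto="udp"):
    return dict(src=src, sport=sport, dst=dst, dport=dport, dir=direction, proto=proto)

DEFAULT_DENY = Rule("block", "any")
DNS_OUT = Rule("pass", "out", "udp", NT_SERVER, DNS_SERVER, 53)   # outbound-only DNS allow

def run(rules):
    # Returns verdicts for (DNS query, DNS reply, unsolicited packet from the resolver)
    fw = Firewall(list(rules))
    return (fw.filter(packet(NT_SERVER, 40000, DNS_SERVER, 53, "out")),
            fw.filter(packet(DNS_SERVER, 53, NT_SERVER, 40000, "in")),
            fw.filter(packet(DNS_SERVER, 5555, NT_SERVER, 22, "in")))

if __name__ == "__main__":
    print("allow above deny:", run([DNS_OUT, DEFAULT_DENY]))  # query and reply pass, unsolicited blocked
    print("allow below deny:", run([DEFAULT_DENY, DNS_OUT]))  # everything blocked
```

With the outbound-only rule in place, the resolver's answer is admitted by the state entry while a packet the resolver sends on its own initiative still hits the deny; the same rule placed below the deny never matches at all.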

 
#35
Greetings,

How do I enable access to opnsense ports on 19.1.9?  Portsnap is not present by default in the command line.  Neither are ports (applications) available in the file system despite ports being listed in github.  I didn't find anything in the manual, pkg search portsnap = no return.

Thank you.
#36
Hi Jonny,

That's a good method for the opnsense config file (especially if it's encrypted).  Unfortunately, the idiocy I executed created a partition level error on the hard drive, and it wouldn't boot.  I need to make the system 'me proof'.  I suspect that self control is part of that, but until that personal growth happens I'd like to back up the entire drive instead of just the opnsense configuration.

Regardless, thank you for offering a suggestion.
#37
disclaimer:  amateur with freebsd/opnsense/firewalls.

Would you please recommend a method and scheme to implement automated backups?

Background:  I tried to gpart and resize the freebsd-ufs partition without os backups, and while online/operational.  I recognize how stupid that was, now, especially as I type this.  I recovered opnsense using a new image and a backup of the opnsense config.  Time consuming, manual, and not graceful.  I decided to implement a full hard drive backup and an incremental synced backup workflow.  I would like it to be automated.  I searched for installed ports:  none.  /usr/local/ports is missing.  I searched installed pkgs for anything like rsync, not found.  I searched the forum for related issues:  nothing relevant found.

I can implement a hacked solution, but I'm concerned that it will be consistent with my skillset and not be as secure as the philosophical and functional model of opnsense.  Accordingly, I'm hoping to ask for the advice of the more experienced for an appropriate solution.

Thanks in advance,

LouieLouie
#38
Franco,

May I ask if you could explain the use of 'pluginctl -c' or '-s' (configure mode vs service mode)?

Aside from that I tried it at the command line using -s and it worked.  Adding it to the monit config for unbound and openssh now.
#39
That worked.  I cat'd pluginctl, hoping that I understand correctly.  Testing today.  Thanks!
#40
Franco, got a 'hunks failed' message when I attempted the patch:

sudo opnsense-patch 255e9b76
Password:
Fetched 255e9b76 via https://github.com/opnsense/core
1 out of 1 hunks failed while patching sbin/pluginctl

OPNsense 19.1.8-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
LibreSSL 2.8.3
#41
hbc:  Thank you!

This # /usr/local/sbin/configctl sshd restart didn't work because the default configd script is named openssh instead of sshd.  But, by changing 'sshd' to 'openssh' , it worked.

I've never heard of configctl, that helped immensely.  Thanks for your time!
#42
Running opnsense 19.1.8, I am trying to add sshd to Monit service monitoring. In the gui, the start and stop commands are required with the full path to the command. I've searched freebsd forums and tutorials, the /etc/rc.d commands don't work (can't even find rc.config), the 'service sshd start' commands aren't accepted.

May I ask for help, please? Thanks in advance!
#43
Opnsense GUI is up and all diagnostic metrics on it look correct and consistent.  I have full internet access.  SSH was slow to come up.

uname -a:  FreeBSD host.domain 11.2-RELEASE-p10-HBSD FreeBSD 11.2-RELEASE-p10-HBSD 5e5adf26fc3(stable/19.1) amd64
 
Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz (4 cores)