Messages - cmdr.adama

#1
21.1 Legacy Series / Re: Update to 21.1 not possible
January 14, 2021, 12:26:36 PM
Hey Franco,

I decided to spin up a duplicate instance to use for testing upgrades, which I have just switched over to development from Prod, but when I ran an update it only grabbed a 21.1.a_296-amd64 package? Is that right, or am I jumping the gun a bit?


Don't mind me :P Just read the pinned post haha.
#2
Quote from: randomwalk on December 09, 2020, 06:05:44 PM
Yes, I am coming to the conclusion that this cannot be done using HAProxy after additional searching.  The main issue is that Minecraft is not an HTTP protocol, and you cannot authenticate using a TCP proxy.  This seems strange to me as I would think you can authenticate via HTTP, then remember the IP address that authenticated, and then allow only that IP address to go through the TCP proxy.  It seems like this would be a desired function as not everything is HTTP.

Well in theory you could utilize port knocking to open up port 25565 when someone makes a connection to port 80... You might be able to do something like this https://gist.github.com/cryptolok/326b6afc98bf4bb489a206d62ad12580. So use HAProxy to proxy connections to the Minecraft server, then use something similar to the above accordingly to knock port 80 to open 25565 for the user's IP... You may need to do some funky stuff to ensure the Source IP is correctly being passed through
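One way to model the "authenticate over HTTP, then remember the IP and let only that IP through the TCP proxy" idea from the quoted post, as an added example that is not code from this thread, the linked gist, HAProxy or OPNsense; the credential store, the TTL and the function names are assumptions, and the IP addresses are constructed sample values:

```python
"""Model of 'HTTP login admits a source IP to a TCP game port for a while'.
Added illustration; the allowlist, TTL and helper names are assumptions."""
import hmac
import time

ALLOW_TTL_SECONDS = 3600  # assumption: how long a successful login keeps an IP admitted

# Constructed credential store (a real deployment would store password hashes).
CREDENTIALS = {"steve": "correct horse battery staple"}

# Source IP -> expiry timestamp. This is the state the thread calls "remember the IP".
_allowlist: dict[str, float] = {}


def http_login(username: str, password: str, source_ip: str, now: float) -> bool:
    """Simulated HTTP auth step. On success, admit source_ip for ALLOW_TTL_SECONDS.

    source_ip must be the real client address: behind a proxy that means the
    proxy has to pass it through (PROXY protocol / X-Forwarded-For), which is
    the "funky stuff" the post mentions. Note that everyone sharing a NAT
    address with an authenticated user is admitted too.
    """
    expected = CREDENTIALS.get(username, "")
    # Constant-time comparison so a wrong password does not leak by timing.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    _allowlist[source_ip] = now + ALLOW_TTL_SECONDS
    return True


def tcp_gate(source_ip: str, now: float) -> bool:
    """Decision for an incoming TCP connection (e.g. to port 25565).

    Only admits IPs whose login has not expired; expired entries are dropped
    lazily on the next attempt.
    """
    expiry = _allowlist.get(source_ip)
    if expiry is None:
        return False
    if now >= expiry:
        del _allowlist[source_ip]
        return False
    return True


if __name__ == "__main__":
    t0 = time.time()
    print("before login:", tcp_gate("203.0.113.5", t0))                   # False
    print("login:", http_login("steve", "correct horse battery staple", "203.0.113.5", t0))
    print("after login:", tcp_gate("203.0.113.5", t0))                    # True
    print("after TTL:", tcp_gate("203.0.113.5", t0 + ALLOW_TTL_SECONDS))  # False
```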


#3
Quote from: mimugmail on December 09, 2020, 12:57:44 PM
Better remove the self audit like with every other vendor where everyone just feels safe, even after months of not updating? :)

It would stop a lot of these posts ;)

Quote from: franco on December 09, 2020, 12:29:07 PM
Too risky for hotfix as well so we will probably have to pick this up next week.

Oh yeah, just inconvenient timing for announcing the CVE.
#4
Always the way just after you push a new version...
#5
So, first things first.

You won't be able to do this with HAProxy.

Really the only way you can achieve what you want is to sit the MC server behind a VPN.

So, you'll need to set up a VPN server, OpenVPN, WireGuard, etc.
Shift your MC server to sit in a DMZ, if you haven't already and then point all VPN connections to the DMZ.

If you want, you can also configure unbound to allow the users connecting to the VPN to use hostnames instead of IP addresses.
#6
I'm sure someone else would have asked it but can you provide more details on your setup, hardware, logs, etc.

Worst case scenario are you able to take a backup, flatten it, install 20.7 fresh and restore from backup?
#7
20.7 Legacy Series / [Solved] Re: SSHD banner
September 05, 2020, 08:27:44 AM
Legend.. Exactly what I was after...

Not that confident to screw with the target overlays yet but added what I needed to /usr/local/opnsense/service/templates/OPNsense/Auth/motd and it's looking good.
#8
20.7 Legacy Series / [Solved] SSHD banner
September 05, 2020, 07:06:26 AM
Hey guys,

This should be a fairly simple one where I'm just missing something or maybe something to add as a feature request for a future release if it's not already doable...

What I am wanting to do is add my own content to a SSHD banner.
Because sshd_config is currently automatically generated, is there a way to add or append my legal content to the SSH banner in OpnSense?
#9
So... I decided to add the following to rc.conf so that it should run FSCK on the next reboot
background_fsck="NO"
fsck_y_enable="YES"
fsck_y_flags="-f"

Rebooted the machine and sure enough in the dmesg logs I have "FILE SYSTEM CLEAN; SKIPPING CHECKS"

Unless there's something else going on with 20.1.9_1 that is then causing issues with the upgrade.

Here's the dmesg log from boot on 20.1.9_1 https://pastebin.com/RyVvMDdw


#10
Hey all,

I have a lovely predicament at the moment with upgrading my FW running 20.1.9 in AWS Lightsail.

I tried an upgrade and when the FW was unresponsive for an hour I was starting to get a bit worried...

Exported a backup to EC2 so that I could do some further testing and access the system log and as the subject mentions... I get a whole lot of "cylinder checksum failed" errors.
cylinder checksum failed.
https://pastebin.com/xUfnZqZN

Did some quick googling and came across https://bugs.freebsd.org/225110 I'm not that great with BSD but is there something I can do before attempting the upgrade to resolve this issue?

Solved: Gave up trying to fix the issue so I spooled up a new FreeBSD 12 instance and ran the bootstrapper. Once I got the FW up... Matter of seconds to cut it over... Nice fresh setup with the old config.
#11
Also tried upgrading a couple times... I'm not running Sensei but I am running Suricata... Disabled suricata prior to the upgrade and it doesn't seem to have made any difference... The kicker for me is I'm running the FW in AWS Lightsail so I'm not able to get to the console if it fails to boot... :(
#12
Quote from: hushcoden on July 31, 2020, 08:54:20 AM
Quote from: spuky on July 30, 2020, 05:21:14 PM
From the 20.1.9 Release notes:
Quote
20.7-RC1 is already available and the final release of 20.7 is scheduled for July 30. A hotfix release for 20.1.9 will enable the upgrade path some hours after the initial 20.7 announcement is out

So just wait for the Hotfix... then you can upgrade...
Do we know when the Hotfix will be released?

Thanks.

I'm going to channel my inner developer here... When it's ready... Also how long is a piece of string.
#13
19.7 Legacy Series / Re: HAPROXY HTTP Rewrite
July 31, 2020, 12:46:02 AM
First off, this would probably be better off here: https://forum.opnsense.org/index.php?board=28.0
Secondly could you post your haproxy config so we can get a better idea on what's going on?
#14
Web Proxy Filtering and Caching / Re: HAProxy 2FA
July 20, 2020, 04:08:47 PM
So... Directly with HAProxy... Not really... However you could use something like this https://github.com/authelia/authelia in conjunction with HAProxy.

Here's a guide on how to use it with HAProxy
https://www.authelia.com/docs/deployment/supported-proxies/haproxy.html
#15
Don't use a FQDN for the bind address. Use either a specific interface IP or 0.0.0.0.

Then that should work fine.