Messages

1

22.1 Production Series / Re: Firewall Rules | InterVLAN Traffic

« on: May 27, 2022, 01:37:34 pm »

I found the "hidden" rules via /tmp/rules.debug.

rdr on igb1_vlan2 inet proto tcp from {(igb1_vlan2:network)} to {any} port {80} -> 127.0.0.1 port 3128 # redirect traffic to proxy
rdr on igb1_vlan2 inet proto tcp from {(igb1_vlan2:network)} to {any} port {443} -> 127.0.0.1 port 3129 # redirect secure traffic to proxy

a) Why they are "hidden" and not removed when switching off transparent mode?
b) how can I remove this?

@franco sry to summon, any ideas? is this a known issue?

2

22.1 Production Series / Re: Firewall Rules | InterVLAN Traffic

« on: May 26, 2022, 07:43:58 pm »

So Port 22 works. Seems to be proxy related. But even when I turned off the web proxy, no transparent mode, no interfaces selected, it does not work.

Are there any hidden rules?

3

22.1 Production Series / Re: Firewall Rules | InterVLAN Traffic

« on: May 26, 2022, 02:36:42 pm »

Hello,
LAN contains ESXi Hosts and vCenter.
VLAN2 contains Active Directory and Horizon Connection Server.

I try to access vCenter (LAN) or any "internal" webservice via TCP 80 or 443. 80,443 or 3389 from LAN -> VLAN2 works fine.

Machines from VLAN2 can access the internet via Web Proxy (if needed, but currently not configured on any machine in VLAN2) (had it transparent before, but removed that).

OPNSense is the only physical gateway for both subnets.

Are there any hidden rules from the web proxy?

4

22.1 Production Series / Firewall Rules | InterVLAN Traffic

« on: May 25, 2022, 08:48:10 pm »

Hello,
obviously I'm to stupid to get traffic from one VLAN to another one.

I do get traffic from LAN to VLAN2. But I can't reach VLAN2 to LAN (only ICMP works).

Can someone help me with that? I tried rules in every direction on every interface (LAN, VLAN2). I'm able to reach LAN -> VLAN2 but not in the other direction. What am I doing wrong?

As ICMP works, I would rule out any routing problem.

Is this related to the webproxy? (transparent mode, but rules deleted on VLAN2)

Cheers and thx for help.

5

22.1 Production Series / Re: vlan issues - in combination with IPS (IDS works)

« on: January 31, 2022, 11:56:55 pm »

IDS IPS is active on the physical interfaces or vlans as well?

Activate IPS only on physical interfaces.

6

22.1 Production Series / Re: Can't write image to USB key

« on: January 28, 2022, 06:26:21 pm »

You uncompressed it? bz2 is not the raw image. Use 7zip.

7

Intrusion Detection and Prevention / Re: log4j vulnerability detection

« on: December 17, 2021, 01:27:40 am »

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

are you using Snort on Opns? i am having issues with Suricata.

No I'm using suricata with additional Snort Rules. Use 29190. Don't use 3.x rules.

8

Intrusion Detection and Prevention / Re: log4j vulnerability detection

« on: December 13, 2021, 04:06:43 pm »

Snort Rules in server-web and server-other detect Log4j aswell. As long as traffic is not end to end encrypted.

https://www.snort.org/advisories/talos-rules-2021-12-11

9

21.7 Legacy Series / Re: Certificate renewal

« on: October 09, 2021, 05:13:49 pm »

sorry, didn't guess that this is a hint of adding a new feature 

Kind of. Actually the question was more like "am I blind", "is there an easy way" or "can I achieve this via cmdline" to renew certificates.

However thanks for help!

10

21.7 Legacy Series / Re: Certificate renewal

« on: October 09, 2021, 03:08:22 pm »

ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?

Thank you. No everything works with the CA, however I thought a simple renew button would have been nice as long as the private keys are managed by OPNSense.

11

21.7 Legacy Series / Re: ZFS Health Status and Menu Coming Soon?

« on: October 09, 2021, 03:04:32 pm »

As for configuring ZFS from the GUI for use cases such as snapshots/boot environments that might be part of a future business edition instead.


Cheers,
Franco

Any plans to impelement automatic snapshots before any opnsense-code or opnsense-update? I saw this on TrueNAS.

12

21.7 Legacy Series / Re: Certificate renewal

« on: October 09, 2021, 12:00:54 pm »

I do have the following certificates issued by OPNSense.

CA
|_ Inspection CA -> SSL Inspection Web Proxy
|_ Signing CA
   |_ Several Certificates for Web Servers

Now some certificates for webservers are expired and the inspection CA is expired. How to get these resigned with the same private key or if only possible to resign without private key?

I thought there is a better way than deleting and issue again.

13

21.7 Legacy Series / Re: Certificate renewal

« on: October 06, 2021, 03:41:24 pm »

I've to dig this up again. This feels unconfortable when the private key was generated by opnsense and I don't know where the certificates are on the FS.

Thanks for the tipp bartjsmit, but this doesn't work with a SubCA.


Is there a way to renew a certificate previously signed within OPNSense via CLI?

14

Intrusion Detection and Prevention / Re: Suricata and time-out blocked ips and other questions

« on: September 28, 2021, 07:09:19 pm »

1) Check Rules and Policy Tab
2) Its called passlist.
3) Not out of the box. Whats the requirement here?

15

21.7 Legacy Series / Certificate renewal

« on: September 25, 2021, 03:24:50 pm »

Hello,
is there any way to renew certificates that have been issued?

I use this as "light" CA, as other systems are to comlicated.

Cheers