Messages - XeroX

46
20.7 Legacy Series / Weird problem with NAT Reflection
« on: September 27, 2020, 01:09:43 am »
Hello,
so I noticed the following problem.

Before using NAT Reflection I used remapping specific domains to internal IP addresses (my dyndns address) with Unbound and Pi-Hole. Worked perfectly, certificates valid.

I thought about using NAT-Reflection to get rid of these domain rewrites. So I enabled it and removed the DNS entries.

My application is forwarded on ports 80 and 443.

When I enable NAT-Reflection + Create Rules and connect via Wireguard and enter for ex. x.x.x.1 to get access on OPNSense, I land on the application forwarded to 80 and 443 instead of OPNSense WebIF.

Any ideas or solution to this?

Cheers

47
20.7 Legacy Series / Re: updating to 20.7.3 stopped at "reloading template wireguard"
« on: September 25, 2020, 07:22:34 pm »
Same for me, stuck at:

Code:
Reloading template OPNsense/Quagga: OK
EDIT: Reboot and running the update solved the problem. No issues.

48
Development and Code Review / Re: How to update MAC vendor db?
« on: September 22, 2020, 06:19:35 pm »
Great franco, thank you!

Hope you can implement 0.8.0 directly and skip 0.7.20.

If you need any help or pull request let me know.

Which branch is it?

49
Development and Code Review / Re: How to update MAC vendor db?
« on: September 18, 2020, 10:23:08 am »
Oh yes, franco. You're correct.

Check the commit I posted on netaddr. The method has been removed. That's why I changed it.

https://github.com/netaddr/netaddr/commit/5b2807ff91640c959dc358334f626cea0e28778c

EDIT:
Here we go:

Code:
--- list_macdb.py.old   2020-09-18 10:42:50.178232000 +0200
+++ list_macdb.py       2020-09-18 10:39:20.059022000 +0200
@@ -27,12 +27,12 @@
 import os.path
 import sys
 import ujson
-import netaddr.eui.ieee
+import imp

 if __name__ == '__main__':
     result=dict()
-    if os.path.isfile(netaddr.eui.ieee.OUI_REGISTRY_PATH):
-        for line in open(netaddr.eui.ieee.OUI_REGISTRY_PATH, 'rb'):
+    if os.path.isfile((imp.find_module('netaddr')[1])+'/eui/oui.txt'):
+        for line in open((imp.find_module('netaddr')[1])+'/eui/oui.txt', 'rb'):
             line = line.decode()
             if line.find('(base 16)') > -1:
                 parts=line.split('(base 16)')
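Review bot: `imp` has been deprecated since Python 3.4, and both `+` lines call `imp.find_module('netaddr')` and rebuild the same path by string concatenation. Resolve the path once into a variable before the `isfile` check, for example with `os.path.join(os.path.dirname(netaddr.__file__), 'eui', 'oui.txt')` or `importlib.util.find_spec('netaddr')`, and reuse that variable in `open()`. That also removes the gap between checking one computed path and opening another, and lets the `open()` move into a `with` block so the file handle is closed.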

50
Development and Code Review / Re: How to update MAC vendor db?
« on: September 18, 2020, 09:34:10 am »
Morning franco,
what do you mean exactly the same? referred to?

I know it breaks, will try to improve that, I'm quite new to Python.

51
Development and Code Review / Re: How to update MAC vendor db?
« on: September 18, 2020, 01:31:18 am »
Bad code, and ARP Vendor Lookup works differently than DHCP Leases. DHCP Leases always parses the complete list instead of looking up each single item with the netaddr method. I'm not a programmer, I may check how to build this better.

Fix for DHCP:
/usr/local/opnsense/scripts/interfaces/list_macdb.py
Code:
--- list_macdb.py.old   2020-09-18 01:28:10.300640000 +0200
+++ list_macdb.py       2020-09-18 01:27:01.729241000 +0200
@@ -27,12 +27,11 @@
 import os.path
 import sys
 import ujson
-import netaddr.eui.ieee

 if __name__ == '__main__':
     result=dict()
-    if os.path.isfile(netaddr.eui.ieee.OUI_REGISTRY_PATH):
-        for line in open(netaddr.eui.ieee.OUI_REGISTRY_PATH, 'rb'):
+    if os.path.isfile('/usr/local/lib/python3.7/site-packages/netaddr/eui/oui.txt'):
+        for line in open('/usr/local/lib/python3.7/site-packages/netaddr/eui/oui.txt', 'rb'):
             line = line.decode()
             if line.find('(base 16)') > -1:
                 parts=line.split('(base 16)')
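Review bot: the literal `/usr/local/lib/python3.7/site-packages/netaddr/eui/oui.txt` on both `+` lines pins the script to one interpreter version and install prefix, so the lookup will silently return an empty result after the next Python upgrade because the `isfile` guard just skips the loop. Derive the location from the installed package instead (for example from `netaddr.__file__`), keep it in a single variable used by both the check and the `open()`, and consider reporting an error when the file is missing rather than emitting an empty dict.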

52
Development and Code Review / Re: How to update MAC vendor db?
« on: September 18, 2020, 12:31:12 am »
Works like a charm on ARP Table. However breaks Vendor Lookup in DHCP completely.

distinfo
Code:
TIMESTAMP = 1600381665
SHA256 (netaddr-0.7.20.tar.gz) = d09252e5aec3913815d77eb8e8ea8fa6eb33521253e52f977f6abaa964776f3e
SIZE (netaddr-0.7.20.tar.gz) = 1889698

Code:
rm files/patch-setup.py
Makefile
Code:
--- Makefile.old        2020-09-18 00:29:47.359512000 +0200
+++ Makefile    2020-09-18 00:29:53.599067000 +0200
@@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME=      netaddr
-PORTVERSION=   0.7.19
+PORTVERSION=   0.7.20
 PORTREVISION=  1
 CATEGORIES=    net python
 MASTER_SITES=  CHEESESHOP
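Review bot: `PORTREVISION=  1` is left in place while `PORTVERSION` goes from 0.7.19 to 0.7.20. FreeBSD ports convention is to reset `PORTREVISION` (drop the line) whenever `PORTVERSION` is incremented, otherwise the package is published as 0.7.20_1 without any port-level revision having happened. Remove the `PORTREVISION` line in the same change.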

EDIT:
DHCP Leases uses the following command:
configctl interface list macdb json
Execute error

It's broken, as a method does not exist anymore:

Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/interfaces/list_macdb.py", line 39, in <module>
    if os.path.isfile(netaddr.eui.ieee.OUI_REGISTRY_PATH):
AttributeError: module 'netaddr.eui.ieee' has no attribute 'OUI_REGISTRY_PATH'

https://github.com/netaddr/netaddr/commit/5b2807ff91640c959dc358334f626cea0e28778c

EDIT2:
0.8.0 released 6 days ago.

53
Development and Code Review / Re: How to update MAC vendor db?
« on: September 17, 2020, 11:25:28 pm »
Finally the Package including Databases have been updated (last more than 3 years ago)

Can we get an update of this package to have finally granular vendor mac addr lookup?

https://netaddr.readthedocs.io/en/latest/changes.html
Release: 0.7.20
Date: 19 Jun 2020

(This is at least the used library for ARP Table?!)
https://github.com/opnsense/core/blob/master/src/opnsense/scripts/interfaces/list_macdb.py

54
20.7 Legacy Series / Re: Call for testing: official netmap kernel
« on: September 17, 2020, 04:03:55 pm »
Upgrading on a system with igb drivers gains no improvement or benefit correct?

55
20.7 Legacy Series / Re: Firmware Flavour vs clean install (are settings retained?)
« on: September 05, 2020, 03:54:04 pm »
The settings are restored to LibreSSL, but I can't see any LibreSSL Images.

So you have to check for Updates after restore to get back to LibreSSL.

56
20.7 Legacy Series / Re: Firewall Rules Optimization
« on: September 05, 2020, 02:37:08 pm »
Thanks a lot.

Really good article about pfctl.

57
20.7 Legacy Series / Firewall Rules Optimization
« on: September 03, 2020, 07:59:04 pm »
Hello @Firewall Advanced Settings, I can find "Firewall Rules Optimization". It allows None, Basic and Profile.

I searched for pfctl and found the exact same description. What is it exactly doing on "Profile"?

What is the best setting for maximum optimization if I've spare memory and processor time?

Cheers

58
Intrusion Detection and Prevention / Re: Suricata prevents Battle.net login - no drops or alerts logged
« on: August 31, 2020, 11:00:54 am »
All rules regarding battle.net and for ex. warcraft are disabled in "Rules" overview?

59
Intrusion Detection and Prevention / Re: Send IPS alerts by e-mail
« on: August 23, 2020, 02:57:35 pm »
I agree if running IDS, but I'm running IPS. I want to block malicious traffic to my exposed systems.

I don't need notifications for any DShield blocks so I check that manually from day to day.

60
Intrusion Detection and Prevention / Re: Home network in IDS/IPS
« on: August 23, 2020, 02:55:17 pm »
Yes, as long as your IP range is within RFC1918 according to the description.
