Messages - FullyBorked

151
22.1 Legacy Series / Re: [22.1.6] DHCP leases not registered in Unbound
« on: April 20, 2022, 05:10:31 pm »
Quote from: franco on April 20, 2022, 05:03:08 pm
The lease should show up in dhcpleases.conf once Unbound was restarted. The process to generate the file is:

# pgrep -f unbound_dhcpd.py

(should be up and running by showing a PID)

This process will also log to the Unbound log:

# opnsense-log resolver

Here's how to restart it and watch the log file:

# configctl -d unbound restart && opnsense-log -f resolver

Any errors here related to the host in question?


Cheers,
Franco

Restarted with

Code:
# configctl -d unbound restart && opnsense-log -f resolver

No errors were printed related to the host in question. Logging level is set to "2"; I would think that would be enough to show these errors, but I can adjust if needed.

152
22.1 Legacy Series / Re: [22.1.6] DHCP leases not registered in Unbound
« on: April 20, 2022, 04:53:17 pm »
Quote from: franco on April 20, 2022, 04:36:30 pm
To reiterate, make sure that the entry exists in

# cat /var/dhcpd/var/db/dhcpd.leases

and is valid (as in not already expired). Then make sure the entry exists in

# cat /var/unbound/dhcpleases.conf

When doing a restart of Unbound there should be no issue that valid entries do not end up in this file if they exist in the former.

Then, redo the testing to resolve the DHCP lease. If it doesn't work but it exists in both files the test was wrong. Sometimes domain mismatches can make this happen...


Cheers,
Franco

I confirmed that the entry exists and is not expired in the

Code:
# cat /var/dhcpd/var/db/dhcpd.leases

I however do not see this entry in

Code:
# cat /var/unbound/dhcpleases.conf

Even after restarting the service the entry does not show up in the file. I also question whether restarting the service should even be necessary. I can provide a screenshot if there is a less public way for me to do so. I just don't want to post up a list of host names and IPs on a public forum if it can be avoided.
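A cross-check of the two files discussed in this exchange, added here as a diagnostic; it is not part of the thread and not OPNsense's own unbound_dhcpd.py. It assumes the ISC dhcpd.leases layout (UTC timestamps, later blocks for the same IP superseding earlier ones) and that dhcpleases.conf carries `local-data:` A records of the form `host.domain IN A ip`; the sample lease file, the Unbound file, the domain `lan` and the clock value are constructed.

```python
"""Find active DHCP leases that never made it into Unbound's dhcpleases.conf.

Reports two things Franco asks about above: leases that are valid (state
'active', not expired) but absent from the generated Unbound file, and
leases that are present under a different domain than the one expected.
"""
import re
from datetime import datetime, timezone

# One ISC lease block: 'lease <ip> { ... }' (no nested braces inside a block).
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# Assumed record shape written into dhcpleases.conf for each lease.
UNBOUND_RE = re.compile(r'local-data:\s*"(\S+)\s+IN\s+A\s+(\S+)"')


def parse_leases(text):
    """Return {ip: {'ends', 'state', 'hostname'}}; the last block per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        entry = {}
        for raw in body.splitlines():
            line = raw.strip().rstrip(";")
            if line.startswith("ends "):
                # 'ends never' or 'ends <weekday> YYYY/MM/DD HH:MM:SS' in UTC
                parts = line.split()
                if parts[1] == "never":
                    entry["ends"] = None
                else:
                    entry["ends"] = datetime.strptime(
                        parts[2] + " " + parts[3], "%Y/%m/%d %H:%M:%S"
                    ).replace(tzinfo=timezone.utc)
            elif line.startswith("binding state "):  # not 'next binding state'
                entry["state"] = line.split()[2]
            elif line.startswith("client-hostname "):
                entry["hostname"] = line.split(None, 1)[1].strip('"')
        leases[ip] = entry
    return leases


def active_leases(leases, now):
    """Keep only leases that are bound and have not expired at 'now'."""
    return {ip: e for ip, e in leases.items()
            if e.get("state") == "active"
            and (e.get("ends") is None or e["ends"] > now)}


def parse_unbound(text):
    """Return {ip: fqdn} from the local-data A records in dhcpleases.conf."""
    return {ip: fqdn.rstrip(".").lower() for fqdn, ip in UNBOUND_RE.findall(text)}


def check(leases_text, unbound_text, domain, now):
    """Return (missing_ips, [(ip, expected_fqdn, actual_fqdn), ...])."""
    unbound = parse_unbound(unbound_text)
    missing, mismatched = [], []
    for ip, entry in sorted(active_leases(parse_leases(leases_text), now).items()):
        if "hostname" not in entry:
            continue  # nothing to register without a client-hostname
        expected = f"{entry['hostname']}.{domain}".lower()
        actual = unbound.get(ip)
        if actual is None:
            missing.append(ip)
        elif actual != expected:
            mismatched.append((ip, expected, actual))
    return missing, mismatched


# Constructed sample input: one valid lease missing from Unbound, one expired
# lease (must be ignored), one registered under the wrong domain.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2022/04/20 10:00:00;
  ends 4 2022/04/21 10:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  ends 3 2022/04/20 10:00:00;
  binding state active;
  client-hostname "oldbox";
}
lease 192.168.1.52 {
  ends 4 2022/04/21 10:00:00;
  binding state active;
  client-hostname "printer";
}
"""
SAMPLE_UNBOUND = """\
local-data-ptr: "192.168.1.52 printer.example.org"
local-data: "printer.example.org IN A 192.168.1.52"
"""
NOW = datetime(2022, 4, 20, 17, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    missing, mismatched = check(SAMPLE_LEASES, SAMPLE_UNBOUND, "lan", NOW)
    print("active leases missing from Unbound:", missing)
    print("domain mismatches (ip, expected, found):", mismatched)
```

On a live box the two texts come from the paths quoted above and `now` from `datetime.now(timezone.utc)`.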

153
22.1 Legacy Series / Re: [22.1.6] DHCP leases not registered in Unbound
« on: April 20, 2022, 02:54:09 am »
Quote from: franco on April 19, 2022, 02:01:29 pm
But is it expired or not. Pasting the entry here would certainly help reduce guesswork.


Cheers,
Franco

I'm experiencing the same issue; I also just upgraded to 22.1.6.  I do find an entry in the DHCP lease file for the missing DNS entry.  It shows active and that the lease will expire tomorrow.  However, I'm unable to resolve it with nslookup from the CLI of the firewall or from any other device, even after restarting the unbound service, as the OP stated.  I've had this issue for some time and posted about it a long time ago; the difference then was that restarting the unbound service brought the new entries in. Unlike this time, when I can't seem to get unbound to bring them in.  I can provide evidence but don't want to post publicly.

154
General Discussion / Information on enhancing security of wordpress server
« on: March 28, 2022, 07:47:08 pm »
I'm in the process of spooling up a WordPress server.  The server is properly segmented in a DMZ.  In the past I would simply NAT ports 80 and 443 to my server and follow best practice for securing that server.  This is how I've done things for years.  I think this is an acceptable methodology still.  However, I'd like to see what other things I might do to mitigate threats.  I already have IPS set up.  I thought about using a reverse proxy, and even setting up a WAF, but the instructions in the OPNsense guide only seem to be an overview, not a guide.  With my lack of experience with setting up a WAF and/or reverse proxy I'm struggling to fully grasp what I need to do, or whether this is even the best path to take.

Looking for some information on guides or just general ideology to better secure this implementation from external threats.  Maybe following KISS methodology and just using NAT is still the best way. 

155
22.1 Legacy Series / Anyway to manually set display of interface duplex and speed?
« on: February 22, 2022, 10:04:59 pm »
I currently have an Intel X550-T2 card installed and it works just fine.  However, it doesn't correctly display interface speed and duplex on 2.5 Gbps connections; 1 and 10 display correctly.  I figure it's just missing information somewhere and was curious if I could just manually add it myself to cure my OCD annoyance here :o lol.


156
22.1 Legacy Series / Re: Default Deny Rule - Once Again
« on: February 16, 2022, 09:22:13 pm »
It's hard to provide a lot of guidance without some info on network layout and rule sets.  If it's happened in the past it seems to be an environmental issue of some type with your particular configuration.  It'll be a bit hard to weed out potentially.  If it's happened more than once on different distributions my first thought would be a design issue is somehow creating the issue you are seeing.  It's possible it's a bug that's specific to your setup, but it's also possible your configuration is causing you pain and the firewall is functioning as designed (I've chased that red herring a few times). 

I had a specific issue one time NAT'ing IPsec traffic across a WatchGuard firewall between two Juniper VPN endpoints.  Technically what I was doing wasn't supported, or even proper for that matter.  Due to our specific requirements it had to be designed this way.  It worked for a long time, but at some random point the firewall would just start silently dropping packets even though the rule was in place.  A reboot of the firewall or a reapply of the rule would sometimes bring it back.  I never figured out if it was a bug, or just an issue with how I was improperly configured, or a combination of both.

I give that long story just to give a representation of what I'm getting at. 

If you manage to root out a bug, it can be reported here: https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md&title=

157
Zenarmor (Sensei) / Re: Trusting Sensei
« on: January 19, 2022, 10:27:59 pm »
I might be missing something in this thread and I'm not going to get caught up in the argument.  But you can view their privacy policy here: https://www.sunnyvalley.io/legal/privacy-policy.  This will detail what they collect and how they use it.  Read through this and you can decide whether you are comfortable with the policy or not.

158
Intrusion Detection and Prevention / Re: Proper Ruleset for IDS and Firewall on following detection
« on: January 13, 2022, 07:05:55 pm »
Quote from: Bogotrax on January 13, 2022, 07:03:32 pm
Thanks for your feedback. I need to run that through my head what are the options for me. I'll take a look at zenarmor. Seems like a fitting solution and less ram is something that sounds good to me. For more Ram, I'd need another APU or find an old PC to run opnsense on.

Ah, didn't know you were running on an APU; that'll be harder to add RAM to ;D.

159
Intrusion Detection and Prevention / Re: Proper Ruleset for IDS and Firewall on following detection
« on: January 13, 2022, 03:30:29 pm »
Quote from: Bogotrax on January 13, 2022, 02:24:52 pm
Thanks a lot for the input. I will run Malwarebytes over it.
Meanwhile I have another thing that is bugging me:
I get those alerts for connections to a .biz and a .cloud address that I would like to use the firewall on, if possible.
I already told Suricata to drop them, but they keep on popping up, also having the flag to be "allowed" to pass through.
I am not the brightest bulb regarding firewall and Suricata settings. I also can't run IPS instead of IDS because of memory.
Any idea how to set up the firewall so that they don't pop up?

Code:
2022-01-13T13:47:52.698167+0100 2027863 allowed wan 192.168.0.2 4429 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.673658+0100 2027863 allowed wan 192.168.0.2 54846 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.653052+0100 2027863 allowed wan 192.168.0.2 48538 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.643888+0100 2027863 allowed wan 192.168.0.2 37436 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.623157+0100 2027863 allowed wan 192.168.0.2 13648 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.622745+0100 2027863 allowed wan 192.168.0.2 36422 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.612215+0100 2027863 allowed wan 192.168.0.2 33396 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.603882+0100 2027863 allowed wan 192.168.0.2 45495 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.583251+0100 2027863 allowed wan 192.168.0.2 35145 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.581649+0100 2027863 allowed wan 192.168.0.2 24309 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.569699+0100 2027863 allowed wan 192.168.0.2 62882 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.558900+0100 2027863 allowed wan 192.168.0.2 12915 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.552599+0100 2027863 allowed wan 192.168.0.2 43095 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.541694+0100 2027863 allowed wan 192.168.0.2 59307 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.527505+0100 2027863 allowed wan 192.168.0.2 35049 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.526289+0100 2027863 allowed wan 192.168.0.2 18341 217.160.83.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.525678+0100 2027863 allowed wan 192.168.0.2 22338 217.160.82.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.524232+0100 2027863 allowed wan 192.168.0.2 58652 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.523396+0100 2027863 allowed wan 192.168.0.2 37851 156.154.125.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.518676+0100 2027863 allowed wan 192.168.0.2 59472 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.484347+0100 2027863 allowed wan 192.168.0.2 24890 217.160.83.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.483929+0100 2027863 allowed wan 192.168.0.2 61148 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.481112+0100 2027863 allowed wan 192.168.0.2 19132 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.476844+0100 2027863 allowed wan 192.168.0.2 54645 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.476337+0100 2027863 allowed wan 192.168.0.2 17989 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.450989+0100 2027863 allowed wan 192.168.0.2 29572 185.132.32.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.450782+0100 2027863 allowed wan 192.168.0.2 62568 217.160.80.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.421765+0100 2027863 allowed wan 192.168.0.2 36385 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.421539+0100 2027863 allowed wan 192.168.0.2 30058 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.418944+0100 2027863 allowed wan 192.168.0.2 23849 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.418357+0100 2027863 allowed wan 192.168.0.2 44626 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.417421+0100 2027863 allowed wan 192.168.0.2 41847 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.416169+0100 2027863 allowed wan 192.168.0.2 61354 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.413759+0100 2027863 allowed wan 192.168.0.2 24896 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.381671+0100 2027863 allowed wan 192.168.0.2 11827 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.381330+0100 2027863 allowed wan 192.168.0.2 27976 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.379455+0100 2027863 allowed wan 192.168.0.2 9047 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.374545+0100 2027863 allowed wan 192.168.0.2 51799 217.160.81.195 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.363598+0100 2027863 allowed wan 192.168.0.2 47803 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.363274+0100 2027863 allowed wan 192.168.0.2 58848 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.362959+0100 2027863 allowed wan 192.168.0.2 18401 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.353066+0100 2027863 allowed wan 192.168.0.2 61134 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.352807+0100 2027863 allowed wan 192.168.0.2 14789 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.352078+0100 2027863 allowed wan 192.168.0.2 20751 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:52.351162+0100 2027863 allowed wan 192.168.0.2 29378 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:47:44.374404+0100 2027865 allowed wan 192.168.0.2 50580 205.251.197.233 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.351494+0100 2027865 allowed wan 192.168.0.2 22185 205.251.198.14 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.340358+0100 2027865 allowed wan 192.168.0.2 33704 205.251.194.208 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.320512+0100 2027865 allowed wan 192.168.0.2 49131 205.251.197.233 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:47:44.311792+0100 2027865 allowed wan 192.168.0.2 34742 205.251.198.14 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.859926+0100 2027865 allowed wan 192.168.0.2 56364 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.843627+0100 2027863 allowed wan 192.168.0.2 7824 156.154.66.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.842432+0100 2027863 allowed wan 192.168.0.2 18212 156.154.66.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.837147+0100 2027865 allowed wan 192.168.0.2 36600 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.805659+0100 2027865 allowed wan 192.168.0.2 12782 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.792593+0100 2027863 allowed wan 192.168.0.2 33311 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.792070+0100 2027863 allowed wan 192.168.0.2 32832 156.154.67.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.729668+0100 2027865 allowed wan 192.168.0.2 51040 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.685873+0100 2027863 allowed wan 192.168.0.2 33583 156.154.67.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.683009+0100 2027863 allowed wan 192.168.0.2 40436 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:29:16.666397+0100 2027865 allowed wan 192.168.0.2 5694 205.251.199.196 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.616205+0100 2027865 allowed wan 192.168.0.2 28638 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:29:16.573029+0100 2027865 allowed wan 192.168.0.2 16737 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:55.489059+0100 2027865 allowed wan 192.168.0.2 12554 205.251.193.216 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:54.393541+0100 2027865 allowed wan 192.168.0.2 55728 205.251.199.235 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:54.302682+0100 2027865 allowed wan 192.168.0.2 28844 205.251.194.57 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.885024+0100 2027865 allowed wan 192.168.0.2 17822 205.251.197.240 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.805721+0100 2027863 allowed wan 192.168.0.2 16216 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.715443+0100 2027865 allowed wan 192.168.0.2 61597 37.209.196.10 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T13:28:53.600341+0100 2027863 allowed wan 192.168.0.2 33149 156.154.125.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.597788+0100 2027863 allowed wan 192.168.0.2 21605 8.20.241.106 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.510345+0100 2027863 allowed wan 192.168.0.2 29033 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.508700+0100 2027863 allowed wan 192.168.0.2 37459 8.20.241.106 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.498303+0100 2027863 allowed wan 192.168.0.2 53948 176.97.158.110 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.435377+0100 2027863 allowed wan 192.168.0.2 18914 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.434980+0100 2027863 allowed wan 192.168.0.2 48285 37.209.192.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.433694+0100 2027863 allowed wan 192.168.0.2 64816 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:53.431939+0100 2027863 allowed wan 192.168.0.2 56089 37.209.194.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.357773+0100 2027863 allowed wan 192.168.0.2 39556 156.154.65.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.356476+0100 2027863 allowed wan 192.168.0.2 10883 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.247825+0100 2027863 allowed wan 192.168.0.2 57419 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.244866+0100 2027863 allowed wan 192.168.0.2 23116 156.154.69.196 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.202758+0100 2027863 allowed wan 192.168.0.2 45043 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T13:28:44.201651+0100 2027863 allowed wan 192.168.0.2 64633 37.209.196.13 53 ET INFO Observed DNS Query to .biz TLD
2022-01-13T12:43:02.231632+0100 2028651 allowed wan 192.168.0.2 20204 104.107.217.217 80 ET USER_AGENTS Steam HTTP Client User-Agent
2022-01-13T08:12:20.039878+0100 2027865 allowed wan 192.168.0.2 45769 173.245.59.112 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:12:19.980355+0100 2027865 allowed wan 192.168.0.2 31034 37.209.196.10 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:01.059268+0100 2027865 allowed wan 192.168.0.2 12516 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:01.029399+0100 2027865 allowed wan 192.168.0.2 21075 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.997556+0100 2027865 allowed wan 192.168.0.2 48293 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.969271+0100 2027865 allowed wan 192.168.0.2 43307 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.943702+0100 2027865 allowed wan 192.168.0.2 13811 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:09:00.185653+0100 2027865 allowed wan 192.168.0.2 20990 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.536582+0100 2027865 allowed wan 192.168.0.2 31047 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.499046+0100 2027865 allowed wan 192.168.0.2 17004 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.468826+0100 2027865 allowed wan 192.168.0.2 6574 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:07:41.446155+0100 2027865 allowed wan 192.168.0.2 29722 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.758026+0100 2027865 allowed wan 192.168.0.2 56337 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.740972+0100 2027865 allowed wan 192.168.0.2 44401 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.718528+0100 2027865 allowed wan 192.168.0.2 18045 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.696855+0100 2027865 allowed wan 192.168.0.2 53492 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.666341+0100 2027865 allowed wan 192.168.0.2 58501 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.624650+0100 2027865 allowed wan 192.168.0.2 48127 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.593363+0100 2027865 allowed wan 192.168.0.2 41994 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:06:40.575082+0100 2027865 allowed wan 192.168.0.2 52802 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:13.216627+0100 2027865 allowed wan 192.168.0.2 18912 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:13.190978+0100 2027865 allowed wan 192.168.0.2 9983 205.251.198.94 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.944523+0100 2027865 allowed wan 192.168.0.2 52128 205.251.194.6 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.867541+0100 2027865 allowed wan 192.168.0.2 45429 205.251.192.227 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.814128+0100 2027865 allowed wan 192.168.0.2 24806 205.251.197.192 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.396212+0100 2027865 allowed wan 192.168.0.2 6751 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.376644+0100 2027865 allowed wan 192.168.0.2 45504 205.251.195.133 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.346661+0100 2027865 allowed wan 192.168.0.2 5751 205.251.193.237 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.326686+0100 2027865 allowed wan 192.168.0.2 46673 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.308596+0100 2027865 allowed wan 192.168.0.2 60876 205.251.193.237 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:12.287799+0100 2027865 allowed wan 192.168.0.2 61439 205.251.196.155 53 ET INFO Observed DNS Query to .cloud TLD
2022-01-13T08:05:04.681704+0100 2027863 allowed wan 192.168.0.2 28986 156.154.124.65 53 ET INFO Observed DNS Query to .biz TLD

Update: Malwarebytes couldn't find anything :/ Still thanks for your advice

I think you might be going about this the wrong way.  I would suggest updating your hardware to be able to use IPS.  Since threats are constantly changing, you won't be able to just build firewall rules every time.  You need an active system.  If memory is all you need, I would suggest buying some RAM; it's pretty cheap usually.

Also if you are only concerned with outbound internet browsing type traffic, Zenarmor might be a better fit for you.  Again you are going to have memory constraints.  Usually Suricata is going to sit on your WAN connections for inbound traffic to say a website on your network.  Zenarmor is more for outbound web traffic and requires a LOT less tuning and configuring to get it working properly. 

160
Intrusion Detection and Prevention / Re: Proper Ruleset for IDS and Firewall on following detection
« on: January 10, 2022, 03:34:18 pm »
The Mozilla user agent just means you are using Firefox.  That rule can probably just be disabled in IDS unless you want to know when it's happening. 

For the JA3 detections, you'll need to spend some time on that one.  I'd be slightly concerned that you downloaded some malware, but I'm not 100% sure.  Might be worth running the free version of Malwarebytes and seeing if it comes up with anything.

https://sslbl.abuse.ch/ssl-certificates/signature/Tofsee/
https://sslbl.abuse.ch/ja3-fingerprints/0cc1e84568e471aa1d62ad4158ade6b5/

161
21.7 Legacy Series / Re: Graph view of Unbound statistics
« on: January 10, 2022, 03:26:43 pm »
I would like to see this as well.  But as far as I know nothing is built in; you would need to pull the statistical data into a third-party tool to graph it.

162
Virtual private networks / Re: WireGuard - Multiple client/peer to single server?
« on: December 23, 2021, 03:56:29 am »
Quote from: Greelan on December 23, 2021, 03:44:43 am
Did you click Apply after re-adding it?

Just to sanity check:

On your device, the interface public key is the same as in the Endpoint config for that device on OPNsense?
And on your device, the peer public key is the same as in the Local config for that device on OPNsense?

Yea, clicked apply, just removed and re-added once more just in case.

Correct on the keys.  Keeping in mind this worked up until I added a second endpoint and poof it all blew up. 

Might have to put this down for the night; I've been at this all afternoon and have made no progress, and I'm starting to get super annoyed that something seemingly so simple seems impossible.  I had OpenVPN up and going in less than 30 min and it's been good for probably a year without issue.  I'm something like 5 hours into this and still don't have a working config... makes no sense to me.

Appreciate the replies and help. 

163
Virtual private networks / Re: WireGuard - Multiple client/peer to single server?
« on: December 23, 2021, 03:24:38 am »
Tried removing the first endpoint and re-adding.  Now I can't even get it added to the config.  I think this is bugged.

164
Virtual private networks / Re: WireGuard - Multiple client/peer to single server?
« on: December 23, 2021, 02:14:11 am »
Quote from: Greelan on December 23, 2021, 02:04:21 am
Post screenshots of all the relevant configs on OPNsense and your devices (masking private keys and public IPs/domains) and that might help troubleshoot

See if any of this is helpful. 

165
Virtual private networks / Re: WireGuard - Multiple client/peer to single server?
« on: December 23, 2021, 02:00:27 am »
Quote from: Greelan on December 23, 2021, 01:55:50 am
Should be fine then. I have 3 peers for my road warrior setup and all can connect simultaneously. My only other thought is there is something wrong with the keys.

Yea, I'd think that too.  I've been over it and over it.  Sometimes one works and the other doesn't, sometimes neither works; now only the second one I set up works, and I can't get the first one to work even after a reboot.  I don't understand this even a little bit.  OpenVPN still works flawlessly and the WAN interfaces look good, so I don't know what is happening.  My Android devices are on Android 12; maybe there is something goofy there?  Don't have another external device to test with, unfortunately.  The lack of logging and information on the server side of WireGuard is almost enough for me to give up on it.  I'm only trying to use it over OpenVPN because my wife hates the 2FA OpenVPN login process.
