Messages

121

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 23, 2023, 03:36:50 pm »

Thanks Franco for the info and links. That explains it what is buggin here, and looking forward to the next update ;-)

@andyw: you can look at: SERVICES: NGINX: LOG FILE
And see the errors there for trying to solve it. Are you using Naxsi rules?

122

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 05:14:16 pm »

after the hotfix, I have narrowed it down. When you disable the naxsi rules:

rules SQL Injections 1000-1099 and File Uploads 1500-1600

Nginx starts and works. Hope someone else can see what the "problem" is with naxsi / these rules with the latest nginx

123

General Discussion / Re: Why are specific IP addresses ignored by OPNsense firewall?

« on: June 22, 2023, 04:03:29 pm »

TBF, any sane firewall troubleshooting would go through these steps before making a hot debate on the Internet about an alleged bug. Maybe it's one but if you haven't confirmed if that's the case it's not good because then it also cannot be reproduced.

Thnx and I totally agree.

124

General Discussion / Re: Why are specific IP addresses ignored by OPNsense firewall?

« on: June 22, 2023, 02:11:36 pm »

Agree to the tone of voice.
But the key question about 1 to 3 ip’s being able to pass through is interesting enough to test(?)
Hey speaks about one block rule with thousands of ip’s and those 3 escape it?

How to replicate?
 

125

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:59:13 pm »

ok and thnx for the fast following up

126

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:51:47 pm »

Yes that is correct.

I did another opnsense-revert -r 23.1.9 nginx, installed the normal update, removed the naxsi as stated above, and restarted nginx did work.

Is it that the patches I did are still there? because I know I needed that one for the first error to being fixed:

nginx: [emerg] invalid number of arguments in "load_module" directive in /usr/local/etc/nginx/nginx.conf:9

127

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:42:49 pm »

ok found the problem, besides your fix

it has to do with the Naxsi rules. When I disable: rules 1000-1099, 1400-1500; 1500-1600

nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:74

nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:50

and some and hit reload and start nginx works, so there has been some change with Naxsi in Nginx what does not start or the Naxsi rules are no longer compatible to this nginx?

128

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:35:17 pm »

Tried reloading config and than a forced reboot for the ultimate reload, but still same error after applying last patch:

   nginx: [emerg] invalid number of arguments in "load_module" directive in /usr/local/etc/nginx/nginx.conf:9

129

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:25:36 pm »

Thnx, tried it right away, same error?

nginx: [emerg] invalid number of arguments in "load_module" directive in /usr/local/etc/nginx/nginx.conf:9

130

23.1 Legacy Series / Re: after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 12:01:39 pm »

Thanks Franco for the fast replies.
The revert back worked as a charm, so that I can confirm.

back to the update and tried the patch. Another error now (besides the Naxsi ones)

nginx: [emerg] invalid number of arguments in "load_module" directive in /usr/local/etc/nginx/nginx.conf:9

131

23.1 Legacy Series / after update Nginx wont start error (OPNsense 23.1.10-amd64)

« on: June 22, 2023, 11:32:32 am »

After updating to OPNsense 23.1.10-amd64 and a forced reboot, nginx wont start.
First it was because of Naxsi rules (1500, 1000 etc) after disabling them, it still wont start:

nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
nginx: [emerg] unknown directive "vhost_traffic_status_zone" in /usr/local/etc/nginx/opnsense_http_vhost_plugins/vts.conf:1

But.I do not know what is meant by this. Before OPNsense 23.1.10-amd64 it was working and no changes in config other dan now disabling some Naxsi rules....

Others having issues with nginx after updating also?

132

General Discussion / Re: Why are specific IP addresses ignored by OPNsense firewall?

« on: June 22, 2023, 10:21:02 am »

Enter an IP address to show in which aliases it is used.
107.170.237.26
internet_defence
stretchoid_drop (my own block list)

I think he has made a firewall rule as his own “blocklist”

133

General Discussion / Re: Does a virtual-ip with firewall rule -this firewall- not work?

« on: June 22, 2023, 07:22:04 am »

thnx, yes that is what I expected also. But it does not work with the nginx plugin for VIP ipv4.
I only get nginx to work when I add a Nat portforward rule for this VIP to 192.168.1.1 (port 80 and 443).

Is this how the nginx plugin works or is this a bug in nginx plugin / opsense?

N.B. problem still exists after updating to the latest nginx with:
OPNsense 23.1.10_1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1u 30 May 2023

134

General Discussion / Does a virtual-ip with firewall rule -this firewall- not work?

« on: June 21, 2023, 05:30:19 pm »

I have nginx installed op opnsense with: firewall - rules - wan - destination "this firewall" port 80 and one with port 443.
This works with the opnsense-router/ISP ip and with ipv6, but I have added a virtual-ip (VIP) ipv4 and ipv6 to opnsense, this firewall rule does not work for the VIP ipv4?
Is that normal behavior? I would have expected it to work since virtual ip bind to the wan?

I have made a workaround for this by adding a firewall-NAT-portforward rule- with destination "Virtual ip" and port 80 and one for port 443 both to Redirect target IP [Opnsense LAN ip / 192.168.1.1], that works...
But is that how it should be?

Anybody else with this behavior? or knows how to fix this with VIP ipv4?

135

General Discussion / Re: how to subnet prefix /29 - 8 ipv4 addresses with opnsense

« on: June 20, 2023, 03:49:07 pm »

Thanks again, and I will take a look at it.
There is always a way for improvement  😜