Topics - eponymous

#21
21.7 Legacy Series / Error on daily IDS update
December 26, 2021, 08:37:27 PM
Hi,

I'm on OPNsense 21.7.7 and I've noticed after the daily IDS update cron job runs I get this error:

configd.py[82227]: unable to sendback response [OK  ] for [ids][update][None] {c02da2ca-fdd0-44c2-bb74-4861e693fa62}, message was Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run     self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

This happens every day but it does look like the rules are updating as the date stamp in the rules tab is changing.

Suricata is working as well.

I'm updating a lot of rules on a machine which has a dual core Atom (1.7) and 4GB RAM - I'm wondering if this is a timeout of some sort as possibly caused by constrained resources?

Any ideas on if this is anything to worry about?
#22
Hi,

This should be simple to answer and I think I know the answer but just want to confirm.

I've set Suricata to IPS on the WAN interface.

I'm seeing a lot of alerts where the source address is an external IP address (port scans and so on).

Initially this surprised me as I'd just assumed Suricata would sit inside the firewall and only check traffic that had been allowed through the firewall.

But it appears it does this:

                        Router
               -------------------------
Internet <---> | Suricata <-> Firewall |
               -------------------------


rather than this:

                        Router
               -------------------------
Internet <---> | Firewall <-> Suricata |
               -------------------------



Is that correct?

I don't have any open ports in my firewall so for me this is just noise but is still interesting to see what's happening.
#23
Hi,

I'm trying to track memory usage and looked at the health graph for memory.

I've removed all the lines except "free" but I can't figure out how to interpret the values.

My memory is ranging from "28" to about "3.2 / 3.3" but what does this actually mean? Looking at the dashboard shows about 68% usage around the time it's reporting 3.2 so I just assumed this was some sort of percentage i.e. 100-68 = 32. But then what does "28" mean?

I'm sure this is something simple I'm missing!

Thanks.
#24
Hi,

I've got an ELK stack up and running which I'm using for:


  • OPNsense syslog
  • Sensei (Zenarmor)
  • Netflow

Is there any way to get CPU usage, memory usage and even SMART logs into elastic?

Thanks,

E.
#25
Hi,

OPNsense 21.7.4:

On a fresh install of Sensei (Zenarmor), after running the configuration wizard and setting a policy, and then running a health audit I noticed this message:

elasticsearch5-5.6.8_5: checksum mismatch for /usr/local/lib/elasticsearch/config/jvm.options

Is this anything to be concerned about?

I'm using a remote elasticsearch instance. I suspect that sensei is setting something in here which is causing the mismatch perhaps? I did try removing the package and re-installing from fresh but the message still occurs.

Thanks.
#26
Hi,

I've been digging through the auto-generated floating rules and also looking at the BSD documentation for PF.

I'm not sure about a few points:

1) If a rule doesn't specify an interface, does it apply to all interfaces by default - including any WAN/pppoe interfaces? I'm specifically looking at the auto-added ICMPv6 (RFC4890) and CARP rules which look like they would allow traffic that I don't want in on my WAN interface. I don't use IPv6 or CARP.

2) When you disable "Allow IPv6", it looks like it adds a "block all IPv6" floating rule which is "quick" and appears in the list before any of the RFC4890 rules. Does this mean it will take precedence and block all ICMPv6 traffic? Referring back to question 1: does this mean if you don't uncheck "Allow IPv6" it will mean the ICMPv6 RFC4890 traffic will (by default) be allowed in on the WAN interface? Or is there some other mechanism preventing this traffic ingress on WAN?

3) The floating rules are assessed before any other rules correct? I can't see any other rules which would restrict CARP traffic on the WAN interface for example. The default drop rules for IPv6 and IPv4 aren't quick and so the quick CARP rules would take precedence from what I can see.

It's also entirely possible that I've confused myself here digging through all sorts of forum posts and BSD PF documentation all morning :)

At the end of the day, I just need to know that the WAN interface is locked down - I don't allow anything initiated from outside into my network - no open ports etc.

Thanks.
#27
Hi,

I made some LAN-side port forwards to force redirection of all DNS and NTP to my own internal LAN servers. So for example, any NTP requests to external servers will be redirected to my internal NTP server.

When these port forwards were created, they auto added floating firewall rules. I'm pretty sure I read in a post by Franco that it will only apply those floating rules to the required interfaces as defined by the port forward rule, meaning it shouldn't be opening up ports on the WAN interface, just LAN.

Is there any way I can list these interfaces - GUI or command line? I have a lot of floating rules and I need to check to which interfaces they apply.

I'd also like to view the interfaces for the hidden/auto-added floating rules for things like CARP etc.

Thanks.
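As an added example for the two posts above (my own script, not code from the thread or from the OPNsense project), the shell below reads a ruleset in the format `pfctl -sr` prints and reports, per rule, which interface it is bound to and whether it is `quick`. It relies on two general PF facts: a filter rule with no `on <interface>` clause is evaluated on every interface, and a `quick` rule ends evaluation at the first match, whereas without `quick` the last matching rule wins. The ruleset and the interface names (igb0, igb1) are constructed for illustration; the script does not claim to show what OPNsense's auto-generated floating rules look like on any particular box.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the OPNsense project.
# Reads a PF ruleset in the format `pfctl -sr` prints and reports, per rule,
# the interface it is bound to ("ALL" when the rule has no "on <if>" clause,
# which in PF means it matches on every interface) and whether it is "quick"
# (first match wins) or not (last match wins).

# CONSTRUCTED ruleset for illustration; igb0/igb1 are made-up interface names.
SAMPLE_RULES='pass in quick on igb1 inet proto udp from any to 192.168.1.1 port = 53 keep state
block in quick inet6 all
pass quick inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass quick proto carp all keep state
block in on igb0 all
pass in on igb0 inet proto tcp from any to any port = 443 keep state'

# rule_interfaces: stdin = ruleset, stdout = "<if-or-ALL> <quick|lastmatch> <rule>" per line
rule_interfaces() {
    awk '
    NF > 0 {
        iface = "ALL"; mode = "lastmatch"
        for (i = 1; i <= NF; i++) {
            if ($i == "on" && i < NF) iface = $(i + 1)
            if ($i == "quick") mode = "quick"
        }
        printf "%-6s %-9s %s\n", iface, mode, $0
    }'
}

# iface_of / mode_of: same classification for a single rule passed as an argument
iface_of() { printf '%s\n' "$1" | rule_interfaces | awk '{ print $1 }'; }
mode_of()  { printf '%s\n' "$1" | rule_interfaces | awk '{ print $2 }'; }

# unbound_rules: only the rules that carry no interface restriction (the ones the
# posts are worried about, since they are evaluated on WAN as well as LAN)
unbound_rules() { rule_interfaces | awk '$1 == "ALL"'; }

# count_unbound: how many rules in the sample apply to every interface
count_unbound() { printf '%s\n' "$SAMPLE_RULES" | unbound_rules | wc -l | tr -d ' '; }

# Stand-alone run over the sample; on a live box the input would be `pfctl -sr` instead.
printf '%s\n' "$SAMPLE_RULES" | rule_interfaces
```

On a live box, `pfctl -sr | rule_interfaces | awk '$1 == "ALL"'` lists exactly the rules that are not pinned to an interface; anything `quick` in that list is evaluated on WAN before any later non-quick block rule gets a say.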
#28
Hi,

I just updated from 21.1 (which had latest minor fixes) to 21.7 using the console. I'm on a serial console device image of OPNsense as I'm using a Netgate device.

During the upgrade, I noticed this error message for Chrony (as well as for NUT and SMART plugins):

Reloading plugin configuration
Configuring system logging...done.
[149/150] Reinstalling os-chrony-1.3...
[149/150] Extracting os-chrony-1.3: .......... done
configd not running? (check /var/run/configd.pid).
Starting configd.
Traceback (most recent call last):
  File "/usr/local/opnsense/service/configd.py", line 43, in <module>
    import modules.processhandler
  File "/usr/local/opnsense/service/modules/processhandler.py", line 43, in <module>
    from . import ph_inline_actions, syslog_error, syslog_info, syslog_notice, singleton
  File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 32, in <module>
    from . import template
  File "/usr/local/opnsense/service/modules/template.py", line 42, in <module>
    import jinja2
ModuleNotFoundError: No module named 'jinja2'
/usr/local/etc/rc.d/configd: WARNING: failed to start configd
Keep version OPNsense\Chrony\General (0.0.1)
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Chrony: configd not running!
pkg-static: POST-INSTALL script failed


I booted into the new environment and it *looks* ok - I've run a health audit and also grepped through my system.log / dmesg for any potential issues and found none. Also, Chrony looks to be configured correctly and was running - NUT and SMART plugins were also working as expected though they may not be up-to-date - I'm not sure.

Are these messages expected for the upgrade? Do I need to do anything?

I've subsequently upgraded to 21.7.1

Thanks.
#29
Hi,

I've added a policy which applies to all of the abuse.ch lists and some of the ETOpen lists.

This is simply to make them "drop" instead of "alert".

However, I've noticed that when I apply this and then download and update the rules, only some of the rules are set to "drop" with the rest being left at "alert". I've also noticed that only the abuse.ch lists actually seem to update looking at the last updated timestamp.

Is this a known issue? I've not found any posts or bug reports yet which confirms this but I may have missed something. I'm using the community version of OPNsense 21.1.7.
#30
Hi,

Is it possible for OPNsense to sync to a local NTP server but not necessarily serve time to the network as NTPd normally does? I was hoping there may be a smaller NTP client-only daemon.

Or are we limited to running NTPd to sync the clock and then locking it down with the Firewall?

Thanks.
#31
Hi there,

Perhaps I haven't woken up enough yet but I can't figure out why the WebGUI anti-lockout rule appears as a "Port Forward" rule rather than a standard Firewall rule? I've got a LAN interface with NAT enabled.

What does port forwarding / NAT have to do with locally accessing the WebGUI from the LAN interface? Port forwarding is normally used to allow access to a web server on the network from the WAN side right?

I'm obviously missing something here :)

Thanks.
#32
Hi,

I've been reading up as much as I can about how people run OPNsense.

I'm currently running it off an eMMC device and am using Suricata. I'm trying to reduce wear on the eMMC as much as possible so I'm also logging everything to an external syslog server - plus this is convenient.

I was just wondering if there are any benefits or indeed issues if I were to use RAMDisks for /tmp and /var?

I was having a look at: https://forum.opnsense.org/index.php?topic=1233.0 and Franco mentioned issues with service start ups if /var is in RAM - but this was back in 2015. Has this advice changed at all in 21.1? Given I'll be using Suricata I suspect this will cause problems.

Other than logging, is there anything else that might wear out the eMMC quickly or is most of OPNsense loaded into RAM anyway?

Thanks for any feedback.
#33
Hi,

I've installed OPNsense to an ADI board (Netgate SG-2400) with an eMMC device on it. Everything seems to be working fine.

The drive looks to be attached behind a USB controller and presents itself to the system as a SCSI device (/dev/da0).

I've noticed a couple of messages scrolling past at boot:

camcontrol: ATA ATA_IDENTIFY via pass_16 failed
camcontrol: ATA ATAPI_IDENTIFY via pass_16 failed


I presume it's just trying to get more details from the disk but since it's not an ATA disk it's failing. Will this cause any problems in the long run?

Also, I've been looking over the SMART plugin and was wondering if it will actually work for this device?

Looking at: https://github.com/opnsense/plugins/blob/master/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh it would seem that the command is hard set to:

/usr/local/sbin/smartctl -jH /dev/${DEV}

The command needed for this device is: smartctl -d scsi -H /dev/da0
(https://forum.netgate.com/topic/92679/emmc-on-2440-smart-status-unknown-in-widget)

Thanks for any advice you can give.
#34
Hi all,

I've encountered a similar issue as described in this forum post: https://forum.opnsense.org/index.php?topic=15221.0

I'm trying to install OPNsense 21.1 (serial image) (for the first time - new user) on a Netgate SG-2440 which is Intel Atom C2358 based using an ADI based board and firmware/BIOS. I can't get past the "Loading /boot/defaults/loader.conf" message - the spinner just stops.

Since this looks to be hanging on the stage2 boot sequence I've been looking to see what debug is available (https://docs.freebsd.org/en/books/handbook/boot-introduction.html).

I've also been checking to ensure the serial configuration is correct (https://docs.freebsd.org/en/books/handbook/serialconsole-setup.html).

I've been trying loads of different combinations of console="comconsole" and setting the rate to 115200 but I don't know if this is actually the problem since I can get to this screen - I'd assume serial comms are fine:

>> FreeBSD/x86 BOOT
Default: 0:ad(0,a)/boot/loader
boot:


I've also tried the kern.vty="vt" / kern.vty="sc" change that was mentioned in the other forum post but no success.

There was one combination of options I tried that did get me once to the main menu to boot the kernel but when I tried it said "can't load 'kernel'"; I've no idea what's happening here.

Can anyone point me in the right direction or suggest how I can get more debug?

Thanks.
#35
Hi,

Firstly thanks to the OPNsense team for actually setting up signing for their images! This is something we expect these days but yet sadly isn't always taken seriously - especially by another "popular" firewall which still refuses to implement any sort of signing!

I did have a question about the documentation however and forgive me if I've missed something as I come from using GPG mostly.

In the installation section it states:

Quote:
    The OpenSSL tool is used for file verification. 4 files are needed for verification:

        The bzip compressed ISO file (<filename>.iso.bz2)
        The SHA-256 checksum file (<filename>.sha256)
        The signature file (<filename>.sig)
        The openssl public key (<filename>.pub)

The commands we use are:

Quote:
    openssl base64 -d -in <filename>.sig -out /tmp/image.sig
    openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2

So from what I gather, once we've converted the signature back from base64 into binary in the first line, we then (in the second line) do the following, all-in-one:

1. Take the .sig signature (the SHA256 hash of the .img.bz2 signed with OPNsense's private key) and verify its authenticity using the provided public key (which I'd probably pull from another source for extra security).

2. Calculate the SHA256 hash of the .img.bz2 and compare that to the hash we just verified.

If those steps are correct, am I right in assuming the .sha256 file is actually redundant? In which case we could maybe update the docs to state that verification of integrity & authenticity can be done with the commands above and only three files (.sig, .pub and .img.bz2)

However, if you just want to verify the integrity and perhaps not the authenticity then you can just use the .sha256 file and .img.bz2 file.

Sorry if I sound pedantic - I'm really just trying to understand the steps myself :)

Keep up the good work,

Cheers.
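As an added worked example (my own script, not the OPNsense documentation's text or any project code), the shell below runs the two quoted commands end to end against a key pair and a stand-in image it generates itself, so it works offline. It then tampers with the image and rewrites the unsigned .sha256 to match, which shows what each file protects: the checksum check still passes, the signature check fails. File names follow the post's <filename> convention (image.img.bz2, image.sig, image.sha256, image.pub); the key, the image bytes and the tampering step are all constructed.

```shell
#!/bin/sh
# Added example, not code from the OPNsense docs or project. Replays the two
# OpenSSL commands quoted in the post against a CONSTRUCTED key pair and a fake
# "image", then tampers with the files to show what each artefact protects.
# File names follow the post: <name>.img.bz2, <name>.sig, <name>.sha256, <name>.pub.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Publisher side (constructed): key pair, image, .sha256 and a base64-encoded .sig.
make_fixture() {
    name=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key 2>/dev/null
    openssl pkey -in private.key -pubout -out "$name.pub"
    printf 'not really an OPNsense image, just fixture bytes\n' > "$name.img.bz2"
    openssl dgst -sha256 "$name.img.bz2" > "$name.sha256"      # "SHA256(file)= <hex>"
    openssl dgst -sha256 -sign private.key -out sig.bin "$name.img.bz2"
    openssl base64 -in sig.bin -out "$name.sig"
    rm -f sig.bin private.key                                  # the verifier never sees the private key
}

# Authenticity + integrity: the two commands from the docs as quoted in the post.
# The .sig is a signature over the SHA-256 of the image, so a valid signature
# also proves the image is unmodified; no separate .sha256 is needed for that.
verify_signature() {
    name=$1
    openssl base64 -d -in "$name.sig" -out image.sig.bin || return 1
    openssl dgst -sha256 -verify "$name.pub" -signature image.sig.bin "$name.img.bz2" >/dev/null 2>&1
}

# Integrity only: the unsigned .sha256 says nothing about who produced it.
verify_checksum() {
    name=$1
    expected=$(awk '{ print $NF }' "$name.sha256")
    actual=$(openssl dgst -sha256 "$name.img.bz2" | awk '{ print $NF }')
    [ "$expected" = "$actual" ]
}

# scenario: prints "<sig> <sum> <sig-after-tamper> <sum-after-tamper>", each pass|fail.
scenario() {
    make_fixture image || return 1
    sig_ok=fail; sum_ok=fail; sig_tamper=pass; sum_tamper=pass
    verify_signature image && sig_ok=pass
    verify_checksum image && sum_ok=pass
    # Attacker (constructed) swaps the image AND rewrites the unsigned .sha256 to match it.
    printf 'backdoored image\n' > image.img.bz2
    openssl dgst -sha256 image.img.bz2 > image.sha256
    verify_signature image || sig_tamper=fail
    verify_checksum image || sum_tamper=fail
    printf '%s %s %s %s\n' "$sig_ok" "$sum_ok" "$sig_tamper" "$sum_tamper"
}

# Stand-alone run: expected "pass pass fail pass".
scenario
```

The last two fields are the point: once an attacker can replace the image they can just as easily replace the checksum file that sits next to it, so the .sha256 file only catches accidental corruption, while the signature check fails because the attacker cannot produce a signature that verifies under the published .pub.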



#36
Hardware and Performance / Opnsense and intel CPUs
January 03, 2021, 04:47:59 PM
Hi all,

This is my first post to the forum - I've just learned about Opnsense and am very excited to get up and running!

I had a question regarding hardware.

I've got an old Netgate SG-2440 lying around which I intend to put Opnsense on.

I think for all intents and purposes it should be a perfect machine for it.

The important specs are:


CPU: Intel "Rangeley" Atom C2358 1.7 GHz with QuickAssist
CPU Cores: 2
Memory Options: 4GB DDR3L Non ECC
Storage Options: 32GB eMMC Flash on board (I'll be putting a larger disk in)
Network Interfaces: 4x Intel 1GbE
USB Ports: 2x 2.0 ports
Console Port: Mini USB


My question is more about using Intel CPUs in general on a router. It's clear Opnsense takes security very seriously (using HardenedBSD and all).

There have been a number of issues with Intel CPUs - in particular, exploits in the ME firmware and so on.

Is it a good idea for me to use an Intel Atom C2358 based machine to run Opnsense? Or should I be looking for another platform to run this on?

Are there any actual exploits that I'd need to be aware of that haven't or can't be patched via Opnsense/BSD?

Am I just being overly paranoid? (wouldn't be the first time)

The SG-2440 is spare so it'd be a shame not to use it. I've also got one of the boards which luckily doesn't have the Intel C2358 clock signal component issue.

(and sorry if my question seems a little esoteric!)

Best!

E.