Messages

Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

Problem solved with `git add --chmod=755 /path/to/script`. Stupid git.

I'm writing some enhancements to OPNsense and am somewhat stuck. I'm including two screenshots. I've modeled my "Interfaces" dropdown to be similar to that of the IDS "Interfaces" dropdown. For some reason, my dropdown isn't populating, except until I click the "Clear All" link. Upon clicking that link, the relevant interfaces appear.

I've hit my head against the wall for a couple days now and I can't figure out what's going on. I'm hoping someone has hit this similar issue and has some pointers. I also don't see any javascript errors nor network errors (all responses are HTTP 200 OK.)

In case the attached images fail to work here, I've uploaded the screenshots here: https://imgur.com/a/qNLseS7

(Apparently, the screenshots exceed the max allowed size, so please use that imgur link above.)

I've created a new script for rc.syshookd/early. It gets installed in my dev build, but with the wrong perms. Instead of being 755, it's 644. On my local filesystem, it's committed as 755. I'm unsure why the discrepancy exists.

Subject says it all. ;)

I'm working off of a private gitlab instance and would like to upstream some patches. How would OPNsense like to approach upstreaming patches where the downstream repo does not reside on GitHub?

Problem solved through discussion over IRC. Thanks, fitch, for the help!

I haven't committed the changes. I'm on the master branch in tools.git and set SETTINGS to 20.7. Do the changes need to be committed before the build framework picks them up?

Output of `git status` in core.git:

On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   src/opnsense/mvc/app/controllers/OPNsense/IDS/forms/generalSettings.xml
        modified:   src/opnsense/mvc/app/models/OPNsense/IDS/IDS.xml

no changes added to commit (use "git add" and/or "git commit -a")

I even did a `make clean` to start afresh and my changes to core.git aren't being pulled in. What am I doing wrong?

It has been a while since I last did any development in core.git. I've made my initial DVD ISO image of a custom build of OPNsense 20.7. After building that initial DVD ISO, I made changes to core.git.

I tried running `make clean-dvd clean-core dvd` to try to pick up the changes I made to core.git (related to Suricata), but the newly-built DVD ISO didn't pick up the changes. Am I missing a step or doing something wrong?

Any non-XKCD pointers would be very much appreciated. Thanks! :)

I think the problem I'm having is that I don't want to have to grep the OPNsense codebase (`core.git`) to rebuild in my mind what the JSON objects would look like. Doing that would be very prone to error.

I've started working on a C-based API library (libopnsenseapi). I've noticed that the API documentation ( https://docs.opnsense.org/development/api.html ) is lacking. I'm looking for a description of the JSON objects that get returned from each API endpoint.

For example, when I call `https://opnsense.local/api/core/firmware/getfirmwareconfig`, what is the JSON object that gets returned to me going to look like? I will need to parse the JSON object in a way that makes sense for that particular API endpoint.

It seems to me that right now, I'll need to enumerate each API endpoint to determine what gets returned. Since some of those endpoints cause config changes, I'm a bit weary of doing that.

edit[0]: accidentally hit the "Save" button before I finished writing this post.

How is the beta image so much larger than the current production image? Does it have debugging enabled?

At least part of the growth would be the introduction of a new exploit mitigation: Non-Cross-DSO Control Flow Integrity (CFI). More information about CFI can be found in HardenedBSD's wiki: https://git-01.md.hardenedbsd.org/HardenedBSD/HardenedBSD/wiki#control-flow-integrity-cfi

The ISO has been uploaded here: https://hardenedbsd.org/~shawn/opnsense/2019-03-26_hbsd_11-stable_disc1.iso

Can anyone interesting in running OPNsense 19.1 in a Hyper-V Gen2 instance please test?

I created a gen 2 VM on a windows server 2012R2 hyper-v using the iso and there were no problems. I went all the way through the installation until the final step to reboot, but I didn't boot the installed image.

Awesome! And the original 19.1 ISO caused crashes for you, correct?

HardenedBSD enabled IPv6 privacy extensions by default[1]. Unless explicitly disabled by OPNsense 19.1, they should still be enabled.

[1]: https://github.com/HardenedBSD/hardenedBSD/wiki#generic-system-hardening

I've added the Hardware above.

i tested also on a Server 2012 R2, Gen2, Configuration Version 5.0, there installer works, Live-CD too
E3-1270 v3, Intel Board S1200RP, 32GB ECC RAM

On a Server 2016, Gen2, Configuration Version 8.0, it works like the Server 2012 R2
E3-1240 v5, Supermicro Board X11SSL-CF, 32GB ECC Ram

On the Server 2019 (above) i create a Gen2 Configuration Version 5.0, the same "error"

On a Windows 10 1809, Gen2 Configuration Version 9.0, the same error
i3-4150, Supermicro X10SLV-Q, 8GB RAM (a small PBX-Host)

Something that i can test? (for testing i removed the NIC from the configuration, set use other CPU-Version, error is the same)

Is this your processor, then? https://ark.intel.com/content/www/us/en/ark/products/52276/intel-xeon-processor-e3-1270-8m-cache-3-40-ghz.html

No need for changes on your end. A basic Gen2 config (with secure boot disabled) should be enough for testing.