Messages - chemlud

#1981
..post screenshot of NAT outbound... Again, here it works just fine ;-)
#1982
German - Deutsch / Re: Firewall "hardening"
March 20, 2019, 06:54:17 PM
On my small networks no ICMP has been allowed for years, neither in nor out. So far the world hasn't ended...

In a home setting I would do it that way as a rule, unless the Samsung TV urgently needs to leak somewhere in order to work.
#1983
So the traffic is apparently not leaving the LAN interface. Anything in the firewall logs?

Have a look here again, it works for me just fine:

Quote from: deZillium on March 20, 2019, 01:05:32 PM

Why it will not work:
1) you mess up with the outbound NAT rules.
2) you are blocking private/invalid on OPNSense's WAN
3) there isn't any rule that allows it (there should be, the default allow LAN to any, assuming you are connecting from OPNSense's LAN interface)
4) your modem is bridged, possibly using a specific port for the bridge, while leaving the rest as a "local tech support" access, i.e. port 1 is bridged, ports 2+3 are not, port 4 is for a VOIP setup.

#1984
...installed and rebooted. Stable for the moment...

Many thanks! Any way to store this unbound 1.8.1 locally and install via console, in case I decide to update my production systems? :-)

PS: Stored a copy on my computer (wget....) and on the opnsense (fetch). But how to install it from my computer on another opnsense? Do I need to setup a webserver on my computer? No idea how to mount an USB-stick on my sense by hand...
#1985
German - Deutsch / Re: Scanning mails for viruses
March 20, 2019, 03:44:26 PM
IDS / IPS as a shortcut? A local email server is no small matter any more...
#1986
do a packet capture (Interfaces -> Diagnostics), first on LAN then on WAN while you try to access the modem via http or https (depends...) and see where your packets go to.
#1987
Yep, if I disable "Block private" on WAN, I can access the modem even without the NAT rule. However, with block private on WAN, the NAT rule takes over and allows the otherwise blocked private IP of my modem...

fun!
#1988
SOURCE, not Destination is 192.168.100.0/24 (if that's your modem's network)...

Interfaces -> Diagnostics -> Ping is the direct way ;-) And you have to allow ICMP in the firewall rules for LAN to make a ping work. And http/https to reach the web interface of your modem.

#1989
Firewall -> NAT -> Outbound (set to Hybrid)

Interface WAN

Source "Network of your MODEM, e.g. 192.168.100.0/24"

Translation/target INTERFACE address


____________

Save, apply, works here...
#1990
...same difference, w/o DNSsec reboot came back fine, but trying to update the only client in LAN kills off unbound after some seconds.
#1991
1.9.1 installed, on reboot:

Mar 19 09:34:27 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.11.1 ::)
Mar 19 09:34:27 kernel: em4: permanently promiscuous mode enabled
Mar 19 09:34:27 kernel: em3: link state changed to DOWN
Mar 19 09:34:27 kernel: em3: permanently promiscuous mode enabled
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:34:07 kernel: OK
Mar 19 09:34:06 kernel: OK
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Mar 19 09:33:13 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '192.168.199.1'


...and after manual restart:

Mar 19 09:36:52 kernel: -> pid: 5881 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 09:35:37 kernel: pid 6235 (unbound), uid 59: exited on signal 11


I disabled DNSsec for the moment to see, if it makes a difference...
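A daemon dying on signal 11 over and over, as in the unbound log lines above, is easy to miss among hotplug and link-state noise. The following is an added example (not from the forum thread or from OPNsense) that parses log lines in the same format, flags processes that segfault repeatedly within a short window, and extracts the HardenedBSD SEGVGUARD events; the sample lines are constructed after the format posted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the OPNsense system log quoted above
# (syslog lines carry no year, so one is supplied when parsing).
SAMPLE_LOG = """\
Mar 19 09:34:08 kernel: pid 38636 (unbound), uid 59: exited on signal 11
Mar 19 09:34:27 kernel: em3: link state changed to DOWN
Mar 19 09:35:37 kernel: pid 6235 (unbound), uid 59: exited on signal 11
Mar 19 09:36:52 kernel: [HBSD SEGVGUARD] [unbound (5881)] Suspension expired.
Mar 19 09:36:52 kernel: pid 5881 (unbound), uid 59: exited on signal 11
Mar 19 10:02:01 kernel: pid 700 (php-cgi), uid 80: exited on signal 11
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel: pid (?P<pid>\d+) "
    r"\((?P<proc>[^)]+)\), uid (?P<uid>\d+): exited on signal (?P<sig>\d+)")
SEGVGUARD_RE = re.compile(r"\[HBSD SEGVGUARD\] \[(?P<proc>\S+) \((?P<pid>\d+)\)\]")


def parse_crashes(text, year=2019):
    """Return (timestamp, process, pid, signal) for every 'exited on signal' line."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            crashes.append((ts, m["proc"], int(m["pid"]), int(m["sig"])))
    return crashes


def crashing_daemons(crashes, min_crashes=2, window=timedelta(minutes=10)):
    """Map process name -> largest number of SIGSEGV (11) exits seen inside any
    `window` span, for processes reaching min_crashes; one-off crashes are ignored."""
    by_proc = defaultdict(list)
    for ts, proc, _pid, sig in crashes:
        if sig == 11:
            by_proc[proc].append(ts)
    flagged = {}
    for proc, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_crashes:
                flagged[proc] = max(flagged.get(proc, 0), end - start + 1)
    return flagged


def segvguard_events(text):
    """Return (process, pid) for each HardenedBSD SEGVGUARD message."""
    return [(m["proc"], int(m["pid"])) for m in SEGVGUARD_RE.finditer(text)]
```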
#1992
Quote from: Charles2019 on March 19, 2019, 01:33:31 AM
Yes I'm able to reach my cable modem through OPNSense.

How? :-D

PS: OK, I added an outbound NAT rule for the network my cable modem is running its web interface on, inserted the IP in the browser and was there. As I suggested in the beginning. ;-)
#1993
That worked well, but now the console doesn't stop throwing text lines for minutes now. Is it making the WHOLE sense? I thought it was just unbound I ordered... :-D


PS: some minutes later...


root@OPN0119:/usr/ports/dns/unbound # make package deinstall install

***skipped some million lines of text output here...***

ln -sf "tls_init.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_new.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_add_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_clear_keys.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_file."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_mem.3"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ca_path."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_fil"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_cert_mem"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_crl_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_file"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_key_mem."
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_keypair_"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_ocsp_sta"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_set_verify_d"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_config_verify_clien"
ln -sf "tls_load_file.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_unload_file.3"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_ocsp_process_response.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_peer_oc"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_close.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_error.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_handshake.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_reset.3"
ln -sf "tls_read.3" "/usr/obj/usr/ports/security/libressl/work/stage/usr/local/man/man3/tls_write.3"
/bin/mkdir -p '/usr/obj/usr/ports/security/libressl/work/stage/usr/local/libdata/pkgconfig'
install  -m 0644 libcrypto.pc libssl.pc libtls.pc openssl.pc '/usr/obj/usr/ports/security/libressl/work/stage/usr/l'
/bin/rm -f -r /usr/obj/usr/ports/security/libressl/work/stage//usr/local/etc/ssl/cert.pem
====> Compressing man pages (compress-man)
===>  Installing for libressl-2.7.4
===>  Checking if libressl already installed
===>   libressl-2.7.4 is already installed
      You may wish to ``make deinstall'' and install this port again
      by ``make reinstall'' to upgrade it properly.
      If you really wish to overwrite the old port of libressl
      without deleting it first, set the variable "FORCE_PKG_REGISTER"
      in your environment or the "make install" command line.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/security/libressl
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound

#1994
...now we have:

root@OPN0119:/usr/ports/dns/unbound # make package deinstall install
===>   unbound-1.8.1 depends on package: autoconf>=2.69 - found
===>   unbound-1.8.1 depends on package: automake>=1.16.1 - found
===>   unbound-1.8.1 depends on executable: libtoolize - not found
===>  License GPLv2 accepted by the user
===>   libtool-2.4.6 depends on file: /usr/local/sbin/pkg - found
=> libtool-2.4.6.tar.xz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.xz
libtool-2.4.6.tar.xz                          100% of  950 kB 3227 kBps 00m00s
===> Fetching all distfiles required by libtool-2.4.6 for building
===>  Extracting for libtool-2.4.6
=> SHA256 Checksum OK for libtool-2.4.6.tar.xz.
===>  Patching for libtool-2.4.6
===>   libtool-2.4.6 depends on executable: gm4 - found
===>   libtool-2.4.6 depends on executable: gmake - found
===>   libtool-2.4.6 depends on executable: makeinfo - not found
===>  License GPLv3+ accepted by the user
===>   texinfo-6.5,1 depends on file: /usr/local/sbin/pkg - found
=> htmlxref.cnf doesn't seem to exist in /usr/ports/distfiles/texinfo/6.5.
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137,6
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expected 2016
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: size mismatch: expecte6
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf
fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 6
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/texinfo/6.5 and try again.
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/print/texinfo
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/devel/libtool
*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound


...still sumfink missing
#1995
"Block private networks" on WAN? The modem's IP is allowed in the LAN firewall rules? Might be that in the setup of the modem the concurrent use of the private address has to be configured?