Recent posts

#1
What you want is most likely possible with a web proxy, but at a much higher performance and complexity cost.

The simplest would be a DNS filter (Unbound) or a Firewall Rule based filter (Dnsmasq).

Just giving alternatives, I am not a pro at squid so I cannot help with it much.
#2
25.7, 25.10 Series / Re: OPNCentral cannot provisio...
Last post by franco - Today at 02:19:47 PM
On Reddit we concluded the troubleshooting and now 25.10.1 offers an updated OPNBEcore package which reverts the bad code for the time being.


Cheers,
Franco
#3
25.7, 25.10 Series / Unbound Blocklists - How to ex...
Last post by gspannu - Today at 02:07:07 PM
I have started using the recently introduced (upgraded) Unbound Blocklists in 25.7.9.

My setup:

I have a fairly simple LAN setup:
Main subnet: 192.168.1.1/24 (static IP defined for most clients)
Guest VLAN subnet: 192.168.10.1/24

Unbound as main recursive DNS resolver on port 53
dnsmasq running as DHCP on port 53035


Requirements:
1) I do not want any blocklists for my Guest subnet (192.168.10.1/24) clients.
This is easy to implement in DNS blocklists: I add an entry with no blocklists and set the source as 192.168.10.1/24. No DNS query from this subnet is blocked. Works exactly as expected.

2) I want all of my main LAN clients (192.168.1.1/24) to be using blocklists, except 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
I add an entry with appropriate blocklists and set the source as 192.168.1.1/24. All DNS queries from this subnet run through blocklists.
Works as expected, but not for the 3 specific clients, as expected.

Therefore,
3) I add another entry with no blocklists and set the source as the 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
All DNS queries from these specific clients should not run through blocklists; however, these 3 clients also run through blocklists. Not working as expected.

------------------

I tried changing the order of the entries as well, making the 3 specific clients entry the 1st entry.

Using the tester GUI, it shows that the 3 clients are also part of the policy in 192.168.1.1/24. It seems that Unbound is not treating the matches in a sequential fashion.

-----------------

Can someone guide me on how to set up the Blocklists to achieve the desired outcome?


Suggestion:
I think the Unbound blocklist GUI screen should also have an entry for 'Excluded Net' in addition to the 'Source Net'; this could then perhaps achieve the desired result.
Or make Unbound Blocklists process/match the 'Source Net' entries sequentially, so the first match gets processed according to the rules.
#4
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by mb19 - Today at 01:53:19 PM
But I have one more question regarding NTP on the WAN side.

Wouldn't it be risky to allow my router to receive incoming requests on port 123 and forward them to OPNsense? Like, wouldn't this expose the firewall to a DDoS?

I say this because I'm in an enterprise environment and I don't really know what the standard practice is — should I do that and then implement a whitelist for the NTP pool servers, or apply rate limiting on incoming NTP traffic?

Or is it generally recommended not to expose NTP to the Internet at all and just find a workaround?

Sorry if these are basic questions, I'm still junior :(
#5
OK. Just to be clear: what we want to achieve is not possible using the web proxy feature?
#6
25.7, 25.10 Series / Re: Possible firewall bug?
Last post by Lymba_Sysm - Today at 01:49:50 PM
Quote from: Patrick M. Hausen on Today at 11:37:06 AM
You have blanks/spaces in these strings. Remove them.

Yeah... That was it. Thanks, stupid on my behalf.
#7
25.7, 25.10 Series / Re: Service Wazuh broken
Last post by franco - Today at 01:15:25 PM
Which version then?
#8
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by mb19 - Today at 12:58:37 PM
Sorry, but you mean on the router and not on the OPNsense, right?

(Sooorry, I just re-read it and you were very clear 😅. I'm going to contact the ISP provider since I don't have access. I'll update the post once I have more info / if it solves it)
#9
It depends on the firewall rules you create for the alias.
#10
25.7, 25.10 Series / Service Wazuh broken
Last post by bazbaz - Today at 12:56:04 PM
Hi,
I have the wazuh plugin installed. When I save the configuration, it reports an error and the service goes down.

The log reports:
Error
configd.py
[3d1df881-9d0b-4791-b22a-4d23e0e41bfd] Script action failed with Command '/usr/local/opnsense/scripts/syslog/queryLog.py --limit '50' --offset '0' --filter '1.1.1.1.' --module 'wazuhagent' --filename 'activeresponses' --severity 'Emergency,Alert,Critical,Error,Warning,Notice,Informational' --valid_from '1764849145.539'' returned non-zero exit status 1. at
Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute
    subprocess.run(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/syslog/queryLog.py --limit '50' --offset '0' --filter '1.1.1.1.' --module 'wazuhagent' --filename 'activeresponses' --severity 'Emergency,Alert,Critical,Error,Warning,Notice,Informational' --valid_from '1764849145.539'' returned non-zero exit status 1.

Any idea?
Thanks