"Recent posts
#1
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by Patrick M. Hausen - Today at 08:28:30 PMIf you have an active connection which you intend to block the problem is possibly not that your alias are not updated in a timely fashion, but that you need to flush the firewall states.
An active TCP connection that once was permitted stays that way because of the stateful firewall, even if you change the rules.
Of course flushing the firewall states will disrupt all active connections which is exactly why it does not happen by default.
An active TCP connection that once was permitted stays that way because of the stateful firewall, even if you change the rules.
Of course flushing the firewall states will disrupt all active connections which is exactly why it does not happen by default.
#2
26.1, 26,4 Series / How concerned should we be abo...
Last post by allenlook - Today at 08:28:06 PMQuestion is in the subject, but to reiterate, how concerned should we be about the latest supply chain attack methods like Mini Shai-Hulud?
Software that "includes" or "imports" many external libraries of unknown provenance seem to be at very heightened risk now that the supply chain itself is being compromised.
Should we be worried about OPNsense?
-- From Brave AI --
Mini Shai-Hulud is a self-propagating supply chain worm campaign attributed to the cybercriminal group TeamPCP (also tracked as UNC6780), which emerged in April 2026 as the fourth generation of the Shai-Hulud malware family. The attack targets the npm and PyPI ecosystems, compromising over 170 packages by leveraging CI/CD trust relationships to steal developer and cloud credentials.
The malware operates by injecting malicious code into trusted packages, such as those in the SAP Cloud Application Programming Model, TanStack, and Mistral AI ecosystems. It uses a two-stage payload that downloads the Bun JavaScript runtime to execute obfuscated code, harvesting tokens from GitHub, AWS, Azure, Google Cloud, and Kubernetes. The stolen data is exfiltrated via encrypted commits to public GitHub repositories or through the anonymous messaging app Session.
Key characteristics of the campaign include:
SLSA Provenance Forgery: Mini Shai-Hulud compromised packages with valid SLSA Build Level 3 attestations, proving that process integrity controls can be defeated.
OIDC Token Extraction: The worm extracts OpenID Connect tokens directly from GitHub Actions runner memory to gain publish credentials without needing stolen passwords.
Persistence: It embeds itself into developer tooling configuration files, such as VS Code and Claude Code, to maintain access to workstations.
High-Profile Impact: The attack affected organizations including OpenAI, Mistral AI, and GitHub, with OpenAI confirming limited credential exfiltration from internal source code repositories.
Mitigation: Security experts recommend rotating all cloud and developer credentials, auditing CI/CD pipelines for unauthorized access, and reviewing package lockfiles for suspicious changes.
Software that "includes" or "imports" many external libraries of unknown provenance seem to be at very heightened risk now that the supply chain itself is being compromised.
Should we be worried about OPNsense?
-- From Brave AI --
Mini Shai-Hulud is a self-propagating supply chain worm campaign attributed to the cybercriminal group TeamPCP (also tracked as UNC6780), which emerged in April 2026 as the fourth generation of the Shai-Hulud malware family. The attack targets the npm and PyPI ecosystems, compromising over 170 packages by leveraging CI/CD trust relationships to steal developer and cloud credentials.
The malware operates by injecting malicious code into trusted packages, such as those in the SAP Cloud Application Programming Model, TanStack, and Mistral AI ecosystems. It uses a two-stage payload that downloads the Bun JavaScript runtime to execute obfuscated code, harvesting tokens from GitHub, AWS, Azure, Google Cloud, and Kubernetes. The stolen data is exfiltrated via encrypted commits to public GitHub repositories or through the anonymous messaging app Session.
Key characteristics of the campaign include:
SLSA Provenance Forgery: Mini Shai-Hulud compromised packages with valid SLSA Build Level 3 attestations, proving that process integrity controls can be defeated.
OIDC Token Extraction: The worm extracts OpenID Connect tokens directly from GitHub Actions runner memory to gain publish credentials without needing stolen passwords.
Persistence: It embeds itself into developer tooling configuration files, such as VS Code and Claude Code, to maintain access to workstations.
High-Profile Impact: The attack affected organizations including OpenAI, Mistral AI, and GitHub, with OpenAI confirming limited credential exfiltration from internal source code repositories.
Mitigation: Security experts recommend rotating all cloud and developer credentials, auditing CI/CD pipelines for unauthorized access, and reviewing package lockfiles for suspicious changes.
#3
Q-Feeds (Threat intelligence) / Re: Q-Feeds Events - nothing s...
Last post by lmoore - Today at 08:18:56 PMQuote from: Q-Feeds on Today at 07:24:57 PMcan someone with these problems share the output of this command?Code Select/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
Since updating to OPNsense 26.1.9, the Events tab now shows events.
I've included a sanitised partial extract from the command.
#4
26.1, 26,4 Series / System: Firmware: Updates: con...
Last post by dinguz - Today at 07:43:03 PMThe output displayed in System > Firmware > Updates (both firmware upgrade output and audit results) is not streamed line-by-line. Instead, output appears to be buffered and flushed in large chunks, causing long pauses followed by sudden bursts of text. Live streaming would give better visibility into progress.
#5
Hardware and Performance / Re: Battery Replacement: DEC74...
Last post by proformap - Today at 07:36:55 PMQuote from: DEC740airp414user on Today at 01:08:25 PMwow that is kinda crazy
Crazy - indeed.
There must have been something really weird going on with the LR44 - leakage, short circuit or something of that nature, which resulted in disintegration / bulging, pulling the metal bracket off the PCB ... just speculating.
Good news is that soldering the bracket worked and for now the DEC740 seems to work fine.
#6
26.1, 26,4 Series / Re: Help: Kea DHCP4 High CPU
Last post by FrankB7558 - Today at 07:32:29 PMHi,
I got the same situation after configuring the following:
before:
I have a bridge0, it is 1 member, a lan interface
after:
I've added ovpns1 to the bridge, put openvpn in tap mode
At the moment I don't have any usefull logging, can you say if your configuration with bridge interface and vpn is perhaps the same?
I got the same situation after configuring the following:
before:
I have a bridge0, it is 1 member, a lan interface
after:
I've added ovpns1 to the bridge, put openvpn in tap mode
At the moment I don't have any usefull logging, can you say if your configuration with bridge interface and vpn is perhaps the same?
#7
Q-Feeds (Threat intelligence) / Re: Q-Feeds Events - nothing s...
Last post by Q-Feeds - Today at 07:24:57 PMcan someone with these problems share the output of this command?
Code Select
/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs #8
German - Deutsch / Leidige Thema CGNAT
Last post by Zapad - Today at 05:55:45 PMHallo Zusammen,
bin z.Zeit im ausland habe meine Sense mitgenommen und einen anschluß mit CGNAT ohne IP6 bekommen.
Der IP bereich ist 100.64.0.0/16
Das Problem ist das manche Seiten nicht erreichbar sind, weder mit deren Router über NAT noch über die Sense.
tuh ich aber Deren Huawei Router in Bridge Modus versetzen und klemme meinen Linux Laptop dran kriege ich eine
IP aus dem 100.64'er bereich und es klappt mit allen seiten klemme ich meine Sense statt dem Laptop nur
gefühlt die Hälfte.....
ich weiss das es Probleme mit Shared IP gibt aber dann dürfte ich auch über Laptop mit bridged wan nichts kriegen oder?
Kann ich an der Sense was tun das die sich wie mein Laptop benimmt!?
bin z.Zeit im ausland habe meine Sense mitgenommen und einen anschluß mit CGNAT ohne IP6 bekommen.
Der IP bereich ist 100.64.0.0/16
Das Problem ist das manche Seiten nicht erreichbar sind, weder mit deren Router über NAT noch über die Sense.
tuh ich aber Deren Huawei Router in Bridge Modus versetzen und klemme meinen Linux Laptop dran kriege ich eine
IP aus dem 100.64'er bereich und es klappt mit allen seiten klemme ich meine Sense statt dem Laptop nur
gefühlt die Hälfte.....
ich weiss das es Probleme mit Shared IP gibt aber dann dürfte ich auch über Laptop mit bridged wan nichts kriegen oder?
Kann ich an der Sense was tun das die sich wie mein Laptop benimmt!?
#9
26.1, 26,4 Series / Issue at update to 26.1.9
Last post by mschaeffler - Today at 05:50:21 PMHello,
at the update to 26.1.9 I got this error:
Afterwards the update was fine and the firewall seems to be working normally.
BR, Mathias
at the update to 26.1.9 I got this error:
Code Select
Stopping configd...done
Starting configd.
Fatal error: Uncaught Error: Class "OPNsense\Base\Menu\MenuContainer" not found in /usr/local/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php:34
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Autoload/Loader.php(49): require_once()
#1 [internal function]: OPNsense\Autoload\Loader->autoload('OPNsense\\DHCPv4...')
#2 /usr/local/opnsense/mvc/script/run_migrations.php(64): ReflectionClass->__construct('OPNsense\\DHCPv4...')
#3 {main}
thrown in /usr/local/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php on line 34
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Syslog: OKAfterwards the update was fine and the firewall seems to be working normally.
BR, Mathias
#10
26.1, 26,4 Series / Re: "Inverting destinations is...
Last post by techturtle - Today at 05:45:35 PMMultiple sources/destinations become multiple rules under the hood - that's a bit different than I anticipated. Probably this is the cause, why implementation of negation gets complicated.
So back to nested aliases: Is there any info, how these are synced?
Given parent alias P and nested aliases C1, C2, I'd like to have P synced immediately in a blocking fashion, as soon as either C1 or C2 is changed. I.e. if a rule using P is to be consulted for a packet, application of this rule should wait till P has fully flushed / synced.
Is that possible?
So back to nested aliases: Is there any info, how these are synced?
Given parent alias P and nested aliases C1, C2, I'd like to have P synced immediately in a blocking fashion, as soon as either C1 or C2 is changed. I.e. if a rule using P is to be consulted for a packet, application of this rule should wait till P has fully flushed / synced.
Is that possible?
