Recent posts

#1
Your custom rules execute in phase1, meaning these definitions need to go before any other definitions in the ruleset.

Currently there is an import option from:

IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf

Yet these most likely match after the other inclusions.

There is no freely available import path before that, but you can add one yourself in:
/usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf

Changing the template makes it resistant to service restarts, but not to updates.

Please open a github ticket if you require a permanent import path for your custom rules.


Please note that we will also generate rule exclusions differently soon in an upcoming OPNWAF version, and use IDs that might overlap with your custom rule IDs (we start from 100001), so be careful.
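Two checks a defender can run after following the advice in this post, as an added example that is not part of the post or of the OPNWAF project: that the custom rule Include lands before the CRS IncludeOptional line, and that custom rule IDs stay below 100001, the start of the ID range the post says a coming OPNWAF version will use. The `modsecurity-custom` directory name, the sample httpd.conf lines and the sample rules are constructed for illustration; only the CRS include path and the 100001 boundary come from the post.

```shell
#!/bin/sh
# Added example (not from the forum post or the OPNWAF project): sanity checks
# for a custom ModSecurity rule set on an OPNsense/OPNWAF host.
#  1. the custom Include must precede the CRS IncludeOptional, because the post
#     says custom phase 1 rules need to be defined before the other rules;
#  2. custom rule ids should stay below 100001, the range the post says a
#     coming OPNWAF version will use for generated exclusions.
# The include path "modsecurity-custom" and the sample contents are constructed.

# Constructed sample of the template after adding a custom include line.
SAMPLE_HTTPD_CONF='LoadModule security2_module libexec/apache24/mod_security2.so
Include etc/apache24/modsecurity-custom/*.conf
IncludeOptional etc/apache24/modsecurity-crs/rules/*.conf'

# Constructed sample custom rule file (ids chosen for the example).
SAMPLE_RULES='SecRule REQUEST_HEADERS:User-Agent "@contains scanner-x" "id:1001,phase:1,deny,status:403,log"
SecRule REQUEST_URI "@beginsWith /internal" "id:1002,phase:1,deny,status:404,log"'

# Prints the line number of the first line of text $1 matching pattern $2,
# or nothing when there is no match.
first_match_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when the custom include (pattern $2) precedes the CRS include in
# the configuration text $1, 1 otherwise (including when either is missing).
custom_include_before_crs() {
    custom=$(first_match_line "$1" "$2")
    crs=$(first_match_line "$1" 'modsecurity-crs/rules')
    [ -n "$custom" ] && [ -n "$crs" ] && [ "$custom" -lt "$crs" ]
}

# Prints every rule id found in rule text $1, one per line.
rule_ids() {
    printf '%s\n' "$1" | grep -o 'id:[0-9][0-9]*' | cut -d: -f2
}

# Returns 0 when every rule id in $1 is below 100001, 1 as soon as one is not.
rule_ids_below_opnwaf_range() {
    for id in $(rule_ids "$1"); do
        [ "$id" -lt 100001 ] || return 1
    done
    return 0
}

# Stand-alone run over the constructed samples.
if custom_include_before_crs "$SAMPLE_HTTPD_CONF" 'modsecurity-custom'; then
    echo "ok: custom rules are included before the CRS"
else
    echo "warn: custom rules load after the CRS; phase 1 rules will not apply as intended"
fi
if rule_ids_below_opnwaf_range "$SAMPLE_RULES"; then
    echo "ok: all rule ids stay below 100001"
else
    echo "warn: a rule id is at or above 100001 and may collide with generated exclusions"
fi
```

To check a real host, replace the two sample strings with `"$(cat /usr/local/opnsense/service/templates/OPNsense/Apache/httpd.conf)"` and the contents of your own rule files; the functions themselves only look at the text they are handed.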
#2
26.1 Series / Re: I'm getting "SSH Key misma...
Last post by Patrick M. Hausen - Today at 09:43:59 AM
Quote from: BigFreddy on Today at 09:07:01 AM
2) Does reinstalling the firewall [...] change SSH keys?

Yes. This is expected. The keys are generated when a host first boots after installation. Remove the old key(s) from your ~/.ssh/known_hosts and acknowledge the new one(s).
#3
26.1 Series / Re: Is latest OPNSense 26.1.x ...
Last post by PerpetualNewbie - Today at 09:38:06 AM
Quote from: newsense on Today at 09:25:48 AM
Applying the mitigation will suffice until 26.1.6 arrives, which may not happen next week if nothing else more serious needs patching in the meantime.

Excellent!
For those that didn't read the FreeBSD link, a suggested mitigation:

Quote from: FreeBSD URL
IV. Workaround

The mbuf leak can be mitigated by not rate limiting the sending of challenge
ACKs. This can be achieved with immediate effect by setting the
net.inet.tcp.ack_war_timewindow sysctl to 0:

sysctl net.inet.tcp.ack_war_timewindow=0

This mitigation does trade off the leaking of mbufs against additional
CPU/resource cost associated with responding to all challenge ACK eligible
packets received for established TCP connections.

To make this change persistent across reboots, add it to /etc/sysctl.conf.

Quote from: franco on Today at 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SA's includes more changes to pf than necessary (or even relevant to us) so this has to wait for 26.1.6 or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly which has all the commits.

Thanks!
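A small check for the workaround quoted above, as an added example that is not part of the forum post or the FreeBSD advisory: it tells you whether the `net.inet.tcp.ack_war_timewindow` sysctl currently holds the value 0 the advisory prescribes, and whether a `/etc/sysctl.conf`-style file already carries the persistent setting. The sysctl name, the value 0 and the file name come from the quoted advisory text; the sample file contents are constructed. The persistence check only inspects the text it is given, so it knows nothing about other ways a system may set tunables.

```shell
#!/bin/sh
# Added example (not from the forum post or the FreeBSD advisory): report
# whether the advisory's workaround for the challenge-ACK mbuf leak is active
# at runtime and whether it is persisted in a sysctl.conf-style file.
# The sysctl name and the value 0 are taken from the quoted advisory text;
# SAMPLE_SYSCTL_CONF below is constructed for illustration.

SYSCTL_NAME='net.inet.tcp.ack_war_timewindow'
# Same name with the dots escaped so it can be used literally in grep -E.
SYSCTL_RE=$(printf '%s' "$SYSCTL_NAME" | sed 's/\./\\./g')

# Returns 0 when the runtime value given as $1 means the workaround is active
# (the advisory sets the sysctl to 0 to stop rate limiting challenge ACKs).
ack_war_workaround_active() {
    [ "$1" = "0" ]
}

# Returns 0 when the sysctl.conf text in $1 contains an uncommented
# "<name>=0" line; whitespace around the name, "=" and value is allowed.
ack_war_workaround_persisted() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${SYSCTL_RE}[[:space:]]*=[[:space:]]*0[[:space:]]*$"
}

# Reads the live value on a FreeBSD host; prints "unknown" where the sysctl
# does not exist (for example when run on a non-FreeBSD machine).
current_ack_war_timewindow() {
    sysctl -n "$SYSCTL_NAME" 2>/dev/null || echo unknown
}

# Constructed sample of a sysctl.conf that already carries the workaround.
SAMPLE_SYSCTL_CONF='# persisted per FreeBSD-SA-26:06.tcp
net.inet.tcp.ack_war_timewindow=0'

# Stand-alone run: live runtime value, constructed file for the persistence check.
value=$(current_ack_war_timewindow)
if ack_war_workaround_active "$value"; then
    echo "runtime: workaround active (${SYSCTL_NAME}=${value})"
else
    echo "runtime: workaround not active (${SYSCTL_NAME}=${value}); apply with: sysctl ${SYSCTL_NAME}=0"
fi
if ack_war_workaround_persisted "$SAMPLE_SYSCTL_CONF"; then
    echo "persisted: yes"
else
    echo "persisted: no; add ${SYSCTL_NAME}=0 to /etc/sysctl.conf"
fi
```

On a real host, pass `"$(cat /etc/sysctl.conf)"` to `ack_war_workaround_persisted` instead of the sample; the runtime check already reads the live sysctl.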
#4
1st screenshot: local address

Is it the address of the WAN interface, or is it the public IP, which differs from the WAN interface IP?
#5
General Discussion / Re: TUI for viewing and analys...
Last post by newsense - Today at 09:35:44 AM
Thanks again, installing it now everywhere.


For those interested it is even usable from a phone depending on the app used.
#6
26.1 Series / Re: Is latest OPNSense 26.1.x ...
Last post by franco - Today at 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SA's includes more changes to pf than necessary (or even relevant to us) so this has to wait for 26.1.6 or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly which has all the commits.


Cheers,
Franco
#7
26.1 Series / Re: Is latest OPNSense 26.1.x ...
Last post by newsense - Today at 09:25:48 AM
Applying the mitigation will suffice until 26.1.6 arrives, which may not happen next week if nothing else more serious needs patching in the meantime.
#8
26.1 Series / Is latest OPNSense 26.1.x affe...
Last post by PerpetualNewbie - Today at 09:16:13 AM
Hello,

If an OPNSense box has no public-facing services, is it at risk for CVE-2026-4247 from the public Internet?


Links:

https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc

https://www.cvedetails.com/cve/CVE-2026-4247/

If this is a service-affecting risk for OPNSense, do you have any estimate for when a patched kernel will be included in an update?

You all are great. This is not criticism or complaint.

Thanks for your hard work! :-)

#9
26.1 Series / I'm getting "SSH Key mismatch:...
Last post by BigFreddy - Today at 09:07:01 AM
Hi,

I have nuked the old installation of my OPNSense, did a new install, then proceeded to do the initial configuration via the web GUI, followed by restoring the old config via the web browser in the said web GUI. I then tried SSHing into my firewall and was greeted with this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@  WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ECDSA Key here
Please contact your system administrator.
Add correct key in system path here/known_hosts to get rid of this message.
Offending ECDSA key in system path here/known_hosts:1
remove with:
command to remove it
ECDSA host key for IP Here has changed and you have requested strict checking.
Host key verification failed.

So my questions are:

1) Could a major upgrade of the firewall from one major version to another cause the SSH keys to rotate?
2) Would reinstalling the firewall, doing the initial setup in the web GUI, followed by restoring the configuration file via the web GUI, change the SSH keys?

I'm wondering if something nefarious is happening on my firewall, as from reading online, restoring a config file to OPNSense should still retain the old SSH keys, but in this case this hasn't happened.

Thanks
#10
General Discussion / Re: TUI for viewing and analys...
Last post by allddd - Today at 08:53:07 AM
For anyone interested, opnsense-filterlog is now also available as a binary package (thanks @franco!) and can be installed via pkg:

pkg install opnsense-filterlog

The package comes with a man page that's got pretty much the same info as the README:

man opnsense-filterlog

Currently v0.8.0 is in the repo; v0.9.0 will come with the 26.1.6 release and can now parse all filter log fields/protocols, filter by time, etc.