Recent posts

#1
I had several blocklists added. I have now removed them entirely. I am still utilizing DNS over TLS with Nextdns. I can try just unbound if requested? But it did the same thing yesterday with just unbound not forwarding.

I uninstalled and reinstalled the plugin, rebooted the entire firewall. Qfeeds shows: Database Size: 138,912 on the widget.
Reporting unbound: 234908 size of blocklist

Recreated the firewall rule on floating:
block
all utilized interfaces
direction in
destination Qfeeds malware IP
gateway is default.

On 2 different devices, if I bring up "cherrypharm.com"
the website is not blocked and I get a warning on both browsers.

Widget and Security > Events are 0.

#2
26.1 Series / Re: 26.1.rc1 -> 26.1 rc2 ........
Last post by franco - Today at 12:43:26 PM
Nice, if you can try a reboot since it's currently not forced and hostwatch and dhcp6c will not fully restart into their latest version due to this.


Cheers,
Franco
#3
26.1 Series / 26.1.rc1 -> 26.1 rc2 ..... wor...
Last post by notspam - Today at 12:41:02 PM
Upgrade from 26.1.rc1 to 26.1.rc2.
Needed two upgrade steps and then it was done successfully.
A short test shows normal functionality.
#4
I had two lists, but both disabled. I deleted them and still get ~235000 entries in the blocklist, maybe those are the Qfeeds items.

However, they are there regardless of me having "Register domain feeds" enabled or disabled. How do you register your blocklist into Unbound technically? This looks like there is a downloaded domain list that is injected into Unbound, but after disabling it, the list persists.

I found /var/unbound/data/dnsbl.json that seems to have the data included. I wonder how the different blocklists and the Qfeeds lists are integrated without interfering with one another...
#5
26.1 Series / Re: RC1: hundreds of rc.newwan...
Last post by Patrick M. Hausen - Today at 12:29:52 PM
Situation unchanged with RC2. Already sent a debug log to Franco.
#6
Hmm that's interesting. Once the checkbox is selected in our plugin the domains should register in the unbound plugin without showing in the blocklists section of the unbound plugin. You should see the blocklist size increase in the reporting of unbound: "https://your-firewall-ip:xxx/ui/unbound/overview". And of course it should start blocking. Obviously you might not see any blocks depending on the internet usage (people actually opening malicious domains) but if you try to it should definitely show blocks...

Do you have any other blocklists enabled within unbound?

We will try and replicate this behavior.

EDIT: tried it with domain: "naturah.lat" and got blocked perfectly for both A and AAAA records. Also showing up as blocked in the unbound report.
#7
Announcements / OPNsense 26.1-RC2 released
Last post by franco - Today at 11:57:47 AM

Good morning again,

The second release candidate for 26.1 brings fixes for issues found by our awesome community. As an online-only update you need 26.1-RC1 to install it.

The long-awaited dhcp6c refresh has been included as well as the latest version for hostwatch addressing the community concerns collected from 25.7.11.

Here are the changes against version 26.1-RC1:

o system: add XMLRPC option for hostwatch
o interfaces: show ISC-DHCPv6 menu in "idassoc6" mode
o interfaces: fix validation issue in "idassoc6" mode
o interfaces: handle hostwatch user/group via package
o interfaces: avoid forced reloads when PDINFO is not set
o firewall: fix 3 issues and improve instructions in rule migration page
o firewall: improve GeoIP alias expiry condition
o firewall: escape selector in rule_protocol
o kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
o kea: allow "hw-address" for reservations
o kea: add pool in subnet validation
o openvpn: account for CARP status in start and restart cases as well
o radvd: remove faulty empty address exception
o lang: various translation updates
o mvc: add ChangeCase support to ProtocolField for DNAT special case
o ports: dhcp6c v20260122
o ports: hostwatch 1.0.9

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
o The new host discovery service "hostwatch" is enabled by default (since 25.7.11).  You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.
o Firewall: NAT: Port Forwarding is now called "Destination NAT".  Firewall rule associations are no longer supported, but the old associated firewall rules remain in place.

Please let us know about your experience!


Stay safe,
Your OPNsense team
#8
General Discussion / Re: WAN failover DNS problem
Last post by pinpoint - Today at 11:56:55 AM
Ok. According to the manual "Do not use the system nameservers option if you have a multi-WAN setup and have Unbound running alongside multiple DNS servers configured in General with separate gateways assigned to them. Unbound will use the locally created routes to reach the system nameservers, which will not work when the gateway is down."
I guess adding nameservers to System: Settings: General is not the way, or does it only mean if I have selected separate gateways for each nameserver?
#9
26.1 Series / Re: Upgrade to RC1 successful
Last post by franco - Today at 11:46:17 AM
@meyergru haven't forgotten the talk about NAT rule association edits but it's not in RC2 since I need to look at it and RC2 should be out in a few minutes already for further feedback.  I did https://github.com/opnsense/core/commit/6c10a1cb which unhides the edit button but the edit page also has glue regarding that so I need a bit more time to prepare.


Cheers,
Franco
#10
25.1, 25.4 Series / Re: Disk space issue
Last post by Patrick M. Hausen - Today at 11:31:24 AM
@gmartin but do not (!) just go ahead and remove the swap partition, then use the procedure outlined by @Maurice. This will lead to a system with no swap at all. Bad idea.

Quote:
root@oprouter:~ # gpart show
=>       40  113246128  da0  GPT  (54G)
         40     532480    1  efi  (260M)
     532520       1024    2  freebsd-boot  (512K)
     533544   49798144    3  freebsd-ufs  (24G)
   50331688   16777136    4  freebsd-swap  (8.0G)
   67108824   46137344       - free -  (22G)

So from the top of my head without any guarantee it will work - go step by step and check the results before proceeding to the next one, please:

# make sure secondary GPT header is present
gpart recover da0

# disable swap - swapoff prints nothing, so take note of the swap device name from /etc/fstab or "swapinfo" first, e.g. "/dev/da0p4" or "/dev/gpt/swap"
swapoff -a

# remove swap partition
gpart delete -i 4 da0

# resize UFS partition
gpart resize -i 3 -s 36g da0

# recreate swap partition at its old size (8 G; without -s gpart would use all remaining free space) - if the device in the first step was "/dev/da0p4" use this:
gpart add -i 4 -t freebsd-swap -s 8g da0

# recreate swap partition - if the device in the first step was "/dev/gpt/SOMELABEL" use this:
gpart add -i 4 -t freebsd-swap -s 8g -l SOMELABEL da0

# re-enable swap
swapon -a

If that worked you should have a system with 8 G of swap like before and a resized UFS partition. The last step is to resize the UFS proper.

Connect a console and reboot into single user mode. Do not mount the root partition read/write, just leave it read only (this is the normal state after entering single user mode).

fsck -y /
growfs /
df
shutdown -r now

HTH,
Patrick
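A pre-flight check for the resize steps in the post above, as an added example that is not part of Patrick's post or of OPNsense: it parses "gpart show" output (here the listing quoted in the thread, embedded as a constructed sample) and confirms that the swap partition sits directly after the UFS partition and that the requested UFS size still leaves room to recreate swap at its old size. The helper name check_resize and its two arguments are assumptions of this example.

```shell
# Pre-flight check for the gpart resize procedure (added example, not from the post).
# Reads "gpart show" output on stdin and verifies that the UFS partition is
# immediately followed by the swap partition, and that the disk has room to grow
# UFS to the requested size while recreating swap at its old size.

# Constructed sample: the gpart listing quoted in the thread (512-byte sectors).
SAMPLE='=>       40  113246128  da0  GPT  (54G)
         40     532480    1  efi  (260M)
     532520       1024    2  freebsd-boot  (512K)
     533544   49798144    3  freebsd-ufs  (24G)
   50331688   16777136    4  freebsd-swap  (8.0G)
   67108824   46137344       - free -  (22G)'

# check_resize UFS_INDEX NEW_SIZE_GB   (hypothetical helper name)
# Prints "OK <sectors left after UFS and swap>" or "FAIL <reason>"; exit 1 on failure.
check_resize() {
    awk -v idx="$1" -v want_gb="$2" '
        $3 == idx && $4 == "freebsd-ufs" { ustart = $1; usize = $2; next }
        ustart && !swap_seen && $3 == idx + 1 {
            if ($4 != "freebsd-swap") { msg = "FAIL partition after UFS is not swap"; exit 1 }
            sstart = $1; ssize = $2; swap_seen = 1; next
        }
        swap_seen && $3 == "-" && $4 == "free" { fstart = $1; fsize = $2 }
        END {
            if (msg)        { print msg; exit 1 }
            if (!ustart)    { print "FAIL UFS partition not found"; exit 1 }
            if (!swap_seen) { print "FAIL no swap partition directly after UFS"; exit 1 }
            if (ustart + usize != sstart) { print "FAIL swap is not contiguous with UFS"; exit 1 }
            if (fstart != sstart + ssize) fsize = 0   # free space only counts if it follows swap
            want  = want_gb * 2097152                 # GB -> 512-byte sectors (gpart "36g")
            avail = usize + ssize + fsize
            if (want + ssize > avail) { print "FAIL not enough room to grow UFS and keep swap"; exit 1 }
            print "OK", avail - want - ssize
        }'
}

# Usage on a live system: gpart show da0 | check_resize 3 36 ; here the sample is used.
printf '%s\n' "$SAMPLE" | check_resize 3 36
```

The OK value is the free sector count left after growing UFS to 36 G and re-adding the 8 G swap; a FAIL means the layout does not match the procedure's assumptions and the commands should not be run as written.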