Recent posts

#1
General Discussion / Re: NAXSI
Last post by someone - Today at 02:00:48 AM
A few things.
My first OPNsense instance was protected by AppArmor because it was a VM, shared systems.

OK, I found out more on what my attacks are.
One, the blocked commands I was picking up in logs are in line with crypto malware.

Two, how it gets there through the browser.
I didn't have a name for it but IBM and global security do. It's called zero-click attacks.
It's been in CVEs since the year 2000; no one can fix it yet.

IBM has a video on zero-click attacks and the first two seconds of it say: boom, you're hacked, just that fast.
It's software of different types downloaded through the browser; two names are Pegasus and Stagefright, and that's just two,
not counting all the others and the variations of it; the amount of code varies.
They affect phones and computers. All they have to do to hack your phone is call you.
You don't have to answer or even touch your phone and you're hacked.
There is more information on these types of attacks, just some of millions of attacks.
This software is sold to people; the one shown was subscription based, strangely, around 700 a year.
Reason it's hard to see: it's not just encrypted, it can be double encrypted, it can be obfuscated before encryption,
so decrypting packets doesn't pick it up; they usually skip it.
Remember I was talking about the hands-on tools to see and break down this embedded malware code.
Anyway, these attacks, of different types, come through the browser and affect your phone.
Yes, I hunt them in my spare time sometimes, and bug bounty.
Have found a few; I didn't save them, they are dangerous around your system. I'll have to save them from now on.
And the corporations didn't offer to pay me; they did ask me to help.
#2
25.7, 25.10 Series / choose shell for item 8 in /us...
Last post by tessus - Today at 12:48:08 AM
In the /usr/local/sbin/opnsense-shell script that is used as the shell for the root user, the shell when selecting menu entry 8 is hard-coded to /bin/csh.

I would like to use bash (/usr/local/bin/bash) instead.

Can you please point me to the correct repo for this script so that I can submit a PR? I am thinking of reading a file (e.g. /etc/opnsense-shell) and in case the file exists and has a CMD_SHELL var, it will be used. Otherwise the current default is used. We can discuss the specifics in the PR.

What do you think?
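One way the override proposed above could be read, as an added example that is not OPNsense's opnsense-shell code. The file name /etc/opnsense-shell and the variable name CMD_SHELL are the ones from the post; the decision not to source the file and to validate the path against /etc/shells is this example's own, since opnsense-shell runs as root and sourcing a writable file would execute whatever is written into it.

```shell
#!/bin/sh
# Added example, not OPNsense code. File name /etc/opnsense-shell and the
# CMD_SHELL variable come from the forum post; the validation is assumed here.

DEFAULT_SHELL=/bin/csh   # the value that is hard-coded in opnsense-shell today

# choose_shell CONFIG_FILE [SHELLS_FILE]
# Prints the shell to run for menu entry 8. The config file is deliberately
# not sourced (that would run arbitrary commands as root); only a line of the
# form "CMD_SHELL=/abs/path" is read. The path must be absolute, executable and
# listed in SHELLS_FILE (default /etc/shells), otherwise the default is kept.
choose_shell() {
    config=$1
    shells=${2:-/etc/shells}
    candidate=""
    if [ -r "$config" ]; then
        # last assignment wins; whitespace and quotes around the value are dropped
        candidate=$(sed -n 's/^[[:space:]]*CMD_SHELL=//p' "$config" | tail -n 1 | tr -d '[:space:]"')
    fi
    case "$candidate" in
        /*) ;;              # absolute path: continue with the checks below
        *)  candidate="" ;; # relative, empty or garbage: fall back
    esac
    if [ -n "$candidate" ] && [ -x "$candidate" ] && grep -q -x -F -- "$candidate" "$shells" 2>/dev/null; then
        printf '%s\n' "$candidate"
    else
        printf '%s\n' "$DEFAULT_SHELL"
    fi
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' /bin/sh /bin/csh > "$demo_dir/shells"
printf 'CMD_SHELL=/bin/sh\n' > "$demo_dir/override"
printf 'CMD_SHELL=/bin/sh; echo injected\n' > "$demo_dir/tampered"
echo "override set   : $(choose_shell "$demo_dir/override" "$demo_dir/shells")"
echo "no config file : $(choose_shell "$demo_dir/missing"  "$demo_dir/shells")"
echo "tampered value : $(choose_shell "$demo_dir/tampered" "$demo_dir/shells")"
rm -rf "$demo_dir"
```

The tampered line shows why parsing beats sourcing: the appended command never runs, the value simply fails the executable check and the default shell is used.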
#3
25.7, 25.10 Series / Re: OPNsense 25.7.10 - Partial...
Last post by franco - January 08, 2026, 10:21:01 PM
The failure detection we added certainly works as expected. Unfortunately the current package manager isn't very good in these instances. We will be looking into it shortly. It's not our territory, but it seems we need to dig into this.


Cheers,
Franco
#4
25.7, 25.10 Series / Re: ACME Client "Invalid Domai...
Last post by torgeir - January 08, 2026, 09:47:18 PM
I don't know what changed and I don't like the solution, as I'm not sure it's an OK one in all scenarios.

Kinda baffled that the acme.sh master branch also has this.

The code is incredibly brittle. I'm surprised it works at all tbh.
#5
25.7, 25.10 Series / Re: ACME Client "Invalid Domai...
Last post by torgeir - January 08, 2026, 09:32:28 PM
To me it seems that the regexp on line 209 of /usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh does not match the returned content from Cloudflare, causing the invalid domain error.

I changed line 209 from this

sed -n 209p /usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh.20260108.bak
      _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")


to this (it's line 210 here as I added a comment above it; the bracket in the _egrep_o regex is the only thing that changed)

sed -n 210p /usr/local/share/examples/acme.sh/dnsapi/dns_cf.sh
      _domain_id=$(echo "$response" | _egrep_o "\"id\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")


Which seems to fix this.

This gave me a new kind of error: a 403 "User account ID doesn't match account ID in authorization", and I recreated my token with Zone Zone Edit and Zone DNS Read permissions. I removed "CF Account ID" from Services -> ACME Client -> Challenge Types, and now only use

- CF API Token
- CF Zone ID (Optional)

It works again.
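The one-character regex change above, reproduced as an added example (not acme.sh or OPNsense code) on constructed sample responses rather than captured Cloudflare output. grep -o -E stands in for acme.sh's _egrep_o helper and the rest of the pipeline is the same shape as the dns_cf.sh line. The first sample has "id" as the first key of the first result object, the second does not, and the third is a constructed edge case showing what the relaxed expression costs: it returns the first "id" anywhere in the response, whichever object it belongs to.

```shell
#!/bin/sh
# Added example, not acme.sh code. All three "responses" are constructed.

# Constructed: "id" is the first key of the first object in "result",
# so the text '[{"id"' is present and the old expression can match.
CF_ID_FIRST='{"result":[{"id":"0123456789abcdef0123456789abcdef","name":"example.com","status":"active"}],"success":true}'

# Constructed: same data, but "id" is not the first key, so '[{"id"' never appears.
CF_ID_LATER='{"result":[{"name":"example.com","id":"0123456789abcdef0123456789abcdef","status":"active"}],"success":true}'

# Constructed edge case: an embedded object carries its own "id" before the zone id.
CF_NESTED_ID='{"result":[{"account":{"id":"accountidaaaaaaaaaaaaaaaaaaaaaaa"},"id":"0123456789abcdef0123456789abcdef"}],"success":true}'

# extract_id REGEX RESPONSE
# Same steps as the dns_cf.sh line: first match, value after the colon,
# quotes and spaces stripped. Prints nothing when the regex does not match,
# which is what produces the "invalid domain" path in the script.
extract_id() {
    printf '%s' "$2" | grep -o -E "$1" | head -n 1 | cut -d : -f 2 | tr -d '"' | tr -d ' '
}

# Expression as it was on line 209: requires '[' plus one character right before "id".
old_domain_id() { extract_id '\[."id": *"[^"]*"' "$1"; }

# Expression after the change: the first "id" anywhere in the response.
new_domain_id() { extract_id '"id": *"[^"]*"' "$1"; }

echo "old regex, id first key : $(old_domain_id "$CF_ID_FIRST")"
echo "old regex, id later key : '$(old_domain_id "$CF_ID_LATER")'"
echo "new regex, id later key : $(new_domain_id "$CF_ID_LATER")"
echo "new regex, nested id    : $(new_domain_id "$CF_NESTED_ID")"
```

The nested case is the caveat: once the leading bracket is dropped, the expression no longer pins the match to the first result object, so any other "id" field that happens to precede the zone's is returned instead. A JSON-aware parse of result[0].id would not have that problem, which is the brittleness the follow-up post complains about.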
#6
General Discussion / Redundant "allow access to DH...
Last post by ewb - January 08, 2026, 09:27:55 PM
I have 2 installations on N150 hardware. Both started from the 25.7 community release but both are running 25.7.10 now.
This is a basic setup with Unbound forwarding to Dnsmasq for the local domain, no VPN or intrusion detection, a couple of custom firewall rules and aliases. On my older install there are 23 Automatic LAN firewall rules including 8 to "allow access to DHCP server", of which 5 are for IPv6 UDP and the other 3 encompass IPv4 also.

On my 2nd install, which is substantially the same, I updated to 25.7.10 directly from the original release. Here I have these same 8 rules but also 5 others described as "allow access to DHCPv6 server on LAN." These do not have a help icon. These are listed *ahead* of the 8. They look identical to the 5 IPv6 UDP rules above. They are all quick rules, so this probably doesn't matter functionally, but something seems fishy here.

I did get an "unexpected error" during the firmware update, but failed to see any details on that and I don't know how to go back and retrieve that log file. There is nothing in /var/log/pkg/latest.log about an error.

If I disable Dnsmasq, the 8 rules go away but the 5 redundant rules do not. Re-enabling Dnsmasq brings the 8 rules back.

Both installs seem to be working properly. The 1st is "in production" while I am just testing the 2nd one with one LAN side PC.

Is there a way to correct this?
#7
25.7, 25.10 Series / OPNsense 25.7.10 - Partial upd...
Last post by vpx23 - January 08, 2026, 09:04:19 PM
Just documenting this error, don't know if it's just my system.

First try:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.9_7 (amd64) at Thu Jan  8 20:49:46 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (76 candidates): .......... done
Processing candidates (76 candidates): .. done
The following 14 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
dnscrypt-proxy2: 2.1.5_19 -> 2.1.5_20
dpinger: 3.3 -> 3.4
gettext-runtime: 0.23.1 -> 0.26
glib: 2.84.1_3,2 -> 2.84.4,2
libucl: 0.9.2_2 -> 0.9.3
nss: 3.118.1 -> 3.119.1
opnsense: 25.7.9_7 -> 25.7.10
opnsense-update: 25.7.8 -> 25.7.10
php83-phpseclib: 3.0.47 -> 3.0.48
py311-anyio: 4.11.0 -> 4.12.0
py311-certifi: 2025.10.5 -> 2025.11.12
py311-numpy: 1.26.4_10,1 -> 1.26.4_11,1
py311-tzdata: 2025.2 -> 2025.3
py311-urllib3: 2.5.0,1 -> 2.6.0,1

Number of packages to be upgraded: 14

25 MiB to be downloaded.
[1/14] Fetching py311-anyio-4.12.0.pkg: .......... done
[2/14] Fetching dpinger-3.4.pkg: .. done
[3/14] Fetching opnsense-update-25.7.10.pkg: ..... done
[4/14] Fetching py311-numpy-1.26.4_11,1.pkg: .......... done
[5/14] Fetching nss-3.119.1.pkg: .......... done
[6/14] Fetching dnscrypt-proxy2-2.1.5_20.pkg: .......... done
[7/14] Fetching php83-phpseclib-3.0.48.pkg: .......... done
[8/14] Fetching py311-certifi-2025.11.12.pkg: .......... done
[9/14] Fetching py311-tzdata-2025.3.pkg: .......... done
[10/14] Fetching gettext-runtime-0.26.pkg: .......... done
[11/14] Fetching py311-urllib3-2.6.0,1.pkg: .......... done
[12/14] Fetching glib-2.84.4,2.pkg: .......... done
[13/14] Fetching libucl-0.9.3.pkg: .......... done
[14/14] Fetching opnsense-25.7.10.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/14] Upgrading dnscrypt-proxy2 from 2.1.5_19 to 2.1.5_20...
===> Creating groups
Using existing group '_dnscrypt-proxy'
===> Creating users
Using existing user '_dnscrypt-proxy'
[1/14] Extracting dnscrypt-proxy2-2.1.5_20: ....... done
[2/14] Upgrading dpinger from 3.3 to 3.4...
[2/14] Extracting dpinger-3.4: .... done
[3/14] Upgrading gettext-runtime from 0.23.1 to 0.26...
[3/14] Extracting gettext-runtime-0.26: .......... done
[4/14] Upgrading glib from 2.84.1_3,2 to 2.84.4,2...
[4/14] Extracting glib-2.84.4,2: .......... done
[5/14] Upgrading libucl from 0.9.2_2 to 0.9.3...
[5/14] Extracting libucl-0.9.3: .......... done
[6/14] Upgrading nss from 3.118.1 to 3.119.1...
[6/14] Extracting nss-3.119.1: .......... done
[7/14] Upgrading opnsense-update from 25.7.8 to 25.7.10...
[7/14] Extracting opnsense-update-25.7.10: .......... done
[8/14] Upgrading php83-phpseclib from 3.0.47 to 3.0.48...
[8/14] Extracting php83-phpseclib-3.0.48: ......... done
[9/14] Upgrading py311-anyio from 4.11.0 to 4.12.0...
[9/14] Extracting py311-anyio-4.12.0: .......... done
[10/14] Upgrading py311-certifi from 2025.10.5 to 2025.11.12...
[10/14] Extracting py311-certifi-2025.11.12: .......... done
[11/14] Upgrading py311-numpy from 1.26.4_10,1 to 1.26.4_11,1...
[11/14] Extracting py311-numpy-1.26.4_11,1: .......... done
[12/14] Upgrading opnsense from 25.7.9_7 to 25.7.10...
[12/14] Extracting opnsense-25.7.10: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
[13/14] Upgrading py311-tzdata from 2025.2 to 2025.3...
[13/14] Extracting py311-tzdata-2025.3: .......... done
pkg-static: Fail to rename /usr/local/lib/python3.11/site-packages/tzdata/zoneinfo/.pkgtemp.Factory.xFcsyJuky7kf -> /usr/local/lib/python3.11/site-packages/tzdata/zoneinfo/Factory:No such file or directory
Starting web GUI...done.
Partial update failure detected: attempting automatic cleanup.
No further actions will be taken. Please restart the update now.
***DONE***

Second try:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7.10 (amd64) at Thu Jan  8 20:52:59 CET 2026
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (64 candidates): .......... done
Processing candidates (64 candidates): . done
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
py311-tzdata: 2025.2 -> 2025.3
py311-urllib3: 2.5.0,1 -> 2.6.0,1

Number of packages to be upgraded: 2
[1/2] Upgrading py311-tzdata from 2025.2 to 2025.3...
[1/2] Extracting py311-tzdata-2025.3: .......... done
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/LICENSE
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/LICENSE_APACHE
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/METADATA
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/RECORD
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/WHEEL
py311-tzdata-2025.2: missing file /usr/local/lib/python3.11/site-packages/tzdata-2025.2.dist-info/top_level.txt
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/APACHE20
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/LICENSE
py311-tzdata-2025.2: missing file /usr/local/share/licenses/py311-tzdata-2025.2/catalog.mk
[2/2] Upgrading py311-urllib3 from 2.5.0,1 to 2.6.0,1...
[2/2] Extracting py311-urllib3-2.6.0,1: .......... done
=====
Message from py311-urllib3-2.6.0,1:

--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/nss-3.119.1.pkg
/var/cache/pkg/opnsense-update-25.7.10~87bc1e1d0a.pkg
/var/cache/pkg/py311-certifi-2025.11.12~215272b159.pkg
/var/cache/pkg/py311-anyio-4.12.0~f3781d8bca.pkg
/var/cache/pkg/dnscrypt-proxy2-2.1.5_20.pkg
/var/cache/pkg/opnsense-25.7.10~e8fe778b04.pkg
/var/cache/pkg/php83-phpseclib-3.0.48~5bf8d63581.pkg
/var/cache/pkg/glib-2.84.4,2~6b60e61d06.pkg
/var/cache/pkg/py311-numpy-1.26.4_11,1~d5a615882f.pkg
/var/cache/pkg/nss-3.119.1~4b1fda0aab.pkg
/var/cache/pkg/py311-certifi-2025.11.12.pkg
/var/cache/pkg/dpinger-3.4~276601a0c0.pkg
/var/cache/pkg/gettext-runtime-0.26~dadd59a075.pkg
/var/cache/pkg/py311-tzdata-2025.3~fa615f73d6.pkg
/var/cache/pkg/py311-urllib3-2.6.0,1.pkg
/var/cache/pkg/opnsense-25.7.10.pkg
/var/cache/pkg/dnscrypt-proxy2-2.1.5_20~49cbf483a0.pkg
/var/cache/pkg/dpinger-3.4.pkg
/var/cache/pkg/py311-anyio-4.12.0.pkg
/var/cache/pkg/py311-urllib3-2.6.0,1~c0b1f10e54.pkg
/var/cache/pkg/py311-numpy-1.26.4_11,1.pkg
/var/cache/pkg/glib-2.84.4,2.pkg
/var/cache/pkg/py311-tzdata-2025.3.pkg
/var/cache/pkg/php83-phpseclib-3.0.48.pkg
/var/cache/pkg/libucl-0.9.3~417cf27395.pkg
/var/cache/pkg/gettext-runtime-0.26.pkg
/var/cache/pkg/opnsense-update-25.7.10.pkg
/var/cache/pkg/libucl-0.9.3.pkg
The cleanup will free 25 MiB
Deleting files: .......... done
Nothing to do.
Starting web GUI...done.
Fetching base-25.7.10-amd64.txz: ......................... done
Fetching kernel-25.7.10-amd64.txz: ......... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-25.7.10-amd64.txz... done
Installing base-25.7.10-amd64.txz... done
Cleaning obsolete files... done
Please reboot.
***REBOOT***
#8
25.1, 25.4 Series / Re: NUT is in a Shutdown loop ...
Last post by janesluth46 - January 08, 2026, 07:18:12 PM
It sounds like NUT is still picking up stale Netclient config and immediately acting on it, which triggers the shutdown. I'd suggest fully clearing any remaining NUT config (including `/usr/local/etc/nut/*`), rebooting, then configuring Standalone from scratch with the USB UPS only connected. Also double-check that upsmon is set to **master** and that no old UPS definitions pointing to the NAS remain. I reported same at football bros.io
#9
Zenarmor (Sensei) / Re: Youtube NOT blocked
Last post by Seimus - January 08, 2026, 06:37:47 PM
Quote from: sy on January 08, 2026, 12:33:53 PM
Hi @arthurdaire,

Please block QUIC protocol as well in Media Streaming category.

This will block all of UDP 443, not only the traffic intended for YouTube, and not only QUIC, as it will also match DTLS (TLS over UDP). Google is not the only company using this. So be careful.

Regards,
S.
#10
German - Deutsch / Re: Probleme beim einrichten v...
Last post by TehSoulja - January 08, 2026, 06:04:49 PM
Quote from: meyergru on January 08, 2026, 05:33:19 PM
Quote from: meyergru on January 07, 2026, 08:35:14 PM
and the correct LAN port is used

;-)

I have to admit it was absolutely not apparent to me that there is one particular port that is allowed out to the Internet, while the others are more or less just "decoration".