Recent Posts

61

General Discussion / Re: ESTABLISHED,RELATED - How to block NEW ?

« Last post by meyergru on Today at 03:57:44 pm »

However, my issue is the following when one does step by step :
1. first, A pings B : there is no answer - correct
2. second, B pings A : it works - correct
3. but now, if A pings B, A gets replies - NOT CORRECT

You seem not to understand that - unlike with real stateful traffic like TCP - with ICMP traffic, there is no "state" other than a time period where traffic in the reverse direction was seen.

A established TCP connection is characterized by a quadruple of (src_ip, src_port, dst_ip, dst_port). Thus, you can actually determine which response packets are to be allowed. If a packet was observed with a different dst_port as sender, it would not be allowed, since it cannot be attributed to the existing connection.

With ICMP, this is different. There is no port, only an ICMP subtype. Other than that, there are only (src_ip, dst_ip). Thus, you can only decide based on "soft" factors ("related"), like if within the last few seconds, you saw ICMP traffic between both parties that might explain why another ICMP packet is seen (and being passed).

Try the same test on an iptables-based firewall and you will probably see the same result.
Or, retry step 3 of your test after some time has passed.

62

German - Deutsch / Re: WAN Internetzugang

« Last post by user797979 on Today at 03:50:24 pm »

Hallo viragomann

ich habe im OPNsense (also nicht auf der Weboberfläche), WAN und LAN eine IP-Adresse gegeben. Nicht statisch sondern mit DHCPv4.
Ich habe zuerst WAN und LAN zu einer Schnittstelle zugewiesen und dann ihnen mit DHCP IP-Adressen gegeben.

63

Zenarmor (Sensei) / Re: Updating the packet engine resets web filtering to moderate

« Last post by bimbar on Today at 03:50:20 pm »

Thanks, I did that.

64

German - Deutsch / Re: Wireguard selektives Routing - DNS Leaks neue oder schlechte Idee ?

« Last post by Monviech (Cedrik) on Today at 03:45:28 pm »

Mit Destination NAT die DNS Umfragen umzuleiten ist eine sehr verbreitete Konfiguration, alles in Ordnung damit.

Damit sollten keine DNS Anfragen an der Firewall vorbeigehen können.

Im Zweifelsfall noch eine Firewallregel machen die Port 53 ins Internet blockt.

65

General Discussion / Re: Am I using the API wrong?

« Last post by peskytech on Today at 03:44:20 pm »

You may want to change your format, you are getting a 400 error, so your request is incorrect:
    curl  -k -u user:secret  https://X.X.X.X/api/core/backup/providers
Response:
    {"items":{"this":{"description":"This Firewall","dirname":"\/conf\/backup"}}}

The HTTP 400 Bad Request client error response status code indicates that the server would not process the request due to something the server considered to be a client error.

66

General Discussion / Re: ESTABLISHED,RELATED - How to block NEW ?

« Last post by netnut on Today at 03:38:20 pm »

I read on the different posts that with OPNSense it is actually default behaviour that when B is authorized to A, A can reply to B, and I could test it works well.

Correct, OPNsense is a stateful firewall.

However, my issue is the following when one does step by step :
1. first, A pings B : there is no answer - correct
2. second, B pings A : it works - correct
3. but now, if A pings B, A gets replies - NOT CORRECT

Actually what happens is obviously the following :
- step 1 : there is no rule to accept traffic from A to B so there is no reply
- step 2 : there is a rule to accept traffic from B to A, so as default OPNSense tracks the state of the connexion and replies from A are accepted back to B
- step 3 : when, at that point, A initiates traffic to B, OPNSense uses the previous state of the connexion at step 2 and it accepts the traffic !

Does it ? Can you share a packet trace of the scenario you tested ? (Interfaces: Diagnostics: Packet Capture).

Your example is about ping, which is ICMP, can you reproduce this with a TCP scenario also ?

So, in case there is regular communication from B to A, an attacker could suddenly usurpate the IP address of A to attack B through the firewall.

How can one definitely block traffic from A to B that is initiated by A ?

That is done by a default block rule in OPNsense, please share the packet trace to diag whats happening in your scenario.

67

Tutorials and FAQs / Re: OPNsense aarch64 firmware repository

« Last post by Maurice on Today at 03:25:51 pm »

OPNsense 24.7.9 aarch64 packages and sets released. Includes hotfix 24.7.9_1.

68

German - Deutsch / Re: WAN Internetzugang

« Last post by viragomann on Today at 03:23:44 pm »

Ich habe einen Mini PC welchen ich mit meinem OPNsense Gerät angeschlossen habe.
LAN und WAN sind an meinem Netzwerk angeschlossen und beziehe für beide jeweils eine IP-Adresse vom OPNsense DHCP-Server.

LAN und WAN vom Mini-PC?

Am OPNsense WAN läuft typischerweise kein DHCP Server.

69

General Discussion / moving ISP need to know WAN details

« Last post by robertkwild on Today at 03:18:08 pm »

hi all,

im moving from Zen to sky BB

is anyone on sky here and have they setup there opnsense with it?

ive seen this guide

https://docs.opnsense.org/manual/how-tos/SkyUK.html

anything else i need to know

thanks,
rob

70

24.7 Production Series / Some certificates and a few users are missing after the upgrade to 24.7.1

« Last post by bsilva.ds on Today at 03:03:17 pm »

Hello,

In 24.7.1 (upgraded from 23.7.12_5) all users have only one certificate visible in 'System: Access: Users', it's an old certificate not the new one. Other certificates that were linked 3 days before the upgrade are missing, and I can't see them in 'System: Trust: Certificates'.

One behavior I can notice is that, even with the certificate missing, users are still able to connect to OpenVPN using it, but I can't locate this "new" certificate anywhere in the system.

A few users, very few, have also disappeared. All our users are mapped via LDAP.