Recent posts

#91
25.7, 25.10 Series / Re: Recommendation: Remove "bl...
Last post by zakaron - December 23, 2025, 07:17:12 PM
I am using the community edition. I don't know what the business edition includes as far as pre-defined selections, but if the "blocklist.site" lists are not being maintained and are stale, I would suggest researching others in the drop-down list to use instead.

For what it's worth, I did notice under Reports --> Unbound that the count of blocked sites remained the same after the upgrade, even though the actual selections are now removed from the blocklist section, so what franco indicated probably was accurate and the existing "blocklist.site" lists were still active, just with no way to remove them until you reconfigure. For me, I decided to research other lists and just rebuild my custom blocklist profile. Not a big deal, especially if it removes stale lists that I was unaware of.

I've also been using the Emerging Threats feed list for many years, since before switching to the Opnsense platform. It is maintained by Proofpoint, so I use the .txt links in the custom blocklist site list: https://rules.emergingthreats.net
#92
General Discussion / Re: Browser Intrusion which op...
Last post by Monviech (Cedrik) - December 23, 2025, 07:07:08 PM
This forum is certainly not a personal diary where countless threads are opened up that have no real content.
#93
General Discussion / Re: Browser Intrusion which op...
Last post by someone - December 23, 2025, 06:59:14 PM
What is the title of this forum section? I spent two years working to get this information, which no one on this forum has bothered to mention or been able to help with. I hope it helps others, and helps opnsense. Opnsense is in competition, has obligations, and so does this forum. Security is the only thing keeping opnsense and its competitors alive. Are we going to post security-related messages here, or will opnsense create another topic field? I don't care to see opnsense fall behind; security and the ongoing tasks and countermeasures are huge.
#95
General Discussion / Re: Browser Intrusion which op...
Last post by Monviech (Cedrik) - December 23, 2025, 06:53:53 PM
Could you create fewer of these random threads, please? They are starting to look like spam. Thank you.
#96
German - Deutsch / Connection to the telematics infr...
Last post by MichaM - December 23, 2025, 06:44:22 PM
Hello everyone,

Here is the problem:
I have a Draytek Vigor 167 as the modem, and behind it the Opnsense with PPPoE (DSL). A site-to-site VPN via IPsec to the high-speed connector was established successfully. However, the associated open specialist services (Kim+, Kvsafenet) do not work.
As specified by the service provider, the corresponding routes and outbound NAT rules were set.
However, it keeps running into a timeout.

In another forum I read that the firewall rules are to be skipped on the tunnel interface. On the current Opnsense version I can no longer find this setting (skip firewall rules).

Does anyone have an idea?

Best regards
Michael
#97
25.7, 25.10 Series / Re: DNSmasq and Unbound Peacef...
Last post by spetrillo - December 23, 2025, 06:41:28 PM
If you use DoT, do you just configure the nameservers in that Unbound section and you are good to go? For example, the Quad9 DNSSEC IPs?
#98
General Discussion / Browser Intrusion which opnsen...
Last post by someone - December 23, 2025, 06:40:19 PM
There are two types of threats, one I have discovered recently on my own.
One: Say your computer is on and no browser open:
     That is new connection based, in which a new connection is required. Opnsense firewall and suricata handle these very well.
     No one can just make a connection to your computer you didn't ask for. Attackers and bots can't get in.
Two: Browser-based connections, three types, which opnsense cannot protect against:
     One: A connection made by something you clicked on or hovered over
     Two: Automatic connection by a connected server, which connects you to other servers without permission, also from embedded scripts in webpages
     Three: Stolen connections such as cross-platform scripts inside websites

If they have a connection they can do what they want on your computer.
So how do you protect your operating system and opnsense?
I use apparmor and install its extra profiles; it protects your operating system endpoints so bad guys can't destroy or take over your computer or opnsense. There are many different types of endpoint protection. They also differ in what they trigger off of. Apparmor is access control of endpoints. Endpoints are apps that operate your computer. It is working for me in the default configuration once you add the extra profiles with a software manager. If they have access to your computer they have very easy access to the opnsense LAN side. I would think everyone needs some type of endpoint protection if you can.

Be careful which type of endpoint protection you use; they are not created equal. And I don't care to bash them. Pun.
Protection such as apparmor monitors all commands on your computer, aka access control; others monitor IPs only, others just key words, etc.
I also install auditd so I can see which commands apparmor blocked that are coming through the browser.

Suricata is working on decryption, where they can scan all incoming traffic, which will take a large burden off endpoint protection.
If you are a business, there are services offering this.
At home, decryption can be done and traffic scanned.

I call it browser intrusion; it has many names and many attacks.
#100
25.7, 25.10 Series / Re: dnsmasq and ipv6 config
Last post by Patrick M. Hausen - December 23, 2025, 05:36:19 PM
3. Kick your ISP until they follow recommended practice 🙂

https://www.rfc-editor.org/rfc/rfc3177

3. Address Delegation Recommendations

   The IESG and the IAB recommend the allocations for the boundary
   between the public and the private topology to follow those general
   rules:

      -  /48 in the general case, except for very large subscribers.
      -  /64 when it is known that one and only one subnet is needed by
         design.
      -  /128 when it is absolutely known that one and only one device
         is connecting.

   In particular, we recommend:

      -  Home network subscribers, connecting through on-demand or
         always-on connections should receive a /48.
      -  Small and large enterprises should receive a /48.
      -  Very large subscribers could receive a /47 or slightly shorter
         prefix, or multiple /48's.
[...]

So even a /56 is debatable, although in most cases it is enough (I can theoretically have 256 VLANs with the /56 I get from Deutsche Telekom).