Stuck on OPNWAF

Started by WMINTIENS, February 29, 2024, 04:47:19 PM

Hi out there

I want to protect an internal server using OPNWAF,

so I created a DNS record ie. out.mydomain.net

On the firewall under Web Application I created:
- Gateways
>> Virtual server out.mydomain.net port 443
>> defined a certificate (internal) for this
- Locations
>> Path = /
>> Remote dest = https://internal-server:8443
>> virtual = out (above)

- Testing: it did not work. I saw requests coming in being blocked by the "default deny / state violation rule",
so I thought we need an additional rule, but got lost about what to do next.
- A friend told me to just add a port forwarding rule, but I don't get how.

Thanks for looking into this
Wim

You have to create a rule on "WAN" allowing TCP 80 and 443 to "This Firewall".
You don't need a Port Forward if your external IP address is bound to the "WAN" of the OPNsense.

Additionally, you should make sure that your firewall's web interface doesn't listen on these ports.
You can change the default listening ports in "System: Settings: Administration". Change the TCP Port to 4444 for example, and enable the "HTTP Redirect: Disable web GUI redirect rule" checkbox. Make sure your administrative interface also allows connections to this TCP port to "This Firewall" (though there is an anti-lockout rule which should take care of that automatically on the "LAN" interface).

Hardware:
DEC740

Monviech,

The issue is that it keeps hitting the following rule: 'default deny / state violation rule'.
This is the 2nd rule in the list and I cannot add a rule before this.

How does your solution help overriding this?

Thanks for elaborating on it

Wim

Monviech,

I just tried the following. According to what I understood from your initial feedback, the firewall is blocking incoming requests because it uses 443 also for its management.

So I changed the port the virtual server is listening on to 444 and tried from outside the URL https://<my-fqdn>:444, but this also hits the 'block everything from outside' rule.

thanks for looking into this.

Wim

You need to create a rule on WAN permitting this traffic as Monviech wrote.

Interface: WAN
Action: allow
Direction: in
Source: any
Destination: "WAN address" or "This Firewall"
Destination port: 444
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Patrick,

I did all this, but this rule is at the bottom, after all the default rules, so it never gets to that rule.
As I mentioned, the 2nd rule is the automatically created rule "deny everything from outside",
and I cannot move the rule before this automatically created rule.

KR Wim

The second rule does not have Quick Match (yellow lightning), so it only matches if no other rule after it matched.

March 05, 2024, 05:02:47 PM #7 Last Edit: March 05, 2024, 05:16:01 PM by WMINTIENS
Gents,

I fixed somehow the firewall rule issue, so far so good.

Now I'm having an issue with the authentication using certificates.

- created in the FW a root certificate
- created in the FW an intermediate certificate signed by the root
- created a server certificate for the virtual server signed by the intermediate
- created a CRL for the intermediate
I exported the above public keys and imported them in my Windows trust store.
- created in the FW a client certificate signed by the intermediate
I exported the P12 client cert (priv + pub key) and installed it in my browser.

In the gateway under virtual server:
* server cert = the server cert created above
* CA for client auth = intermediate CA
* CRL for client auth = On
* ACME = off

* header sec = default
* TLS security = modern

But!! I now get this issue:
<FQDN> didn't accept your login certificate or a login certificate may not have been provided.
Try contacting your organisation.
ERR_BAD_SSL_CLIENT_AUTH_CERT

When calling the FQDN of the virtual server, Edge asks me to select a client cert in a pop-up; I provide the one I created above and imported.

So what am I doing wrong this time?

Thanks !

March 06, 2024, 11:29:30 AM #8 Last Edit: March 06, 2024, 11:31:31 AM by WMINTIENS
Hi

Besides the issue with the certificate (see other post): create a CSR and let it be signed by the FW ICA.

I still get the bad client SSL cert.

I debugged the TLS auth using OpenSSL and saw this:

Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5732 bytes and written 2107 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
<<< TLS 1.2, RecordHeader [length 0005]
    17 03 03 00 13
<<< TLS 1.3, InnerContent [length 0001]
    15
<<< TLS 1.3, Alert [length 0002], fatal unknown_ca
    02 30
2C6D0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl\record\rec_layer_s3.c:865:SSL alert number 48


Looking forward to comments & help!

Wim
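The handshake dump in post #8 ends with a fatal unknown_ca alert (alert number 48) sent by the server: the WAF's verifier could not chain the presented client certificate to anything it trusts. The script below is an added example, not from this thread and not OPNsense or OPNWAF code; it builds a constructed throw-away root / intermediate / client chain with openssl and runs the same kind of verification a server performs, first with only the intermediate in the CA bundle and then with intermediate plus root, so you can see which bundle stock OpenSSL accepts. All names, subjects and file paths are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away PKI (root -> intermediate -> client)
# to show how a client-auth verifier behaves depending on what is in its CA bundle.
set -eu

WORK="$(mktemp -d)"

# Build the constructed chain. Keys and certs live only in $WORK.
make_pki() {
    # Self-signed root CA (CSR signed with its own key, CA:TRUE via extfile).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Example Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -days 365 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate CA: CSR signed by the root, again with CA:TRUE so it may issue.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

    # Client certificate signed by the intermediate (what the browser presents).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/CN=example-client" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

    # Bundle as a server would normally load it: intermediate plus root.
    cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Stock OpenSSL path building: the chain must end in a trusted self-signed root,
# so an intermediate on its own is not a trust anchor. Returns 0 on success.
verify_client() {   # $1 = CA bundle file name inside $WORK
    openssl verify -CAfile "$WORK/$1" "$WORK/client.pem" >/dev/null 2>&1
}

# Same check with -partial_chain, which lets a non-root CA act as the anchor.
verify_client_partial() {   # $1 = CA bundle file name inside $WORK
    openssl verify -partial_chain -CAfile "$WORK/$1" "$WORK/client.pem" >/dev/null 2>&1
}

make_pki
for bundle in inter.pem chain.pem; do
    if verify_client "$bundle"; then
        echo "bundle=$bundle: client cert verified"
    else
        echo "bundle=$bundle: verification failed (a server reports this to the client as an unknown_ca alert)"
    fi
done
if verify_client_partial inter.pem; then
    echo "bundle=inter.pem with -partial_chain: client cert verified"
fi
```

Running it prints one line per bundle: with stock OpenSSL rules the intermediate alone fails because path building has to reach a self-signed root, the concatenated bundle passes, and the -partial_chain run shows the alternative where the intermediate itself is accepted as the anchor. Whether a given server-side verifier behaves like the first case or the third depends on how it is configured; the check only tells you whether the certificate the browser presents can chain to whatever bundle you point it at, which is the question an unknown_ca alert raises.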