Sensei on OPNsense - Application based filtering

Started by mb, August 25, 2018, 03:38:14 AM

Hello,
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.
Best,
Marc

Quote from: mb on July 10, 2019, 02:19:07 AM
Hi @donatom3,

Many thanks for the heads-up.

Reading https://forum.opnsense.org/index.php?topic=13436.msg61861#new, I'm guessing this is related to global netmap buffer size. Looks like something changed with the new netmap.

Can you try setting hw.igb.rxd and hw.igb.txd to 1024 and see if that helps.

This is the setting which is working for us for 19.7.r1

If this works, then we'll need to calculate & adjust dev.netmap.buf_num to accommodate 4096 rx/tx descriptors.

MB,

Looks like Franco saw my post and sees that a merge for the ring size didn't make it to the 19.7 netmap kernel.

https://forum.opnsense.org/index.php?topic=13436.msg61879#msg61879

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.
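The workaround described above (dropping hw.igb.rxd and hw.igb.txd to 1024 and rebooting, then switching back once the netmap kernel is fixed), as an added POSIX sh example that is not from the thread or from OPNsense/Sensei. It sets a loader tunable idempotently in a loader.conf-style file and reads it back, so a second run changes the value instead of appending a duplicate line. The path /boot/loader.conf.local is an assumption about where OPNsense keeps local loader overrides; the same tunables can be entered under System > Settings > Tunables in the GUI. Loader tunables only take effect after a reboot.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/Sensei.
# Idempotently set or read a loader tunable (key="value" lines) in a
# loader.conf-style file. Assumption: on OPNsense the local override file is
# /boot/loader.conf.local. hw.igb.rxd / hw.igb.txd are read at driver attach,
# so a reboot is needed for the change to apply.

# set_tunable FILE KEY VALUE
# Rewrites an existing KEY= line in place, or appends one if KEY is absent.
# The key is matched literally (dots are not regex metacharacters here).
set_tunable() {
  file=$1
  key=$2
  value=$3
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { print k "=\"" v "\""; found = 1; next }
    { print }
    END { if (!found) print k "=\"" v "\"" }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_tunable FILE KEY
# Prints the (unquoted) value of the last KEY= line, or nothing if unset.
get_tunable() {
  awk -v k="$2" '
    index($0, k "=") == 1 { sub(/^[^=]*=/, ""); gsub(/"/, ""); print }' "$1" | tail -n 1
}

# Demo against a scratch file so nothing real is touched; on a firewall you would
# pass /boot/loader.conf.local (assumption, see above) and reboot afterwards.
demo_file=$(mktemp)
for t in hw.igb.rxd hw.igb.txd; do
  set_tunable "$demo_file" "$t" 4096   # the value the thread wants long term
  set_tunable "$demo_file" "$t" 1024   # the temporary workaround for 19.7.r1
done
cat "$demo_file"
rm -f "$demo_file"
```

Running the script twice leaves exactly one line per key, which is the property that matters when the value is flipped back to 4096 later.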

July 10, 2019, 06:52:06 PM #407 Last Edit: July 10, 2019, 06:54:47 PM by mb
Quote from: donatom3 on July 10, 2019, 10:48:28 AM

He says he'll have it fixed by release.

For now I've dropped my hw.igb.rxd and txd to 1024 rebooted and it's working. Just need to remember to switch back once they fix it.

@donatom3, perfect. Thanks for your help. This would cause some headache.


Quote from: marcri on July 10, 2019, 08:25:06 AM
is it possible to block or release single URLs from the detailed connection view independent of the category? For example, I want to block Cloudstorage completely, but allow exactly one Nextcloud URL.

Hey Marc,

Yes, it is possible. In the Web Controls menu, put the whitelisted URL in a user defined custom category and mark the category as allowed.

Then you should be good to go.

More info:

https://help.sunnyvalley.io/hc/en-us/articles/360025100393-Web-Control

Look for User Defined Categories.


Configuration, select Bridge mode.

Please select the interface paris from below boxes to create your protected L2 pridge

change paris to pairs
change pridge to bridge

1. allow dates to be entered in European/other format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, i.e.
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net

Quote from: aimdev on July 12, 2019, 12:56:23 PM
change paris to pairs
change pridge to bridge

1. allow dates to be entered in European/other format dd/mm/yyyy or dd/mon/yyyy
2. allow in user web controls Custom Web Category: google (for example) blocking by domain, i.e.
doubleclick.net as opposed to

stats.g.doubleclick.net
stats.i.doubleclick.net

Hi @aimdev,

Thanks for the corrections. They had been fixed for 1.0.

You should be fine putting domain.com into a user defined category and it should also match subdomain.domain.com.

Didn't it work for you?

I didn't try it as the UI seemed to intimate a site (www.google.com)   not a domain, (google.com)
Can you confirm that entering google.com will work, or does it need wildcard character/regex?
Tks

Hi @aimdev,

Yep, it should work that way. Just put google.com there and it'll match all subdomains.
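The two answers above (an allowed user defined category overriding a blocked category, and a domain entry such as google.com covering all its subdomains), as one added POSIX sh example that is not from the thread or from Sensei. It models that behaviour with a label-aware suffix match and an allow-before-block decision so you can sanity-check your own category lists before relying on them; the matching rule and the precedence are assumptions about how Sensei behaves, not its code, and the category contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Sensei. Assumptions: a user defined
# category entry matches the host itself and every subdomain (label-aware), and an
# allowed user defined category is consulted before a blocked category.

# host_in_domain HOST ENTRY: true if HOST equals ENTRY or is a subdomain of it.
# Matching is on label boundaries, so notgoogle.com does not match google.com.
host_in_domain() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  e=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/^\.//; s/\.$//')
  case "$h" in
    "$e" | *."$e") return 0 ;;
  esac
  return 1
}

# in_category HOST LIST: LIST is newline-separated entries, '#' lines are comments.
# Prints the matching entry and returns 0, or returns 1 if nothing matches.
in_category() {
  _host=$1
  while IFS= read -r entry; do
    case "$entry" in ''|'#'*) continue ;; esac
    if host_in_domain "$_host" "$entry"; then printf '%s\n' "$entry"; return 0; fi
  done <<EOF
$2
EOF
  return 1
}

# Constructed category contents (not real Sensei data).
ALLOWED_CUSTOM='# user defined category "nextcloud-ok", marked Allowed
cloud.example.org'
BLOCKED_CLOUDSTORAGE='# stand-in for the Cloudstorage category
dropbox.com
nextcloud.com
example.org'

# decide HOST: the allowed user defined category wins over the blocked one.
decide() {
  if m=$(in_category "$1" "$ALLOWED_CUSTOM"); then
    echo "allow ($m, user defined)"
  elif m=$(in_category "$1" "$BLOCKED_CLOUDSTORAGE"); then
    echo "block ($m, Cloudstorage)"
  else
    echo "allow (uncategorised)"
  fi
}

for h in cloud.example.org files.example.org www.opnsense.org; do
  echo "$h -> $(decide "$h")"
done
```

The interesting case is files.example.org versus cloud.example.org: both are subdomains of a blocked entry, but only the one listed in the allowed custom category gets through, which is the "block Cloudstorage, allow exactly one Nextcloud host" outcome Marc asked for.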

Anyone experiencing any issues with VMware deployments?

@mb

So after the upgrade to 19.7 release I was able to change my tunables back to 4096 for rx and tx.

Here is the issue. And I've seen this on a few upgrades with no changes but firmware or sensei upgrades.

After the unit reboots after the upgrade I can reach the firewall until Sensei's engine starts. At that point it drops all traffic on my protected interfaces. I've been keeping an unprotected interface that I can easily swap to for these times. All I have to do to fix this is to disable "Enable engine heartbeat monitoring". Once I do, packets start flowing again and I can re-enable it without issue. I'll pull the worker logs and send them to you if that helps.

After upgrading OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel":

Quote: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)

July 18, 2019, 05:23:53 PM #417 Last Edit: July 18, 2019, 05:25:37 PM by malac
Quote from: opnip on July 18, 2019
After upgrading OPNsense to 19.7, Sensei shows this error on "Configuration" -> "Cloud Threat Intel":

Quote: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/EngineController.php:125 - Trying to get property 'availables' of non-object (errno=8)

same error on my setup

@opnip @malac, thanks for the pointer. Having a look at it.

@donatom3, please go ahead and e-mail the logs to me. Does that happen in every reboot, or was it after the 19.7 upgrade reboot?


Hi MB,

where can I configure the retention time for the worker logs? Shouldn't they be compressed somehow?
On my system the worker logs take about 13 GB ...

Thanks and best regards,

    Space