Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - johnpoz

Pages: [1] 2 3 4 5 ... 7
1
2.4 Development Snapshots / 2.4.0-RC multiple builds?
« on: August 26, 2017, 04:31:41 am »
Seems that the RC is more of a snapshot build?

Normally a RC is locked are they not? From this wording in the announcement
"This release candidate is representative of the final release, and barring any show-stopping problems, will be nearly identical to the final 2.4.0 release."

So why are we seeing snapshots that change in size every build?  Once you announce RC, shouldn't the snaps stop changing unless you go to RC1, RC2, etc..

pfSense-CE-2.4.0-RC-amd64-20170823-0547.iso.gz     23-Aug-2017 11:04           307690774
pfSense-CE-2.4.0-RC-amd64-20170823-1531.iso.gz     23-Aug-2017 20:48           306448876

pfSense-CE-2.4.0-RC-amd64-20170824-0752.iso.gz     24-Aug-2017 13:08           306865936
pfSense-CE-2.4.0-RC-amd64-20170824-1653.iso.gz     24-Aug-2017 22:08           307799099

pfSense-CE-2.4.0-RC-amd64-20170825-1840.iso.gz     25-Aug-2017 23:55           307379660

https://snapshots.pfsense.org/amd64/pfSense_RELENG_2_4_0/installer/

2
Feedback / thank button missing?
« on: August 16, 2017, 10:40:25 am »
So I was going to say thanks for a post from JimP... And couldn't find the button to do so..  Was wondering if maybe somehow I was filtering it with a adblock rule or something, etc.

But then when I checked the feedback threads - I see it.  So then maybe thinking maybe can not "thank" mods/admins?  But that seemed odd.. Since I saw it on a ivor post, etc.

Is there restrictions on which sections or anything else that could limit which posts can get a thank you..  See attached, the button I am talking about.

3
2.4.0-BETA (amd64)
built on Fri Aug 11 01:11:58 CDT 2017
FreeBSD 11.0-RELEASE-p11

The system is on a later version than
the official release.

Never mind - somehow my update settings got switched to stable vs dev snapshots.  Once I moved it back to dev showing a newer snapshot.  But is a bit odd, I for sure do not recall changing that...


4
Feedback / IPv6 issue with netgate DNS.
« on: July 06, 2017, 10:50:57 am »
Not really related to forum.. But seems there is an issue with netgate NS for ipv6.. Seems glue is given, but there are no AAAA records for ns1 and ns2.netgate.com

Some netgate links are starting to show up in the forums, and this may cause issues for some users.

;; QUESTION SECTION:
;netgate.com.                   IN      NS

;; AUTHORITY SECTION:
netgate.com.            172800  IN      NS      ns1.netgate.com.
netgate.com.            172800  IN      NS      ns2.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        172800  IN      A       192.207.126.6
ns1.netgate.com.        172800  IN      AAAA    2610:160:11:3::6
ns2.netgate.com.        172800  IN      A       162.208.119.38
ns2.netgate.com.        172800  IN      AAAA    2610:1c1:3::108

This is the glue you get back - but there are no AAAA records for ns1 or ns2.

edit:  These IPs do seem to be valid for the ns1 and ns2, since they answer for netgate.. But seems the cart got ahead of the horses and glue was updated before the NS were themselves updated to reflect the new ipv6 ns.

Code: [Select]
<<>> DiG 9.11.1-P2 <<>> @2610:160:11:3::6 netgate.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23099
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netgate.com.                   IN      SOA

;; ANSWER SECTION:
netgate.com.            3600    IN      SOA     ns1.netgate.com. admin.netgate.com. 2016182753 28800 7200 604800 600

;; AUTHORITY SECTION:
netgate.com.            3600    IN      NS      ns2.netgate.com.
netgate.com.            3600    IN      NS      ns1.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        3600    IN      A       192.207.126.6
ns2.netgate.com.        3600    IN      A       162.208.119.38

;; Query time: 47 msec
;; SERVER: 2610:160:11:3::6#53(2610:160:11:3::6)
;; WHEN: Thu Jul 06 10:53:51 Central Daylight Time 2017
;; MSG SIZE  rcvd: 150

5
2.4 Development Snapshots / Cert Manager not creating server certs?
« on: July 06, 2017, 08:17:34 am »
So on the current snap

2.4.0-BETA (amd64)
built on Thu Jul 06 07:22:07 CDT 2017
FreeBSD 11.0-RELEASE-p10

Seems cert manger does not create the server cert when told to do so.  But if you run through the openvpn wizard to create it does create server cert.

There is a thread in the openvpn section a user brought this up.
https://forum.pfsense.org/index.php?topic=133209.0

I was able to duplicate his problem.  Should issues like this be reported in redmine, or just brought up here?  Since I could duplicate I did enter it in redmine
https://redmine.pfsense.org/issues/7677  Since I did not see such an issue already listed. 

Via cert manager server cert selected, but user cert listed 1st pic, on using openvpn wizard server cert is created - 2nd pic

6
https://www.debian.org/News/2017/20170425
------------
Shutting down public FTP services

April 25th, 2017

After many years of serving the needs of our users, and some more of declining usage in favor of better options, all public-facing debian.org FTP services will be shut down on November 1, 2017. These are:

    ftp://ftp.debian.org
    ftp://security.debian.org

This decision is driven by the following considerations:

    FTP servers have no support for caching or acceleration.
    Most software implementations have stagnated and are awkward to use and configure.
    Usage of the FTP servers is pretty low as our own installer has not offered FTP as a way to access mirrors for over ten years.
    The protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons.
----------


Lets finally kill off this antiquated POS ;)

7
2.4 Development Snapshots / ssh still 7.2 vs 7.5?
« on: April 20, 2017, 05:43:32 am »
So there was some traffic in another thread related to ssh.  While doing my response in that thread I happened ssh in with a -v and noticed its only 7.2?

debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

I see that the 7.5p1 is available on the freebsd packages
http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/openssh-portable-7.5.p1,1.txz

Shouldn't this be updated?

I am running the current snap Thu Apr 20 02:05:42 CDT

9
General Discussion / finally got approval for pfsense at work!
« on: January 25, 2017, 12:49:23 pm »
Just got approval to put in a SG-2440 in one of our small branch offices vs the juniper that was there..

Stoked!  Its a foot in the door... I could see them going in all our small branches, and then moving into larger locations and DCs ;)

10
OpenVPN / openvpn 2.4 pfsense update to it?
« on: January 04, 2017, 10:40:04 am »
So just curious is there going to be a _p2 release for 2.3.2 or will 2.3.3 or 2.4 move to openvpn 2.4 now that is released and no longer RC..

OpenVPN 2.4.0 -- released on 2016.12.27
https://openvpn.net/index.php/download/community-downloads.html

Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.

11
Feedback / Time is off on board
« on: December 15, 2016, 03:05:55 am »
So noticed in one of my posts that the edit time was off.. so did a quick check and seems time is off by quite a bit..


12
So stumbled upon an updated script to send pfsense logs to dshields

https://www.dshield.org/forums/diary/Updated+PFSense+Client/20937/1

And I have gotten it to work, had a few bumps for sure somehow when I had pasted it got a CR in the line format so logs were being sent in 2 lines and dshield not putting anything in.  I also had a weird setup with my email notification where I was sending to gmail via port 587 and that was working for actual notifications, but this script was choking.  Changed to port 465 and checked Enable SMTP over SSL/TLS and now this script will send the email.

And it does send email with the listing from the logs.

2016-09-10 05:43:46 +00:00      94snipped56       1       186.118.8.122   48326   24.13.snipped    23      TCP     S
2016-09-10 05:43:49 +00:00      94snipped56       1       186.118.8.122   48326   24.13.snipped    23      TCP     S
2016-09-10 05:44:26 +00:00      94snipped56       1       166.250.144.100 28403   24.13.snipped    23      TCP     S
2016-09-10 05:44:50 +00:00      94snipped56       1       168.1.128.50    22101   24.13.snipped    995     TCP     S
2016-09-10 05:49:22 +00:00      94snipped56       1       106.187.97.102  35024   24.13.snipped    995     TCP     S
2016-09-10 05:53:19 +00:00      94snipped56       1       45.33.116.208   37018   24.13.snipped    5904    TCP     S

I had changed my TZ to UTC, normally I run it in Central time, but was wondering if that was causing a issue with how it figures out when last entry was sent, etc.  So above is an example of how it sends the logs.. Where my UID been snipped out some of it, and my public IP I have snipped out... But this works and get notifications back from dshield

Errors-To: bounces@dshield.org
Reply-To: info@dshield.org
From: admin@dshield.org

               Authorized Userid: 94snipped56
                          Format: DSHIELD
                        Timezone: +00:00

                   Lines in file: 565
                  Lines rejected: none
Unique lines written to database: 565
  identical lines are added up on import.

Lines written to database (up to 10):
2016-09-10 05:43:46 +00:00   94snipped56   1   186.118.8.122   48326   24.13.snipped   23   TCP   S
2016-09-10 05:43:49 +00:00   94snipped56   1   186.118.8.122   48326   24.13.snipped   23   TCP   S
2016-09-10 05:44:26 +00:00   94snipped56   1   166.250.144.100   28403   24.13.snipped   23   TCP   S
2016-09-10 05:44:50 +00:00   94snipped56   1   168.1.128.50   22101   24.13.snipped   995   TCP   S
2016-09-10 05:49:22 +00:00   94snipped56   1   106.187.97.102   35024   24.13.snipped   995   TCP   S

So that looks like great everything is working..  But the problem is its not sending when it should.  So I have cron job running every 30 mins, at 11 and 41 past the hour.. What it does is say

Sep 11 13:41:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 13:11:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 12:41:04    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 12:11:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 11:41:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 11:11:04    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK

But clearly if you look there have been multiple blocks in the log that should be sent up. Between times when script last ran

So you can view the script directly here
https://isc.sans.edu/clients/dshieldpfsense.txt or you can find the link in the above link article about it, etc.

I have emailed the author, but its been a week and nothing back..  And I posted on the above article and nothing.  My guess is it has something to do with how pfsense actual uses clog and maybe is not posting the info into the filter.log its opening so when the script run it really just isn't seeing anything new?  And have to wait til something fills up for new stuff to get posted to the log based upon the log file size?

Here is snip of the code that looks at last time, runs thru log and then depending errors and exits, etc..

Code: [Select]
# check when we ran last.
if ( file_exists('/var/run/dshieldlastts') ) {
  $lasttime=file_get_contents('/var/run/dshieldlastts');
}

# read the log
$log=fopen("/var/log/filter.log","r");
while(!feof($log)) {
        $line = fgets($log);
        $line = rtrim($line);
# the name of this function changed in Pfsense 2.3
        if ( $config['version']>=15 ) {
        $flent = parse_firewall_log_line(trim($line));
} else {
        $flent = parse_filter_line(trim($line));
        }

# eliminating ICMP (we don't log that) and TCP with FA and RA flags as these are usually false positives

        if ($flent != "" && in_array($flent['interface'],$interfaces) && $flent['proto']!='ICMP' && $flent['tcpflags']!='FA' && $flent['tcpflags']!='RA' ) {
     $time=strtotime($flent['time']);

# check if this log line is newer then the last one we processesed.
   if ( $time>$lasttime) {
      $linesout.=date("Y-m-d H:i:s P",$time)."\t$uid\t1\t{$flent['srcip']}\t{$flent['srcport']}\t{$flent['dstip']}\t{$flent['dstport']}\t{$flent['proto']}\t{$flent['tcpflags']}\n";
   $flent='';
   $linecnt++;
}
        }
}
fclose($log);

# done reading the log


# dealing with errors
if ( $lasttime>=$time ) {
  log_error("no new lines added to log since last run OK");
  exit();
}
if ( $linecnt==0 ){
   log_error("no new lines found to submit to dshield OK");
   exit();
}

# safe the "last run" time stamp for the next time we will run.

file_put_contents('/var/run/dshieldlastts',$time);

How to correct?  What I would expect to happen is how often I run this script it should send up the amount of hits in the log since the last time it ran be it 1 hour, 2 hours, 30 mins etc.. so normally you would see it submit small numbers of entries every so often, not like 900 entries in 1 email, and then not run submit again for 12 some hours, etc.

13
Feedback / does not list your posting IP when coming from ipv6
« on: September 07, 2016, 06:51:21 am »
So this came up in a thread about ipv6 not working with pfsense sites.  Clearly that is not the case works just fine.

But when showing what was accessing pfsense www and forums via ipv6 without any issue I did notice that the bottom right corner of your post after you post that shows you the IP you posted from seems to be blank when you post via IPv6.  Issue with smf not being fully ipv6?  Not really a big deal, but it is a bit odd.

14
pfBlockerNG / pfBlockerNG trying to do too much?
« on: August 08, 2016, 07:37:39 am »
So while BBcan177 you have done some amazing stuff with this package..  It came up in another thread that maybe your trying to throw everything even the kitchensink into it.  dnsbl, tld, etc.  There are threads with version 2.0 and 2.1 and then with TLD, etc.

While I would love just to have the feature set of your geoip stuff into aliases, I personally do not want or need all the other features you have thrown in.

the ability to create my own list with picking and choosing which countries - kind of like the top 20 but maybe I want countries that are not spammers or in the top 20 in this list and from different regions of the world, etc..  Maybe there already is that option?  If so I did not see it, maybe because of all the other features.

Curious would anyone else like to see slimmed down version of pfblocker?  I really don't want it creating auto firewall rules for me, no offense at your coding stills or anything.  I just do not like the idea of auto rules in any sense of the word.  But I do love the ability to easy pick IP blocks of specific countries to use in an alias.. You made that brain dead easy - would love to see package that does just that..

An easy package for alias management of different list sources, sure ad servers could be in there, etc. your package feature of using custom lists is great.  This is the part I would like to see broken out on its own, I don't want to run a server providing images, etc.  I just want leverage the great work you have done with the alias and geoip and possible other lists, etc.

If there was enough call for this, would you be willing to create I guess sub systems of the overall package that could be used on their own without having to install the whole kitchensink, etc.

15
General Discussion / freerad iphone eap-tls log spam?
« on: August 07, 2016, 08:28:09 am »
I was thinking if putting this in freerad package section.  But to be honest I believe its more a design issue with iphone than anything could set on freerad, or the wireless config.

So I use eap-tls to auth my devices that support it.  currently this is 2 iphones (5s and 5c) and ipad (air2) and few laptops.  But laptops never do it because they actually go off ;)  I don't recall ever seeing it happen on my ipad either.  Will keep an eye out for it.  All running ios 9.3.4

But the phones seem to auth every few minutes when not being used.  Which ends up generating lots of log spam..

example
Aug 7 08:03:49    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:55:04    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:48:48    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:46:37    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:44:12    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:36:51    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:35:30    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:33:48    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:31:31    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:30:48    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:29:18    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:27:25    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:26:49    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:26:21    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:18:48    radiusd    62035    Login OK: [j-iphone] (from client uapac port 0 cli AC-FD-EC-62-34-97) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2
Aug 7 07:17:17    radiusd    62035    Login OK: [k-iphone] (from client uapac port 0 cli 80-00-6E-9D-EA-DE) A2-2A-A8-15-4F-07:unifi-ent 192.168.2.2

Does anyone have any suggestions, is there some setting on the phone not to do this. I sure could not log it.. But kind of like to see when they auth or if they move to a different AP, etc.  But it does generate a lot of unwanted log entries then the phones are just sitting on the dresser charging ;)

Guess could change them to the psk ssid before going to bed or just turning off the wifi..  I would post this on some apple community somewhere - but I don't think there would be much support for eap-tls wifi auth using freerad in that userbase...

Pages: [1] 2 3 4 5 ... 7