


Topics - johnpoz

Pages: [1] 2 3 4 5 ... 7
1
Feedback / pfsense and qnap - just saw this - NICE!
« on: January 11, 2018, 07:28:07 am »
https://www.netgate.com/blog/qnap-to-add-pfsense-to-its-products.html

Fantastic to see pfsense expanding.. Very exciting times to be sure!!

I was just thinking of replacing my old esxi host that runs as my nas and used to be my pfsense on a vm with a qnap nas.. ;)  Looks like I was looking at the right company...

2
webGUI / Rearrange interface listings?
« on: December 20, 2017, 04:51:56 am »
So it seems that interfaces under assignments and the dashboard widget are listed in order wan, lan and then opt# so you get a list like this

wan
lan
opt1
opt2
opt3
....

Does not matter what you might relabel the optX to... Question: is there a way to change this listing order so you can order them by type or name vs the order they were created?  Without having to delete them all and then add them in the order you would like to see them.

Would like the vlans in a section, physical in a section, etc.  Something like how you can reorganize the firewall rule order by just dragging them around, and can even insert separators with labels, would be nice..  Currently they are really just in the order you added them.

3
Don't forget that pfsense has a very handy, easy to use Cert Manager that allows for creation of your own CAs, signing of CSRs and creation of certs for use in all your other devices.

I have been doing this for years to be honest.. Web interfaces for applications I run both locally and on VPSes all over the globe.. Where I do not need public trusted certs I just use a CA I created in pfsense that I trust.

Everyone is all about the letsencrypt free certs these days..  But unless you have lots of users or unknown people accessing whatever it is, a cert from your own CA that only you trust is quite often more than enough..

And with the ability to add SANs to CSRs this comes in really handy for appliances and such where the SSL cert feature set is limited.  For example I recently got a new sg300-28 switch.. And while I love the feature set of the switch, cisco and implementing SSL is very painful if you ask me..  There are a few great threads around the net about importing certs into these lines of switches, dealing with creating your certs with openssl, etc.

But just wanted to post up that such stuff can just be done with the Cert Manager in pfsense..  And very simple.. Using my sg300 as an example.. Using the gui just create the CSR.. But they do not allow you to put in more than the CN.. Well as we all know many current browsers will balk at you if the cert does not have a SAN as well..  So you just create the CSR on the switch, using whatever CN you want.. Then in pfsense sign the CSR, remembering to add a SAN for the CN and whatever else you want.. So I always add the IP as well as the FQDN I use.. If you might hit that switch using multiple IPs, put them all in.

Then just import the cert after you signed it - and the sans will be available.

The other advantage to this over say the ACME stuff is you can use RFC 1918 addresses and non-public domains..  And you can set the cert good for 10 years so you don't have to dick with it again like you do with ACME..

See attached: nice green lock with both name and IP.. Any questions on using the cert manager in pfsense to manage certs for your devices, just ask.
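The procedure in the post (a CSR from the device carrying only a CN, the SANs for the FQDN and management IPs added by the private CA at signing time, a ten-year validity) as an added example in Python with the `cryptography` package. This is not pfSense's Cert Manager code; the CA name, the switch hostname and the RFC 1918 addresses are placeholders, and the "device CSR" is generated locally to stand in for what the switch GUI exports.

```python
"""Added example (not pfSense code): sign a device CSR with a private CA and
put the SANs the device could not request (FQDN plus management IPs) into the
issued certificate. Requires the 'cryptography' package; the CA name, the
switch hostname and the RFC 1918 addresses below are placeholders."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DAYS_10Y = 3650  # the post's "good for 10 years"


def make_private_ca(name="Lab Private CA"):
    """Self-signed CA, the equivalent of Cert Manager's 'Create an internal CA'."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=DAYS_10Y))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, key_cert_sign=True, crl_sign=True,
            content_commitment=False, key_encipherment=False, data_encipherment=False,
            key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def device_csr(common_name):
    """Stand-in for what a switch GUI produces: a CSR carrying only a CN, no SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .sign(key, hashes.SHA256())
    )
    return key, csr


def sign_with_sans(csr, ca_key, ca_cert, dns_names, ip_addrs, days=DAYS_10Y):
    """Issue a server cert from the CSR, adding every name and IP it will be reached by.

    The CSR's subject and public key are kept; the CA alone decides the SANs."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against the key it carries")
    sans = [x509.DNSName(n) for n in dns_names]
    sans += [x509.IPAddress(ipaddress.ip_address(a)) for a in ip_addrs]
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def san_entries(cert):
    """(dns_names, ip_strings) read back from the certificate's SAN extension."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (san.get_values_for_type(x509.DNSName),
            [str(a) for a in san.get_values_for_type(x509.IPAddress)])


def issued_by(cert, ca_cert):
    """Check the signature the way a client that trusts only this CA would."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


if __name__ == "__main__":
    ca_key, ca_cert = make_private_ca()
    _, csr = device_csr("sw1.lab.example")  # placeholder hostname
    cert = sign_with_sans(csr, ca_key, ca_cert,
                          ["sw1.lab.example"], ["192.168.10.2", "10.0.0.2"])
    print(san_entries(cert), issued_by(cert, ca_cert))
```

The device keeps its own private key, so only the issued certificate goes back to it; the CA certificate is what gets imported into the browsers and tools that should trust the lab. Putting the CN into the SAN list is deliberate: browsers that ignore the CN still need to find the name there.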

4
2.4 Development Snapshots / 2.4.0-RC multiple builds?
« on: August 26, 2017, 04:31:41 am »
Seems that the RC is more of a snapshot build?

Normally an RC is locked, is it not? From this wording in the announcement:
"This release candidate is representative of the final release, and barring any show-stopping problems, will be nearly identical to the final 2.4.0 release."

So why are we seeing snapshots that change in size every build?  Once you announce RC, shouldn't the snaps stop changing unless you go to RC1, RC2, etc..

pfSense-CE-2.4.0-RC-amd64-20170823-0547.iso.gz     23-Aug-2017 11:04           307690774
pfSense-CE-2.4.0-RC-amd64-20170823-1531.iso.gz     23-Aug-2017 20:48           306448876

pfSense-CE-2.4.0-RC-amd64-20170824-0752.iso.gz     24-Aug-2017 13:08           306865936
pfSense-CE-2.4.0-RC-amd64-20170824-1653.iso.gz     24-Aug-2017 22:08           307799099

pfSense-CE-2.4.0-RC-amd64-20170825-1840.iso.gz     25-Aug-2017 23:55           307379660

https://snapshots.pfsense.org/amd64/pfSense_RELENG_2_4_0/installer/

5
Feedback / thank button missing?
« on: August 16, 2017, 10:40:25 am »
So I was going to say thanks for a post from JimP... And couldn't find the button to do so..  Was wondering if maybe somehow I was filtering it with an adblock rule or something, etc.

But then when I checked the feedback threads I see it.  So then I was thinking maybe you can not "thank" mods/admins?  But that seemed odd.. Since I saw it on an ivor post, etc.

Are there restrictions on which sections, or anything else, that could limit which posts can get a thank you?  See attached, the button I am talking about.

6
2.4.0-BETA (amd64)
built on Fri Aug 11 01:11:58 CDT 2017
FreeBSD 11.0-RELEASE-p11

The system is on a later version than
the official release.

Never mind - somehow my update settings got switched to stable vs dev snapshots.  Once I moved it back to dev it is showing a newer snapshot.  But it is a bit odd, I for sure do not recall changing that...


7
Feedback / IPv6 issue with netgate DNS.
« on: July 06, 2017, 10:50:57 am »
Not really related to forum.. But seems there is an issue with netgate NS for ipv6.. Seems glue is given, but there are no AAAA records for ns1 and ns2.netgate.com

Some netgate links are starting to show up in the forums, and this may cause issues for some users.

;; QUESTION SECTION:
;netgate.com.                   IN      NS

;; AUTHORITY SECTION:
netgate.com.            172800  IN      NS      ns1.netgate.com.
netgate.com.            172800  IN      NS      ns2.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        172800  IN      A       192.207.126.6
ns1.netgate.com.        172800  IN      AAAA    2610:160:11:3::6
ns2.netgate.com.        172800  IN      A       162.208.119.38
ns2.netgate.com.        172800  IN      AAAA    2610:1c1:3::108

This is the glue you get back - but there are no AAAA records for ns1 or ns2.

edit:  These IPs do seem to be valid for ns1 and ns2, since they answer for netgate.. But it seems the cart got ahead of the horse and the glue was updated before the NS were themselves updated to reflect the new ipv6 ns.

; <<>> DiG 9.11.1-P2 <<>> @2610:160:11:3::6 netgate.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23099
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netgate.com.                   IN      SOA

;; ANSWER SECTION:
netgate.com.            3600    IN      SOA     ns1.netgate.com. admin.netgate.com. 2016182753 28800 7200 604800 600

;; AUTHORITY SECTION:
netgate.com.            3600    IN      NS      ns2.netgate.com.
netgate.com.            3600    IN      NS      ns1.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        3600    IN      A       192.207.126.6
ns2.netgate.com.        3600    IN      A       162.208.119.38

;; Query time: 47 msec
;; SERVER: 2610:160:11:3::6#53(2610:160:11:3::6)
;; WHEN: Thu Jul 06 10:53:51 Central Daylight Time 2017
;; MSG SIZE  rcvd: 150
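A check for the mismatch described in the post, as an added example that is not Netgate's or pfSense's code: it parses the two responses quoted above (the parent referral with its glue, and the SOA answer from ns1's IPv6 address), collects the A/AAAA glue the parent hands out for each NS, compares it with the addresses the authoritative server itself returns, and reports glue the child does not back up. It runs offline on the post's own data; a live check would query each NS directly for its own A and AAAA records rather than relying on the additional section of an SOA answer.

```python
"""Added example (not Netgate/pfSense code): find glue records handed out by
the parent that the zone's own name servers do not confirm. The two responses
below are the ones quoted in the post (parent referral, then the SOA answer
from ns1's IPv6 address)."""
from collections import defaultdict

PARENT_REFERRAL = """\
;; QUESTION SECTION:
;netgate.com.                   IN      NS

;; AUTHORITY SECTION:
netgate.com.            172800  IN      NS      ns1.netgate.com.
netgate.com.            172800  IN      NS      ns2.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        172800  IN      A       192.207.126.6
ns1.netgate.com.        172800  IN      AAAA    2610:160:11:3::6
ns2.netgate.com.        172800  IN      A       162.208.119.38
ns2.netgate.com.        172800  IN      AAAA    2610:1c1:3::108
"""

CHILD_SOA_ANSWER = """\
; <<>> DiG 9.11.1-P2 <<>> @2610:160:11:3::6 netgate.com SOA
;; QUESTION SECTION:
;netgate.com.                   IN      SOA

;; ANSWER SECTION:
netgate.com.            3600    IN      SOA     ns1.netgate.com. admin.netgate.com. 2016182753 28800 7200 604800 600

;; AUTHORITY SECTION:
netgate.com.            3600    IN      NS      ns2.netgate.com.
netgate.com.            3600    IN      NS      ns1.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.        3600    IN      A       192.207.126.6
ns2.netgate.com.        3600    IN      A       162.208.119.38
"""


def parse_records(dig_text):
    """Return (owner, rtype, rdata) for every resource record line in dig output.

    Comment and question lines start with ';'; any other line with 'IN' in the
    class column is a record. SOA rdata spans several columns, so it is rejoined."""
    records = []
    for line in dig_text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.append((fields[0].lower(), fields[3].upper(), " ".join(fields[4:])))
    return records


def address_records(records, names):
    """Map each name in `names` to its set of (rtype, address) A/AAAA records."""
    addrs = defaultdict(set)
    for owner, rtype, rdata in records:
        if owner in names and rtype in ("A", "AAAA"):
            addrs[owner].add((rtype, rdata.lower()))
    return addrs


def glue_gaps(zone, parent_text, child_text):
    """Glue (parent additional-section) records that the child does not confirm.

    Returns {ns_name: [(rtype, address), ...]} for every NS with a gap, and an
    empty dict when parent glue and authoritative data agree."""
    parent = parse_records(parent_text)
    child = parse_records(child_text)
    ns_names = {rdata.lower() for owner, rtype, rdata in parent
                if owner == zone.lower() and rtype == "NS"}
    glue = address_records(parent, ns_names)
    auth = address_records(child, ns_names)
    gaps = {}
    for ns in sorted(ns_names):
        missing = sorted(glue[ns] - auth[ns])
        if missing:
            gaps[ns] = missing
    return gaps


if __name__ == "__main__":
    for ns, missing in glue_gaps("netgate.com.", PARENT_REFERRAL, CHILD_SOA_ANSWER).items():
        print(ns, "glue not confirmed by the zone:", missing)
```

On the post's data the result is exactly the complaint: both NS names have AAAA glue at the parent and only A records from the zone itself. A resolver that prefers IPv6 and validates glue against the authoritative answer will treat that AAAA as unconfirmed, which is why the post expects some users to see problems.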

8
2.4 Development Snapshots / Cert Manager not creating server certs?
« on: July 06, 2017, 08:17:34 am »
So on the current snap

2.4.0-BETA (amd64)
built on Thu Jul 06 07:22:07 CDT 2017
FreeBSD 11.0-RELEASE-p10

Seems the cert manager does not create the server cert when told to do so.  But if you run through the openvpn wizard to create it, it does create a server cert.

There is a thread in the openvpn section a user brought this up.
https://forum.pfsense.org/index.php?topic=133209.0

I was able to duplicate his problem.  Should issues like this be reported in redmine, or just brought up here?  Since I could duplicate it I did enter it in redmine
https://redmine.pfsense.org/issues/7677  since I did not see such an issue already listed.

Via cert manager, server cert selected but user cert listed: 1st pic.  Using the openvpn wizard, a server cert is created: 2nd pic.

9
https://www.debian.org/News/2017/20170425
------------
Shutting down public FTP services

April 25th, 2017

After many years of serving the needs of our users, and some more of declining usage in favor of better options, all public-facing debian.org FTP services will be shut down on November 1, 2017. These are:

    ftp://ftp.debian.org
    ftp://security.debian.org

This decision is driven by the following considerations:

    FTP servers have no support for caching or acceleration.
    Most software implementations have stagnated and are awkward to use and configure.
    Usage of the FTP servers is pretty low as our own installer has not offered FTP as a way to access mirrors for over ten years.
    The protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons.
----------


Let's finally kill off this antiquated POS ;)

10
2.4 Development Snapshots / ssh still 7.2 vs 7.5?
« on: April 20, 2017, 05:43:32 am »
So there was some traffic in another thread related to ssh.  While doing my response in that thread I happened to ssh in with -v and noticed it's only 7.2?

debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

I see that the 7.5p1 is available on the freebsd packages
http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/openssh-portable-7.5.p1,1.txz

Shouldn't this be updated?

I am running the current snap Thu Apr 20 02:05:42 CDT

11
General Discussion / One way to get iot devices more secure ;)
« on: April 07, 2017, 05:10:10 am »

12
General Discussion / finally got approval for pfsense at work!
« on: January 25, 2017, 12:49:23 pm »
Just got approval to put in a SG-2440 in one of our small branch offices vs the juniper that was there..

Stoked!  It's a foot in the door... I could see them going in all our small branches, and then moving into larger locations and DCs ;)

13
OpenVPN / openvpn 2.4 pfsense update to it?
« on: January 04, 2017, 10:40:04 am »
So just curious: is there going to be a _p2 release for 2.3.2, or will 2.3.3 or 2.4 move to openvpn 2.4 now that it is released and no longer RC..

OpenVPN 2.4.0 -- released on 2016.12.27
https://openvpn.net/index.php/download/community-downloads.html

Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.

14
Feedback / Time is off on board
« on: December 15, 2016, 03:05:55 am »
So noticed in one of my posts that the edit time was off.. so did a quick check and seems time is off by quite a bit..


15
So I stumbled upon an updated script to send pfsense logs to DShield

https://www.dshield.org/forums/diary/Updated+PFSense+Client/20937/1

And I have gotten it to work, had a few bumps for sure: somehow when I pasted it, it got a CR in the line format so logs were being sent in 2 lines and DShield was not putting anything in.  I also had a weird setup with my email notification where I was sending to gmail via port 587 and that was working for actual notifications, but this script was choking.  Changed to port 465 and checked Enable SMTP over SSL/TLS and now this script will send the email.

And it does send email with the listing from the logs.

2016-09-10 05:43:46 +00:00      94snipped56       1       186.118.8.122   48326   24.13.snipped    23      TCP     S
2016-09-10 05:43:49 +00:00      94snipped56       1       186.118.8.122   48326   24.13.snipped    23      TCP     S
2016-09-10 05:44:26 +00:00      94snipped56       1       166.250.144.100 28403   24.13.snipped    23      TCP     S
2016-09-10 05:44:50 +00:00      94snipped56       1       168.1.128.50    22101   24.13.snipped    995     TCP     S
2016-09-10 05:49:22 +00:00      94snipped56       1       106.187.97.102  35024   24.13.snipped    995     TCP     S
2016-09-10 05:53:19 +00:00      94snipped56       1       45.33.116.208   37018   24.13.snipped    5904    TCP     S

I had changed my TZ to UTC, normally I run it in Central time, but was wondering if that was causing an issue with how it figures out when the last entry was sent, etc.  So above is an example of how it sends the logs.. Part of my UID has been snipped out, and my public IP I have snipped out... But this works and I get notifications back from DShield

Errors-To: bounces@dshield.org
Reply-To: info@dshield.org
From: admin@dshield.org

               Authorized Userid: 94snipped56
                          Format: DSHIELD
                        Timezone: +00:00

                   Lines in file: 565
                  Lines rejected: none
Unique lines written to database: 565
  identical lines are added up on import.

Lines written to database (up to 10):
2016-09-10 05:43:46 +00:00   94snipped56   1   186.118.8.122   48326   24.13.snipped   23   TCP   S
2016-09-10 05:43:49 +00:00   94snipped56   1   186.118.8.122   48326   24.13.snipped   23   TCP   S
2016-09-10 05:44:26 +00:00   94snipped56   1   166.250.144.100   28403   24.13.snipped   23   TCP   S
2016-09-10 05:44:50 +00:00   94snipped56   1   168.1.128.50   22101   24.13.snipped   995   TCP   S
2016-09-10 05:49:22 +00:00   94snipped56   1   106.187.97.102   35024   24.13.snipped   995   TCP   S

So it looks like everything is working..  But the problem is it's not sending when it should.  So I have a cron job running every 30 mins, at 11 and 41 past the hour.. What it does is say

Sep 11 13:41:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 13:11:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 12:41:04    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 12:11:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 11:41:03    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK
Sep 11 11:11:04    php       /root/bin/dshieldpfsense.php: no new lines added to log since last run OK

But clearly if you look there have been multiple blocks in the log, between the times the script last ran, that should be sent up.

So you can view the script directly here
https://isc.sans.edu/clients/dshieldpfsense.txt or you can find the link in the above link article about it, etc.

I have emailed the author, but it's been a week and nothing back..  And I posted on the above article and nothing.  My guess is it has something to do with how pfsense actually uses clog, and maybe it is not posting the info into the filter.log it is opening, so when the script runs it really just isn't seeing anything new?  And you have to wait till something fills up for new stuff to get posted to the log based upon the log file size?

Here is a snip of the code that looks at the last time, runs through the log and then, depending on errors, exits, etc..

# check when we ran last.
if ( file_exists('/var/run/dshieldlastts') ) {
  $lasttime=file_get_contents('/var/run/dshieldlastts');
}

# read the log
$log=fopen("/var/log/filter.log","r");
while(!feof($log)) {
  $line = fgets($log);
  $line = rtrim($line);
  # the name of this function changed in pfSense 2.3
  if ( $config['version']>=15 ) {
    $flent = parse_firewall_log_line(trim($line));
  } else {
    $flent = parse_filter_line(trim($line));
  }

  # eliminating ICMP (we don't log that) and TCP with FA and RA flags as these are usually false positives
  if ($flent != "" && in_array($flent['interface'],$interfaces) && $flent['proto']!='ICMP' && $flent['tcpflags']!='FA' && $flent['tcpflags']!='RA' ) {
    # $time is overwritten on every line that passes the filter, so after the
    # loop it holds the timestamp of the last such line in file order
    $time=strtotime($flent['time']);

    # check if this log line is newer than the last one we processed.
    if ( $time>$lasttime) {
      $linesout.=date("Y-m-d H:i:s P",$time)."\t$uid\t1\t{$flent['srcip']}\t{$flent['srcport']}\t{$flent['dstip']}\t{$flent['dstport']}\t{$flent['proto']}\t{$flent['tcpflags']}\n";
      $flent='';
      $linecnt++;
    }
  }
}
fclose($log);

# done reading the log


# dealing with errors: both checks use $time, the timestamp of the last
# filtered line read, not the newest timestamp seen
if ( $lasttime>=$time ) {
  log_error("no new lines added to log since last run OK");
  exit();
}
if ( $linecnt==0 ){
  log_error("no new lines found to submit to dshield OK");
  exit();
}

# save the "last run" time stamp for the next time we will run.
file_put_contents('/var/run/dshieldlastts',$time);

How to correct?  What I would expect to happen is: however often I run this script, it should send up the hits in the log since the last time it ran, be it 1 hour, 2 hours, 30 mins etc.. So normally you would see it submit small numbers of entries every so often, not 900 entries in 1 email and then not submit again for some 12 hours, etc.
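One way to get the behaviour the post asks for, as an added example in Python rather than a patch to the DShield client: the posted snippet compares against, and persists, the timestamp of whichever filtered line it read last, so whenever file order is not time order the last line can be older than the saved stamp and the script exits with "no new lines added" while newer entries sit earlier in the file. That fits the post's own suspicion about clog: pfSense's circular log files, read raw with fopen rather than through the clog tool, come back in buffer order, with older wrapped-around entries after the newest ones. The block below mirrors the posted selection logic next to a version that keeps a high-water mark. The input lines are constructed in the DSHIELD tab format shown in the post, with RFC 5737 addresses and a placeholder user ID; pfSense's own filter-log parsing (parse_firewall_log_line) is not reproduced.

```python
"""Added example (not the DShield client's code): pick the log entries newer
than the last submission without assuming the log file is in time order.
Sample lines are constructed in the DSHIELD tab format the post shows, with
RFC 5737 addresses and a placeholder user ID."""
from datetime import datetime, timezone

UID = "0000000000"  # placeholder DShield user id

# Constructed sample. The order is deliberately not chronological: entries
# written after the buffer wrapped come first and older ones follow, which is
# what a raw read of a circular clog file can return.
SAMPLE_LINES = [
    f"2016-09-11 13:20:10 +00:00\t{UID}\t1\t198.51.100.23\t48326\t203.0.113.7\t23\tTCP\tS",
    f"2016-09-11 13:25:44 +00:00\t{UID}\t1\t198.51.100.88\t37018\t203.0.113.7\t5904\tTCP\tS",
    f"2016-09-11 13:30:02 +00:00\t{UID}\t1\t198.51.100.5\t22101\t203.0.113.7\t995\tTCP\tRA",
    f"2016-09-11 12:05:00 +00:00\t{UID}\t1\t198.51.100.41\t28403\t203.0.113.7\t23\tTCP\tS",
    f"2016-09-11 12:07:31 +00:00\t{UID}\t1\t198.51.100.9\t35024\t203.0.113.7\t995\tTCP\tS",
]

# Stamp the previous run would have saved: 2016-09-11 13:00:00 UTC.
LAST_RUN = int(datetime(2016, 9, 11, 13, 0, tzinfo=timezone.utc).timestamp())


def parse_line(line):
    """Parse one DSHIELD-format line into a dict with an epoch 'time'."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 9:
        return None
    when = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S %z")
    return {"time": int(when.timestamp()), "uid": fields[1],
            "srcip": fields[3], "srcport": fields[4],
            "dstip": fields[5], "dstport": fields[6],
            "proto": fields[7], "tcpflags": fields[8]}


def wanted(entry):
    """Same exclusions as the script: no ICMP, no FA/RA flag-only noise."""
    return entry["proto"] != "ICMP" and entry["tcpflags"] not in ("FA", "RA")


def select_as_posted(lines, lasttime):
    """Mirror of the posted logic: 'newest' is whatever filtered line was read last."""
    out, time = [], None
    for line in lines:
        entry = parse_line(line)
        if entry is None or not wanted(entry):
            continue
        time = entry["time"]
        if time > lasttime:
            out.append(entry)
    if time is None or lasttime >= time:
        return [], lasttime  # "no new lines added to log since last run"
    return out, time


def select_by_watermark(lines, lasttime):
    """Fixed: compare against, and persist, the maximum timestamp seen.

    The watermark advances on every parsed line, submitted or filtered, so a
    later run never re-submits an entry it has already looked at."""
    out, newest = [], lasttime
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        newest = max(newest, entry["time"])
        if entry["time"] > lasttime and wanted(entry):
            out.append(entry)
    return out, newest


def format_submission(entries):
    """Rebuild the tab-separated body the script mails to DShield, oldest first."""
    rows = []
    for e in sorted(entries, key=lambda e: e["time"]):
        stamp = datetime.fromtimestamp(e["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S +00:00")
        rows.append("\t".join([stamp, e["uid"], "1", e["srcip"], e["srcport"],
                               e["dstip"], e["dstport"], e["proto"], e["tcpflags"]]))
    return "\n".join(rows)


if __name__ == "__main__":
    posted, _ = select_as_posted(SAMPLE_LINES, LAST_RUN)
    fixed, newest = select_by_watermark(SAMPLE_LINES, LAST_RUN)
    print("as posted:", len(posted), "entries")  # the last line is older than the stamp
    print("watermark:", len(fixed), "entries, new stamp", newest)
    print(format_submission(fixed))
```

With the sample above the mirrored logic submits nothing, which is the "no new lines added to log since last run" the post sees every half hour, while the watermark version submits the two new S-flag entries and advances the stamp past the RA line it filtered out. Reading the log through the clog tool instead of fopen would give time order and hide the problem, but a watermark is the safer fix either way since it also covers a log rotated between runs.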
