Merge branch 'opnsense:master' into master
@ -1,213 +0,0 @@
|
||||
=======
|
||||
HAProxy
|
||||
=======
|
||||
|
||||
------------
|
||||
Installation
|
||||
------------
|
||||
|
||||
First of all, you have to install the HAProxy plugin (os-haproxy) from the
|
||||
plugins view.
|
||||
|
||||
.. image:: ../images/menu_plugins.png
|
||||
|
||||
-------------------------------------
|
||||
First Step: Configure Backend Servers
|
||||
-------------------------------------
|
||||
|
||||
.. image:: images/haproxy_servers.png
|
||||
|
||||
On the "Servers" page, click `+` to open a dialog to create a new server.
|
||||
A server consist of a name, IP and port.
|
||||
Create an entry for every Server you want to load balance.
|
||||
|
||||
.. image:: images/haproxy_edit_server.png
|
||||
|
||||
For a HTTP Backend, configure like this:
|
||||
|
||||
========================== ===========================
|
||||
**Name** Name of this server
|
||||
**Description** Keep it empty
|
||||
**FQDN or IP** Enter the IP of your Server
|
||||
**Port** Port of the Server
|
||||
**SSL** Keep the default (disabled)
|
||||
**Verify SSL Certificate** Keep the default (checked)
|
||||
**SSL Verify CA** Keep the default (empty)
|
||||
========================== ===========================
|
||||
|
||||
--------------------------------
|
||||
Second Step: Configure a Backend
|
||||
--------------------------------
|
||||
|
||||
Now, as we have the backend services,
|
||||
we can build a backend by combining them to groups of
|
||||
servers, which will serve the same service.
|
||||
For example if you are hosting a Webservice and want to
|
||||
scale horizontally, every server in the cluster will be
|
||||
a "Server", but they will be combined to a so called
|
||||
"Backend", so HAProxy can load balance between them.
|
||||
|
||||
To create a new Backend, click the `+`.
|
||||
|
||||
|
||||
.. image:: images/haproxy_backends.png
|
||||
|
||||
And fill out the form:
|
||||
|
||||
.. image:: images/haproxy_edit_backend.png
|
||||
|
||||
.. Note::
|
||||
The "Balancing Algorithm" field is important to care about as many
|
||||
web applications depend on a state.
|
||||
For example, if your web application stores session data on a local
|
||||
disk, you may get some trouble when using an algorithm like Round
|
||||
Robin. In such a case, the request of the same client always needs
|
||||
to be sent to the same backend servers.
|
||||
For example by default PHP stores session data in files while Ruby
|
||||
on Rails stores session information in a cookie by default.
|
||||
Please look up your web framework documentation for information how
|
||||
this is handled. Consider writeing files as problematic as well if
|
||||
there is no shared storage.
|
||||
|
||||
======================= ===============================================
|
||||
**Enabled** Enable the Backend (checked)
|
||||
**Name** Enter a name for the Backend
|
||||
**Description** Enter an optional description
|
||||
**Mode** Select the mode HTTP as this is an HTTP backend
|
||||
**Balancing Algorithm** Select an load balancing algorithm
|
||||
**Servers** Select the previously configured servers
|
||||
======================= ===============================================
|
||||
|
||||
--------------------------------
|
||||
Third Step: Configure Conditions
|
||||
--------------------------------
|
||||
|
||||
In this step an Condition will has to be created which is later used to decide
|
||||
which traffic from a frontend belongs to which backend.
|
||||
|
||||
To create a new Condition, you have to go to "Rules & Checks -> Conditions"
|
||||
and create one by clicking the `+` button:
|
||||
|
||||
(Picture is from Previous Version but it still looks as good as the same)
|
||||
|
||||
.. image:: images/haproxy_acls.png
|
||||
|
||||
In the open modal dialog, the following form will show up:
|
||||
|
||||
.. image:: images/haproxy_edit_acl.png
|
||||
|
||||
==================== ================================================
|
||||
**Name** Choose a name for this Condition
|
||||
**Description** Keep it empty or choose one for your information
|
||||
**Expression** Select "Host contains"
|
||||
**Negate condition** Keep it unchecked
|
||||
**Value** Enter the (partial) hostname to compare
|
||||
==================== ================================================
|
||||
|
||||
Click "Save changes".
|
||||
|
||||
---------------------------------------
|
||||
Fourth Step: Configure an Rule
|
||||
---------------------------------------
|
||||
|
||||
As promised in the previous step, the Conditions will be used.
|
||||
A Rule can use multiple conditions to decide which Rule is going to be used.
|
||||
To create a new Rule, you have to go to "Rules & Checks -> Rules"
|
||||
and create one by clicking the `+` button:
|
||||
|
||||
(Picture is from Previous Version but it still looks as good as the same)
|
||||
|
||||
.. image:: images/haproxy_actions.png
|
||||
|
||||
A form dialog opens and we can fill it out like the following:
|
||||
|
||||
(Picture is from Previous Version but it still looks as good as the same)
|
||||
|
||||
.. image:: images/haproxy_edit_action.png
|
||||
|
||||
.. Note::
|
||||
You can map multiple Hostnames to the same Backend by adding multiple
|
||||
ACLs and choosing the logical operator "OR".
|
||||
|
||||
==================== ===================================
|
||||
**Name** Choose a name for this Action
|
||||
**Description** You can add an optional description
|
||||
**Test Type** Keep it at the default ("IF")
|
||||
**Select ACLs** Select the ACLs to be used
|
||||
**Logical operator** Keep the default ("AND")
|
||||
**Choose action** Choose "Use Backend"
|
||||
**Use Server** Keep the default ("none")
|
||||
==================== ===================================
|
||||
|
||||
-------------------------------
|
||||
Fifth Step Configure a frontend
|
||||
-------------------------------
|
||||
|
||||
Now its nearly done. The only thing that needs to be configured for HAProxy
|
||||
is a Public Service.
|
||||
A Public Service is a a group of bound ports which are used for incoming connections.
|
||||
From this Public Service we need to know which backend the request will routed to.
|
||||
For this, the previously configured action is needed.
|
||||
If you got multiple domains with the same port on one IP, you differentiate them with rules!
|
||||
Don't create multiple Public Services. For example, if you only want to forward example.org:80 and example.com:80, just create one Public Service. If you want to forward example.org:80, example.org:443, example.com:80, and example.com:443, create only two Public Services, one for port 80 (example.org and example.com) and one for port 443 (example.org and example.com).
|
||||
|
||||
To create a new Public Service, click the `+` button:
|
||||
|
||||
(Picture is from Previous Version but it still looks as good as the same)
|
||||
|
||||
.. image:: images/haproxy_frontends.png
|
||||
|
||||
The following modal dialog opens and the frontend can be set up:
|
||||
|
||||
.. image:: images/haproxy_edit_frontend.png
|
||||
|
||||
.. Warning::
|
||||
If you configure a port that is already in use, the configuration test
|
||||
will be successful but the start of HAProxy will fail silently.
|
||||
Please ensure that the used port is free - especially if the number
|
||||
conflicts with the web configuration of OPNsense.
|
||||
|
||||
|
||||
General Settings
|
||||
================
|
||||
|
||||
=================== ===========================================================================
|
||||
**Enabled** Checked
|
||||
**Name** Use any name
|
||||
**Description** You may keep it empty
|
||||
**Listen Address** Enter one or more host:port combinations, use 0.0.0.0:80 for HTTP via IPv4
|
||||
**Type** Choose HTTP / HTTPS
|
||||
**Default Backend** Keep the default of "None"
|
||||
=================== ===========================================================================
|
||||
|
||||
Advanced settings
|
||||
=================
|
||||
|
||||
Enbable the X-Forwarded-For-header so the backend will know the real IP of
|
||||
the client.
|
||||
|
||||
Actions (ACLs)
|
||||
==============
|
||||
|
||||
Here you have to activate the previously configured actions, so HAProxy
|
||||
is going to operate based due the rules/conditions.
|
||||
|
||||
All other Options
|
||||
=================
|
||||
|
||||
Keep all other options at the default
|
||||
|
||||
----------------------------
|
||||
Sixth step: Enable and start
|
||||
----------------------------
|
||||
|
||||
This is the last step - on the General tab, we will enable the service
|
||||
after a config test.
|
||||
|
||||
.. image:: images/haproxy_general.png
|
||||
|
||||
For that, the "Enable HAProxy" checkbox needs to be checked.
|
||||
|
||||
On this screen, check "Enable HAProxy" and click "Apply".
|
||||
If everything went OK HAProxy will start.
|
||||
Now you need to configure firewall rules for accessing your HAProxy instance.
|
@ -1,85 +0,0 @@
|
||||
HAProxy How-Tos
|
||||
===============
|
||||
|
||||
Redirect Root directory
|
||||
-----------------------
|
||||
|
||||
Create a condition:
|
||||
|
||||
.. image:: images/haproxy_root_path_condition.png
|
||||
|
||||
============== ==============
|
||||
name root
|
||||
Condition type Path matches
|
||||
Path matches /
|
||||
============== ==============
|
||||
|
||||
Create a Rule:
|
||||
|
||||
.. image:: images/haproxy_forward_to_dir_rule.png
|
||||
|
||||
======================= ===================================================
|
||||
name forward_to_dir
|
||||
Test type IF
|
||||
conditions root
|
||||
Logical ops none
|
||||
Execute function http-request redirect
|
||||
HTTP Redirect parameter code 301 location http://www.example.net/directory/
|
||||
======================= ===================================================
|
||||
|
||||
Please note that 301 is for a permanent redirect. If you want to do it teporary,
|
||||
you will have to use another status code.
|
||||
|
||||
|
||||
|
||||
Under Public Services edit your frontend and add "forward_to_dir" to Select Rules.
|
||||
|
||||
.. image:: images/haproxy_forward_to_dir_service.png
|
||||
|
||||
|
||||
Add Basic Authentication to a Service
|
||||
-------------------------------------
|
||||
|
||||
I have a Webapplication which have to be exposed to the outside and doesn't allow authentication.
|
||||
So HAProxy with basic auth would be just fine to get a mininum of security.
|
||||
|
||||
* Go to "Rules & Conditions" - "Conditions" and Add a new one:
|
||||
|
||||
.. image:: images/haproxy_condition_add_authentication.png
|
||||
|
||||
=================== =================
|
||||
name choose a name
|
||||
Condition type Custom
|
||||
option pass-through http_auth(admins)
|
||||
=================== =================
|
||||
|
||||
* Add a rule:
|
||||
|
||||
.. image:: images/haproxy_edit_rule_authentication.png
|
||||
|
||||
================ =================================
|
||||
name a name for your rule
|
||||
Test type UNLESS
|
||||
condition select the previously created one
|
||||
Logical operator none
|
||||
Execute function http-request auth"
|
||||
================ =================================
|
||||
|
||||
* Go to your frontend and add the ACL to it.
|
||||
|
||||
.. image:: images/haproxy_frontend_add_authentication.png
|
||||
|
||||
|
||||
* Go to :menuselection:`Settings --> Global Parameters`, enable the advanced mode (top left), and add your users to configuration
|
||||
via the "Custom options"
|
||||
|
||||
.. image:: images/haproxy_settings_global_params_auth.png
|
||||
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
userlist admins
|
||||
user test1 insecure-password pw1
|
||||
user test2 insecure-password pw2
|
||||
|
||||
|
Before Width: | Height: | Size: 52 KiB |
Before Width: | Height: | Size: 52 KiB |
Before Width: | Height: | Size: 52 KiB |
Before Width: | Height: | Size: 35 KiB |
Before Width: | Height: | Size: 28 KiB |
Before Width: | Height: | Size: 98 KiB |
Before Width: | Height: | Size: 110 KiB |
Before Width: | Height: | Size: 106 KiB |
Before Width: | Height: | Size: 38 KiB |
Before Width: | Height: | Size: 24 KiB |
Before Width: | Height: | Size: 43 KiB |
Before Width: | Height: | Size: 5.5 KiB |
Before Width: | Height: | Size: 6.3 KiB |
Before Width: | Height: | Size: 25 KiB |
Before Width: | Height: | Size: 22 KiB |
Before Width: | Height: | Size: 28 KiB |
Before Width: | Height: | Size: 57 KiB |
Before Width: | Height: | Size: 71 KiB |
@ -0,0 +1,69 @@
|
||||
=============================================
|
||||
IPS Bypass local traffic from inspection
|
||||
=============================================
|
||||
|
||||
.. Note:: This tutorial explains how to bypass traffic between local attached networks. Following this tutorial will result in traffic only being inspected between external (WAN) networks and internal (LAN) networks. With bypass enabled, routing performance is improved significantly between local networks while IPS is used.
|
||||
.. Tip:: If you only have 1 interface selected in Intrusion Detection, you don't have to follow this tutorial. There won't be any performance benefit.
|
||||
.. Warning:: Traffic between local networks won't be inspected anymore, so use this with care!
|
||||
|
||||
-------------
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
- Some features described on this page were added in the latest version. Always keep your system up to date.
|
||||
- Intrusion Detection should be **enabled** and **IPS mode** selected.
|
||||
- Only **internal networks** should be selected in **Interfaces** (LAN, OPT1 etc..), **not the WAN interface**.
|
||||
|
||||
-----------------
|
||||
Create new Rules
|
||||
-----------------
|
||||
|
||||
To start go to :menuselection:`Services --> Intrusion Detection --> Administration` and select the tab :menuselection:`User defined`.
|
||||
|
||||
Select **+** to add a new rule.
|
||||
|
||||
- Input the **Source IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
|
||||
- Input the **Destination IP** with CIDR-Suffix, e.g. ``10.0.0.0/8``
|
||||
- Select the **Action** as *Pass*
|
||||
- Enable the **Bypass** checkbox
|
||||
- Set the **Description** as "Bypass net 10.0.0.0 to 10.0.0.0"
|
||||
|
||||
Select **+** or **clone** to create additional new rules.
|
||||
|
||||
* Repeat the above steps to create rules between each of the RFC1918 Private IPv4 subnets, ``192.168.0.0/16``, ``172.16.0.0/12``, ``10.0.0.0/8``. Don't forget to adjust the description.
|
||||
|
||||
.. Note:: The finished ruleset for IPv4 should include the following rules:
|
||||
|
||||
================== ================== ========== ========== ======================================
|
||||
**Source IP** **Destination IP** **Action** **Bypass** **Description**
|
||||
================== ================== ========== ========== ======================================
|
||||
10.0.0.0/8 10.0.0.0/8 Pass X Bypass net 10.0.0.0 to 10.0.0.0
|
||||
10.0.0.0/8 172.16.0.0/12 Pass X Bypass net 10.0.0.0 to 172.16.0.0
|
||||
10.0.0.0/8 192.168.0.0/16 Pass X Bypass net 10.0.0.0 to 192.168.0.0
|
||||
172.16.0.0/12 10.0.0.0/8 Pass X Bypass net 172.16.0.0 to 10.0.0.0
|
||||
172.16.0.0/12 172.16.0.0/12 Pass X Bypass net 172.16.0.0 to 172.16.0.0
|
||||
172.16.0.0/12 192.168.0.0/16 Pass X Bypass net 172.16.0.0 to 192.168.0.0
|
||||
192.168.0.0/16 10.0.0.0/8 Pass X Bypass net 192.168.0.0 to 10.0.0.0
|
||||
192.168.0.0/16 172.16.0.0/12 Pass X Bypass net 192.168.0.0 to 172.16.0.0
|
||||
192.168.0.0/16 192.168.0.0/16 Pass X Bypass net 192.168.0.0 to 192.168.0.0
|
||||
================== ================== ========== ========== ======================================
|
||||
|
||||
.. Tip::
|
||||
|
||||
- If you use IPv6 - e.g. with *Track Interface* or *Static IPv6* - create an additional rule.
|
||||
- You can find your *IPv6 prefix* in :menuselection:`Interfaces --> Overview --> WAN` - e.g ``2001:db8:a:aa00::/56``.
|
||||
- You only have to create 1 rule, because all of the *Track IPv6 Interface - IPv6 Prefix ID* networks - e.g. ``2001:db8:a:aa01::/64``, ``2001:db8:a:aa02::/64`` - are already included in the ``/56`` Prefix.
|
||||
- Please note that this only works if your Prefix is static.
|
||||
|
||||
-------------------
|
||||
Apply configuration
|
||||
-------------------
|
||||
|
||||
Apply the configuration by pressing the **Apply** button at the bottom of
|
||||
the form.
|
||||
|
||||
-------------------
|
||||
External Resources
|
||||
-------------------
|
||||
- https://docs.suricata.io/en/suricata-6.0.0/rules/bypass-keyword.html
|
||||
- https://docs.suricata.io/en/suricata-6.0.0/performance/ignoring-traffic.html
|
@ -0,0 +1,154 @@
|
||||
======================================
|
||||
Configure IPv6 behind an AVM Fritz!Box
|
||||
======================================
|
||||
**Original Author:** Thomas Klein
|
||||
|
||||
------------
|
||||
Introduction
|
||||
------------
|
||||
|
||||
The `AVM Fritz!Box`, or FB for short, is a popular home router for
|
||||
DSL, Cable and Fiber in Germany. This guide will setup a OPNSense
|
||||
behind a FB, handover delegated prefixes from the provider and
|
||||
configure local interfaces on the OPNSense to cope with dynamically changing IPv6 prefixes.
|
||||
|
||||
This guide is based on a Vodafone Cable connection (formerly Kabel-BW) and an
|
||||
`AVM Fritz!Box Cable 6591` running `Fritz!OS 7.29`.
|
||||
|
||||
The settings presented here should work for most other dial-up scenarios and FB models
|
||||
too. The size of the delegated subnet may differ.
|
||||
|
||||
------------
|
||||
The Scenario
|
||||
------------
|
||||
|
||||
This guide will configure a home network behind a common dial-up type ISP connection.
|
||||
The OPNsense has an interface pointing to the ISP named `WAN` and has three internal
|
||||
interfaces called `DMZ`, `LAN` and `WLAN`. Each of those internal interfaces will get a /64
|
||||
subnet from the delegated IPv6 prefix. This way it is easy to control the dataflow between
|
||||
all four segments on the OPNsense.
|
||||
|
||||
In this example the dial-up ISP assigns a `/59` prefix to the FB, so there are enough bits left
|
||||
for subnetting in a SOHO setup.
|
||||
|
||||
------------------------------
|
||||
Step 1 - prepare the Fritz!Box
|
||||
------------------------------
|
||||
|
||||
The AVM website has a knowledge base article about the basic settings required on each FB model to enable IPv6 on client devices.
|
||||
https://avm.de/service/wissensdatenbank/dok/FRITZ-Box-6591-cable/1239_IPv6-Subnetz-in-FRITZ-Box-einrichten/
|
||||
The crucial setting is the checkbox **allow other routers IPv6 prefixes**. Without that the delegated internal prefixes will
|
||||
not be reachable from the Internet.
|
||||
|
||||
Also, not stated in above document, it is possible to modify the **Internet - Permit Access** settings for
|
||||
the OPNsense host. Select :menuselection:`Internet --> Permit Access --> <your OPN Host> --> IPv6 Settings --> Open firewall for delegated IPv6 prefixes of this device`
|
||||
in order to make your delegated internal subnets available via Internet.
|
||||
|
||||
------------------------------------
|
||||
Step 2 - configure the WAN interface
|
||||
------------------------------------
|
||||
|
||||
On the OPNSense go to :menuselection:`Interfaces --> WAN` and set the configuration type for IPv6 to **DHCPv6**. On the bottom part of the dialog in
|
||||
**DHCPv6 Client configuration** make sure to select
|
||||
|
||||
* checkbox: **Request only an IPv6 prefix**
|
||||
* checkbox: **Send IPv6 prefix hint**
|
||||
* dropdown: **Prefix delegation size**. For this example setup select `60`
|
||||
|
||||
Note the following:
|
||||
|
||||
1. the requested prefix differs by one bit compared to what the ISP delegated the FB (60 vs. 59)
|
||||
2. the setting **Request only an IPv6 prefix** is the important part.
|
||||
With this setting the FB acknowledges
|
||||
the OPNsense as a router and really delegates a prefix. The OPNSense will only get a link-local `0xfe80`
|
||||
address but that is fine. If this checkbox is not selected the FB considers the OPNsense as an end-user device
|
||||
and plainly refuses to delegate a prefix to it. The OPNsense end up with an valid IPv6 address but with `/64`
|
||||
netmask so nothing to delegate into the internal network.
|
||||
|
||||
-----------------------------------------------------------
|
||||
Step 3 - configure the internal DMZ / LAN / WLAN interfaces
|
||||
-----------------------------------------------------------
|
||||
|
||||
Now it is time to set up the internal interfaces. The settings are more or less the same for all of them.
|
||||
Instead of **DHCPv6** select **Track Interface** and on the bottom IPv6 dialog and choose the `WAN` interface for tracking.
|
||||
This is also the place to divide the delegated prefix into distinct subnets. Just specify an individual **Interface prefix ID**
|
||||
for each interface. In this example the FB gave us `aaaa:bbbb:cccc:9410::/60` and we choose:
|
||||
|
||||
========= =================== =======================
|
||||
Interface Interface prefix ID result-prefix
|
||||
========= =================== =======================
|
||||
`DMZ` `0x01` `aaaa:bbbb:cccc:9411::`
|
||||
`WLAN` `0x02` `aaaa:bbbb:cccc:9412::`
|
||||
`LAN` `0x03` `aaaa:bbbb:cccc:9413::`
|
||||
========= =================== =======================
|
||||
|
||||
The **Interface prefix Id** acts as the subnet extension (for lack of better wording) on top of the prefix provided by the FB.
|
||||
In this example we have a /60 prefix so effectively there are 4 bits left for subnetting. As a result valid values for **Interface prefix Id** are between `0x00` and `0x0f`.
|
||||
|
||||
In order to being able to manually set up the router advertisements in the next step make sure to select the checkbox
|
||||
**Allow manual adjustment of DHCPv6 and Router Advertisements** for each of the internal interfaces. If the
|
||||
setting is not used the system tries to set sane defaults for both Router Advertisements and DHCPv6 server.
|
||||
|
||||
----------------------------------------------
|
||||
Step 3.1 - configure the Router Advertisements
|
||||
----------------------------------------------
|
||||
|
||||
With the new subnets in place it is time to configure the **Router Advertisements**.
|
||||
For this guide the following settings have been chosen:
|
||||
|
||||
=========================== =========== ======================================================================
|
||||
Setting Value Comment
|
||||
=========================== =========== ======================================================================
|
||||
Router Advertisements Assisted this enables DHCPv6 and SLAAC
|
||||
Router Priority Normal Default is high which would work too
|
||||
Source Address Automatic the default
|
||||
Advertise Default Gateway checked the default
|
||||
Advertise Routes empty
|
||||
DNS options empty this gives away the OPNsense as DNS server with the current dynamic IP
|
||||
=========================== =========== ======================================================================
|
||||
|
||||
---------------------------------------
|
||||
Step 3.2 - configure the DHCPv6 service
|
||||
---------------------------------------
|
||||
|
||||
The clients would now be able to grab an IPv6 via SLAAC, find their router and get a DNS resolver but not all clients do
|
||||
know SLAAC. Also there are valid reasons to assign fixed IPv6 address via DHCP to some clients for instance to make them available
|
||||
from the Internet.
|
||||
|
||||
In :menuselection:`Services --> DHCPv6 --> [DMZ]` (and similar for the other interfaces) the DHCPv6 settings can be configured.
|
||||
Initially the dynamically acquired subnet including the interface id and the available range is shown.
|
||||
|
||||
Consider assigning a suitable address pool for DHCP client leases. The target range for the DMZ looks like
|
||||
this: `aaaa:bbbb:cccc:9411::1:0` --> `aaaa:bbbb:cccc:9411::1:ffff`.
|
||||
|
||||
But wait! The prefix is dynamic. How to deal with that?
|
||||
|
||||
Easy. Just omit the variable prefix and configure the DHCPv6 range to be `::1:0` --> `::1:ffff`
|
||||
|
||||
OPNSense will automatically prefix this pattern with the dynamically acquired prefix.
|
||||
|
||||
Repeat for all the other subnets. Do not forget to configure the `Domain search list` to match the SOHO internal DNS domain if applicable.
|
||||
|
||||
-----------------------------
|
||||
Step 4 - setup Firewall rules
|
||||
-----------------------------
|
||||
|
||||
By default outgoing traffic should already be possible but traffic from the Internet to the internal server needs a firewall rule.
|
||||
There are different philosophies on how to manage firewall rules. Just use a similar strategy as with your IPv4 setup so rule management
|
||||
is consistent.
|
||||
|
||||
Keep in mind that the `DMZ` / `LAN` / `WLAN` prefix is dynamic. The build-in macros like `DMZ net` will work for the whole network.
|
||||
But if you need a rule for a single server your should setup an alias pointing to your (fixed) DHCP IP and use this instead.
|
||||
|
||||
---------------
|
||||
Troubleshooting
|
||||
---------------
|
||||
|
||||
While discovering the specifics of IPv6 behind a FB in combination with OPNsense the first point of debugging was always
|
||||
connecting via SSH to OPNsense on the CLI.
|
||||
|
||||
In the directory `/tmp/` you will find several IPv6 related intermediate files. The most helpful here was `/tmp/<interfacename>_prefixv6`.
|
||||
In this file you will find the prefix delegated to you by your upstream router. If you are behind an FB and this file does not exist chances
|
||||
are you forgot to seth the **Request only an IPv6 prefix** setting on the WAN interface.
|
||||
|
||||
Another helpful command is `radvdump`. This tool dumps the output of the router advertisements in a nicely formatted way.
|
@ -0,0 +1,177 @@
|
||||
==========================
|
||||
Wazuh Agent
|
||||
==========================
|
||||
|
||||
--------------------------------------
|
||||
Introduction
|
||||
--------------------------------------
|
||||
|
||||
`Wazuh <https://wazuh.com/>`__ is an open source unified XDR (Extended Detection and Response) and SIEM (Security Information en Event Management)
|
||||
system capable of offering protection for endpoints and cloud workloads.
|
||||
|
||||
The Wazuh architecture is based on agents, running on the monitored endpoints, which collect information and are capable of
|
||||
executing active responses directed by the manager.
|
||||
|
||||
The goal of this plugin is to offer an easily installable plugin to connect to the Wazuh manager.
|
||||
|
||||
.. Note::
|
||||
The scope of Wazuh on OPNsense is only to offer configurable agent support. We do not plan nor advise to run the Wazuh
|
||||
central components on OPNsense. Detailed information on how to install these on supported platforms are available directly from the
|
||||
`Wazuh website <https://documentation.wazuh.com/current/installation-guide/index.html>`__
|
||||
or you can use their cloud based offering available `here <https://wazuh.com/cloud/>`__
|
||||
|
||||
|
||||
.. Warning::
|
||||
This plugin is provided "as-is" and with very limited [tier 3] community support from the OPNsense team. Using a SIEM/XDR system
|
||||
requires knowledge which usually is out of the (free) community support scope.
|
||||
|
||||
|
||||
--------------------------------------
|
||||
Installation
|
||||
--------------------------------------
|
||||
|
||||
Installation of this plugin is rather easy, go to :menuselection:`System --> Firmware --> Plugins` and search for **os-wazuh-agent**,
|
||||
use the [+] button to install it.
|
||||
|
||||
Next go to :menuselection:`Services --> Wazuh Agent --> Settings` to configure the service.
|
||||
|
||||
|
||||
.. Tip::
|
||||
When the ossec log offers too limited insights when debugging issues, try to increase the debug level. You can find this setting under
|
||||
General settings when "advanced mode" is enabled.
|
||||
|
||||
--------------------------------------
|
||||
Connecting the agent
|
||||
--------------------------------------
|
||||
|
||||
To connect the agent to the manager, just fill in a hostname under **General Settings/Manager hostname**, make sure
|
||||
the agent is marked enabled and optionally specify a connect password under **Authentication/Password**.
|
||||
|
||||
Next go to the manager to see if the agent registered itself.
|
||||
|
||||
|
||||
--------------------------------------
|
||||
Selecting which logs to ingest
|
||||
--------------------------------------
|
||||
|
||||
Our Wazuh agent plugin supports syslog targets like we use in the rest of the product, so if an application sends
|
||||
its feed to syslog and registers the application name as described in our `development documentation <https://docs.opnsense.org/development/backend/legacy.html#syslog>`__
|
||||
it can be selected to send to Wazuh as well.
|
||||
|
||||
For Intrusion detection we can send the events as well using the same (eve) datafeed used in OPNsense, just mark the
|
||||
**Intrusion detection events** in the general settings.
|
||||
|
||||
.. Note::
|
||||
Wazuh only supports `rfc3164 <https://datatracker.ietf.org/doc/html/rfc3164>`__ formatted syslog messages, for that reason
|
||||
we record a copy of the requested events into a file named :code:`/var/ossec/logs/opnsense_syslog.log` using that format.
|
||||
|
||||
|
||||
--------------------------------------
|
||||
Installing custom ossec.conf entries
|
||||
--------------------------------------
|
||||
|
||||
Some Wazuh modules are directly selectable from the gui, but when a feature is needed, which is not offered in the
|
||||
plugin, it's possible to add static sections manually.
|
||||
|
||||
You can add these in :code:`/usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/`, for example, to
|
||||
add a custom json feed, add a file containing the following content in there:
|
||||
|
||||
.. code-block:: xml
|
||||
:linenos:
|
||||
:caption: /usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/099-my-feed.conf
|
||||
|
||||
<localfile>
|
||||
<log_format>json</log_format>
|
||||
<location>/path/to/my/file.json</location>
|
||||
</localfile>
|
||||
|
||||
|
||||
--------------------------------------
|
||||
Use active responses
|
||||
--------------------------------------
|
||||
|
||||
Wazuh supports `active responses <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html>`__
|
||||
so the manager can direct defensive actions when needed. The plugin ships with one action named :code:`opnsense-fw` to
|
||||
drop traffic from a specified source address.
|
||||
|
||||
.. Note::
|
||||
|
||||
The opnsense-fw action is stateful and can add and delete addresses from the firewall, more context on these type
|
||||
of actions can be found in the `Wazuh <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html>`__
|
||||
documentation.
|
||||
|
||||
|
||||
To use this action, you need to add some configuration in the manager, starting with the definition of this action.
|
||||
|
||||
.. code-block:: xml
|
||||
:linenos:
|
||||
:caption: /var/ossec/etc/ossec.conf
|
||||
|
||||
<ossec_config>
|
||||
<command>
|
||||
<name>opnsense-fw</name>
|
||||
<executable>opnsense-fw</executable>
|
||||
<timeout_allowed>yes</timeout_allowed>
|
||||
</command>
|
||||
</ossec_config>
|
||||
|
||||
After which you can use it in active-response rules, like this:
|
||||
|
||||
.. code-block:: xml
|
||||
:linenos:
|
||||
:caption: /var/ossec/etc/ossec.conf
|
||||
|
||||
<ossec_config>
|
||||
<active-response>
|
||||
<disabled>no</disabled>
|
||||
<command>opnsense-fw</command>
|
||||
<location>defined-agent</location>
|
||||
<agent_id>001</agent_id>
|
||||
<rules_id>100201</rules_id>
|
||||
<timeout>180</timeout>
|
||||
</active-response>
|
||||
</ossec_config>
|
||||
|
||||
|
||||
The official `documentation <https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html>`__
|
||||
contains more information about the options available.
|
||||
|
||||
.. Tip::
|
||||
Active responses are logged into :menuselection:`Services --> Wazuh Agent --> Logfile / active-responses`, including
|
||||
the messages received from the manager.
|
||||
|
||||
|
||||
To quickly test if an active-response can be executed on the agent, we advise to use the API console under :menuselection:`Wazuh --> Tools --> API console`.
|
||||
Executing the :code:`opnsense-fw` command for address :code:`172.16.1.30` on agent :code:`001` can be done using:
|
||||
|
||||
.. code-block:: xml
|
||||
:linenos:
|
||||
|
||||
PUT /active-response?agents_list=001
|
||||
{
|
||||
"command": "!opnsense-fw",
|
||||
"custom": false,
|
||||
"alert": {
|
||||
"data": {
|
||||
"srcip": "172.16.1.30"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
.. Tip::
|
||||
|
||||
Wazuh offers quite some `proof of concept <https://documentation.wazuh.com/current/proof-of-concept-guide/index.html>`__ documents and blog posts,
|
||||
like `this <https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/>`__
|
||||
document explaining how Suricata and Wazuh can be combined to respond to detected threats.
|
||||
|
||||
--------------------------------------
|
||||
Test rule detection
|
||||
--------------------------------------
|
||||
|
||||
In case log entries are being collected in :code:`/var/ossec/logs/opnsense_syslog.log` and no events are being collected
|
||||
in the Manager, it's usually a good idea to check how Wazuh processes these lines.
|
||||
|
||||
The :menuselection:`Wazuh --> Tools --> Ruleset test` menu item in the manager offers an easy to use tool to inspect log
|
||||
events.
|
||||
|
@ -0,0 +1,525 @@
|
||||
===========================================================================================
|
||||
23.7 "Restless Roadrunner" Series
|
||||
===========================================================================================
|
||||
|
||||
|
||||
|
||||
For more than 8 and a half years now, OPNsense is driving innovation
|
||||
through modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
|
||||
|
||||
23.7, nicknamed "Restless Roadrunner", features numerous MVC/API conversions
|
||||
including the new OpenVPN "instances" configuration option, OpenVPN group
|
||||
alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2
|
||||
plus much more.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/23.7/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.3 (August 30, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Recently we improved the workflow for bringing language updates to the
|
||||
release so here we are with an updated translation package including
|
||||
added support for Korean. Thanks a lot to all contributors for keeping
|
||||
this going strong!
|
||||
|
||||
If you would like to help with translations you can sign up via:
|
||||
|
||||
https://poeditor.com/projects/view?id=179921
|
||||
|
||||
Of note is also the largely rewritten backend for the WireGuard kernel
|
||||
module plugin which offers separate services for each instance much
|
||||
like OpenVPN offers it. The requirement of the wireguard-tools and bash
|
||||
packages were removed. This also means the plugin will be moved to the
|
||||
core for 24.1 along with Wireguard go plugin being removed completely
|
||||
since on FreeBSD 13.2 no external package is needed to enjoy WireGuard
|
||||
and the permanent existence of a kernel module renders the Go fallback
|
||||
defunct through wireguard-tools/wg-quick implementation quirks.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: fix missing config save when RRD data is supplied during backup import
|
||||
* system: defer config reload to SIGHUP in gateway watcher
|
||||
* system: handle "force_down" state correctly in gateway watcher
|
||||
* system: make Gateways class argument optional
|
||||
* interfaces: tweak UX of interface settings page
|
||||
* interfaces: further improve PPP MTU handling
|
||||
* interfaces: remove workaround to re-reload the routing during bootup for edge case that no longer exist
|
||||
* firewall: fix group priority handling regression
|
||||
* firewall: improve filter functionality to combine multiple network clauses in states page
|
||||
* dhcp: map interfaces to interface names instead of devices
|
||||
* dhcp: fix iaid_duid parsing in IPv6 lease page
|
||||
* intrusion detection: support "bypass" keyword in user-defined rules (contributed by Monviech)
|
||||
* openvpn: fix mismatch issue when pinning a CSO to a specific instance
|
||||
* openvpn: add advanced option for optional CA selection
|
||||
* unbound: fix concurrent session closing the handle while still writing data in Python module
|
||||
* web proxy: remove long deprecated "dns_v4_first" setting from GUI
|
||||
* mvc: extend PortField to optionally allow port type aliases
|
||||
* lang: update all languages and add Korean
|
||||
* plugins: os-firewall 1.4 adds port alias support
|
||||
* plugins: os-frr 1.35 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__
|
||||
* plugins: os-wireguard 2.0 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr>`__
|
||||
* ports: filterlog fix to prevent crash on default rule number -1
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.2 (August 23, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Assorted improvements are being shipped with this release. Of special
|
||||
note is the proper monitoring of down gateways which allows the new
|
||||
gateway watcher to see the gateway come back online when plugging a
|
||||
cable. A Wazuh agent plugin was added and the ddclient plugin received
|
||||
new protocol support including AWS Route53 amongst others.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: improve monitoring of down gateways
|
||||
* system: clear all /var/run directories on bootup
|
||||
* system: put lock()/unlock() back for legacy plugin compatibility
|
||||
* interfaces: fix special device name chars used in shell variables
|
||||
* interfaces: prevent IPv6 mismatches when using compressed format in VIP
|
||||
* interfaces: remove descriptive name from newwanip logging
|
||||
* interfaces: typo in MRU handling for PPP
|
||||
* interfaces: improve PPPoE MTU handling
|
||||
* interfaces: switch rtsold to -A mode
|
||||
* firewall: missing interface group registration on group creation
|
||||
* dhcp: improve UX of the new MVC lease pages
|
||||
* firmware: remove defunct mirror "Dept. of CSE, Yuan Ze University"
|
||||
* intrusion detection: fix events originating from "int^" due to IPS mode use
|
||||
* ipsec: add colon to supported character list for pre-shared key IDs
|
||||
* ipsec: reqid should not stick when copying a phase 1
|
||||
* monit: fix empty timeout value (contributed by Michael Muenz)
|
||||
* openvpn: properly map user groups for authentication
|
||||
* openvpn: bring instances into server field
|
||||
* openvpn: fix separator for redirect-gateway attribute in instances and CSO
|
||||
* unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
|
||||
* plugins: os-ddclient 1.15 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__
|
||||
* plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)
|
||||
* plugins: os-relayd 2.7 now supports newer upstream release of relayd
|
||||
* plugins: os-wazuh-agent 1.0 `[2] <https://docs.opnsense.org/manual/wazuh-agent.html>`__
|
||||
* src: remove if_wg from kernel modules to unbreak current wireguard-go use
|
||||
* src: axgbe: LED control for A30 platform
|
||||
* src: gif: revert in{,6}_gif_output() misalignment handling
|
||||
* src: igc: sync srrctl buffer sizing with e1000
|
||||
* src: ip_output: ensure that mbufs are mapped if ipsec is enabled
|
||||
* src: ixgbe: warn once for unsupported SFPs
|
||||
* src: ixgbe: add support for 82599 LS
|
||||
* src: ixl: add link state polling
|
||||
* src: ixl: port ice's atomic API to ixl
|
||||
* src: rss: set pin_default_swi to 0 by default
|
||||
* src: rtsol: introduce an 'always' script
|
||||
* ports: krb5 1.21.2 `[3] <https://web.mit.edu/kerberos/krb5-1.21/>`__
|
||||
* ports: openldap 2.6.6 `[4] <https://www.openldap.org/software/release/changes.html>`__
|
||||
* ports: openvpn 2.6.6 `[5] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.6>`__
|
||||
* ports: php 8.2.9 `[6] <https://www.php.net/ChangeLog-8.php#8.2.9>`__
|
||||
* ports: phalcon 5.3.0 `[7] <https://github.com/phalcon/cphalcon/releases/tag/v5.3.0>`__
|
||||
* ports: phpseclib 3.0.21 `[8] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.21>`__
|
||||
* ports: py-dnspython 2.4.2
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.1 (August 08, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
23.7 looks pretty good so far but no reason not to make it better.
|
||||
The MVC changes for DHCP, firewall groups, OpenVPN and Unbound receive
|
||||
several required fixes and the latest FreeBSD security advisories were
|
||||
added as well.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: close boot file after probing to avoid lock inheritance
|
||||
* system: fix lock() inheriting the lock state
|
||||
* system: give more context in process kill error case since we operate PID numbers only
|
||||
* firewall: groups were not correctly parsed for menu post-migration
|
||||
* firewall: hide row command buttons for internal groups
|
||||
* firewall: add "ipv6-icmp" to protocol list in shaper
|
||||
* firewall: fix PHP warnings on the rules pages
|
||||
* dhcp: check if manufacturer exists for IPv4 lease page to prevent error
|
||||
* dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
|
||||
* dhcp: fix validation for static entry requirement
|
||||
* firmware: revoke 23.1 fingerprint
|
||||
* network time: support pool directive and maxclock (contributed by Kevin Fason)
|
||||
* openvpn: fix static key delete
|
||||
* openvpn: fix "mode" typo and push auth "digest" into export config
|
||||
* openvpn: fix race condition when using CRLs in instances
|
||||
* openvpn: remove arbitrary upper bounds on some integer values in instances
|
||||
* unbound: migration of empty nodes failed from 23.1.11 to 23.7
|
||||
* unbound: fix regression when disabling first domain override
|
||||
* mvc: fix empty item selection issue in BaseListField
|
||||
* plugins: os-ddclient 1.14 `[1] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr>`__
|
||||
* plugins: os-acme-client 3.19 `[2] <https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr>`__
|
||||
* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[3] <FREEBSD:FreeBSD-SA-23:07.bhyve>`__
|
||||
* src: frag6: avoid a possible integer overflow in fragment handling `[4] <FREEBSD:FreeBSD-SA-23:06.ipv6>`__
|
||||
* src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
|
||||
* src: libpfctl: ensure the initial allocation is large enough
|
||||
* src: pf: handle multiple IPv6 fragment headers
|
||||
* ports: curl 8.2.1 `[5] <https://curl.se/changes.html#8_2_1>`__
|
||||
* ports: nss 3.92 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_92.html>`__
|
||||
* ports: openssl 1.1.1v `[7] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
||||
* ports: perl 5.34.1 `[8] <https://perldoc.perl.org/5.34.1/perldelta>`__
|
||||
* ports: py-dnspython 2.4.1
|
||||
* ports: strongswan 5.9.11 `[9] <https://github.com/strongswan/strongswan/releases/tag/5.9.11>`__
|
||||
* ports: syslog-ng 4.3.1 `[10] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.3.1>`__
|
||||
|
||||
A hotfix release was issued as 23.7.1_3:
|
||||
|
||||
* firewall: do not clone "associated-rule-id"
|
||||
* network time: fix "Soliciting pool server" regression (contributed by Allan Que)
|
||||
* dhcp: fix IPv4 lease removal
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7 (July 31, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
For more than 8 and a half years now, OPNsense is driving innovation
|
||||
through modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
|
||||
|
||||
23.7, nicknamed "Restless Roadrunner", features numerous MVC/API conversions
|
||||
including the new OpenVPN "instances" configuration option, OpenVPN group
|
||||
alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2
|
||||
plus much more.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/23.7/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
Here are the full patch notes against 23.1.11:
|
||||
|
||||
* system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
|
||||
* system: fix assorted PHP 8.2 deprecation notes
|
||||
* system: fix assorted permission-after-write problems
|
||||
* system: introduce a gateway watcher service and fix issue with unhandled "loss" trigger when "delay" is also reported
|
||||
* system: enabled web GUI compression (contributed by kulikov-a)
|
||||
* system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
|
||||
* system: allow "." DNS search domain override
|
||||
* system: on boot let template generation wait for configd socket for up to 10 seconds
|
||||
* system: do not allow state modification on GET for power off and reboot actions
|
||||
* system: better validation and escaping for cron commands
|
||||
* system: better validation for logging user input
|
||||
* system: improve configuration import when interfaces or console settings do not match
|
||||
* system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
|
||||
* system: sanitize $act parameter in trust pages
|
||||
* system: add severity filter in system log widget (contributed by kulikov-a)
|
||||
* system: mute openssl errors pushed to stderr
|
||||
* system: add opnsense-crypt utility to encrypt/decrypt a config.xml
|
||||
* system: call opnsense-crypt from opnsense-import to deal with encrypted imports
|
||||
* interfaces: extend/modify IPv6 primary address behaviour
|
||||
* interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
|
||||
* interfaces: introduce a lock and DAD timer into newwanip for IPv6
|
||||
* interfaces: rewrite LAGG pages via MVC/API
|
||||
* interfaces: allow manual protocol selection for VLANs
|
||||
* interfaces: remove null_service toggle as empty service name in PPPoE works fine
|
||||
* interfaces: on forceful IPv6 reload do not lose the event handling
|
||||
* interfaces: allow primary address function to emit device used
|
||||
* firewall: move all automatic rules for interface connectivity to priority 1
|
||||
* firewall: rewrote group handling using MVC/API
|
||||
* firewall: clean up AliasField to use new getStaticChildren()
|
||||
* firewall: "kill states in selection" button was hidden when selecting only a rule for state search
|
||||
* firewall: cleanup port forward page and only show the associated filter rule for this entry
|
||||
* captive portal: safeguard template overlay distribution
|
||||
* dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
|
||||
* dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
|
||||
* dhcp: align router advertisements VIP code and exclude /128
|
||||
* dhcp: allow "." for DNSSL in router advertisements
|
||||
* dhcp: print interface identifier and underlying device in "found no suitable address" warnings
|
||||
* firmware: opnsense-version: remove obsolete "-f" option stub
|
||||
* firmware: properly escape crash reports shown
|
||||
* firmware: fix a faulty JSON construction during partial upgrade check
|
||||
* firmware: fetch bogons/changelogs from amd64 ABI only
|
||||
* ipsec: add missing config section for HA sync
|
||||
* ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
|
||||
* ipsec: only write /var/db/ipsecpinghosts if not empty
|
||||
* ipsec: check IPsec config exists before use (contributed by agh1467)
|
||||
* ipsec: fix RSA key pair generation with size other than 2048
|
||||
* ipsec: deprecating tunnel configuration in favour of new connections GUI
|
||||
* ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
|
||||
* ipsec: add passthrough networks when specified to prevent overlapping "connections" missing them
|
||||
* monit: fix alert script includes
|
||||
* openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API available as a separate configuration option `[2] <https://docs.opnsense.org/manual/vpnet.html>`__
|
||||
* openvpn: rewrote client specific overrides using MVC/API
|
||||
* unbound: rewrote general settings and ACL handling using MVC/API
|
||||
* unbound: add forward-tcp-upstream in advanced settings
|
||||
* unbound: move unbound-blocklists.conf to configuration location
|
||||
* unbound: add database import/export functions for when DuckDB version changes on upgrades
|
||||
* unbound: add cache-max-negative-ttl setting (contributed by hp197)
|
||||
* unbound: fix upgrade migration when database is not enabled
|
||||
* unbound: minor endpoint cleanups for DNS reporting page
|
||||
* wizard: restrict to validating only IPv4 addresses
|
||||
* backend: minor regression in deeper nested command structures in configd
|
||||
* mvc: fill missing keys when sorting in searchRecordsetBase()
|
||||
* mvc: properly support multi clause search phrases
|
||||
* mvc: allow legacy services to hook into ApiMutableServiceController
|
||||
* mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
|
||||
* mvc: add generic static record definition for ArrayField
|
||||
* ui: introduce collapsible table headers for MVC forms
|
||||
* plugins: os-acme-client 3.18 `[3] <https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr>`__
|
||||
* plugins: os-bind 1.27 `[4] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/bind/pkg-descr>`__
|
||||
* plugins: os-dnscrypt-proxy 1.14 `[5] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/dnscrypt-proxy/pkg-descr>`__
|
||||
* plugins: os-dyndns removed due to unmaintained code base
|
||||
* plugins: os-frr 1.34 `[6] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__
|
||||
* plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)
|
||||
* plugins: os-telegraf 1.12.8 `[7] <https://github.com/opnsense/plugins/blob/stable/23.7/net-mgmt/telegraf/pkg-descr>`__
|
||||
* plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
|
||||
* plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
|
||||
* src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
|
||||
* src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
|
||||
* src: ipsec: add PMTUD support
|
||||
* src: FreeBSD 13.2-RELEASE `[8] <https://www.freebsd.org/releases/13.2R/relnotes/>`__
|
||||
* ports: krb 1.21.1 `[9] <https://web.mit.edu/kerberos/krb5-1.21/>`__
|
||||
* ports: nss 3.91 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html>`__
|
||||
* ports: phalcon 5.2.3 `[11] <https://github.com/phalcon/cphalcon/releases/tag/v5.2.3>`__
|
||||
* ports: php 8.2.8 `[12] <https://www.php.net/ChangeLog-8.php#8.2.8>`__
|
||||
* ports: py-duckdb 0.8.1
|
||||
* ports: py-vici 5.9.11
|
||||
* ports: sudo 1.9.14p3 `[13] <https://www.sudo.ws/stable.html#1.9.14p3>`__
|
||||
* ports: suricata now enables Netmap V14 API
|
||||
|
||||
Migration notes, known issues and limitations:
|
||||
|
||||
* The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups -- especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
|
||||
* Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility "monitor" still exists but is only provided for compatibility reasons with existing user scripts.
|
||||
* IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended. An appropriate EoL announcement will be made next year.
|
||||
* The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
|
||||
* The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
|
||||
|
||||
The public key for the 23.7 series is:
|
||||
|
||||
.. code-block::
|
||||
|
||||
# -----BEGIN PUBLIC KEY-----
|
||||
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
|
||||
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
|
||||
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
|
||||
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
|
||||
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
|
||||
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
|
||||
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
|
||||
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
|
||||
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
|
||||
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
|
||||
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
|
||||
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
|
||||
# -----END PUBLIC KEY-----
|
||||
|
||||
Please let us know about your experience!
|
||||
|
||||
|
||||
|
||||
.. code-block::
|
||||
|
||||
# SHA256 (OPNsense-23.7-dvd-amd64.iso.bz2) = bf67374d04fb00a29d80f9870ac86491b0a87d5dd386c2bd97def0691547e263
|
||||
# SHA256 (OPNsense-23.7-nano-amd64.img.bz2) = 4adbbd69d0ce1766395555475ea29713f9043735a0c9067206d9945cb626200a
|
||||
# SHA256 (OPNsense-23.7-serial-amd64.img.bz2) = 03c774f53520414c73cdcaa4fe3b34c4165395963bef74c533c3878a07b80138
|
||||
# SHA256 (OPNsense-23.7-vga-amd64.img.bz2) = 8a235d2cba717b9b2ea4d5588028c087adc6ff472ae8efd381a26a9640298c67
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.r3 (July 26, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Quick release candidate update. Last one. Promise.
|
||||
|
||||
Still on track for the final release on July 31.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* interfaces: on forceful IPv6 reload do not lose the event handling
|
||||
* interfaces: allow primary address function to emit device used
|
||||
* dhcp: print interface identifier and underlying device in "found no suitable address" warnings
|
||||
* wizard: restrict to validating only IPv4 addresses
|
||||
|
||||
|
||||
Stay safe,
|
||||
Your OPNsense team
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.r2 (July 24, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Quick release candidate update. May or may not be the last one this
|
||||
week depending on the feedback we will receive. So far thanks to all
|
||||
the brave testers!
|
||||
|
||||
Still on track for the final release on July 31.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: mute openssl errors pushed to stderr
|
||||
* system: add opnsense-crypt utility to encrypt/decrypt a config.xml
|
||||
* system: call opnsense-crypt from opnsense-import to deal with encrypted imports
|
||||
* interfaces: rewrite LAGG pages via MVC/API
|
||||
* interfaces: allow manual protocol selection for VLANs
|
||||
* interfaces: remove null_service toggle as empty service name in PPPoE works fine
|
||||
* monit: fix alert script includes
|
||||
* ipsec: add passthrough networks when specified to prevent overlapping "connections" missing them
|
||||
* unbound: fix upgrade migration when database is not enabled
|
||||
* unbound: minor endpoint cleanups for DNS reporting page
|
||||
* firmware: fix a faulty JSON construction during partial upgrade check
|
||||
* ports: openssh 9.3p2 `[1] <https://www.openssh.com/txt/release-9.3p2>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.7.r1 (July 20, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
For more than 8 and a half years now, OPNsense is driving innovation
|
||||
through modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
|
||||
|
||||
We thank all of you for helping test, shape and contribute to the project!
|
||||
We know it would not be the same without you. <3
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/23.7/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
Here are the full patch notes against 23.1.11:
|
||||
|
||||
* system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
|
||||
* system: fix assorted PHP 8.2 deprecation notes
|
||||
* system: fix assorted permission-after-write problems
|
||||
* system: introduce a gateway watcher service and fix issue with unhandled "loss" trigger when "delay" is also reported
|
||||
* system: enabled web GUI compression (contributed by kulikov-a)
|
||||
* system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
|
||||
* system: allow "." DNS search domain override
|
||||
* system: on boot let template generation wait for configd socket for up to 10 seconds
|
||||
* system: do not allow state modification on GET for power off and reboot actions
|
||||
* system: better validation and escaping for cron commands
|
||||
* system: better validation for logging user input
|
||||
* system: improve configuration import when interfaces or console settings do not match
|
||||
* system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
|
||||
* system: sanitize $act parameter in trust pages
|
||||
* system: add severity filter in system log widget (contributed by kulikov-a)
|
||||
* interfaces: extend/modify IPv6 primary address behaviour
|
||||
* interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
|
||||
* interfaces: introduce a lock and DAD timer into newwanip for IPv6
|
||||
* firewall: move all automatic rules for interface connectivity to priority 1
|
||||
* firewall: rewrote group handling using MVC/API
|
||||
* firewall: clean up AliasField to use new getStaticChildren()
|
||||
* firewall: "kill states in selection" button was hidden when selecting only a rule for state search
|
||||
* firewall: cleanup port forward page and only show the associated filter rule for this entry
|
||||
* captive portal: safeguard template overlay distribution
|
||||
* dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
|
||||
* dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
|
||||
* dhcp: align router advertisements VIP code and exclude /128
|
||||
* dhcp: allow "." for DNSSL in router advertisements
|
||||
* firmware: opnsense-version: remove obsolete "-f" option stub
|
||||
* firmware: properly escape crash reports shown
|
||||
* ipsec: add missing config section for HA sync
|
||||
* ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
|
||||
* ipsec: only write /var/db/ipsecpinghosts if not empty
|
||||
* ipsec: check IPsec config exists before use (contributed by agh1467)
|
||||
* ipsec: fix RSA key pair generation with size other than 2048
|
||||
* ipsec: deprecating tunnel configuration in favour of new connections GUI
|
||||
* ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
|
||||
* openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API available as a separate configuration option `[2] <https://docs.opnsense.org/manual/vpnet.html>`__
|
||||
* openvpn: rewrote client specific overrides using MVC/API
|
||||
* unbound: rewrote general settings and ACL handling using MVC/API
|
||||
* unbound: add forward-tcp-upstream in advanced settings
|
||||
* unbound: move unbound-blocklists.conf to configuration location
|
||||
* unbound: add database import/export functions for when DuckDB version changes on upgrades
|
||||
* unbound: add cache-max-negative-ttl setting (contributed by hp197)
|
||||
* backend: minor regression in deeper nested command structures in configd
|
||||
* mvc: fill missing keys when sorting in searchRecordsetBase()
|
||||
* mvc: properly support multi clause search phrases
|
||||
* mvc: allow legacy services to hook into ApiMutableServiceController
|
||||
* mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
|
||||
* mvc: add generic static record definition for ArrayField
|
||||
* ui: introduce collapsible table headers for MVC forms
|
||||
* plugins: os-acme-client 3.18 `[3] <https://github.com/opnsense/plugins/blob/stable/23.7/security/acme-client/pkg-descr>`__
|
||||
* plugins: os-dnscrypt-proxy 1.14 `[4] <https://github.com/opnsense/plugins/blob/stable/23.7/dns/dnscrypt-proxy/pkg-descr>`__
|
||||
* plugins: os-dyndns removed due to unmaintained code base
|
||||
* plugins: os-frr 1.34 `[5] <https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr>`__
|
||||
* plugins: os-telegraf 1.12.8 `[6] <https://github.com/opnsense/plugins/blob/stable/23.7/net-mgmt/telegraf/pkg-descr>`__
|
||||
* plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
|
||||
* plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
|
||||
* src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
|
||||
* src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
|
||||
* src: ipsec: add PMTUD support
|
||||
* src: FreeBSD 13.2-RELEASE `[7] <https://www.freebsd.org/releases/13.2R/relnotes/>`__
|
||||
* ports: krb 1.21.1 `[8] <https://web.mit.edu/kerberos/krb5-1.21/>`__
|
||||
* ports: nss 3.91 `[9] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_91.html>`__
|
||||
* ports: php 8.2.8 `[10] <https://www.php.net/ChangeLog-8.php#8.2.8>`__
|
||||
* ports: py-duckdb 0.8.1
|
||||
* ports: py-vici 5.9.11
|
||||
* ports: sudo 1.9.14p2 `[11] <https://www.sudo.ws/stable.html#1.9.14p2>`__
|
||||
* ports: suricata now enables Netmap V14 API
|
||||
|
||||
Migration notes, known issues and limitations:
|
||||
|
||||
* The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups -- especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
|
||||
* Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility "monitor" still exists but is only provided for compatibility reasons with existing user scripts.
|
||||
* IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended. An appropriate EoL announcement will be made next year.
|
||||
* The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
|
||||
* The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
|
||||
|
||||
The public key for the 23.7 series is:
|
||||
|
||||
.. code-block::
|
||||
|
||||
# -----BEGIN PUBLIC KEY-----
|
||||
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
|
||||
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
|
||||
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
|
||||
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
|
||||
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
|
||||
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
|
||||
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
|
||||
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
|
||||
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
|
||||
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
|
||||
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
|
||||
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
|
||||
# -----END PUBLIC KEY-----
|
||||
|
||||
Please let us know about your experience!
|
||||
|
||||
|
||||
|
||||
.. code-block::
|
||||
|
||||
# SHA256 (OPNsense-23.7.r1-dvd-amd64.iso.bz2) = ffc2fe24b16bf45b84223ccf78780e94715e695d6ef50bbb041dc1697dcd7862
|
||||
# SHA256 (OPNsense-23.7.r1-nano-amd64.img.bz2) = d2e3de7d7919b0aaafe80c92ec944b94ebb005220e46ed71d8f816236bf4feab
|
||||
# SHA256 (OPNsense-23.7.r1-serial-amd64.img.bz2) = 61b594799c1ab9c2daab9adcff93793bf54f875067a7ddec070ade1d67db3689
|
||||
# SHA256 (OPNsense-23.7.r1-vga-amd64.img.bz2) = 5e90b9fd076a206409474d3667ee11439ecb86f44dbcb1bc339e96b5a83c5a28
|