| 12 Jul 2024 |
 RoyalTiger | In reply to @toxicpublic:matrix.org
Hello Everyone. Am I becoming crazy or did something happen that blocked ssh access on my opnSense installs untill I upgraded ? I know there was a critical vuln published recently regarding openssh, but I wasn't expecting my firewalls from locking me out... OPNsense is BSD-based and BSD should be save since 2001(?) regarding RegreSSHion. ("OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability." - https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server) | 13:33:41 |
| RoyalTiger | In reply to @royaltiger:matrix.org
OPNsense is BSD-based and BSD should be save since 2001(?) regarding RegreSSHion. ("OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability." - https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server) If OPNsense do so that shouldn't be related to RegreSSHion, but using Keys is nevertheless best practice. | 13:35:05 |
 toxic | thanks RoyalTiger so wasn't related to RegreSSHion I trust you ;)
Very strange though that my 3 firewalls in carp failover all got their ssh blocked and came back only after upgrade&restart of the service :( | 14:27:33 |
| RoyalTiger | Hm, wierd. Maybe related to this? But seems more a DNS resolution issue...
https://github.com/opnsense/core/issues/7426
For real: Could be anything. | 14:45:37 |
| 16 Jul 2024 |
|  aber joined the room. | 18:56:40 |
| 17 Jul 2024 |
|  Gish changed their display name from gish to Gish. | 00:32:02 |
| RoyalTiger | 
Download Firmware System.png | 01:12:58 |
| RoyalTiger | In reply to @toxicpublic:matrix.org
thanks RoyalTiger so wasn't related to RegreSSHion I trust you ;)
Very strange though that my 3 firewalls in carp failover all got their ssh blocked and came back only after upgrade&restart of the service :( You not somehow updated your OpenSSH seperatly? | 01:13:21 |
| 19 Jul 2024 |
|  giacomo_c joined the room. | 20:27:08 |
| giacomo_c | Hello | 20:34:32 |
| giacomo_c | I've got a new opnsense VM install and I'm trying to access the webgui via an opt1 interface that is connected to a network with a linux box. I have confirmed layer3 as I can ping the linux box from the opnsense box, but not vice versa. The opnsense is not allowing webgui or ssh access via that opt1 interface, and the linux box sees relevant TCP ports closed/non-responsive. this is my first foray into the opnsense world. Does the default install allow connections on non lan/wan interfaces? | 20:39:01 |
| RoyalTiger | Hm, let me think. If I remember it right the normal anti-lockout-rule for SSH and WebGUI should just refer to the setup-LAN while installing. I'm also not sure if normal pinging is forbidden by default. | 20:53:19 |
| giacomo_c | you know what, i could just try to re-assign the interfaces so that the "LAN" is connected to the network with the linux box and give it another go | 20:54:27 |
| RoyalTiger | * Hm, let me think. If I remember it right the normal anti-lockout-rule for SSH and WebGUI should just refer to the setup-LAN installed/configured first. I'm also not sure if normal pinging is forbidden by default. | 20:54:29 |
| RoyalTiger | Yeah, that should work. | 20:54:42 |
| RoyalTiger | https://www.reddit.com/r/OPNsenseFirewall/comments/lex7l2/moving_antilockout_to_a_different_lan_interface/
This should apply till today. | 20:57:12 |
| giacomo_c | re-assigning did the trick | 20:58:31 |
| giacomo_c | ahhh, opt1 has no pass rules by default | 21:05:48 |
| giacomo_c | it will listen on all interfaces | 21:05:57 |
| giacomo_c | but without a pass rule, its not gonna let anything through lol | 21:06:05 |
| RoyalTiger | Yep, that's what the default anti-lockout-rule is for, so you aren't able to kill your access with a fw rule by mistake. | 21:09:20 |
| giacomo_c | there was probably a way to setup a temp any any rule from the shell, but i was having trouble finding docs on that | 21:10:08 |
| RoyalTiger | But this just applies to the default LAN-interface, because you maybe don't want that other subnets are able to access "MGMT". | 21:10:22 |
| giacomo_c | true | 21:10:29 |
| giacomo_c | so if i swap these interface assignments around in the webgui, will it still have the same IP assignments to the interface names? | 21:12:18 |
| giacomo_c | right now eth1 = opt 1 and vteth = lan. i set a rule for opt 1 to allow from any to any ipv4. | 21:13:13 |
| giacomo_c | if i switch vtnet = opt1 and eth1 = lan, will all that keep? | 21:13:28 |
| giacomo_c | ohh, the ips | 21:14:27 |
| giacomo_c | lol | 21:14:30 |
| RoyalTiger | Uh, good question. As you just change the interface assignment to the added device, all settings in the configuration should still be the same. | 21:15:51 |
