[PARTIALLY SOLVED] Can't downgrade to 24.1.1 from 24.1.2_1 using opnsense-revert: opnsense has a missing dependency: suricata-stable/WAN Flapping due to Suricata 7.0.3 change in default behavior #7276
Comments
@fichtner There is no way to revert back to 24.1.1 because the incorrect package is in the repository. The package that is actually in
I don’t want to discuss release engineering quirks like this because it wasn’t done to annoy anyone and it can’t be undone either.
@fichtner Fair enough.....Is there any way to fix it temporarily?
Turn off IPS mode?
@fichtner Well....there is that....and it works but effectively disables Suricata. There is a better solution over in the forums.....after you refused to look further into this to at least help provide a solution. Anyway, for anyone else looking for something that actually works while not disabling Suricata and killing their network security. Here is what I have tested and seems to work. The forum links to support this comment are:

The links above describe that Suricata 7 has moved to a default of "drop(Close)" instead of "ignore(Open)". This causes exceptions in Suricata causing the packets to be dropped. What worked for me was editing the file shown at the path below with the code following that. Be sure to have Suricata disabled in the WebUI before applying this fix. Once the file has been edited then re-enable Suricata in the WebUI and test the network. The logs will show the same NUMA errors so that is useless. OISF stated that they are moving the NUMA messages to the informational channel in logging as it's not supposed to affect functionality.

IMPORTANT: According to the documentation this effectively turns the "applayer" into IDS mode (Off) in the cases of exceptions. They also discuss more about how Suricata will act more like a firewall in this way from version 7 on. More information about this can be found here.

File to edit:
Code to add at the end of the file:
Frankly, I’m not very fond of throwing ad-hominem around.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
After update to 24.1.2_1 from 24.1.2 all my NAT configurations are still not working.
Traffic is being Dropped due to WAN flapping
Rules that only need firewall rules work as expected: openVPN.
Suricata commit to fix this issue was issued 3 days ago:
OISF/suricata@4b0704d
Suricata Logs Show:
I wanted to revert to 24.1.1 but the downgrade fails: see below.
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
I've just updated to 24.1.2_1 - nothing less, nothing more.
Expected behavior
A clear and concise description of what you expected to happen.
Describe alternatives you considered
Tried downgrading but it fails with the following:
Software version used and hardware type if relevant, e.g.:
OPNsense 24.1.2_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13