sonertari / UTMFW

UTM Firewall on OpenBSD
GNU General Public License v3.0

Client-Side BEV_EVENT_ERROR #16

Open bmjakobsen opened 2 years ago

bmjakobsen commented 2 years ago

HTTP/S traffic doesn't work, I always get a BEV_EVENT_ERROR in the logs of the SSL-Proxy.

sonertari commented 2 years ago

That happens for more than a couple of reasons. But the most probable one is that your web browser may be rejecting the certificates forged by SSLproxy. If that's the case, you should download the CA certificate used by SSLproxy and install it in your browser. If you are using your smartphone, then it may be more difficult, and you may need to bypass SSLproxy by adding one or more SSLproxy rules.

bmjakobsen commented 2 years ago

Thanks for your reply, the certificate is installed. I am using a Windows 10 and a Debian machine. In Firefox and Edge I get the error ERR_EMPTY_RESPONSE.

It once worked, but it suddenly stopped working, I couldn't find the cause or difference in configuration. In pf the packet gets through.

sonertari commented 2 years ago

I cannot recall the reason if/when I get ERR_EMPTY_RESPONSE on the browser. But most probably, in my case, it was either because the system time of UTMFW was off by a large margin (so certificates were being rejected), or an issue with user authentication.

Normally, I would enable debug logging in SSLproxy and inspect verbose logs. But you need to recompile sslproxy (on OpenBSD) for that and start it on the command line with the -D4 option.

It's hard to guess without further info.

bmjakobsen commented 2 years ago

How would I recompile it? And is there something like a startup script where UTMFW starts the sslproxy?

bmjakobsen commented 2 years ago

If it helps, when I try to open a website I get these 3 lines in the logs:

289 | Mar 14 | 10:12:59 | sslproxy | ERROR | Client-side BEV_EVENT_ERROR
290 | Mar 14 | 10:12:59 | sslproxy | ERROR | Error from bufferevent: 60:Operation timed out 0:0:-:0:-:0:-
291 | Mar 14 | 10:12:59 | sslproxy | WARNING | Closing on ssl error without filter match: 10.156.200.101:52532, 18.66.139.69:443, -, -, firefox.settings.services.mozilla.com, firefox.settings.services.mozilla.com/firefox.settings.services.mozilla.com

sonertari commented 2 years ago

Looking at the logs you have provided, I think that the server side of UTMFW is not connected to the Internet. Can you make sure the external interface is up and configured properly, and can reach the Internet? Also, make sure E2Guardian Web Filter and Snort IPS are running. Any networking or routing changes on the server side? (If you have modified any configuration which may cause this but you don't remember, perhaps it would be easier to install UTMFW again to rule it out.)

Btw, first you need to install an OpenBSD 7 machine to compile sslproxy, then copy it to your UTMFW, and run it on the command line. (This may be too much to ask from ordinary users.) But if my guess above is correct, you probably don't need it anyway.

bmjakobsen commented 2 years ago

I can reach the outside using ping, and I just added two pass rules for www and https to bypass filtering, and it works now. So it seems that the sslproxy or firewall is the problem.

bmjakobsen commented 2 years ago

Could it be that I destroyed something by updating using pkg_add -u?

bmjakobsen commented 2 years ago

Why would I need to recompile for log level 4? I can activate it in the sslproxy config. I activated it and I still got the same 3 lines from above.

sonertari commented 2 years ago

If adding some pf rules to bypass sslproxy solves the problem, I also think that either sslproxy, e2guardian, or snort is the problem. Or pf rules are broken (the traffic is diverted to those UTM software using pf rules).

You were not supposed to try to update the packages like that, because I build UTMFW from scratch, make release and everything, and UTMFW uses its own signify key pairs. And UTMFW does not support updating or upgrading, but just install. But I don't think you broke anything by doing that.

Log level 4 is very verbose, more than those 3 lines, and you can enable it in Mk/main.mk and recompile.

bmjakobsen commented 2 years ago

The pf rules work, http/s are diverted to 8081 and 8443. Pf logs also say that they passed traffic into the sslproxy. I will look into recompiling and verbose logging later.
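The divert-to-SSLproxy setup and the "pass rules to bypass filtering" discussed in the comments above, as an added illustration of OpenBSD pf syntax. This is not UTMFW's own pf.conf; the interface name, the LAN prefix, the bypass table and its address are assumptions, and only the listener ports 8081/8443 come from the thread.

```conf
# Added illustration, not UTMFW's pf.conf. Interface names, the LAN network
# and the bypass address are assumptions; ports 8081/8443 are from the issue.
int_if = "em1"
lan    = "192.168.1.0/24"

# Hosts that must not be intercepted (e.g. phones with pinned apps).
# This rule is first and "quick", so pf stops here and the divert
# rules below never see their traffic: a bypass, not a second path.
table <sslproxy_bypass> { 192.168.1.50 }
pass in quick on $int_if inet proto tcp from <sslproxy_bypass> to any port { 80 443 }

# Everything else from the LAN is handed to SSLproxy's plain and TLS listeners.
# pf only rewrites the socket destination; SSLproxy opens its own connection
# to the real server afterwards.
pass in quick on $int_if inet proto tcp from $lan to any port 80  divert-to 127.0.0.1 port 8081
pass in quick on $int_if inet proto tcp from $lan to any port 443 divert-to 127.0.0.1 port 8443

# SSLproxy's outbound connections to the origin servers must be allowed out.
# If this leg is blocked or unroutable, pf still logs the inbound divert as
# "passed", but the client only ever sees a timeout (the error above).
pass out on egress inet proto tcp from (egress) to any port { 80 443 }
```

With a ruleset like this, `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -vs rules` shows per-rule packet counters, so you can see whether the bypass rule or the divert rules are the ones matching a given client before looking at SSLproxy's own logs.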

sonertari commented 2 years ago

Can you check the software versions and build dates of E2Guardian and Snort? You can find them on their Info pages on the WUI, or you can use the command line.

bmjakobsen commented 2 years ago

I currently can't because I have decided to reinstall, but I have the image saved and will look at it later.