HardenedBSD experimental builds

[franco]

Hi everyone,

courtesy of Shawn Webb, here are the latest images for OPNsense on HardenedBSD. Note that upgrading does not work on these, they show the integration progress, which is: it works.

https://pkg.opnsense.org/snapshots/hbsd-exp-05/

Making HardenedBSD additions available by default in OPNsense is what we are aiming at for 16.1. More on this soon. Please also note Shawn's announcement over at HardenedBSD:

https://hardenedbsd.org/article/shawn-webb/2015-06-10/first-official-opnsense-images-hardenedbsd

Build number 6 is going to come out soon.


Cheers,
Franco

[Supermule]

Are you moving away from FreeBSD?

[franco]

Long answer: HardenedBSD is security goodness on top of FreeBSD, in some regards more than what OpenBSD offers without being OpenBSD underneath, some parts even better than that. HardenedBSD patches are going upstream to FreeBSD eventually. We try to adapt these patches earlier and can keep it fully compatible with FreeBSD at the same time. Bottom line is the patches make sense and work great already, so why not use them for the benefit of our users.

Short answer: No.

[Supermule]

Thanks man! Very appreciated! 

[Solaris17]

I cant wait! security is good!

[HuntingDMouse]

security is always a good thing.

having opnsense on top of hardenedBSD is even better considering we dont
have to deal with OpenBSD... they annoy me with there attitudes. (dont ask me
how i know).

im considering rebuilding a Huge server farm (>100 servers) with HardenedBSD (currently on stock FreeBSD now)

[Solaris17]

Will these builds still support the same hardware they 10.2 currently does?

[lattera]

Shawn Webb here. Yeah, the HardenedBSD experimental builds support the same hardware as OPNSense. Build number six was going to happen yesterday, but will be delayed until next week at the earliest and October at the latest.

Please note that build five doesn't support binary updates, but build six will. So going from three to five (four is intentionally missing) or five to six you'll have to backup your config, reinstall, then restore your config. Versions six and onward will have the same binary upgrade capabilities you currently enjoy with OPNSense.

[Solaris17]

Shawn Webb here. Yeah, the HardenedBSD experimental builds support the same hardware as OPNSense. Build number six was going to happen yesterday, but will be delayed until next week at the earliest and October at the latest.

Please note that build five doesn't support binary updates, but build six will. So going from three to five (four is intentionally missing) or five to six you'll have to backup your config, reinstall, then restore your config. Versions six and onward will have the same binary upgrade capabilities you currently enjoy with OPNSense.

Thank you very much for this information and your continued hard work!

[Solaris17]

Just a quick question sorry for the double post. Are there plans to move exclusively to hardened BSD as our core or have side by side releases on the same version number and opnsense build? I am very interested in getting on board with this.

[lattera]

I can't speak for the OPNSense crew, but I'll be continuously providing builds based on HardenedBSD. I'm doing a new build now based on 15.7.15. :-) And I have all the bits in place to support binary updates along with managed secadm rule updates. Build seven will likely also include Integriforce rules for all of userland. :-)

[lattera]

New experimental builds posted! You can find them here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-06-15.7/

I still need to populate the package repo on our web server, but this build itself now supports binary updates.

[Solaris17]

great news thank you!

[franco]

Shawn, put them on the mirror as well: https://pkg.opnsense.org/snapshots/hbsd-exp-06/

[LuckyURE]

I'm using the new build and love it!  Quick question though, the update feature isn't working in the latest build, do you plan to add an update server/option to the list so we can simply upgrade just as the primary releases do?