2
General Discussion / Re: Move to 14.1?
« on: Today at 11:33:31 am »
> FreeBSD 14.0 was released in November 2023.
FWIW, this is just a fact. If we act on release schedules by third parties we can't maintain our own schedules. If we don't look at quality of releases either we run the risk of complaints more than "why haven't you XYZ" as it ends up as "why have you XYZ" much more loudly.
Also keep in mind that when comparing to other projects they tend to market everything they did better as sensational, but don't really tell you they avoided FreeBSD 13 with all of its benefits and haven't really put an effort into backporting their changes into this stable version either so nobody who uses FreeBSD 13 can benefit from it in the interim... which would have been a more standard FreeBSD release engineering policy. But all of this is what it is and we will reach an acceptable goal for ourselves eventually.
> One may test FreeBSD 14 kernel in OPNSense after selecting the snapshot
> opnsense-update -zkbr 14-STABLE -a FreeBSD:14:amd64
> "libcrypto.so.111" not found
> Test FreeBSD 14 kernel at your own risk!
Well to be frank you applied "-b" which breaks your userland. If you wanted to test the kernel just install the kernel... not the base
> EDIT 1: add missing -b switch in code. Solely updating kernel without base file will lead to messed-up routing.
I don't think that's true or much too broad a statement. I've been running fine with 14.1 kernels for a while now. Just don't tell others to break their installs. volatile/24.7 is a bit of an indication of what to expect and why we don't communicate it.
Cheers,
Franco
3
Intrusion Detection and Prevention / Re: Hyperscan Proprietary Licensed Software
« on: May 12, 2024, 07:12:54 pm »
Use this one if you must... https://forum.opnsense.org/index.php?topic=40431.0
4
24.1 Production Series / Re: Intel killed Hyperscan
« on: May 12, 2024, 07:12:03 pm »
Ok great, let's do IIMB next.
Cheers,
Franco
5
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 10, 2024, 09:25:05 am »
Yes, it's a trick I picked up a long time ago.
Cheers,
Franco
6
24.1 Production Series / Re: Unbound throwing sendto: invalid argument errors, Kea DHCP migration issues?
« on: May 10, 2024, 09:01:14 am »
All of this sounds like DNS woes, not DHCP in particular...
> 2024-05-09T01:06:46-06:00 Notice unbound [67860:2] notice: sendto failed: Invalid argument
It suggests you have pinned your outgoing interfaces in Unbound and it's trying to send something over an interface that is not there or not connected.
> Is Kea experimental beta right now?
It works fine for what it's trying to achieve now. It's not a full ISC DHCP replacement from the GUI yet. As I said it might just be a drift in configuration (which DNS servers are sent and where you bound Unbound to and how it's forwarding and perhaps even redirecting).
Cheers,
Franco
7
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 10, 2024, 08:58:13 am »
Was a bit late yesterday.. here are the relevant commits:
https://github.com/opnsense/plugins/commit/70de22e0c
https://github.com/opnsense/plugins/commit/e1d58710d
Will be part of 24.1.7 and an eventual hotfix of the 24.4 release.
Cheers,
Franco
8
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 09, 2024, 07:22:17 pm »
Yes, that's why the committed fix is not that... I'm aware of the mess we are in here. Python is another offender.
Cheers,
Franco
9
German - Deutsch / Re: pfSense attack on firewall, is opnsense also affected?
« on: May 08, 2024, 03:12:06 pm »
Ok, so the admin gets sent a link with a manipulated URL that points to one of the files, and then session theft is on. Does that sound plausible? And if so, why is there nothing about it in the report?
Regards,
Franco
10
German - Deutsch / Re: pfSense attack on firewall, is opnsense also affected?
« on: May 08, 2024, 03:04:16 pm »
Yes ok, we don't have the files but... huh...
The document says April 22, the commit is from February 16?
https://github.com/pfsense/pfsense/commit/4e8f6cedd9c4b32b24ac3619f84e33a9a4708a29
So how do we get from CSS and JS to XSS on the admin?
11
German - Deutsch / Re: pfSense attack on firewall, is opnsense also affected?
« on: May 08, 2024, 02:52:33 pm »
I would like to live again in a world where you don't have to take out a cookie subscription for copy+paste content.
Which CVE is it, then?
Regards,
Franco
12
German - Deutsch / Re: OPNSense not reachable after firewall start pfctl: SIOCGIFGROUP: Device not co
« on: May 08, 2024, 07:47:25 am »
Hi Thorsten,
I have seen the error sporadically over the years, but could not track down a cause -- also because it could not be reproduced directly.
It could be a problem with firewall groups -- perhaps in connection with dynamic interfaces (e.g. OpenVPN)?
Regards,
Franco
13
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 08, 2024, 07:42:32 am »
A workaround is in place in the plugins for os-squid and os-OPNProxy and seems to work.
An interim solution is to edit /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf
Change the following line from
legacy = legacy_sect
To
#legacy = legacy_sect
And execute:
# /usr/local/etc/rc.configure_firmware
A slightly better workaround that will require no user interaction will be shipped in 24.1.7
Cheers,
Franco
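The edit described in the post above, as an added example that is not part of the original post or of OPNsense: a small idempotent helper that comments out the `legacy = legacy_sect` line and keeps a backup. The function name `disable_legacy_provider` and the sample file contents are assumptions constructed for illustration; the demo runs against a temporary copy, not the real template, and the `rc.configure_firmware` step from the post is not run here.

```shell
#!/bin/sh
# Added example: comment out "legacy = legacy_sect" in an openssl.cnf-style file.
# disable_legacy_provider is a hypothetical helper, not an OPNsense tool.

disable_legacy_provider() {
    cnf=$1
    active='^[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect'
    commented='^[[:space:]]*#[[:space:]]*legacy[[:space:]]*=[[:space:]]*legacy_sect'

    [ -f "$cnf" ] || { echo "missing: $cnf" >&2; return 1; }

    if grep -q "$active" "$cnf"; then
        # Keep a backup, then rewrite the existing file so that its
        # owner and permissions stay as they were.
        cp -p "$cnf" "$cnf.bak" || return 1
        sed 's/^\([[:space:]]*\)\(legacy[[:space:]]*=[[:space:]]*legacy_sect\)/\1#\2/' \
            "$cnf.bak" > "$cnf" || return 1
        echo "commented"
        return 0
    fi

    if grep -q "$commented" "$cnf"; then
        # Second run on an already edited file: nothing to do.
        echo "unchanged"
        return 0
    fi

    # Neither form is present: report it instead of guessing.
    echo "not-found"
    return 2
}

# Demo on a constructed sample file in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '[provider_sect]' 'default = default_sect' \
    'legacy = legacy_sect' > "$demo_dir/openssl.cnf"
disable_legacy_provider "$demo_dir/openssl.cnf"
cat "$demo_dir/openssl.cnf"
rm -rf "$demo_dir"
```
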
14
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 07, 2024, 02:04:18 pm »
Ok so I guess that's it then... https://issues.redhat.com/browse/RHEL-6873
15
Web Proxy Filtering and Caching / Re: Squid 6.9 has been released
« on: May 07, 2024, 01:52:22 pm »
I think all later 6.x are affected. Come to think of it, it may be an OpenSSL 3 incompatibility...
Cheers,
Franco