1
2
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 07:25:35 pm »
Yes, opnsense-revert will give you the latest snapshot in this case. One caveat applies: your firmware mirror needs to sync the latest snapshots or use the main mirror as a workaround.
Cheers,
Franco
3
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 05:59:26 pm »
# opnsense-revert -z miniupnpd
Final confirmation would be good. Obviously thanks to all involved in making this happen.
4
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 05:07:12 pm »
It has been committed to FreeBSD ports now.
Cheers,
Franco
5
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 05:02:10 pm »
Fair enough. Doesn't help to rectify the situation of the past 3 months though.
6
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 03:58:43 pm »
Ok so it was actually November 2023 when this was introduced:
https://github.com/freebsd/freebsd-ports/commit/81e8bb983432251
libpfctl use was added via custom patches not found in upstream.
So now when we try to update to upstream 2.3.6 we have to deal with breakage in that custom scripting and I don't see why anyone other than the author should deal with this.
You can also see nobody cared to add 2.3.4 and 2.3.5 in the meantime.
Now the FreeBSD bug report exists since February 2024. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277226
The maintainer of libpfctl has not cared to work on it most likely because the report comes from OPNsense and as per his view we should fix our own problems.
Now in May 2024 this was also reported to pfSense, proving that it is not an OPNsense issue. It's a FreeBSD issue. https://redmine.pfsense.org/issues/15470
It was fixed within two days with the patch here https://github.com/pfsense/FreeBSD-ports/commit/6e7d96166c051
Apparently that is the same author from November who said we should work on our own issues... updating miniupnpd and adjusting the libpfctl code accordingly.
But that code never went to FreeBSD ports where it belongs. Incidentally the author is on CC in the February issue raised in FreeBSD.
I have appended his patch to the FreeBSD ticket. The standard procedure is that someone with a commit bit will bring it into the tree. I can't do more than this.
I also believe that I shouldn't have to chase an issue for a couple of months only to find out the author doesn't even want to bring his patch to FreeBSD ports and/or isn't interested in maintaining miniupnpd after making it unmaintainable for 99% of the contributors by adding libpfctl custom patches instead of working with upstream to integrate them.
I've fixed several libpfctl issues in FreeBSD base in the past that have negatively impacted our production releases because they were added to FreeBSD 13 stable branch hastily.
I know some people don't see it this way but intentionally harming OPNsense and effectively also FreeBSD with a power play over who can do what commit in FreeBSD is not a good idea.
In closing: the ball is in the court of FreeBSD now. A bug report was raised and a seemingly appropriate patch was posted. Somebody with a commit bit needs to commit it. It's the standard procedure, but it should (and could) have been taken care of weeks ago in my opinion.
Cheers,
Franco
7
24.1 Production Series / Re: [SOLVED] rsync not working: missing libcrypto.so.11
« on: May 29, 2024, 01:23:30 pm »
I don't know why they wouldn't show up when:
# pkg info ntp
For example this yields the expected result of pkg telling you about the installed ntp package instead of throwing an error.
Cheers,
Franco
8
General Discussion / Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« on: May 29, 2024, 01:21:03 pm »
9
Announcements / OPNsense 24.1.8 released
« on: May 29, 2024, 12:48:40 pm »
Hello, hello,
The endless loop packet read in the new dhcrelay daemon has been fixed.
A new kernel is included in this release bringing the latest stable/13
state in the relevant networking areas. A number of small changes have
also been made. Thanks for all the reports and support!
To spread the news... 24.7 will be based on FreeBSD 14.1. Stay tuned.
Here are the full patch notes:
o system: fix regression in gateways migration causing far gateway option to be set incorrectly
o system: work around fatal password_hash() change in PHP 8.2.18
o system: move net.inet.icmp.drop_redirect sysctl to automatic mode
o system: add Google Drive configuration as an XMLRPC sync target
o interfaces: detect and ignore "detached" state for IPv6
o interfaces: remove unused imports from sockstat list
o firewall: use the new $.replaceInputWithSelector() for source/destination networks in MVC filter pages
o firewall: fix empty rule label rendered as "null" on sessions page
o ipsec: fix faulty "-" usage in URIs
o isc-dhcp: take into account that multiple ia-pd can be delegated
o kea-dhcp: simplified the controller code
o unbound: change blocklist processing in _blocklist_reader()
o unbound: allow RFC 2181 compatible names in query forwarding
o mvc: silence spurious validation message when explicitly asked to ignore them
o ui: prevent vertical modal overflows and instead present a scrollbar
o ui: add $.replaceInputWithSelector() action
o ui: handle static page CSRF without Phalcon
o plugins: os-caddy 1.5.6[1]
o src: pfsync: fix use of invalidated stack variable
o src: pfsync: cope with multiple pending plus messages
o src: ipfw: skip to the start of the loop when following a keep-state rule
o src: bridge: use IF_MINMTU
o src: bridge: change MTU for new members
o src: ethernet: support ARP for 802 networks
o src: ethernet: fix logging of frame length
o src: debugnet: fix logging of frame length
o src: wg: use ENETUNREACH when transmitting to a non-existent peer
o src: fib_algo: lower level of algorithm switching messages to LOG_INFO
o src: libpfctl: fix incorrect pcounters array size
o src: pf: always mark states as unlinked before detaching them
o src: vxlan: add checking for loops and nesting of tunnels
o src: igc: increase default per-queue interrupt rate to 20000
o ports: dhcrelay 0.5 fixes endless loop on packet read
o ports: hyperscan 5.4.2[2]
o ports: libxml 2.11.8[3]
o ports: ntp 4.2.8p18[4]
o ports: openssl fix for CVE-2024-4603
o ports: phalcon 5.7.0[5]
o ports: py-duckdb 0.10.3[6]
Stay safe,
Your OPNsense team
--
[1] https://github.com/opnsense/plugins/blob/stable/24.1/www/caddy/pkg-descr
[2] https://github.com/intel/hyperscan/releases/tag/v5.4.2
[3] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[4] https://www.ntp.org/support/securitynotice/4_2_8-series-changelog/#428p18
[5] https://github.com/phalcon/cphalcon/releases/tag/v5.7.0
[6] https://github.com/duckdb/duckdb/releases/tag/v0.10.3
10
24.1 Production Series / Re: [SOLVED] rsync not working: missing libcrypto.so.11
« on: May 29, 2024, 12:27:39 pm »
Only by reinstalling all installed packages. The information cannot be re-gathered from the system state.
Generally most of it can be recovered as described here, but that only works for the core system and not manually added packages.
https://forum.opnsense.org/index.php?topic=40597.0
Cheers,
Franco
11
24.1 Production Series / Re: Duplicate and growing number of entries in Universal Plug and Play: Status
« on: May 29, 2024, 12:25:58 pm »
No, I'm not going to touch this mess. libpfctl was introduced to the FreeBSD port in October last year. If the maintainer of libpfctl wants to maintain it he can, but so far he doesn't seem to be interested. I'm not going to spend more time on it than I already have.
Cheers,
Franco
12
General Discussion / Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« on: May 29, 2024, 11:02:44 am »
NAXSI is built into the nginx binary package and to my knowledge the nginx plugin will also handle a bit of that.
Cheers,
Franco
13
24.1 Production Series / Re: DHCP relay stops working in 24.1.6
« on: May 29, 2024, 10:45:12 am »
You were the one on GitHub with the iptables workaround?
In any case I'm not sure whether the older client handled this differently and/or which behaviour is the correct one.
We will probably chase down one or two more problems in the mid-term so any data point is appreciated.
Cheers,
Franco
14
General Discussion / Re: Seeking Guidance on Integrating OWASP Principles into OPNsense Firewall
« on: May 29, 2024, 09:33:26 am »
True, yet to be fair here a WAF allows you to mitigate these problems when you have no direct control over the application / updates / vendor being lazy.
Cheers,
Franco
15
24.1 Production Series / Re: [SOLVED] rsync not working: missing libcrypto.so.11
« on: May 29, 2024, 09:30:55 am »
The GUI lists the same as pkg-info, but this only works for *registered* packages. So either manually installing a binary from a source repo or losing the package database due to corruption can end up with what you are seeing.
There is no way to list binaries installed that are not known to the package system. I mean there would be ways to script this, but the amount of work vs. the point in having it is difficult to reason about...
Maybe as a piece of info for you or others. You can list packages able to be installed from the binary repository as such:
# pkg search rsync
librsync-2.3.4 Library for delta compression of streams
rsync-3.3.0 Network file distribution/synchronization utility
Or list all the remote packages available:
# pkg rquery "%n %dv %c"
Cheers,
Franco
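As an added example (this is not Franco's code nor part of OPNsense), here is the kind of scripting alluded to above: a POSIX sh helper that asks pkg(8) which package owns each file under a directory and parses the answer for paths the package database does not recognise. That is the integrity check a defender wants when a box shows the symptom from this thread, a binary present on disk but unknown to pkg-info. The wording of the `pkg which` output it parses is an assumption stated in the comments, and the sample output embedded in the block is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the forum post or the OPNsense project.
# Finds files the FreeBSD package database does not know about by parsing
# the output of `pkg which`. Assumed output wording (check on your host):
#   /usr/local/bin/rsync was installed by package rsync-3.3.0
#   /usr/local/bin/foo was not found in the database

# Constructed sample of `pkg which` output used for the offline demo below.
SAMPLE_WHICH_OUTPUT='/usr/local/bin/rsync was installed by package rsync-3.3.0
/usr/local/bin/dropped-in-binary was not found in the database
/usr/local/sbin/miniupnpd was installed by package miniupnpd-2.3.6'

# Reads `pkg which` output on stdin; prints the paths pkg could not attribute
# to any installed package (candidates for manual installs or a lost pkg db).
unregistered_from_which_output() {
    awk '/ was not found in the database$/ { print $1 }'
}

# Reads `pkg which` output on stdin; prints "path package" for every file
# that the package database does attribute to a package.
registered_from_which_output() {
    awk '/ was installed by package / { print $1, $NF }'
}

# Live check: hand every regular file below DIR (default /usr/local/bin) to
# pkg which and print the unregistered ones. Requires pkg(8), so this only
# does something useful on FreeBSD/OPNsense; the parsers above need no pkg.
scan_unregistered() {
    dir="${1:-/usr/local/bin}"
    find "$dir" -type f -print0 | xargs -0 pkg which 2>/dev/null \
        | unregistered_from_which_output
}

# Offline demo on the constructed sample when run as: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "unregistered files:"
    printf '%s\n' "$SAMPLE_WHICH_OUTPUT" | unregistered_from_which_output
    echo "registered files:"
    printf '%s\n' "$SAMPLE_WHICH_OUTPUT" | registered_from_which_output
fi
```

The two parsers are deliberately separate from the live scan so the logic can be exercised on saved `pkg which` output (or on the constructed sample) without touching pkg, and so the same output can be diffed across hosts. A file listed as unregistered is not proof of tampering: a build installed from source lands there too, which is exactly the case the post describes, but it is the list you want to reconcile before trusting pkg-info as an inventory.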