OPNsense Forum
Archive => 15.7 Legacy Series => Topic started by: franco on August 28, 2015, 12:20:07 pm
-
Hi everyone,
courtesy of Shawn Webb, here are the latest images for OPNsense on HardenedBSD. Note that upgrading does not work on these; they show the integration progress, which is: it works. :)
https://pkg.opnsense.org/snapshots/hbsd-exp-05/
Making HardenedBSD additions available by default in OPNsense is what we are aiming at for 16.1. More on this soon. Please also note Shawn's announcement over at HardenedBSD:
https://hardenedbsd.org/article/shawn-webb/2015-06-10/first-official-opnsense-images-hardenedbsd
Build number 6 is going to come out soon.
Cheers,
Franco
-
Are you moving away from FreeBSD?
-
Long answer: HardenedBSD is security goodness on top of FreeBSD, in some regards more than what OpenBSD offers without being OpenBSD underneath, some parts even better than that. HardenedBSD patches are going upstream to FreeBSD eventually. We try to adapt these patches earlier and can keep it fully compatible with FreeBSD at the same time. Bottom line is the patches make sense and work great already, so why not use them for the benefit of our users.
Short answer: No. :)
-
Thanks man! Very appreciated! ;)
-
I can't wait! Security is good!
-
Security is always a good thing.
Having OPNsense on top of HardenedBSD is even better considering we don't have to deal with OpenBSD... they annoy me with their attitudes. (Don't ask me how I know.)
I'm considering rebuilding a huge server farm (>100 servers) with HardenedBSD (currently on stock FreeBSD now).
-
Will these builds still support the same hardware that 10.2 currently does?
-
Shawn Webb here. Yeah, the HardenedBSD experimental builds support the same hardware as OPNsense. Build number six was going to happen yesterday, but will be delayed until next week at the earliest and October at the latest.
Please note that build five doesn't support binary updates, but build six will. So going from three to five (four is intentionally missing) or five to six, you'll have to back up your config, reinstall, then restore your config. Versions six and onward will have the same binary upgrade capabilities you currently enjoy with OPNsense.
-
Thank you very much for this information and your continued hard work!
-
Just a quick question, sorry for the double post. Are there plans to move exclusively to HardenedBSD as our core, or to have side-by-side releases on the same version number and OPNsense build? I am very interested in getting on board with this.
-
I can't speak for the OPNsense crew, but I'll be continuously providing builds based on HardenedBSD. I'm doing a new build now based on 15.7.15. :-) And I have all the bits in place to support binary updates along with managed secadm rule updates. Build seven will likely also include Integriforce rules for all of userland. :-)
-
New experimental builds posted! You can find them here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-06-15.7/
I still need to populate the package repo on our web server, but this build itself now supports binary updates.
-
Great news, thank you!
-
Shawn, put them on the mirror as well: https://pkg.opnsense.org/snapshots/hbsd-exp-06/
-
I'm using the new build and love it! Quick question though: the update feature isn't working in the latest build. Do you plan to add an update server/option to the list so we can simply upgrade just as the primary releases do?
-
It ought to work once I get the right bits pushed to the web server. I've got a few high-priority things going on and will hopefully take care of that part by the end of October.
-
I just documented my build setup: http://0xfeedface.org/2015/11/07/hbsd-opnsense.html
So I realize I just said that my latest build supports binary upgrades, but due to some issues with going from 15.7.16 to 15.7.18, I'm going to say that it's not possible to do a binary upgrade. There are also a few more changes I should make to the UI (like removing all the mirrors in one of the drop-downs). I'm expecting to work on a new build any time within the next 30 days. I'm slightly on the busy side these days with work and a cute wife.
Thanks to all those who are helping test this!
-
I really look forward to 11-CURRENT. :)
-
This is exciting!
-
Here's a little status update and a sneak peek:
I have an 11-CURRENT build that I'm testing out. However, there are two issues:
- pfsync kernel panic: I've disabled pfsync for now, so no HA setups.
- Wireless non-functional: The wireless stack on FreeBSD 11-CURRENT has changed quite drastically. Wireless is broken. I've filed a bug report here: https://github.com/opnsense/core/issues/480.
I've also now figured out how to build for the Netgate APU4. My next builds will contain images for: generic, netgate rcc-ve 4860, and the netgate apu4. Please be aware that this build will require a full reinstallation, but backing up and restoring your config ought to work like normal. Going forward, I'll only be using -CURRENT.
Screenshot of a working test installation on my Netgate RCC-VE 4860: http://imgur.com/XVHcZV7
-
11 on Hardened will be a great step forward with the new improvements to Suricata on the dev OPNsense builds. I simply can't wait to try them.
-
> pfsync kernel panic: I've disabled pfsync for now, so no HA setups.
Shawn, we have zero modifications in this area, can you report this upstream?
> Wireless non-functional: The wireless stack on FreeBSD 11-CURRENT has changed quite drastically. Wireless is broken. I've filed a bug report here: https://github.com/opnsense/core/issues/480.
One could argue that upstream broke it. ;)
> My next builds will contain images for: generic, netgate rcc-ve 4860, and the netgate apu4.
A little off-topic, but curious: what's the difference between generic and netgate apu4?
-
Yup. Both of these issues are caused by changes upstream (FreeBSD). Neither is caused by OPNsense.
-
Shawn, I still have the syslog port update in my queue. Will be done soon. :)
-
Cool! Thanks! It'll be another couple weeks before I can work further on the wireless issues. I've got a patch to core.git that I've yet to commit to hbsd's fork that starts the port. I need to get back with Adrian Chadd to see if the wireless issues I'm having on 11-CURRENT with hostap mode are specific to me or if he can reproduce. I'll be celebrating five years of marriage with my wife next week, so it'll be a while before I can finish this up.
-
Btw, the link in the wiki (https://wiki.opnsense.org/index.php/Software_setup#Installation_and_Initial_Configuration) to the HardenedBSD images is broken.