OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Bluewind on December 18, 2017, 03:11:12 am

Title: Automatic Updating - Set It & Forget It
Post by: Bluewind on December 18, 2017, 03:11:12 am
Seems like every week there is a new flaw in cheap residential routers used around the world. Worst problem is the flaws rarely get fixed.

I'd like a feature called "the parents mode." This is a mode in which OPNsense automatically updates itself. I'd like to remove the cheap, plastic router from my parents' house and replace it with an inexpensive, low-energy PC running OPNsense. Just set it up with an auto update and an auto restart in case of failure mode. Millions of smart people would install this in their parents' home.

Thanks.
Title: Re: Automatic Updating - Set It & Forget It
Post by: franco on December 18, 2017, 07:16:21 am
Hi Bluewind,

You can already set an update cron job under System: Settings: Cron that will suit your requirement for minor updates and required reboots if necessary. There is also a parameter to do the same for major updates, but you will need to search the forum or GitHub, as we would rather not encourage running this because of not knowing which incompatibilities will arise over the next few years, and we use the major updates to do "clean breaks" to get rid of those that may require manual intervention as stated in the supplied release notes.



Cheers,
Franco
Title: Re: Automatic Updating - Set It & Forget It
Post by: xinnan on December 18, 2017, 08:40:10 am
I'd create that with a delay. I don't care what distro we are talking about, updates often crash a bunch of units. The problems get reported and a fix is released. Auto update would most likely lead to auto crash. My experience anyway. An exception may be if you were using exactly the same hardware that the OPNsense team was developing and testing with.
Title: Re: Automatic Updating - Set It & Forget It
Post by: bartjsmit on December 18, 2017, 08:55:46 am
Hi Bluewind,

Perhaps a compromise would be to install a VPN connection to your parents' router and ensure it has a configuration very close to your own.

That way you could test new updates and, once you're convinced they are trouble-free, upgrade their OPNsense.

Bart...
Title: Re: Automatic Updating - Set It & Forget It
Post by: franco on December 18, 2017, 09:18:48 am
xinnan: something like this is planned, but still trying to wrap my head around it https://github.com/opnsense/core/issues/1798
Title: Re: Automatic Updating - Set It & Forget It
Post by: xinnan on December 18, 2017, 10:47:43 am
I would feel very confident with auto update on hardware used and sold by OPNsense, assuming updates were tested on all the hardware sold in the last few years. This would be a case where I'd see an advantage in buying from the sponsor's store.
Title: Re: Automatic Updating - Set It & Forget It
Post by: franco on December 18, 2017, 12:17:36 pm
We cannot recommend auto-updates through major versions as we need a way to trickle breaking changes into the project to move forward on occasion. I'll gladly stress that point. :)


Cheers,
Franco
Title: Re: Automatic Updating - Set It & Forget It
Post by: xinnan on December 18, 2017, 02:42:18 pm
Yep - Be sure to let me know when support for 64-bit systems runs out and it's 128-bit only.

You may need a Ouija Board or at least some smelling salts and a heater...
Title: Re: Automatic Updating - Set It & Forget It
Post by: Bluewind on December 19, 2017, 02:29:10 pm
Appreciate the thoughts of all. Forget OPNsense for a minute. I'm a security guy. I manage risk for enterprises and now risk for my parents/family. No doubt updating systems whether it is an enterprise running Windows 7, gas utilities running an industrial control system that prevents explosions, or my parents' "piece of garbage" router that has now been hijacked and is part of a botnet, are all problematic. In many breaches in the US (I'm most familiar with these), one of the reasons for the breach is that the system was not updated. The credit reporting agency, Equifax, which just had a huge breach is just one example. WannaCry malware is another example. Etc, etc.

So as a risk person, you know that not updating is likely to cause problems. The act of updating occasionally causes minor issues and in rare cases causes major issues. For me, I'll deal with the rare instance in which an update causes a problem (maybe I need to drive to Mom's house with a new USB image). In cybersecurity, the only way to eliminate risk is to disconnect from the Internet (and also not use USBs). Risk is inherent. Eliminate/mitigate smartly. I am much more concerned about likely issues which cause problems.

Build into the upgrade system safeguards. Microsoft has this same problem with millions of PCs. Occasionally upgrades break. Have a rollback capability. Wait a short period of time to hear positive results before flipping the "must upgrade switch." Only flip the switch when the problem is severe.

Not doing bad is not good enough.

Thanks.
Title: Re: Automatic Updating - Set It & Forget It
Post by: franco on December 20, 2017, 07:18:08 am
Hi Bluewind,

"So as a risk person, you know that not updating is likely to cause problems. The act of updating occasionally causes minor issues and in rare cases causes major issues. For me, I'll deal with the rare instance in which an update causes a problem (maybe I need to drive to Mom's house with a new USB image)."

That's one of the smartest things I've seen in a while. People (myself included) tend to get lazy and forget updates because "it works" or they have everybody screaming at them for a dropped internet connection or mail flow.

That being said, the firmware update and a scheduled reboot do what you want. Maybe we want to add an option to always reboot to make that mix more autonomic and avoid spurious reboots?

And for reference, the cron parameter for allowing major updates is:

ALLOW_RISKY_MAJOR_UPGRADE


Cheers,
Franco
Title: Re: Automatic Updating - Set It & Forget It
Post by: Bluewind on December 21, 2017, 05:47:56 am
Thanks for the compliment. As a developer you certainly get kicked when the occasional problem happens. No one is thanking you for the 99.999% of the time everything works right. So your perception of the issue gets affected by the undeserved grief you get. So thanks for getting it right almost every time :).

Let me present the issue in a different way... If your government said to you, what is the best way to protect our citizens from criminal/nation states/etc.? Choice 1: A cheap plastic router typically made in China [perhaps this is another issue to worry about] which is never touched by the consumer for the five years it sits in their residence and never updated by the manufacturer. Or choice 2: A router like OPNsense updated regularly [or even better, an OPNsense router]? The answer would obviously be choice 2 except that today, choice 2 requires some degree of Internet knowledge.

My ultimate hope is that a version of OPNsense is developed similar to how the cheap plastic router works. There is a default installation that 99.99% use with one-click. For those who have the knowledge, they set up OPNsense just like they do today. Modify it, play, do whatever. The previously mentioned default install and the modified version both get updated with the default install automatically updated.

Go back to my question. Set it and forget it for me ultimately means I plug it in at my parents' house. Never touch it for five years. It updates automatically. It provides almost perfect security and that is better than any other solution.

Think about all of the cheap plastic routers that are now hijacked and are part of botnets. Do you think any OPNsense router is in a botnet?

A default version of OPNsense that is updated automatically is 1,000% more secure than any cheap plastic router. So that is my vision of "OPNsense everywhere."

Thanks.