Messages

1

17.1 Legacy Series / Re: Jails and privilege isolation

« on: July 25, 2017, 09:02:17 pm »

How would a jail work on the edge with an IDS/IPS? Jails are virtual instances which means your pulling away from bare metal. Nice in theory and practice on all the other services you mentioned but an IDS/IPS needs the absolute raw packet to be effect at filtering. Which is a tiny part of the reason checksums are disabled on the NIC you host the listening interface on. Running unprivileged would be amazing as IDS exploits while few and far between do exist it would be nice to have at least a simple first step. No idea how to even start when it requires control over network devices which is reserved most times for OS system level.

There are very small changes to some packets when running as a VM vs bare metal from a few test I've done over the years. Not a huge amount but the same exploit to both machines have tiny difference on some packets which has a potential to be used by people far smarter then me. Trust me a monkey with a rusty nail is pretty close comparison.

ZFS on  firewall... I love ZFS. Long live the ZFS NAS! I hate ZFS pre-req's. Last thing anyone wants is a small appliance with memory being taken up for storage when it should be used for session states and IDS/IPS rules. I don't know about you but having a small appliance or machine with 2GB ram is enough for 25 devices at home to all talk with no problems that's with torrents running. Now if the installer detects the device it's being added on has 32+GB ram you have my support. At that point reporting actually matters and you have a much larger user base behind to protect and worry about.

For the web interface part I'm all ears, can you make it happen? Hey smart dev's, OP needs to start write a little code don't you think :-).

2

17.1 Legacy Series / Re: 17.1 ISO Issues

« on: July 21, 2017, 07:58:01 pm »

Special note to self - Opnsense is not packaged the same as most OS deployments. I've gotten use to using the same ISO for a VM deployment as I would for a USB creation. 1 install the rule them all! Not so with Opnsense.

Wesut - 17.1.4 stable iso download. Tried several different download sources. At least the hash was the same on all of them.

Bartjsmit - holy smokes that's a post and a half. Nice find. If I use the disk image style it works you can even be lazy and use the point click method in windows if you so choose. Can't recall the name of the application but it's linked on the downloads page when you grab the OS for a Pie. I've always used the ISO's as more drives tend to be tucked in vs the smaller images at least for history sake it's been that way.

Franco - Think you missed it my bad for not being a little more clear on the subject. PFSense ISO + Rufus = Bootable USB. That's what I'm comparing. OpenBSD 10 + Rufus = Bootable USB. Change the boot to UEFI if your using a machine with it and magic happens. About every ISO for Linux/BSD in the past few years can be moved to a USB for boot.

Guess with OpnSense you need to use the IMG files and write to usb first. Means having two separate installers floating around.

// So the point outside of strange ISO build.

When selecting the drop down on version it would be nice to have a little blurb about how to create a bootable USB. Kind of goes against what some of us old farts are use to and doesn't match standard way of deployment a lot of are use to. 

""Select the image type. Available are Nano for embedded installs, CDROM (requires 90min CD or DVD), Serial (For installation on headless systems) and VGA. Both Serial and VGA are intended for installation using a USB memory stick.""

It isn't a bad explanation on the download site just cumbersome. Fact that a poor sucker like me and seems like a few others based the the link above had to resort to forums to load the OS is a sore spot. Anyone from the original project knows ISO will boot on everything and img is a bit more tailored. Each OS has it's quarks guess IMG only for Opnsense got it. Would love to see the ISO bootable like everything else hint hint devs...

3

17.1 Legacy Series / 17.1 ISO Issues

« on: July 20, 2017, 10:04:52 pm »

First I know this is a duplicate issue... Seems it get's dropped or ignored. I have looked at the forums for weeks and just now created an account. Coming from a long time pfsense guy making the final switch after reading the release notes on there future plans. Cloud managed agents seem to scare me a little... I'm ok with you knowing I installed your stuff and the hardware it's on. I'm not ok with them leaving the word "agent" in notes as that is an active 2 way in most cases communication. You control things with agents not cool. Cloud = Mainframe, Mainframe = Other anon admin touching my stuff...

But anyway the issue at hand.

Rufus, UNetbootin, Universal USB creator to name a few all fail to create a boot-able usb. The process when it dose run takes 45 minutes. Try win 10, Win 7, Mint, and a live Ubuntu for giggles.

Is there a preferred method and if so on the downloads page can "Use this link" to create the USB be added. Some people have had success but it's a pretty standard load out and should work with any of those.

From a purely 3rd party with very little experience with OPNsense a failed USB creation turns me off pretty quickly as being an unpolished product. I've used v16 before and it wasn't bad, I quickly bailed on it as UPnP wasn't controllable to the way I needed it.