Messages

Is there any desire to move towards removing the need for the LEGACY option?

I ended up switching our ports tree back to OpenSSL 1.1.1. I'm wondering if the OPNsense dev team already knows what needs to be updated for proper OpenSSL 3 support . Perhaps we in the community can send some patches to you. :-)

To start with, I know OPNsense's use of Unbound does not work with OpenSSL 3. But I'm unsure why (the DNSBL Python scripts need to be updated, perhaps?)

The custom builds I produce were based on the Dynfi build scripts. These scripts use Poudriere for building all the required OPNsense packages. One thing I would love to do is be able to provide various OPNsense plugins pre-installed in my custom image.

Poudriere supports a concept of a Ports overlay. Overlays are what they sound like: a repository that gets overlayed on top of an existing Ports repository base.

One problem I found was that the OPNsense plugins repository contains duplicated directories for existing ports entries. For example: databases/redis, dns/bind, security/tor. Trying to use the plugins repository as an overlay causes Poudriere to get confused.

I wonder if it would make sense long-term to structure the plugins repo to better support being an overlay on top of an existing ports repository. This would be a pretty major shift from how the plugins repo is handled currently. However, the plugins repository could likely be made more efficient by switching to being an overlay. The plugins repo would gain the full power of the ports framework. Long-term maintenance burden would likely be smaller since the ports framework could be relied upon.

I thought I'd pose the question here and see what people's thoughts are. Obviously someone has to put in the work, and I'd probably put myself on the volunteer list.

I'll give that a shot in m y next build. We just bought a new home and take possession of it this week, so life is about to get REAL busy. :-)

I'll report back when I have info to report. Thanks!

The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide: https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184

I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.

Hey all,

This patch fixes the build of opnsense/filterlog on FreeBSD/HardenedBSD 14: https://git.hardenedbsd.org/hbsdfw/ports/-/commit/7fb1a456593fece1fc0ea4320a34950e55d18ffc

Thanks!

Hey all,

I don't really use GitHub anymore, but I've patched pam_opnsense to compile with clang 15. This allows OPNsense to be build with HardenedBSD 13-STABLE.

Link to patch: https://git.hardenedbsd.org/hbsdfw/pam_opnsense/-/commit/8a82803fa4cc47b0d1cb909e7ecc7d7be2d636f4

Thanks!

I've experienced this issue, too.

I'm populating a UIBootgrid with some data where a column has embedded newline characters. I'd like to effectively turn them into "<br />" tags. What's the best way to do that?

I would suggest a custom formatter which can be passed in at the constructor.

Yup! Thanks for the hint!

I'm populating a UIBootgrid with some data where a column has embedded newline characters. I'd like to effectively turn them into "<br />" tags. What's the best way to do that?

The Linuxulator exists on HardenedBSD, but is not enabled by default. For 32-bit Linux binaries, a custom kernel and userland would need to be compiled/installed. 64-bit Linux binaries should run fine if linux64.ko is loaded. You will need to disable ASLR for that particular Linux binary (use hbsdcontrol for that).

As far as the linux* packages are concerned, OPNsense only ships with the packages it needs. Since OPNsense doesn't rely on anything that needs the linux* packages, they aren't built and are not in OPNsense's package repo. You'd want to enable the FreeBSD package repo and get the linux* packages from there.

syslog-ng core dump is the same as 20.1: during service stop it clashes against HBSD and crashes rather than exiting. Since 20.1 syslog-ng is becoming the core syslog daemon so it is even active in local scenarios. Documentation and GUI representation will change accordingly in the coming months.

Hey Franco,

Has a bug report been filed in HardenedBSD's self-hosted git instance? I'd be happy to take a look at the issue, especially if reproduction steps can be provided.

Can you boot with vm.pmap.pti set to 0 in the boot loader?

I got it working in a weird way. I had to add:

Code Select Expand


<style>tokenize</style>


to the setting in question in the core.git/src/opnsense/mvc/app/controllers/OPNsense/product/forms/generalSettings.xml

I've attached a screenshot.

A few days later, I'm still just as puzzled. Does anyone have any ideas?