Messages

1

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 03, 2024, 05:58:09 pm »

I also do not understand why people become angry so easy.

Because they dont understand that using opnsense is a privilege. The fact that opnsense offers so much for free is not enough for them. No. They want opnsense developers to respond to their emails or posts right away and fix bugs or implement features that they want immediately because product X or product Y already has those features. They literally act like a entitled spoiled brats. If their wishes are not fulfilled in timely matter, they either start bashing developers for being lazy and irresponsible or they "threat" that they will switch to alternative solution X or Y.

God forbid they make a donation or buy Deciso hardware when opnsense is working as expected.

When the community version support is not enough for one, go bui a business licence and escalate this on the support side.

Exactly. Or go use something else.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

Exactly. Im thankful for this wonderful piece of free software.

Who's getting angry? The only person in this discussion insulting others is @alex303.

Im getting angry. However, im not insulting anyone. Im sorry if you somehow recognized yourself in what i wrote.

2

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 03, 2024, 03:43:13 pm »

Well. By that logic, lets not use computers at all. Lets get back to stone age.

Can we please go back, my life would be SO much more simple!

On a serious note, people have become so spoiled, nitpicky and entitled. They are impossible to please because "everything is broken and everything can be exploited". Sometimes when i read forums i wish opnsense team goes fully closed source and switch to subscription model only with hefty prices.

3

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 02, 2024, 11:40:45 pm »

Layers <3

https://forum.opnsense.org/index.php?topic=40654.msg199395#msg199395

But Layers mean nothing if the most front facing technology can be exploited to give remote code execution with root access.

Leave the IT space and go do something else. 

4

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 02, 2024, 10:29:00 pm »

A VPN might expose a root RCE with more or less the same probability as SSH.

It might. World war 3 might happen tomorrow. See where im going with this ? This whole thing is so blown out of proportions its ridiculous.

5

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 02, 2024, 10:10:11 pm »

And suddenly your VPN protocol has a CVE. And then people are like "Oh no you are not supposed to open a VPN to the outside." xD

Anything exposed can be potentially attacked. And if the attack surface is known, it will be mitigated.

E.G.:
https://en.m.wikipedia.org/wiki/Anti-replay

Well. By that logic, lets not use computers at all. Lets get back to stone age.

VPN is not fundamentally more secure than SSH. It's one of the most secure protocols and products existing.

Its about layers of protection not X vs Y.

6

24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

« on: July 02, 2024, 08:59:18 pm »

If you have SSH open from outside, you're doing something wrong.

Exactly. SSH from outside should always be accessed via VPN. In fact, everything from outside should go through VPN.

7

24.7 Production Series / Re: Development versions: Alpha, Beta and Release Candidate explained

« on: June 24, 2024, 01:36:11 pm »

I dont understand this freebsd vs linux craze lately. People dont seem to understand how much work is required to do something like that. Not to mention security implications that linux kernel introduces. There is a reason why both opnsense and pfsense are running freebsd under the hood. If you want linux based firewall, go use openwrt, untangle, vyos... or whatever. Im not ready to sacrifice security just to get better hardware support.

8

24.7 Production Series / Re: New Dashboard

« on: June 15, 2024, 08:57:51 pm »

We are considering the addition of a default dark theme in order to avoid theme developers playing catch-up with the changes, but not before all of 24.7 is out.

Cheers,
Franco

Please do it.

9

24.1 Legacy Series / Re: New install, cannot access web gui or ping lan interface

« on: April 14, 2024, 03:11:19 pm »

Your OPNSense device or LAN card on your PC are faulty.

10

24.1 Legacy Series / Re: CPU Temp Monitoring - OPNSense & ProxMox

« on: April 02, 2024, 07:03:18 pm »

On newer systems with support for UEFI and IOMMU, you can do ACPI Thermal Sensor pass through directly into your VM. This will allow OPNSense to read your CPU thermal diode directly and allow you to see your temperatures. On old system like yours, as Patrick said, you read your CPU temps from your hypervisor.

11

24.1 Legacy Series / Re: Leveraging the 24.1.3 release

« on: March 14, 2024, 12:52:53 am »

If you are stuck on OpenWRT, then you might as well buy a computer that can hold several network cards and build your own software defined LAN.

Stuck on what ? What are you talking about ? Im using OPNSense on my servers just like everyone in here. I am not running OpenWRT on my switch nor im advising anyone to do so. My post was directed to Patrick M. Hausen as a proof of how open D-Link enterprise switches are. You dont care about opensource, but we do.

I have a couple Mikrotik CRS level of switches, they are decent and cheap. I'm not bothered by open source or die. I also have several old Cisco 2960s and some new Extreme 5420 and 1 Netgear M4250. Pick your battles based on what you need to do or what you can afford. Work gets expensive stuff, home lab gets what I can find on ebay. All of it works within the limits of it's software at the time of purchase, some gets regular updates.

You make this post about you and what you use rather than helping TS make a right choice. Nobody cares about your proprietary overpriced closed source Cisco, Netgear and MikroTik garbage. But i do agree with your statement that you should get what you can afford. With that said...

If you dont need PoE, go get D-Link DGS-1210-10 for 99$
If you need PoE, go get D-Link DGS-1210-10P for 160 $

Stick to the topic.

12

24.1 Legacy Series / Re: Leveraging the 24.1.3 release

« on: March 13, 2024, 11:25:50 am »

MikroTik is not open source.

But D-Link is?

Yes.

You can even run OpenWRT on it.

https://openwrt.org/toh/d-link/dgs-1210

13

24.1 Legacy Series / Re: Leveraging the 24.1.3 release

« on: March 12, 2024, 11:44:02 pm »

MikroTik is not open source.

14

24.1 Legacy Series / Re: Leveraging the 24.1.3 release

« on: March 12, 2024, 06:41:07 pm »

D-Link DGS-1210-08P

15

24.1 Legacy Series / Re: Upgraders beware

« on: February 13, 2024, 05:26:34 pm »

I too borked two systems.

Me too. But, if im unable to resolve the issue, i wont come to this forum and create a thread with subject "Upgraders beware". Title like that is suggesting that there is something very wrong with opnsense and that you should not upgrade.

just because your particular configuration is fine, doesn't mean a different setup is.

That statement goes both ways.