Topics - lattera

Development and Code Review / Long-term idea: Convert plugins repo to FreeBSD ports overlay
« on: November 21, 2023, 05:18:15 pm »
The custom builds I produce were based on the Dynfi build scripts. These scripts use Poudriere for building all the required OPNsense packages. One thing I would love to do is be able to provide various OPNsense plugins pre-installed in my custom image.

Poudriere supports a concept of a Ports overlay. Overlays are what they sound like: a repository that gets overlaid on top of an existing Ports repository base.

One problem I found was that the OPNsense plugins repository contains duplicated directories for existing ports entries. For example: databases/redis, dns/bind, security/tor. Trying to use the plugins repository as an overlay causes Poudriere to get confused.

I wonder if it would make sense long-term to structure the plugins repo to better support being an overlay on top of an existing ports repository. This would be a pretty major shift from how the plugins repo is handled currently. However, the plugins repository could likely be made more efficient by switching to being an overlay. The plugins repo would gain the full power of the ports framework. Long-term maintenance burden would likely be smaller since the ports framework could be relied upon.

I thought I'd pose the question here and see what people's thoughts are. Obviously someone has to put in the work, and I'd probably put myself on the volunteer list.
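The collision problem described in this post can be measured before anyone restructures the repository. The script below is an added example, not Poudriere or OPNsense code: it walks a candidate overlay tree and reports every category/port directory that also exists in the base ports tree, which is exactly the set Poudriere would see twice when the overlay is passed with `poudriere bulk -O NAME`. The two trees it builds (`ports` standing in for /usr/ports, `plugins` standing in for the plugins repo, with redis, bind and tor duplicated) are constructed sample data; the set of framework directories it skips is an assumption about the tree layout, not something the post states.

```python
"""List the port directories a candidate overlay would shadow in a base tree.

Added example, not Poudriere or OPNsense code.  Overlays are meant to add
ports, so every hit reported here is a directory that would have to be dropped
or renamed before the tree can be used as an overlay.
"""
from pathlib import Path
import tempfile

# Top-level directories that hold ports framework files rather than categories.
# Assumed layout; extend if the tree carries other non-category directories.
FRAMEWORK_DIRS = {"Mk", "Templates", "Tools", "Keywords", ".git"}


def find_overlay_collisions(base: Path, overlay: Path) -> list[str]:
    """Return 'category/port' paths present in both trees, sorted."""
    collisions = []
    for category in sorted(overlay.iterdir()):
        if not category.is_dir() or category.name in FRAMEWORK_DIRS:
            continue
        for port in sorted(category.iterdir()):
            if port.is_dir() and (base / category.name / port.name).is_dir():
                collisions.append(f"{category.name}/{port.name}")
    return collisions


def make_demo_trees(root: Path) -> tuple[Path, Path]:
    """Constructed sample trees: 'ports' plays /usr/ports, 'plugins' the overlay."""
    base, overlay = root / "ports", root / "plugins"
    for rel in ("databases/redis", "dns/bind", "security/tor", "Mk/Uses"):
        (base / rel).mkdir(parents=True)
    # net/os-wireguard is unique to the overlay and must not be reported;
    # Mk/Uses exists in both but is framework, not a port.
    for rel in ("databases/redis", "dns/bind", "security/tor",
                "net/os-wireguard", "Mk/Uses"):
        (overlay / rel).mkdir(parents=True)
    return base, overlay


def demo() -> list[str]:
    """Build the constructed trees in a temp dir and return the collisions."""
    with tempfile.TemporaryDirectory() as tmp:
        base, overlay = make_demo_trees(Path(tmp))
        return find_overlay_collisions(base, overlay)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against real trees, call `find_overlay_collisions(Path("/usr/ports"), Path("/path/to/plugins"))`; an empty list is the precondition for trying the repository as an overlay.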

Development and Code Review / Workaround for OpenSSL 3 support
« on: November 19, 2023, 10:55:20 pm »
The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide: https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184

I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.

Development and Code Review / Patch to fix opnsense/filterlog on FreeBSD/HardenedBSD 14
« on: November 15, 2023, 04:42:01 pm »
Hey all,

This patch fixes the build of opnsense/filterlog on FreeBSD/HardenedBSD 14: https://git.hardenedbsd.org/hbsdfw/ports/-/commit/7fb1a456593fece1fc0ea4320a34950e55d18ffc

Thanks!

Development and Code Review / pam_opnsense: fix compilation with clang 15
« on: May 02, 2023, 05:16:01 pm »
Hey all,

I don't really use GitHub anymore, but I've patched pam_opnsense to compile with clang 15. This allows OPNsense to be built with HardenedBSD 13-STABLE.

Link to patch: https://git.hardenedbsd.org/hbsdfw/pam_opnsense/-/commit/8a82803fa4cc47b0d1cb909e7ecc7d7be2d636f4

Thanks!

Development and Code Review / UIBootgrid and newlines
« on: July 31, 2020, 08:56:42 pm »
I'm populating a UIBootgrid with some data where a column has embedded newline characters. I'd like to effectively turn them into "<br />" tags. What's the best way to do that?

Development and Code Review / Confused about InterfaceField select_multiple dropdowns
« on: June 08, 2020, 11:10:34 pm »
I'm writing some enhancements to OPNsense and am somewhat stuck. I'm including two screenshots. I've modeled my "Interfaces" dropdown to be similar to that of the IDS "Interfaces" dropdown. For some reason, my dropdown isn't populating until I click the "Clear All" link. Upon clicking that link, the relevant interfaces appear.

I've hit my head against the wall for a couple days now and I can't figure out what's going on. I'm hoping someone has hit this similar issue and has some pointers. I also don't see any javascript errors nor network errors (all responses are HTTP 200 OK.)

In case the attached images fail to work here, I've uploaded the screenshots here: https://imgur.com/a/qNLseS7

(Apparently, the screenshots exceed the max allowed size, so please use that imgur link above.)

Development and Code Review / Adding a rc.syshook.d/early script
« on: May 27, 2020, 05:10:33 pm »
I've created a new script for rc.syshook.d/early. It gets installed in my dev build, but with the wrong perms. Instead of being 755, it's 644. On my local filesystem, it's committed as 755. I'm unsure why the discrepancy exists.

Development and Code Review / Upstreaming patches without github
« on: May 21, 2020, 09:26:33 pm »
Subject says it all. ;)

I'm working off of a private gitlab instance and would like to upstream some patches. How would OPNsense like to approach upstreaming patches where the downstream repo does not reside on GitHub?

Development and Code Review / Making iterative changes to core.git
« on: May 18, 2020, 06:47:49 pm »
It has been a while since I last did any development in core.git. I've made my initial DVD ISO image of a custom build of OPNsense 20.7. After building that initial DVD ISO, I made changes to core.git.

I tried running `make clean-dvd clean-core dvd` to try to pick up the changes I made to core.git (related to Suricata), but the newly-built DVD ISO didn't pick up the changes. Am I missing a step or doing something wrong?

Any non-XKCD pointers would be very much appreciated. Thanks! :)

Development and Code Review / API Response Objects
« on: May 03, 2020, 08:45:56 pm »
I've started working on a C-based API library (libopnsenseapi). I've noticed that the API documentation ( https://docs.opnsense.org/development/api.html ) is lacking. I'm looking for a description of the JSON objects that get returned from each API endpoint.

For example, when I call `https://opnsense.local/api/core/firmware/getfirmwareconfig`, what is the JSON object that gets returned to me going to look like? I will need to parse the JSON object in a way that makes sense for that particular API endpoint.

It seems to me that right now, I'll need to enumerate each API endpoint to determine what gets returned. Since some of those endpoints cause config changes, I'm a bit wary of doing that.

edit[0]: accidentally hit the "Save" button before I finished writing this post.

Intrusion Detection and Prevention / [SOLVED] ET Pro Telemetry Edition token
« on: February 11, 2019, 07:16:51 pm »
Hey all,

How soon after hitting the "go" button to "order" the free ET Pro Telemetry Edition ruleset should I get the email with the token?

19.1 Legacy Series / cpdup failure in 19.1-rc1 installer
« on: January 21, 2019, 08:59:30 pm »
Attempting to install 19.1-rc1/amd64 on an APU4c4, the installer fails when it's trying to cpdup into /usr/local. Screenshots linked below:

https://photos.app.goo.gl/DhCeDMHXTV4yMTcm6

https://photos.app.goo.gl/31FJd2xEDonahhrW9

https://photos.app.goo.gl/2kUkd2uHbVHTe1Z9A

17.1 Legacy Series / [Merged into 17.1.8] SafeStack in Ports
« on: May 18, 2017, 08:37:54 pm »
It is with pleasure that I announce the Call-For-Testing (CFT) for SafeStack in the OPNsense ports tree. While SafeStack is already deployed for the base operating system, it has not yet been applied to the ports tree (which contains third-party software). This CFT applies SafeStack to the ports tree.

SafeStack is an exploit mitigation developed by the clang/llvm folks. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfills that dependency by including HardenedBSD's ASLR implementation, which follows PaX's design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to his/her advantage.

To help test, please follow these procedures. Please note that the SafeStack CFT package repo uses LibreSSL instead of OpenSSL as the default crypto library.

1. Login to the web GUI.
2. Click on the System tab.
3. Click on the Firmware subtab.
4. Click on the Settings subtab.
5. Change "Firmware Flavour" to "(other)" and type in "17.1/safestack" into the text field that will appear below. Remove the double-quotes.
6. Check for and apply updates.
7. Reboot your OPNsense firewall.
8. Add a reply to this thread letting us know the status of your testing. Success stories are just as important as bug reports.

A sample screenshot with the firmware settings has been attached.

To relate the importance of SafeStack (and exploit mitigations in general), take a look at this article I wrote: https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/General/2017-03-21-importance/article.md

I'm excited to see OPNsense be the first firewall distribution to ship with SafeStack.


Development and Code Review / CFT: Ports PIE, RELRO + BIND_NOW
« on: August 17, 2016, 01:46:11 am »
I've now finished porting over HardenedBSD's ports PIE with RELRO + BIND_NOW support. If you make your own builds of OPNsense and you're feeling adventurous, give the hardening/pie ports feature branch a try: https://github.com/opnsense/ports/tree/hardening/pie

HardenedBSD is currently running a package build for their 12-CURRENT/LibreSSL/amd64 repo. Once that is done, I will do an experimental run (aka, exp-run) to make sure there aren't dragons lurking in corners. If the exp-run finishes successfully, I plan to merge the feature branch into master.
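Anyone testing the hardening/pie branch will want to confirm that a rebuilt package actually came out as a PIE with RELRO and BIND_NOW, rather than trusting the build log. The checker below is an added example and not OPNsense or HardenedBSD code; it reads only standard ELF structures (the ELF header, program headers and the dynamic section) and reports the three properties this CFT turns on. Assumptions: it handles ELF64 little-endian images only (which covers amd64 OPNsense binaries); it treats `e_type == ET_DYN` as the PIE indicator, which also matches shared libraries, and additionally reports the `DF_1_PIE` flag where the linker set it; "full RELRO" is defined as a `PT_GNU_RELRO` segment combined with `BIND_NOW`. The `build_elf` helper fabricates minimal, non-loadable ELF images purely so the example runs offline; they are constructed test data.

```python
"""Report PIE / RELRO / BIND_NOW for an ELF64 little-endian binary.

Added example, not OPNsense or HardenedBSD code.  Constants are the standard
ELF gABI / GNU extension values.  Run with a path argument to inspect a real
binary; with no argument it checks two constructed sample images.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<QQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return which link-time mitigations an ELF64 LE image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True  # a segment the loader remaps read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    flags_1 = 0
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            # Any of the three spellings of "resolve everything at load time".
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                bind_now = True
            elif tag == DT_FLAGS_1:
                flags_1 = val
                if val & DF_1_NOW:
                    bind_now = True
    # ET_DYN is set for PIEs and for shared objects alike; DF_1_PIE removes
    # the ambiguity when the linker emits it, which older linkers do not.
    return {
        "pie": e_type == ET_DYN,
        "df_1_pie": bool(flags_1 & DF_1_PIE),
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,  # read-only GOT needs both
    }


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal, non-loadable ELF64 image with the given properties.

    Constructed test data only, used so the checker can be exercised offline.
    """
    flags = DF_BIND_NOW if bind_now else 0
    dyn = [DYN.pack(DT_FLAGS, flags)]
    if pie:
        dyn.append(DYN.pack(DT_FLAGS_1, DF_1_PIE | (DF_1_NOW if bind_now else 0)))
    dyn.append(DYN.pack(DT_NULL, 0))
    dyn_blob = b"".join(dyn)
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\0" * 8  # 64-bit, LE, FreeBSD ABI
    image = bytearray(EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                                EHDR.size, 0, 0, EHDR.size, PHDR.size,
                                len(phdrs), 0, 0, 0))
    for p_type in phdrs:
        off = dyn_off if p_type == PT_DYNAMIC else 0
        size = len(dyn_blob) if p_type == PT_DYNAMIC else 0x1000
        image += PHDR.pack(p_type, 4, off, 0, 0, size, size, 8)
    image += dyn_blob
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], check_hardening(fh.read()))
    else:
        print("hardened  ", check_hardening(build_elf(True, True, True)))
        print("unhardened", check_hardening(build_elf(False, False, False)))
```

Running it over everything under /usr/local/bin and /usr/local/sbin after updating from the branch gives a quick list of packages that escaped the hardening flags, for instance because their port build system ignores LDFLAGS.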

Announcements / New Core Team Member - HardenedBSD's Shawn Webb
« on: August 15, 2016, 03:15:43 pm »
Over the past year, I have had the wonderful experience of working with the OPNsense core team in porting over HardenedBSD’s robust ASLR implementation. It is with pleasure and humility that I have accepted their invitation to join the core team. My overarching goal will be to port the main features of HardenedBSD to OPNsense.

Address Space Layout Randomization, or ASLR for short, is an exploit mitigation technology that aims to make certain kinds of vulnerabilities harder to successfully exploit. In order to fully apply ASLR, applications must be compiled as a Position-Independent Executable (PIE). In the short term, my next goal is to enable PIE fully across OPNsense’s ports tree. As this is a feature HardenedBSD also needs, I’m using HardenedBSD’s ports tree and package building infrastructure as a test bed prior to importing into OPNsense.

OPNsense is investigating migrating to 11.0-RELEASE for its 17.1 release. The Virtual Memory (VM) subsystem has changed drastically between FreeBSD 10 and FreeBSD 11. Since ASLR deals with the VM subsystem, extreme care must be taken in the update of the codebase from FreeBSD 10.3 to 11.0. I will assist in those efforts by freshly porting over the ASLR implementation from HardenedBSD 11.0 to OPNsense’s FreeBSD 11.0 codebase.

I look forward to being a part of the OPNsense core team. The coordination between HardenedBSD and OPNsense will bring a more solid foundation on which home users and enterprises alike can build secure and scalable networks.

Stay safe,

Shawn Webb, on behalf of the OPNsense team.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved