Topics - lattera

#1
The custom builds I produce were based on the Dynfi build scripts. These scripts use Poudriere for building all the required OPNsense packages. One thing I would love to do is be able to provide various OPNsense plugins pre-installed in my custom image.

Poudriere supports a concept of a Ports overlay. Overlays are what they sound like: a repository that gets overlaid on top of an existing Ports repository base.

One problem I found was that the OPNsense plugins repository contains duplicated directories for existing ports entries. For example: databases/redis, dns/bind, security/tor. Trying to use the plugins repository as an overlay causes Poudriere to get confused.

I wonder if it would make sense long-term to structure the plugins repo to better support being an overlay on top of an existing ports repository. This would be a pretty major shift from how the plugins repo is handled currently. However, the plugins repository could likely be made more efficient by switching to being an overlay. The plugins repo would gain the full power of the ports framework. Long-term maintenance burden would likely be smaller since the ports framework could be relied upon.

I thought I'd pose the question here and see what people's thoughts are. Obviously someone has to put in the work, and I'd probably put myself on the volunteer list.
#2
The script that populates the pf alias tables needs a particular environment variable defined. This commit defines it system-wide: https://git.hardenedbsd.org/hbsdfw/HardenedBSD/-/commit/c71238a6229bdc0aa8ada9f627a5a898dd7f9184

I'm not entirely sure this is the best workaround. A more proper fix would be to migrate to newer OpenSSL APIs. This workaround seems to get aliases usable, at least.
#3
Hey all,

This patch fixes the build of opnsense/filterlog on FreeBSD/HardenedBSD 14: https://git.hardenedbsd.org/hbsdfw/ports/-/commit/7fb1a456593fece1fc0ea4320a34950e55d18ffc

Thanks!
#4
Hey all,

I don't really use GitHub anymore, but I've patched pam_opnsense to compile with clang 15. This allows OPNsense to be built with HardenedBSD 13-STABLE.

Link to patch: https://git.hardenedbsd.org/hbsdfw/pam_opnsense/-/commit/8a82803fa4cc47b0d1cb909e7ecc7d7be2d636f4

Thanks!
#5
I'm populating a UIBootgrid with some data where a column has embedded newline characters. I'd like to effectively turn them into "<br />" tags. What's the best way to do that?
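One way to do this in a bootgrid cell formatter, as an added example that is not part of the original post. It assumes jquery-bootgrid's `formatters[name](column, row)` signature and that the column's `<th>` carries `data-formatter="multiline"`; the point is to HTML-escape the field first, because bootgrid inserts formatter output as raw HTML.

```javascript
// Added example (not from the forum post): a jquery-bootgrid cell formatter
// that turns embedded newlines into <br /> tags without opening an HTML
// injection hole. bootgrid inserts formatter output as raw HTML, so the
// field content must be escaped BEFORE the <br /> tags are added.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape first, then convert CRLF, CR or LF into line breaks.
// Order matters: escaping after inserting <br /> would neutralise the tags.
function newlinesToBr(text) {
  if (text === null || text === undefined) {
    return "";
  }
  return escapeHtml(text).replace(/\r\n|\r|\n/g, "<br />");
}

// bootgrid formatter signature: formatters[name](column, row).
// Applied to any column declared with data-formatter="multiline".
const formatters = {
  multiline: function (column, row) {
    return newlinesToBr(row[column.id]);
  }
};

// Constructed sample row (includes an attempted script injection) for the demo.
const sampleRow = {
  description: "first line\nsecond line\r\n<script>alert(1)</script>"
};
console.log(formatters.multiline({ id: "description" }, sampleRow));

// Assumed wiring: pass the formatters through UIBootgrid's bootgrid options,
// e.g. $("#grid").UIBootgrid({ search: "...", options: { formatters: formatters } });
```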
#6
I'm writing some enhancements to OPNsense and am somewhat stuck. I'm including two screenshots. I've modeled my "Interfaces" dropdown to be similar to that of the IDS "Interfaces" dropdown. For some reason, my dropdown isn't populating until I click the "Clear All" link. Upon clicking that link, the relevant interfaces appear.

I've hit my head against the wall for a couple of days now and I can't figure out what's going on. I'm hoping someone has hit this same issue and has some pointers. I also don't see any JavaScript errors or network errors (all responses are HTTP 200 OK).

In case the attached images fail to work here, I've uploaded the screenshots here: https://imgur.com/a/qNLseS7

(Apparently, the screenshots exceed the max allowed size, so please use that imgur link above.)
#7
I've created a new script for rc.syshookd/early. It gets installed in my dev build, but with the wrong perms. Instead of being 755, it's 644. On my local filesystem, it's committed as 755. I'm unsure why the discrepancy exists.
#8
Subject says it all. ;)

I'm working off of a private gitlab instance and would like to upstream some patches. How would OPNsense like to approach upstreaming patches where the downstream repo does not reside on GitHub?
#9
It has been a while since I last did any development in core.git. I've made my initial DVD ISO image of a custom build of OPNsense 20.7. After building that initial DVD ISO, I made changes to core.git.

I tried running `make clean-dvd clean-core dvd` to try to pick up the changes I made to core.git (related to Suricata), but the newly-built DVD ISO didn't pick up the changes. Am I missing a step or doing something wrong?

Any non-XKCD pointers would be very much appreciated. Thanks! :)
#10
I've started working on a C-based API library (libopnsenseapi). I've noticed that the API documentation ( https://docs.opnsense.org/development/api.html ) is lacking. I'm looking for a description of the JSON objects that get returned from each API endpoint.

For example, when I call `https://opnsense.local/api/core/firmware/getfirmwareconfig`, what is the JSON object that gets returned to me going to look like? I will need to parse the JSON object in a way that makes sense for that particular API endpoint.

It seems to me that right now, I'll need to enumerate each API endpoint to determine what gets returned. Since some of those endpoints cause config changes, I'm a bit wary of doing that.

edit[0]: accidentally hit the "Save" button before I finished writing this post.
#11
Hey all,

How soon after hitting the "go" button to "order" the free ET Pro Telemetry Edition ruleset should I get the email with the token?
#12
Attempting to install 19.1-rc1/amd64 on an APU4c4, the installer fails when it's trying to cpdup into /usr/local. Screenshots linked below:

https://photos.app.goo.gl/DhCeDMHXTV4yMTcm6

https://photos.app.goo.gl/31FJd2xEDonahhrW9

https://photos.app.goo.gl/2kUkd2uHbVHTe1Z9A
#13
It is with pleasure that I announce the Call-For-Testing (CFT) for SafeStack in the OPNsense ports tree. While SafeStack is already deployed for the base operating system, it has not yet been applied to the ports tree (which contains third-party software). This CFT applies SafeStack to the ports tree.

SafeStack is an exploit mitigation developed by the clang/llvm folks. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfills that dependency by including HardenedBSD's ASLR implementation, which follows PaX's design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to his/her advantage.

To help test, please follow these procedures. Please note that the SafeStack CFT package repo uses LibreSSL instead of OpenSSL as the default crypto library.

1. Login to the web GUI.
2. Click on the System tab.
3. Click on the Firmware subtab.
4. Click on the Settings subtab.
5. Change "Firmware Flavour" to "(other)" and type in "17.1/safestack" into the text field that will appear below. Remove the double-quotes.
6. Check for and apply updates.
7. Reboot your OPNsense firewall.
8. Add a reply to this thread letting us know the status of your testing. Success stories are just as important as bug reports.

A sample screenshot with the firmware settings has been attached.

To relate the importance of SafeStack (and exploit mitigations in general), take a look at this article I wrote: https://github.com/lattera/articles/blob/master/infosec/Exploit%20Mitigations/General/2017-03-21-importance/article.md

I'm excited to see OPNsense be the first firewall distribution to ship with SafeStack.

#14
I've now finished porting over HardenedBSD's ports PIE with RELRO + BIND_NOW support. If you make your own builds of OPNsense and you're feeling adventurous, give the hardening/pie ports feature branch a try: https://github.com/opnsense/ports/tree/hardening/pie

HardenedBSD is currently running a package build for their 12-CURRENT/LibreSSL/amd64 repo. Once that is done, I will do an experimental run (aka, exp-run) to make sure there aren't dragons lurking in corners. If the exp-run finishes successfully, I plan to merge the feature branch into master.
#15
Over the past year, I have had the wonderful experience of working with the OPNsense core team in porting over HardenedBSD's robust ASLR implementation. It is with pleasure and humility that I have accepted their invitation to join the core team. My overarching goal will be to port the main features of HardenedBSD to OPNsense.

Address Space Layout Randomization, or ASLR for short, is an exploit mitigation technology that aims to make certain kinds of vulnerabilities harder to successfully exploit. In order to fully apply ASLR, applications must be compiled as a Position-Independent Executable (PIE). In the short term, my next goal is to enable PIE fully across OPNsense's ports tree. As this is a feature HardenedBSD also needs, I'm using HardenedBSD's ports tree and package building infrastructure as a test bed prior to importing into OPNsense.

OPNsense is investigating migrating to 11.0-RELEASE for its 17.1 release. The Virtual Memory (VM) subsystem has changed drastically between FreeBSD 10 and FreeBSD 11. Since ASLR deals with the VM subsystem, extreme care must be taken in the update of the codebase from FreeBSD 10.3 to 11.0. I will assist in those efforts by freshly porting over the ASLR implementation from HardenedBSD 11.0 to OPNsense's FreeBSD 11.0 codebase.

I look forward to being a part of the OPNsense core team. The coordination between HardenedBSD and OPNsense will bring a more solid foundation on which home users and enterprises alike can build secure and scalable networks.

Stay safe,

Shawn Webb, on behalf of the OPNsense team.
#16
Hey All,

I've been thinking about this quite a bit for the past few weeks. My life is getting busier and busier and my available hobbyist time is diminishing. I've decided to scale back on a few items, including producing custom OPNsense builds based on HardenedBSD. Doing so takes a good chunk of my time from my main project (HardenedBSD). I will be focusing more of my efforts on HardenedBSD.

In talking with Franco, I'm happy to continue providing patches to OPNsense on behalf of HardenedBSD. My next goal is to help OPNsense implement PIE (and maybe with RELRO + BIND_NOW) across the board for both base and ports. I hope to have that both started and completed sometime in July. I feel I'll take more of a consulting role rather than the custom build producer role.

I'm excited for all the great things OPNsense is doing, especially with regards to security. If you have any questions, comments, or concerns, please let me know.

Editing this to comment: even though I'm scaling back right now doesn't mean that I won't resume doing HardenedBSD-based builds in the future. I've loved doing my own builds and seeing HardenedBSD running on my hardware firewall appliances. If my available hobbyist time increases in the future, I may pick up custom builds again.

Thanks,

Shawn Webb
#17
16.7 Legacy Series / New HardenedBSD Build
March 06, 2016, 03:56:49 PM
I'm excited to announce yet another experimental OPNsense + HardenedBSD build! This build brings OpenSSL updates along with more HardenedBSD 11-CURRENT goodness. Also in the build is a brand spankin' new feature called Integriforce Whitelist.

Integriforce is a feature in which all executable files, along with the shared objects they depend on, are hashed. The hashes are loaded into the kernel and when it comes time to execute an application, the hash is checked. If the hash doesn't match, execution is forbidden. Where whitelisting comes into play: if an application or the shared objects it depends on are not in the list of hashes at all, execution is forbidden.

So, you get two things: data integrity of executables and application whitelisting. The NSA recently stated that application whitelisting along with exploit mitigations make their lives extremely difficult.

I haven't had the time to fix wireless (major changes involved), debug pfsync, or fix binary updates. So those usual caveats apply here. To update an existing installation: backup your config, reinstall, restore your config.

Download here
#18
Hey All,

I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-08-16.1/

Future things to work on:

  • Wireless isn't working. This is likely due to the new 802.11 stack in FreeBSD 11-CURRENT causing issues with the network interface code in OPNSense. Part of the problem is that the raw wireless device is now hidden from `ifconfig`.
  • Binary updates are currently not supported. I've yet to get time to work on binary updates. So, to update to a future version, you'll need to do the usual config backup, reinstall, config restore.
  • pfsync is still disabled. I'm unsure as to why this causes a kernel panic. If you are a C developer with time on your hands and want to tackle this, that'd be freaking awesome and very much appreciated.

For item #1, I've started work on getting wireless working with this commit: https://github.com/HardenedBSD/opnsense-core/commit/7c4dd2a6178343fa37880810ea94cadc141c0c78. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.

For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here: https://hardenedbsd.org/article/shawn-webb/2015-12-31/introducing-hardenedbsds-new-binary-updater

For item #3, I'll need help with this one. If I were to tackle this, I'd first redo the build, but with FreeBSD 11-CURRENT instead of HardenedBSD 11-CURRENT and see if the behavior matches. If it does, then it's not a problem with HardenedBSD. If it doesn't, then the behavior is specific to HardenedBSD. I currently don't have the time it would take to do these steps, but I'd certainly love to help someone debug this if they have the time.

If anyone wants to dig into the pfsync issue, here's the crash I got:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 06
instruction pointer     = 0x20:0xffffffff82c22050
stack pointer           = 0x28:0xfffffe024b62aa60
frame pointer           = 0x28:0xfffffe024b62aaf0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)