Messages - franco

17731
15.1 Legacy Series / Re: ssl problem
« on: January 30, 2015, 05:01:44 pm »
On the box in the shell type:

cp /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf

This is a regression that I introduced while switching to OpenSSL port 1.0.1l. A fix was already committed a few days ago and will be part of 15.1.4. Sorry for the trouble.

17732
Hardware and Performance / Re: Hardware support for Watchguard?
« on: January 24, 2015, 08:21:13 pm »
The hardware specs look pretty low, but it is generally supported. We do not have the minimalist-embedded approach so it might not fit on a small memory card. Work will be done to make embedded setups more viable in 15.7. I couldn't possibly say more other than try it if you have the time, or wait a while till we tackle the embedded setups cleanly. Hope that helps.

17733
Announcements / OPNsense 15.1.3 released
« on: January 24, 2015, 06:14:59 pm »
Hello everyone,

this week we took PHP’s stable update(1) as a subtle hint to release another stable cut. Here are the most prominent changes:
  • notable package upgrades: php 5.6.5 and friends, pkg 1.4.7
  • added a dropdown searchbox for interfaces in rules screen
  • fixed the missing theme issue when importing older configurations
  • fixed a bug with the user manager
  • firmware upgrades stabilisation pass
  • various bootstrap enhancements

Firmware upgrade via the GUI is feasible, images can be found here as well: https://sourceforge.net/projects/opnsense/files/

We are actively looking for feedback of your upgrade experiences. Thank you and have fun--responsibly of course.

(1) http://php.net/ChangeLog-5.php#5.6.5

17734
Development and Code Review / Re: is opnsense based on standard FreeBSD
« on: January 21, 2015, 08:23:02 pm »
Eventually, all custom patches should either go away and be replaced with a more standards-compliant way of doing things, or patches must be polished and pushed to FreeBSD. We are not there yet, but this is an important issue we do pursue.

Especially tricky are ABI issues between userland and the kernel, which is the real trouble of the legacy way as opposed to the FreeBSD way. The userland may differ on top of a unified ABI, and I think all of the work we do will live in ports and packages by then.

17735
15.1 Legacy Series / Re: cloud images
« on: January 21, 2015, 08:16:01 pm »
FreeBSD has recently added support for a few platforms... azure, gce and openstack. We ought to talk a little bit more about specifics as each deployment differs subtly, but won't work well without these modifications at all.

17736
Announcements / OPNsense 15.1.2 released
« on: January 18, 2015, 08:08:39 pm »
Hi folks,

some of you have been wondering; now wonder no more: the next stable release is here. From the changelog:

* firmware upgrade experience improvements
* FreeBSD SA-15:01 with multiple OpenSSL fixes
* OpenSSL from ports now brings you the latest and greatest 1.0.1l
* pkg 1.4.6 hot off the press

The images can be found here: https://sourceforge.net/projects/opnsense/files/

This is mostly motivated by the latest OpenSSL issues, although I must say we work on giving libressl a chance soon and make a final decision about the library that we are going to stick to from 15.7 on. Any help here is appreciated. :)

Recommended ways of upgrade:

(1) Upgrade via the GUI, make sure you restart the box so that no service will run on vulnerable binaries. The base OpenSSL will *not* be updated at this point, so if you don't fully trust the port just yet try (2).

(2) Take your favourite image, boot up the device or VM with the new install image. In the installer, choose "Import Configuration" and if all is well, continue with the Easy/Quick install. This way makes sure all of the base system is replaced.

17737
General Discussion / Re: ZFS / Boot Environments and Jails
« on: January 18, 2015, 07:05:49 pm »
bsdinstall is not bsdinstaller. That was the previous installer that DragonFly still uses and I think at some point also FreeBSD (but not entirely sure--at least it has always been the case for pfSense). So it's a wee bit harder, but you are right, the workflow and code is there, it needs to be integrated in a sensible and easy way.

Building a jail for OPNsense is easy, running it in a vanilla FreeBSD is not since we inherited a couple of custom patches that don't match. I also don't know which parts won't work due to jail restrictions--some of them can't be circumvented. It's certainly something others could help to test and contribute patches to make this work eventually.

I can provide you with a jail tarball to play around with, drop me an email at franco@ (our website) and I will send you a link...

17738
Development and Code Review / Re: OPNsense installer
« on: January 18, 2015, 06:59:36 pm »
Ha, good question! I took the liberty of refactoring the scattered installer glue and bundle it into a native port under ports.git/opnsense/bsdinstaller. The rc install launcher bit is under core.git/src/etc/rc.installer. Hope that helps!

17739
15.1 Legacy Series / Re: cloud images
« on: January 18, 2015, 08:45:07 am »
Oh, and the IRC channel is #opnsense on Freenode.

17740
General Discussion / Re: ZFS / Boot Environments and Jails
« on: January 18, 2015, 08:44:17 am »
There are no immediate plans to support ZFS, but the installer will be extended to handle this at some point (without help this won't happen before 15.7 is released). How far we'll take this is unclear, maybe PC-BSD's system is too much work for a small incremental improvement on top of ZFS.

Jail isolation for programs on the box? Chrooting and jails are certainly a possibility for the services we provide on a default install; some are already working in this way (or were once designed to eventually work that way).

If you mean jails as in OPNsense jails on a FreeBSD box--it is trivial to add a script to assemble such an image. Let me know if that is something you would be interested in.

17741
15.1 Legacy Series / Re: cloud images
« on: January 18, 2015, 08:28:50 am »
Prebuilt images are available here: https://sourceforge.net/projects/opnsense/files/?source=navbar

Or are you missing a particular format? Please let me know.

17742
15.1 Legacy Series / Re: FreeBSD-SA-15:01.openssl
« on: January 17, 2015, 12:50:31 pm »
BTW, we do not support upgrades using freebsd-update.

17743
15.1 Legacy Series / Re: FreeBSD-SA-15:01.openssl
« on: January 17, 2015, 12:49:47 pm »
The source code is all there with the necessary patches, so if you feel uneasy about waiting for 15.1.2 you could build it on your own. This is one of our project's goals so you don't have to wait or trust us to provide the proper binary images. We provide you with all the help and documentation you may need. If that's not the case please let us know.

Right now we are evaluating libressl in the ports system. It has shown that it's almost ready for deployment, but some patches for ports are currently being discussed, reviewed and tested. It is most likely that 15.1.2 will include a newer OpenSSL from ports as opposed to the now vulnerable base version. The switch to libressl will happen in a later stable release once the patches have been accepted by FreeBSD.

We also look into how hard it is to remove OpenSSL from base so we never run into twilight issues with two installed OpenSSL versions where one is always more vulnerable than the other. All of these things take time and proper testing. Expect all of this to be rock stable in 15.7 so we can move on to improve other things.

Right now it's just me working on this in my free time, so I hope that explains why things don't seem to move "as fast as they should". :)

17744
15.1 Legacy Series / Re: Add-Ons/Plugins/Packages
« on: January 16, 2015, 10:38:10 am »
We typically use ports.git/opnsense/xyz for custom ports. For plugins, we may want a little prefix for the package like "opns-" to indicate "doesn't work without the other thingy". Other than that you are right: add ports dependencies to third party tools you want to run, and the custom code to drop into the GUI base. It'll get a little harder when there is an API server, but security issues are more important than ease of integration in the long run. I don't think you need a specific dependency on the "opnsense" package. If the code is not there, then nothing bad happens. The main package is also not in the ports tree so asking for that dependency is asking for trouble maybe. I don't know yet.

If you have useful plugins that don't bloat the default image we can consider cutting out the plugin foo and move them directly to the core. We are cool with that if you are. Plugins are coming back mid-term anyway though. It would be a way to bridge the gap like we do for IPS and proxy.

17745
General Discussion / Re: PFSense config import?
« on: January 12, 2015, 06:19:15 pm »
I have a report that such a 2.1.5 config does not work well on import, basically rendering the GUI unresponsive. I am looking into this at the moment. Expect some things to change for 15.7 with regard to config handling and import behaviour. If you can help out with configs that do not seem to work send us an email with the anonymised config. Thanks!
