Messages - franco

#19906
Thanks guys, that's highly appreciated.

i386 variant will hit the mirror tonight or tomorrow morning.
#19907
15.1 Legacy Series / Re: pkg search/install etc
February 22, 2015, 03:33:58 PM
We have `opnsense-update`, which is new since 15.1.6.1. It is supposed to be a little bit easier to handle than freebsd-update, but it is currently experimental due to its young age and need for further development until we finally wrap it up into the GUI as a single shiny button.

We have vim-lite in our mirror. I also think that bash gets built, but not pushed into the mirror because it is a build-only dependency. Upon further reflection, there is not much we can do other than "opening up" the prebuilt ports more and more.
#19908
Let's just say we are completely arrogant about not being arrogant. ;)

But seriously, what is a project--especially an open source project--without a community to listen to and build upon?

Sure, we have put in a bit of effort to get this project bootstrapped, but now that we've been here for just over 50 days, it really matters that we've had the privilege of a kind user base who is willing to help test and let this project progress beyond what we could have achieved alone. There are endorsements like Manuel's, countless bug reports, feature requests and proactive mentions of the work that we have done all around the web. We have plans for the next year, but they mean nothing in the face of what our community looks like in 6 months or maybe less. We'll have to shift and adapt while maintaining just a couple of core principles: open, easy, fast, secure *and* fun. We believe these values are not exclusive.

All I can say is there is more to learn and grow and hopefully we have shown how we want to do it. :)


Franco
#19909
It is a general security thing. OpenSSL is used for crypto and hashing in a wide range of software. Here is what happens when you try to delete libressl from the release:

# pkg delete -n libressl
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 28 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
libressl-2.1.3
libevent2-2.0.22_1
curl-7.40.0
voucher-0.1_4
strongswan-5.2.2
relayd-5.5.20140810_1
python27-2.7.9_1
php56-openssl-5.6.6
openvpn-2.3.6_1
openssh-portable-6.7.p1_1,1
ntp-4.2.8p1
mpd5-5.7_1
mpd4-4.4.1_2
miniupnpd-1.9_1,1
lighttpd-1.4.35_5
ipmitool-1.8.14_1
bind99-9.9.6P2
openldap-client-2.4.40_1
nettle-2.7.1
libssh2-1.4.3_5,2
git-2.3.0
check_reload_status-0.0.3_1
ifstated-5.1,3
php56-curl-5.6.6
opnsense-15.1.6.1_1
php56-ldap-5.6.6
dnsmasq-2.72,1
pecl-ssh2-0.12


With a total of 131 packages, that's over 20% of dependencies.
#19910
Hello again,

with the bulk load of 15.1.6.1 out of the way, it's time to bikeshed about our favourite topic: security. We now have images and packages built against LibreSSL on amd64 (i386 possible if there are requests—speak up). They are fully compatible with the standard images and you will be able to switch back and forth with a wee bit of command line trickery as new stable versions get released. So far we've had no visible issues, although we would love to know if you run into any.

The images can be found here:

https://pkg.opnsense.org/snapshots/

To upgrade your existing amd64 installation (hopefully 15.1.6.1) you need to drop to the command line and install your favourite editor(s):

# pkg install vim-lite joe nano

Edit /usr/local/etc/pkg/repos/OPNsense.conf and replace "latest" with "libressl". Save and exit.

In the GUI, run the firmware upgrade. It should upgrade you to opnsense 15.1.6.1_1 (no, that's not a joke). If you upgraded from below 15.1.6, please update the base system afterwards using:

# opnsense-update && reboot

Switching back to OpenSSL is done by re-editing the OPNsense.conf file, but you might be stuck since the OpenSSL version is "older". The following might work after editing the file:

# pkg upgrade -fy
# pkg autoremove
# reboot


Please write in with your feedback, both bad and good.


Until then,
Franco
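The repo switch described in the post above, as an added example that is not franco's code: a small POSIX sh helper that reports which flavour (latest or libressl) the OPNsense repo file points at, rewrites it with a backup, and verifies the edit before you run the GUI firmware upgrade. It assumes the repo file is a pkg(8) UCL file whose url: line ends in ".../<flavour>"; the sample file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the OPNsense repo
# file is a pkg(8) UCL file whose url: line ends in ".../<flavour>", where
# <flavour> is "latest" (OpenSSL) or "libressl". Sample below is constructed.

# Print the flavour named at the end of the url: line, e.g. "latest".
repo_flavour() {
    sed -n 's|^[[:space:]]*url:[[:space:]]*".*/\([^/"]*\)",*[[:space:]]*$|\1|p' "$1"
}

# Rewrite the url: line to the wanted flavour. Keeps a .bak copy so switching
# back to OpenSSL later is a matter of re-running with "latest" or restoring.
set_repo_flavour() {
    conf=$1 want=$2
    case "$want" in
        latest|libressl) ;;
        *) echo "unknown flavour: $want" >&2; return 1 ;;
    esac
    cur=$(repo_flavour "$conf")
    [ -n "$cur" ] || { echo "no url: line found in $conf" >&2; return 1; }
    [ "$cur" = "$want" ] && return 0          # already set, leave file alone
    cp "$conf" "$conf.bak"
    sed "s|^\([[:space:]]*url:.*\)/$cur\"|\1/$want\"|" "$conf.bak" > "$conf"
    [ "$(repo_flavour "$conf")" = "$want" ]   # verify the edit actually took
}

# Write a constructed sample of the repo file (amd64, OpenSSL flavour).
write_sample_conf() {
    cat > "$1" <<'EOF'
OPNsense: {
  url: "pkg+https://pkg.opnsense.org/FreeBSD:10:amd64/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  enabled: yes
}
EOF
}

# Walk through the switch on a temporary copy; prints "old -> new".
demo() {
    tmp=$(mktemp -d)
    write_sample_conf "$tmp/OPNsense.conf"
    before=$(repo_flavour "$tmp/OPNsense.conf")
    set_repo_flavour "$tmp/OPNsense.conf" libressl
    after=$(repo_flavour "$tmp/OPNsense.conf")
    rm -rf "$tmp"
    echo "$before -> $after"
}

# Usage: "--demo" runs on the sample; "latest"/"libressl" edits the real file.
case "${1-}" in
    --demo) demo ;;
    latest|libressl) set_repo_flavour /usr/local/etc/pkg/repos/OPNsense.conf "$1" ;;
esac
```

After switching, the firmware upgrade in the GUI (and, if needed, opnsense-update) still has to be run as the post describes; the script only changes which repository pkg will talk to.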
#19911
Hi there,

documentation is one of our weak spots and must be improved. The wiki is one way to start collaboration on this (wiki write rights are given out on request). We have more in the pipe, but need to put in a lot more effort before we can share this info.

I have done persistent DHCP for reboot and reinstalls (typically system upgrades) for a client before. That's something I can push. Not sure if that is enough to retain voucher info, but we can certainly work something out there as well if not. :)

https://github.com/opnsense/core/issues/56 -- one step at a time! Keep those reports coming please.


Cheers,
Franco
#19912
Now that you mention GPT, there is a custom option for bsdlabel -- maybe try that instead. That helped fix such a boot-after-install issue for a client.
#19913
15.1 Legacy Series / Re: Request: OpenSMTPD + Spamd
February 22, 2015, 09:46:19 AM
Certainly an interesting addition of the packages in 15.7. I would hope somebody is willing to contribute in this regard to speed up development. With the resources we do have it is not on the roadmap, though:

https://opnsense.org/about/road-map/


Cheers,
Franco
#19914
15.1 Legacy Series / Re: ikev1 and ikev2 / Firewall
February 22, 2015, 09:42:14 AM
Hi there,

(1) IKEv1 has been fixed with 15.1.6.1 -- we'd appreciate a heads-up if there are remaining issues: https://forum.opnsense.org/index.php?topic=77.0

(2) I'll get back on that soon, but there should be a way to pull it off. Most likely through the config.xml itself.


Thank you for your feedback :)

Franco
#19915
There is a heap of issues with UEFI on FreeBSD. I remember countless mailing list reports, and I guess it's working for most now, but boot loader mods are not FreeBSD's strength. Too few Forth people around to review patches or do cleanups...
#19916
I'm inclined to say try a stable 15.1 if you can, but 15.7 is certainly a good idea for production systems. Cheers. :)
#19917
Maybe UEFI-only boot? For 10.1 there are images AFAIK.
#19918
15.1 Legacy Series / Re: Moving from m0n0wall to Opnsense
February 22, 2015, 09:06:12 AM
Hi there,

thanks, glad to hear the initial setup went fine. :)

The pfSense guide is a really good reference: https://doc.pfsense.org/index.php/Interface_Bridges

Hopefully somebody else can step in and help with he.net IPv6 setup.

Yes, a m0n0wall importer is something we have been discussing. It'll take a while to materialise, but what we want to do is pick up all the m0n0wall config migration code and then write an importer based on the latest m0n0wall version. This will be a long work in progress as we need to add support feature by feature following the long drift of config handling between us and m0n0wall. Any help here is highly appreciated.


Cheers,
Franco
#19919
15.1 Legacy Series / Re: Tinc & Apinger
February 22, 2015, 08:58:41 AM
Hi Ray,

it's alright to be shy. We're here to deliver progress, but who knows which direction this turns out to be 6 months from now. It's been 50 days and look what happened here following e.g. m0n0wall's announcement.

(1) Yes, apinger is a constant pain. Frankly, I would just ditch it from the code base completely, but there are two main reasons for having it as is: lots of people like using it as is, and reworking this takes more time than it is worth looking at the bigger picture (FreeBSD 10.1, security updates, ports, network-related bugfixes). I am not sure what a sensible course of action is in this regard. Any help here is appreciated.

(2) We want to bring package support back in a revamped style: easier, more flexible and hopefully secure. This is an item for 15.7, so after July. I don't think tinc will be a default package for the images we release, but it is certainly a good addition to the toolbox.

Hope that helps,
Franco

#19920
15.1 Legacy Series / Re: OPNsense on oVirt
February 22, 2015, 08:50:48 AM
I could not find recent information on this and I have never set it up myself. Bumping this question in the hopes that others know something?