Messages - franco

#46
Ok, the 25.7.8 update looks good.

The only way I can think of for it not to write the log is when "pkg upgrade" was used verbatim. But there would still be a pkg log:

# opnsense-log pkg

Maybe it gives a few clues.


Thanks,
Franco
#47
> The console option 12 also writes a log. I don't understand why it should be missing?

I just tested this and it logs just fine.


Cheers,
Franco
#48
The console option 12 also writes a log. I don't understand why it should be missing?

> All packages came from OPNsense repository, no FreeBSD repo was involved.

Well, if you installed a package from somewhere that is NOT OPNsense repo we simply don't know how the package manager reacts to unresolvable conflicts is my main point here.

And no modified log snippets please, it hides crucial information.


Cheers,
Franco

#49
> Any plans on how to proceed there?

Nope. I've asked FreeBSD committers, core team and even foundation for help on improving cooperation over the years. The ball was always in their court.

Not sure if it's really appropriate to kick me instead of the ball, but it is what it is. Someone clever will figure something out I guess.  ;)


Cheers,
Franco
#50
Since you installed something from FreeBSD repo it's already in a state that is impossible to reproduce from our end.

If you still have the update log we can try to figure out what is going on. It probably did a partial upgrade and aborted while also uninstalling a vital package. It's the same old story with the package manager.  ;)

With this command you can get the last update log:

# opnsense-update -g


Cheers,
Franco
#51
Intended. The IP is still searchable. It may not be in the tooltip yet, but it was also suggested so it might still be done.

This was done to save a lot of space in an already wide table.


Cheers,
Franco
#52
Later today, yes.


Cheers,
Franco
#53
Quote from: Kayakero on December 01, 2025, 04:34:47 PM
> I'm an old school guy from the times of "static html" .. where the browser adjusted the windows real estate space in a smart way when rendering or adjusting size.
> Now everything of course is dynamic, and refreshing live and columns moving and adjusting width each refresh won't be a good user experience.
> So I suppose you have to make a trade off. I'm not complaining.

I don't take it as complaining, yet I do want to point out that you can simply uncheck the auto-refresh here.

The raw source/destination IP column is now hidden when hostnames are resolved to save some space, but it's still searchable via filter. You can also select up to 10000 results now, which also is best used without auto-refresh.  ;)


Cheers,
Franco
#54
25.7, 25.10 Series / Re: New skin "flexcolor"
December 18, 2025, 07:38:28 PM
Don't worry about it. We'll sort it out together. I'll try to get to it tomorrow.


Cheers,
Franco
#56
Hi guys,

Thanks for the replies!  I got access back later that same day I posted this.  Quite the coincidence.  :)

I have confirmation now this is more about particular egos than technical matters and in my opinion I've always demonstrated a willingness to compromise even if it doesn't make sense technically.  In my view making decisions solely based on group dynamics will leave FreeBSD in a place where it deprives itself of technical know how, contributions and users, but we all have to make our decisions at the end of the day.

I've asked for my Bugzilla account to be removed.  I really don't see the need for it anymore.

> Will OPNsense fork BSD so that they can add in the work that's important (and being ignored)

Essentially, we have a soft fork and have had it for 10 years. It works very well. Release quality is better than any FreeBSD release out there because we fix a lot of things beyond mere errata or security advisories for our users.

> or will they continue using the main branch?

We're not using the main branch. We've always believed that actual releases are a far better starting point, also because it's cheap and easy to make these verbatim releases a lot better with a modern backport strategy. It does not appear to be compatible with the way FreeBSD wants to handle releases and user bug reports.

> Are any of the current forks worth moving towards for OPNsense?

You mean other BSDs? No, all have their ups and downs. DragonFlyBSD might be the best match, but the downside is a small developer group, slower driver support, etc.

Linux is also out of the question.  You can take the frontend and build a new firewall, but I reckon it's not a lot of fun in the first year or so while you slowly work towards something that looks great but is barely usable.  ;)


Cheers,
Franco
#57
General Discussion / Re: FreeBSD CVEs released
December 18, 2025, 04:04:22 PM
Yeah, 25.7.10 is out now.


Cheers,
Franco
#59
Announcements / OPNsense 25.7.10 released
December 18, 2025, 03:53:32 PM
Howdy,

This update is released mainly due to the fact that FreeBSD-SA-25:12.rtsold[2]
has impact on WAN-facing DHCPv6 connectivity being used, but also offers a
mid-size batch of improvements like CARP VHID awareness for DHCRelay and
a thorough cleanup and improvement pass over the Suricata integration we
have been discussing during Suricon in November.

Of special note is that the captive portal accounting moves back to ipfw(4)
from pf(4) because in larger deployments accounting rules are much faster
this way and the use case of Ethernet-less captive portals such as on top
of WireGuard now works properly again.  The hook for pluggable pf(4) "ether"
rules remains for now but will be removed in 26.1 as we do not intend to
advocate its use.

Also, Python has reported security issues of which a DoS in http.client could
potentially affect existing installations given that an HTTP server sends
a malicious response which "can consume a large amount of memory and CPU time
and cause swapping".  Python has not released an update for version 3.11 at
this point in time.

Here are the full patch notes:

o system: clean up and normalise the sample config.xml
o system: replace "realif" variables with "device" in gateway code
o system: replace exec() in live banner SSH probe
o interfaces: scan pltime/vltime in "ifconfig -L" mode
o firewall: live log: allow column modifications and combine hostname columns
o firewall: live log: add bigger table size options and simplify table update
o firewall: minor simplification in filter sync script
o reporting: health: add CPU temperature y-axis label (contributed by NOYB)
o dhcrelay: add CARP VHID tracking option to relays
o dhcrelay: use the new mwexecf() $format support
o firmware: opnsense-update: remove architecture pinning for -X option
o captive portal: re-introduce ipfw for accounting purposes only
o dnsmasq: add DHCP logging flags to influence log verbosity
o intrusion detection: refactor query scripts and deprecate params.py
o intrusion detection: increase maintainability of suricata.yaml file
o intrusion detection: add support for /usr/local/etc/suricata/conf.d directory
o intrusion detection: clean up views and controllers
o openvpn: openvpn: add AES-256-CBC cipher for legacy compat (contributed by Fabian Franz)
o openvpn: add support for verify-x509-name option (contributed by laozhoubuluo)
o openvpn: replace exec() in MVC code
o unbound: deprecate Blocklist.site blocklists (contributed by Drumba08)
o unbound: clean up blocklists update marker and size file handling
o mvc: ApiMutableModelControllerBase: add invalidateModel() method
o mvc: Config: use is_int()/array_key_first() in toArray() and fromArray()
o mvc: Config: mvc: use LIBXML_NOBLANKS when loading config files
o mvc: FilterBaseController: move shared automation rule logic here
o mvc: get translated services description from API (contributed by Tobias Degen)
o mvc: BaseField: provide asInt() method
o rc: bootstrap /var/lib/php/tests for upcoming test case use
o plugins: os-ndp-proxy-go 1.2[1]
o plugins: os-theme-rebellion 1.9.4 (contributed by Team Rebellion)
o src: e1000: do not enable ASPM L1 without L0s
o src: e1000: bump 82574/82583 PBA to 32K
o src: if_ovpn: use IFT_TUNNEL
o src: ifconfig: bring back -L for netlink
o src: igb: fix VLAN support on VFs
o src: irdma: fix potential memory leak on qhash cqp operation
o src: ix: add support for debug dump for E610 adapters
o src: netmap: fix error handling in nm_os_extmem_create()
o src: pf: reading rules with a read lock on ioctl
o src: pf: relax sctp v_tag verification
o src: pf: handle divert packets
o src: pfsync: fix incorrect unlock during destroy
o src: rtsold: remote code execution via ND6 router advertisements[2]
o ports: dpinger 3.4[3]
o ports: libucl 0.9.3
o ports: nss 3.119.1[4]
o ports: phpseclib 3.0.48[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
[3] https://github.com/dennypage/dpinger/releases/tag/v3.4
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html
[5] https://github.com/phpseclib/phpseclib/releases/tag/3.0.48
#60
Maybe, you haven't said which version you have.