Messages

Thanks for that, very useful.

I've noticed that stack protection has been added to some opnsense packages, like Suricata, that would have been the first thing I would have added.

Where are the cflags stored? They're not in the make.conf nor in the makefile.

Thanks. I'll need to do some tests. Last time I investigated there were some issues when compiling from source:
https://github.com/freebsd/pkg/issues/1000

I just saw that locking feature. What is it using underneath to protect the packages?

All good here as well on 15.7.99

16.1 is still scheduled for January 28 (hence "development series"), see https://opnsense.org/about/road-map/

I know, but it's really soon and people should be testing the new kernel as well, no?

We're not yet ready to provide reliable test kernels for development releases

OK, then, no, we don't want to test it if it crashes too often ;)

as well as having to build multiple package mirrors for different OS versions. Too much strain for our project at the moment to handle.

I understand, so it's quite risky to update to a fresh image then as packages will not have been well tested outside of your team. I guess that's when the beta phase starts.

Thanks!

and FreeBSD 10.2 underneath will help newer hardware to run more smoothly

uname tells me I'm still on 10.1. Is 10.2 coming later?

OK. I think it would be good to update the wiki for 16.1, to at least explain the way releases work.

Hopefully, newer packages are automatically downloaded before starting the configuration process, like on some Linux distros.

[So how are we supposed to install OPNsense?]

I'm looking for images of 15.7.24 and 16.1

On this page:
https://wiki.opnsense.org/index.php/Software_setup

* SourceForge is down (not your problem)
* US mirror 1 redirects to /releases which only contains 15.7.11 and 15.7.18
* US mirror 2 is down
* EU mirror 1 lands in / and in /releases, there are the same releases as the other mirrors
* EU mirror 2 redirects to /releases which only contains 15.7.11 and 15.7.18
* https://pkg.opnsense.org lands in / and there are no latest image
* Nothing on Github afaict
* https://opnsense.org/download contains 15.7.18

It may be that we need to install 15.7.18 and update, but there is no indication of that anywhere in the documentation.

So how are we supposed to install OPNsense?

On the same page, there is also a note about LibreSSL 15.1.9, but I'm guessing we're way past that and it can be removed.

The link to the HardenedBSD snapshots is 404

Since OPNsense can be simply enabled on top of FreeBSD, does that mean, that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security enabled cflags?

Thanks!

The problem with 11-CURRENT is that it can break too easily and with all the different configs out there, you can't be sure that a specific snapshot doesn't break something for someone.

I'm happy with backported patches in base.

Just wondering if we're going to have to wait for 16.7 to be able to use HardenedBSD and if that will be based on 11-current or if there is something available now, based on 10.2?

OK, thanks :)

Thank you very much for the clarification. It was just something which got lost in translation. I read it like you planned on fixing the problem in a few months rather than "it's been fixed for months" :)

I have a suggestion for your release notes. I know it's painful to identify every change as a bug fix (-) or a new feature (+) and it's best to spend your time coding ;), but could you at least mention if a fix was security related? Something like

Code Select Expand

* [security] ports: ntp 4.2.8p5[7]

* ports: suricata 2.0.11[2], dhcp6 20080615_5[3], lighttpd 1.4.39[4]
* ports: syslogd 10.2, mpd 5.8[5], ca_root_nss 3.21, dnsmasq 2.75_1[6]
* ports: php 5.6.17[8], python 2.7.11_1[9]
* ports: miniupnpd 1.9.20151212, openvpn 2.3.10[10]
* opnsense-update: add opnsense-verify and opnsense-sign
* opnsense-update: improve verification of signatures of kernel and base upgrades
* menu: bring back dashboard entry due to popular demand
...

I think it would make it easier to quickly assess the risk of running the current version.

Btw, the link in the wiki to the HardenedBSD images is broken

I'm confused by this:

improved overall security of the code e.g. by fixing https://www.exploit-db.com/exploits/39038/ a few months earlier than announced

There is an exploit in the wild and the current release version hasn't been patched, but the dev version has? And the original plan was to wait a few months?

I'm new to the project and trying to understand how I would patch our instance against 0days.