Messages

151

General Discussion / Re: Compile ports from source

« on: January 17, 2016, 08:25:48 pm »

Thanks for that, very useful.

I've noticed that stack protection has been added to some opnsense packages, like Suricata, that would have been the first thing I would have added.

Where are the cflags stored? They're not in the make.conf nor in the makefile.

152

Documentation and Translation / Re: Can't find the latest images

« on: January 17, 2016, 08:12:54 pm »

Thanks. I'll need to do some tests. Last time I investigated there were some issues when compiling from source:
https://github.com/freebsd/pkg/issues/1000

153

Documentation and Translation / Re: Can't find the latest images

« on: January 15, 2016, 11:04:04 pm »

I just saw that locking feature. What is it using underneath to protect the packages?

154

15.7 Legacy Series / Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times

« on: January 15, 2016, 10:49:02 pm »

All good here as well on 15.7.99

155

16.1 Legacy Series / Re: 16.1 Development Milestones

« on: January 15, 2016, 10:40:38 pm »

16.1 is still scheduled for January 28 (hence "development series"), see https://opnsense.org/about/road-map/

I know, but it's really soon and people should be testing the new kernel as well, no?

We're not yet ready to provide reliable test kernels for development releases

OK, then, no, we don't want to test it if it crashes too often

as well as having to build multiple package mirrors for different OS versions. Too much strain for our project at the moment to handle.

I understand, so it's quite risky to update to a fresh image then as packages will not have been well tested outside of your team. I guess that's when the beta phase starts.

Thanks!

156

16.1 Legacy Series / Re: 16.1 Development Milestones

« on: January 15, 2016, 08:03:46 pm »

and FreeBSD 10.2 underneath will help newer hardware to run more smoothly

uname tells me I'm still on 10.1. Is 10.2 coming later?

157

Documentation and Translation / Re: Can't find the latest images

« on: January 15, 2016, 07:48:05 pm »

OK. I think it would be good to update the wiki for 16.1, to at least explain the way releases work.

Hopefully, newer packages are automatically downloaded before starting the configuration process, like on some Linux distros.

158

Documentation and Translation / Can't find the latest images

« on: January 15, 2016, 02:35:02 pm »

I'm looking for images of 15.7.24 and 16.1

On this page:
https://wiki.opnsense.org/index.php/Software_setup

* SourceForge is down (not your problem)
* US mirror 1 redirects to /releases which only contains 15.7.11 and 15.7.18
* US mirror 2 is down
* EU mirror 1 lands in / and in /releases, there are the same releases as the other mirrors
* EU mirror 2 redirects to /releases which only contains 15.7.11 and 15.7.18
* https://pkg.opnsense.org lands in / and there are no latest image
* Nothing on Github afaict
* https://opnsense.org/download contains 15.7.18

It may be that we need to install 15.7.18 and update, but there is no indication of that anywhere in the documentation.

So how are we supposed to install OPNsense?

On the same page, there is also a note about LibreSSL 15.1.9, but I'm guessing we're way past that and it can be removed.

The link to the HardenedBSD snapshots is 404

159

General Discussion / [SOLVED] Compile ports from source

« on: January 15, 2016, 02:08:19 pm »

Since OPNsense can be simply enabled on top of FreeBSD, does that mean, that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security enabled cflags?

160

16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?

« on: January 15, 2016, 01:51:58 pm »

Thanks!

The problem with 11-CURRENT is that it can break too easily and with all the different configs out there, you can't be sure that a specific snapshot doesn't break something for someone.

I'm happy with backported patches in base.

161

16.1 Legacy Series / 16.1 on HardenedBSD 10.2?

« on: January 14, 2016, 08:35:37 pm »

Just wondering if we're going to have to wait for 16.7 to be able to use HardenedBSD and if that will be based on 11-current or if there is something available now, based on 10.2?

162

16.1 Legacy Series / Re: 16.1 Development Milestones

« on: January 13, 2016, 02:11:23 pm »

OK, thanks

163

16.1 Legacy Series / Re: 16.1 Development Milestones

« on: January 12, 2016, 10:51:14 pm »

Thank you very much for the clarification. It was just something which got lost in translation. I read it like you planned on fixing the problem in a few months rather than "it's been fixed for months"

I have a suggestion for your release notes. I know it's painful to identify every change as a bug fix (-) or a new feature (+) and it's best to spend your time coding , but could you at least mention if a fix was security related? Something like

Code: [Select]

* [security] ports: ntp 4.2.8p5[7]

* ports: suricata 2.0.11[2], dhcp6 20080615_5[3], lighttpd 1.4.39[4]
* ports: syslogd 10.2, mpd 5.8[5], ca_root_nss 3.21, dnsmasq 2.75_1[6]
* ports: php 5.6.17[8], python 2.7.11_1[9]
* ports: miniupnpd 1.9.20151212, openvpn 2.3.10[10]
* opnsense-update: add opnsense-verify and opnsense-sign
* opnsense-update: improve verification of signatures of kernel and base upgrades
* menu: bring back dashboard entry due to popular demand
...
I think it would make it easier to quickly assess the risk of running the current version.

164

15.7 Legacy Series / Re: HardenedBSD experimental builds

« on: January 12, 2016, 02:08:09 pm »

Btw, the link in the wiki to the HardenedBSD images is broken

165

16.1 Legacy Series / Re: 16.1 Development Milestones

« on: January 11, 2016, 11:58:42 pm »

I'm confused by this:

improved overall security of the code e.g. by fixing https://www.exploit-db.com/exploits/39038/ a few months earlier than announced

There is an exploit in the wild and the current release version hasn't been patched, but the dev version has? And the original plan was to wait a few months?

I'm new to the project and trying to understand how I would patch our instance against 0days.