Messages - interfaSys

#151
General Discussion / Re: Compile ports from source
January 17, 2016, 08:25:48 PM
Thanks for that, very useful.

I've noticed that stack protection has been added to some OPNsense packages, like Suricata. That would have been the first thing I would have added.

Where are the cflags stored? They're not in the make.conf nor in the makefile.
#152
Thanks. I'll need to do some tests. Last time I investigated there were some issues when compiling from source:
https://github.com/freebsd/pkg/issues/1000

#153
I just saw that locking feature. What is it using underneath to protect the packages?
#154
All good here as well on 15.7.99
#155
16.1 Legacy Series / Re: 16.1 Development Milestones
January 15, 2016, 10:40:38 PM
Quote
16.1 is still scheduled for January 28 (hence "development series"), see https://opnsense.org/about/road-map/

I know, but it's really soon and people should be testing the new kernel as well, no?

Quote
We're not yet ready to provide reliable test kernels for development releases

OK, then, no, we don't want to test it if it crashes too often ;)

Quote
as well as having to build multiple package mirrors for different OS versions. Too much strain for our project at the moment to handle.

I understand, so it's quite risky to update to a fresh image then as packages will not have been well tested outside of your team. I guess that's when the beta phase starts.

Thanks!

#156
16.1 Legacy Series / Re: 16.1 Development Milestones
January 15, 2016, 08:03:46 PM
Quote
and FreeBSD 10.2 underneath will help newer hardware to run more smoothly

uname tells me I'm still on 10.1. Is 10.2 coming later?

#157
OK. I think it would be good to update the wiki for 16.1, to at least explain the way releases work.

Hopefully, newer packages are automatically downloaded before starting the configuration process, like on some Linux distros.
#158
I'm looking for images of 15.7.24 and 16.1

On this page:
https://wiki.opnsense.org/index.php/Software_setup

* SourceForge is down (not your problem)
* US mirror 1 redirects to /releases which only contains 15.7.11 and 15.7.18
* US mirror 2 is down
* EU mirror 1 lands in / and in /releases, there are the same releases as the other mirrors
* EU mirror 2 redirects to /releases which only contains 15.7.11 and 15.7.18
* https://pkg.opnsense.org lands in / and there is no latest image
* Nothing on GitHub afaict
* https://opnsense.org/download contains 15.7.18

It may be that we need to install 15.7.18 and update, but there is no indication of that anywhere in the documentation.

So how are we supposed to install OPNsense?

On the same page, there is also a note about LibreSSL 15.1.9, but I'm guessing we're way past that and it can be removed.

The link to the HardenedBSD snapshots is 404
#159
General Discussion / [SOLVED] Compile ports from source
January 15, 2016, 02:08:19 PM
Since OPNsense can be simply enabled on top of FreeBSD, does that mean that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security-enabled cflags?
#160
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
January 15, 2016, 01:51:58 PM
Thanks!

The problem with 11-CURRENT is that it can break too easily and with all the different configs out there, you can't be sure that a specific snapshot doesn't break something for someone.

I'm happy with backported patches in base.
#161
16.1 Legacy Series / 16.1 on HardenedBSD 10.2?
January 14, 2016, 08:35:37 PM
Just wondering if we're going to have to wait for 16.7 to be able to use HardenedBSD and if that will be based on 11-current or if there is something available now, based on 10.2?
#162
16.1 Legacy Series / Re: 16.1 Development Milestones
January 13, 2016, 02:11:23 PM
OK, thanks :)
#163
16.1 Legacy Series / Re: 16.1 Development Milestones
January 12, 2016, 10:51:14 PM
Thank you very much for the clarification. It was just something which got lost in translation. I read it like you planned on fixing the problem in a few months rather than "it's been fixed for months" :)

I have a suggestion for your release notes. I know it's painful to identify every change as a bug fix (-) or a new feature (+) and it's best to spend your time coding ;), but could you at least mention if a fix was security related? Something like

* [security] ports: ntp 4.2.8p5[7]

* ports: suricata 2.0.11[2], dhcp6 20080615_5[3], lighttpd 1.4.39[4]
* ports: syslogd 10.2, mpd 5.8[5], ca_root_nss 3.21, dnsmasq 2.75_1[6]
* ports: php 5.6.17[8], python 2.7.11_1[9]
* ports: miniupnpd 1.9.20151212, openvpn 2.3.10[10]
* opnsense-update: add opnsense-verify and opnsense-sign
* opnsense-update: improve verification of signatures of kernel and base upgrades
* menu: bring back dashboard entry due to popular demand
...


I think it would make it easier to quickly assess the risk of running the current version.

#164
Btw, the link in the wiki to the HardenedBSD images is broken
#165
16.1 Legacy Series / Re: 16.1 Development Milestones
January 11, 2016, 11:58:42 PM
I'm confused by this:

Quote
improved overall security of the code e.g. by fixing https://www.exploit-db.com/exploits/39038/ a few months earlier than announced

There is an exploit in the wild and the current release version hasn't been patched, but the dev version has? And the original plan was to wait a few months?

I'm new to the project and trying to understand how I would patch our instance against 0days.