Messages - lattera

106
19.1 Legacy Series / Re: 19.1 development milestones
« on: November 28, 2018, 06:32:22 pm »
That is indeed interesting. :)

I'll take a look this weekend. HardenedBSD hasn't made any changes to the CAM layer or SDHCI drivers. Regardless, I'll see if I can figure out what's going on. It'll be difficult with me not being able to reproduce, but I'll give it a shot.

107
19.1 Legacy Series / Re: 19.1 development milestones
« on: November 28, 2018, 03:24:45 pm »
Couple questions:

At what point does the system fail to boot?

What happens when you set vm.pmap.pti=0 in the loader?

108
General Discussion / Re: OPNsense under bhyve
« on: November 13, 2018, 03:59:43 pm »
Did you put OPNsense in serial mode?

109
General Discussion / Re: CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
« on: November 10, 2018, 01:03:30 am »
I should clarify that OPNsense is not affected by the ICMP issue when the net.inet.icmp.quotelen sysctl node is kept at its default value of 8.

Details are scarce regarding the net.inet.ip.maxfragsperpacket sysctl node and the code that uses it. It would be good to see a security audit of these older networking bits of code.

In HardenedBSD 13-CURRENT, I've defaulted both those sysctl nodes to the values recommended in that Reddit post: https://github.com/HardenedBSD/hardenedBSD/commit/d60f241d77eb286179aa25bc58a99b55833b2d10
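The post above hinges on a single value: net.inet.icmp.quotelen at its default of 8. The script below is an added example, not code from the post or from the OPNsense/HardenedBSD projects; it parses sysctl output in FreeBSD's "name: value" format and flags drift from that default, while only reporting net.inet.ip.maxfragsperpacket because the post states no default for it. The sample output it runs on is constructed here and stands in for a live system.

```shell
#!/bin/sh
# Added example (not from the forum post): audit the two sysctl nodes named in
# the thread. The only default the thread gives is net.inet.icmp.quotelen = 8,
# so that is the only value judged; net.inet.ip.maxfragsperpacket is reported
# for review.

# Constructed sample of `sysctl net.inet.icmp.quotelen net.inet.ip.maxfragsperpacket`
# output (FreeBSD "name: value" format); the numbers are illustrative.
SAMPLE_OUTPUT='net.inet.icmp.quotelen: 8
net.inet.ip.maxfragsperpacket: 16'

# sysctl_value NAME TEXT -> prints the value of NAME found in TEXT, or nothing
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# quotelen_is_default TEXT -> exit 0 when net.inet.icmp.quotelen is 8, else 1
quotelen_is_default() {
    [ "$(sysctl_value net.inet.icmp.quotelen "$1")" = "8" ]
}

# audit_icmp_sysctls TEXT -> prints a short report; exit status follows quotelen
audit_icmp_sysctls() {
    q=$(sysctl_value net.inet.icmp.quotelen "$1")
    f=$(sysctl_value net.inet.ip.maxfragsperpacket "$1")
    printf 'net.inet.icmp.quotelen=%s (default per thread: 8)\n' "${q:-unset}"
    printf 'net.inet.ip.maxfragsperpacket=%s (no default stated in thread; review)\n' "${f:-unset}"
    if quotelen_is_default "$1"; then
        echo "OK: quotelen at default"
        return 0
    fi
    echo "WARN: quotelen differs from the default the thread describes"
    return 1
}

# Run against the constructed sample. On a live FreeBSD/OPNsense box, feed real
# output instead:
#   audit_icmp_sysctls "$(sysctl net.inet.icmp.quotelen net.inet.ip.maxfragsperpacket)"
audit_icmp_sysctls "$SAMPLE_OUTPUT"
```

The check is deliberately narrow: a non-default quotelen is flagged, and an absent node prints "unset" so a kernel that lacks the node is visible rather than silently passing.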

110
General Discussion / Re: CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
« on: November 09, 2018, 10:17:23 pm »
FreeBSD 11.1, which OPNsense is currently based on, is not affected when the sysctl nodes have been left to their default values.

The soon-to-be-released FreeBSD 12.0 was affected (along with 13-CURRENT). I'm paying attention to how this folds out and will keep you updated should anything change.

111
General Discussion / Re: Whats wrong with Bhyve ??
« on: May 01, 2018, 04:09:29 pm »
You might try the freebsd-virtualization mailing list on freebsd.org. Even though OPNsense is based on FreeBSD with HardenedBSD additions, the OPNsense Forums is the wrong place to ask about bhyve.

112
18.1 Legacy Series / Re: [CALL FOR TESTING] Speculative Execution Kernel Patch for amd64
« on: March 19, 2018, 02:54:50 pm »
Quote from: dcol on March 16, 2018, 06:00:53 pm
Is there a way to incorporate the Meltdown tools in OPNsense?
https://github.com/dag-erling/meltdown

I'll try my luck at creating a port for that in HardenedBSD's ports tree, which OPNsense uses. Good idea!

113
General Discussion / Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
« on: March 07, 2018, 09:45:49 pm »
Here's a sneak peek! :)

If the attached screenshot didn't show properly, then here's a link to it: https://photos.app.goo.gl/NgaICZGUo8QjIf7u1

114
General Discussion / Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
« on: March 06, 2018, 10:04:48 pm »
I spy with my little eye a feature branch to test PTI + IBRS: https://github.com/opnsense/src/tree/hardened/master/pti_ibrs

I'll enable PTI by default in this branch, just like we do in HardenedBSD.

115
General Discussion / Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
« on: March 06, 2018, 05:55:56 pm »
Hot off the press: FreeBSD just released a Call For Testing (CFT) of PTI and IBRS for 11.1-RELEASE: https://lists.freebsd.org/pipermail/freebsd-stable/2018-March/088526.html

Over the next couple weeks, I'll work to import the patch into a feature branch in OPNsense's src repo. I'll discuss with the OPNsense Core Team how we can go forward with publishing a testable version of OPNsense with the patch applied. Stay tuned for more info. :)

116
General Discussion / Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
« on: March 06, 2018, 05:31:32 pm »
Yup. When FreeBSD 12.0-RELEASE happens and HardenedBSD creates the proper release engineering branch (hardened/releng/12.0), OPNsense will start work on switching to HardenedBSD as the upstream. Note that OPNsense already switched its ports tree (aka, third party packages) to HardenedBSD's ports tree. So we're already halfway there. We just need the other half (the operating system itself) to be switched over. :)

117
General Discussion / Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
« on: March 06, 2018, 02:20:10 pm »
I believe FreeBSD is actively working on merging PTI and IBRS support into 11.1-RELEASE. There is an experimental patch floating around that applies to 11.1-RELEASE, but there has been no status update since that experimental patch was released.

IBRS helps address one of the Spectre variants on Intel Skylake and above. However, it needs to be combined with Retpoline for full effectiveness (and Retpoline requires IBRS on Intel Skylake and above for full effectiveness; they depend on each other).

Retpoline requires both compiler and linker support. FreeBSD 11.1-RELEASE uses clang as the compiler, but GNU ld as the linker on amd64. In order to effectively use Retpoline, lld needs to be the linker. When OPNsense switches to HardenedBSD, it will gain lld as the default linker for the entire ecosystem on amd64.

So, there's a long road ahead. With all that said, keep in mind that Meltdown and Spectre are local attacks. The only time when Meltdown and Spectre become issues outside of local access is multi-tenant hosting. However, virtualizing your firewall with other untrusted VMs isn't a good idea anyway.

118
17.7 Legacy Series / Re: Transparent TOR
« on: February 02, 2018, 05:40:37 pm »
I don't know if you can combine both Tor and Squid on the same instance, but yes, you can configure Tor as a transparent proxy in OPNsense. I've done it before. I should write up a little tutorial on how to do it.

119
17.7 Legacy Series / Re: Be careful with ClamAV
« on: January 27, 2018, 03:20:39 pm »
Keep in mind that because the OPNsense Core Team has intelligently put security first by incorporating ASLR and SafeStack from HardenedBSD, attackers will likely have an extremely difficult time exploiting these vulnerabilities. Patching is still important (I'd say critical), but HardenedBSD's enhancements drive up the economic cost for attackers and help prevent successful exploitation.

120
General Discussion / Re: https://meltdownattack.com/
« on: January 23, 2018, 04:31:21 pm »
Update: PTI is now enabled by default on HardenedBSD 12-CURRENT/amd64. The retpoline patch has landed in both upstream llvm (https://reviews.llvm.org/D41723) HEAD and HardenedBSD 12-CURRENT/amd64. Packages are building with retpoline applied to the entire package repo.

HardenedBSD will likely be the first OS to ship with retpoline applied to the entirety of the operating system, spanning not only world and kernel, but also third-party applications in its package repository.
