OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of lattera »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - lattera

Pages: 1 ... 10 11 [12]
166
16.1 Legacy Series / Re: OPNSense 16.1.1 + HardenedBSD 11-CURRENT
« on: February 05, 2016, 02:21:03 am »
Quote from: interfaSys on February 05, 2016, 02:06:29 am
-
  • Wasn't able to use vidcontrol to set the resolution higher
  • Many on screen backtraces. I know it doesn't help without actually showing the issues, but I just wanted to let others know. I think one of them was about if_rw if that exists? Lots of them about unionfs.

Apart from that, I ran the same netmap packet test I ran on 10.2 and there is the same realtek driver issue where the card locks up and stops processing packets.

I'm not sure why vidcontrol wouldn't work. Since I only use OPNSense on physical appliances that only have a serial port, it's not something I've tested. Keep in mind that these builds are mostly for my own use. I publish them in the hopes that someone else might find them useful. ;-)

The backtraces you're getting are safe to ignore. They're there because the WITNESS option is enabled, causing the kernel to check for something called a "lock order reversal." They're more for developers eyes only. WITNESS is a good option to have enabled for security, but it does come at the cost of performance.

As far as your netmap issues are concerned, I have zero experience and knowledge in that area. If you experience it on official OPNSense builds, that means it's not an issue with HardenedBSD. But it's also good to know that it happens on both 11-CURRENT and 10.2-RELEASE.

167
16.1 Legacy Series / OPNSense 16.1.1 + HardenedBSD 11-CURRENT
« on: February 01, 2016, 11:15:54 pm »
Hey All,

I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-08-16.1/

Future things to work on:

  • Wireless isn't working. This is likely due to the new 802.11 stack in FreeBSD 11-CURRENT causing issues with the network interface code in OPNSense. Part of the problem is that the raw wireless device is now hidden from `ifconfig`.
  • binary updates are now not supported. I've yet to get time to work on binary updates. So, to update to a future version, you'll need to do the usual config backup, reinstall, config restore.
  • pfsync is still disabled. I'm unsure as to why this causes a kernel panic. If you are a C developer with time on your hands and want to tackle this, that'd be freaking awesome and very much appreciated.

For item #1, I've started work on getting wireless working with this commit: https://github.com/HardenedBSD/opnsense-core/commit/7c4dd2a6178343fa37880810ea94cadc141c0c78. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.

For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here: https://hardenedbsd.org/article/shawn-webb/2015-12-31/introducing-hardenedbsds-new-binary-updater

For item #3, I'll need help with this one. If I were to tackle this, I'd first redo the build, but with FreeBSD 11-CURRENT instead of HardenedBSD 11-CURRENT and see if the behavior matches. If it does, then it's not a problem with HardenedBSD. If it doesn't, then the behavior is specific to HardenedBSD. I currently don't have the time it would take to do these steps, but I'd certainly love to help someone debug this if they have the time.

If anyone wants to dig into the pfsync issue, here's the crash I got:

Code: [Select]
Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 06
instruction pointer     = 0x20:0xffffffff82c22050
stack pointer           = 0x28:0xfffffe024b62aa60
frame pointer           = 0x28:0xfffffe024b62aaf0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)

168
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
« on: January 31, 2016, 01:48:35 am »
And now Suricata compiled as a PIE and running in IPS mode.

It does create RWX mappings, though, so I need to double-check why. It doesn't on my HardenedBSD development laptop.

Code: [Select]
  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
19966      0x21b2d4b6000      0x21b2d6bb000 r-x  497  516   3   2 CN-- vn /usr/local/bin/suricata
19966      0x21b2d8ba000      0x21b2d8be000 r--    4    0   1   0 CN-- vn /usr/local/bin/suricata
19966      0x21b2d8be000      0x21b2d8c0000 rw-    2    0   1   0 C--- vn /usr/local/bin/suricata
19966      0x21b2d8c0000      0x21b2d8fa000 rw-   55   55   1   0 C--- df
19966      0x2846e3a9000      0x2846e3c8000 r-x   31   32  81  35 CN-- vn /libexec/ld-elf.so.1
19966      0x2846e3c8000      0x2846e3d0000 rw-    8    8   1   0 C--- df
19966      0x2846e3d0000      0x2846e3d1000 rw-    1    1   1   0 ---- df
19966      0x2846e3d1000      0x2846e3f5000 rw-   26   26   1   0 C--- df
19966      0x2846e3f5000      0x2846e5c5000 rwx  452  452   1   0 ---- df
19966      0x2846e5c7000      0x2846e5c8000 rw-    1    0   1   0 CN-- vn /libexec/ld-elf.so.1
19966      0x2846e5c8000      0x2846e5c9000 rw-    1    1   1   0 C--- df
19966      0x2846e5c9000      0x2846e5d6000 r-x   13   13   2   1 CN-- vn /usr/local/lib/libjansson.so.4.7.0
19966      0x2846e5d6000      0x2846e7d5000 ---    0    0   1   0 CN-- df
19966      0x2846e7d5000      0x2846e7d6000 rw-    1    0   1   0 C--- vn /usr/local/lib/libjansson.so.4.7.0
19966      0x2846e7d6000      0x2846e7ee000 r-x   24   25  20   7 CN-- vn /lib/libthr.so.3
19966      0x2846e7ee000      0x2846e9ee000 ---    0    0   1   0 CN-- df
19966      0x2846e9ee000      0x2846e9ef000 rw-    1    0   1   0 C--- vn /lib/libthr.so.3
19966      0x2846e9ef000      0x2846e9fb000 rw-   11   11   1   0 C--- df
19966      0x2846e9fb000      0x2846ea44000 r-x   57   59   4   2 CN-- vn /lib/libpcap.so.8
19966      0x2846ea44000      0x2846ec44000 ---    0    0   1   0 CN-- df
19966      0x2846ec44000      0x2846ec46000 rw-    2    0   1   0 CN-- vn /lib/libpcap.so.8
19966      0x2846ec46000      0x2846ec47000 rw-    0    0   0   0 ---- --
19966      0x2846ec47000      0x2846ecbc000 r-x  117  125  14   4 CN-- vn /usr/local/lib/libpcre.so.1.2.5
19966      0x2846ecbc000      0x2846eebb000 ---    0    0   1   0 CN-- df
19966      0x2846eebb000      0x2846eebc000 rw-    1    0   1   0 C--- vn /usr/local/lib/libpcre.so.1.2.5
19966      0x2846eebc000      0x2846f030000 r-x  372  390  81  35 CN-- vn /lib/libc.so.7
19966      0x2846f030000      0x2846f22f000 ---    0    0   1   0 CN-- df
19966      0x2846f22f000      0x2846f23a000 rw-   11    0   1   0 C--- vn /lib/libc.so.7
19966      0x2846f23a000      0x2846f253000 rw-   13   13   1   0 C--- df
19966      0x2846f253000      0x2846f271000 r-x   30   31   2   1 CN-- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966      0x2846f271000      0x2846f471000 ---    0    0   1   0 CN-- df
19966      0x2846f471000      0x2846f472000 rw-    1    0   1   0 C--- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966      0x2846f472000      0x2846f48f000 r-x   29   29   2   1 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966      0x2846f48f000      0x2846f68e000 ---    0    0   1   0 CN-- df
19966      0x2846f68e000      0x2846f68f000 rw-    1    0   1   0 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966      0x2846f68f000      0x2846f6ad000 r-x   30   31   2   1 CN-- vn /usr/lib/libmagic.so.4
19966      0x2846f6ad000      0x2846f8ac000 ---    0    0   1   0 CN-- df
19966      0x2846f8ac000      0x2846f8ae000 rw-    2    0   1   0 C--- vn /usr/lib/libmagic.so.4
19966      0x2846f8ae000      0x2846f8c3000 r-x   21   22   2   1 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966      0x2846f8c3000      0x2846fac3000 ---    0    0   1   0 CN-- df
19966      0x2846fac3000      0x2846fac4000 rw-    1    0   1   0 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966      0x2846fac4000      0x2846fac6000 rw-    0    0   0   0 ---- --
19966      0x2846fac6000      0x2846fbbf000 r-x   32   42   2   1 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966      0x2846fbbf000      0x2846fdbf000 ---    0    0   1   0 CN-- df
19966      0x2846fdbf000      0x2846fdc1000 rw-    2    0   1   0 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966      0x2846fdc1000      0x2846fdd7000 r-x   22   23  16   5 CN-- vn /lib/libz.so.6
19966      0x2846fdd7000      0x2846ffd7000 ---    0    0   1   0 CN-- df
19966      0x2846ffd7000      0x2846ffd8000 rw-    1    0   1   0 C--- vn /lib/libz.so.6
19966      0x2846ffd8000      0x2846fff8000 rwx   32   32   1   0 ---- df
19966      0x28470000000      0x28472000000 rw- 7678 7678   1   0 C--- df
19966      0x28472000000      0x28473a00000 rw- 6654 6654   1   0 --S- df
19966      0x28473a00000      0x28473db4000 rw-  144  152   1   0 CN-- vn /usr/share/misc/magic.mgc
19966      0x28473db4000      0x28473df4000 rwx   64   64   1   0 ---- df
19966      0x28473e00000      0x28474e00000 rw- 4094 73627  16   0 --S- df
19966      0x28474e00000      0x28474e30000 rwx   48 73627  16   0 ---- df
19966      0x28474e30000      0x28475000000 rwx  445  445   1   0 ---- df
19966      0x28475000000      0x28475e00000 rw- 3584 73627  16   0 --S- df
19966      0x28475e00000      0x28475e10000 rwx   16 73627  16   0 ---- df
19966      0x28475e10000      0x28476000000 rwx  489  489   1   0 ---- df
19966      0x28476000000      0x28477800000 rw- 6144 73627  16   0 --S- df
19966      0x28477800000      0x28477810000 rwx   16 73627  16   0 ---- df
19966      0x28477810000      0x28477a00000 rwx  496  496   1   0 ---- df
19966      0x28477a00000      0x28478600000 rw- 3072 73627  16   0 --S- df
19966      0x28478600000      0x28478640000 rwx   64 73627  16   0 ---- df
19966      0x28478640000      0x28478800000 rwx  448  448   1   0 ---- df
19966      0x28478800000      0x28479200000 rw- 2560 73627  16   0 --S- df
19966      0x28479200000      0x28479220000 rwx   32 73627  16   0 ---- df
19966      0x28479220000      0x28479400000 rwx  480  480   1   0 ---- df
19966      0x28479400000      0x28479e00000 rw- 2560 73627  16   0 --S- df
19966      0x28479e00000      0x28479e20000 rwx   26 73627  16   0 ---- df
19966      0x2847a000000      0x28482000000 rw- 32723 73627  16   0 --S- df
19966      0x28482000000      0x28482400000 rw- 1024 1024   1   0 --S- df
19966      0x28482400000      0x28482e00000 rw- 2560 73627  16   0 --S- df
19966      0x28482e00000      0x28484000000 rw- 4608 4608   1   0 --S- df
19966      0x28484000000      0x28484800000 rw- 1792 73627  16   0 --S- df
19966      0x28484800000      0x28485200000 rw- 2560 12800   2   0 --S- df
19966      0x28485200000      0x28486400000 rw- 2628 2628   1   0 ---- df
19966      0x28487800000      0x2848a000000 rw- 10240 12800   2   0 --S- df
19966      0x2848a800000      0x2848e000000 rw- 14336 73627  16   0 --S- df
19966      0x2848e000000      0x284a2721000 rw- 2586 2586   1   0 ---- dv
19966     0x7ad66f713000     0x7ad66f733000 rw-    3    3   1   0 ---D df
19966     0x7ad66f914000     0x7ad66f934000 rw-    1    1   1   0 ---D df
19966     0x7ad66fb15000     0x7ad66fb35000 rw-    2    2   1   0 ---D df
19966     0x7ad66fd16000     0x7ad66fd36000 rw-    3    3   1   0 ---D df
19966     0x7ad66ff17000     0x7ad66ff37000 rw-    5    5   1   0 ---D df
19966     0x7ad670118000     0x7ad670138000 rw-   10   10   1   0 ---D df
19966     0x7ad670138000     0x7ad670139000 ---    0    0   0   0 ---- --
19966     0x7ad6b00d9000     0x7ad6b0119000 rw-   37   37   1   0 C--D df
19966     0x7ad6b0119000     0x7ad6b0139000 rw-   32   32   1   0 C--- df
19966     0x7fa588f4b000     0x7fa588f4c000 r-x    1    1  49   0 ---- ph

http://imgur.com/2ne88hd

169
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
« on: January 30, 2016, 09:28:37 pm »
Here's a little teaser. There's a couple things I gotta do to cleanup, then I'll update to 16.1.1 when that comes out for OpenSSL SA goodness. Then I'll publish the build.

http://imgur.com/1kZLoXZ

170
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
« on: January 30, 2016, 02:20:29 am »
It's official: I've started work on the HardenedBSD + OPNSense 16.1. I'll hopefully have a build I myself will test this weekend and push out for general availability by the end of next week.

171
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
« on: January 18, 2016, 05:09:51 pm »
FreeBSD / HardenedBSD 10-STABLE is great to use. However, there are certain enhancements from FreeBSD 11-CURRENT (which HardenedBSD syncs from every six hours) that I myself need (mainly, the updates to the ath(4) driver). Though I publish these builds for others to use, they're primarily for my own usage. I just publish them in the hope that others find them useful.

So, I will be basing my OPNSense + HardenedBSD builds based on 11-CURRENT (and, when 11.0 comes out, 11-STABLE). The biggest problem is the changes to the 802.11 stack that remove the raw wireless devices from  ifconfig output. That throws a wrench into OPNSense (and I'll assume pfSense as well, though since I have no way to produce my own builds, I can't verify). I'm very slowly working to resolve that issue. My next builds will be published regardless of the status of the fix.

My time is extremely limited these days. I'm holding off doing new builds until 16.1 is published. Once that's published, I need to forward-port my custom patches to our forked OPNSense code. I probably won't release any builds until 16.1.1 (it'll probably take around a week after 16.1 is published to finish the forward port).

With all that said, there's nothing stoping anyone from doing their own builds based on HardenedBSD 10-STABLE (or 10.2-RELEASE). I've even included instructions on how I do builds on my personal blog: http://0xfeedface.org/2015/11/07/hbsd-opnsense.html

Let me know if you have any questions, comments, or concerns.

172
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: December 04, 2015, 06:07:52 pm »
Cool! Thanks! It'll be another couple weeks before I can work further on the wireless issues. I've got a patch to core.git that I've yet to commit to hbsd's fork that starts the port. I need to get back with Adrian Chadd to see if the wireless issues I'm having on 11-CURRENT with hostap mode are specific to me or if he can reproduce. I'll be celebrating five years of marriage with my wife next week, so it'll be a while before I can finish this up.

173
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: November 30, 2015, 02:04:14 pm »
Yup. Both of these issues are caused by changes upstream (FreeBSD). Neither are caused by OPNSense.

174
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: November 28, 2015, 04:27:22 pm »
Here's a little status update and a sneak peek:

I have an 11-CURRENT build that I'm testing out. However, there are two issues:
  • pfsync kernel panic: I've disabled pfsync for now, so no HA setups.
  • Wireless non-functional: The wireless stack on FreeBSD 11-CURRENT has changed quite drastically. Wireless is broken. I've filed a bug report here: https://github.com/opnsense/core/issues/480.

I've also now figured out how to build for the Netgate APU4. My next builds will contain images for: generic, netgate rcc-ve 4860, and the netgate apu4. Please be aware that this build will require a full reinstallation, but backing up and restoring your config ought to work like normal. Going forward, I'll only be using -CURRENT.

Screenshot of a working test installation on my Netgate RCC-VE 4860: http://imgur.com/XVHcZV7

175
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: November 12, 2015, 05:56:59 pm »
I just documented my build setup: http://0xfeedface.org/2015/11/07/hbsd-opnsense.html

So I realize I just said that my latest build supports binary upgrades, but due to some issues with going from 15.7.16 to 15.7.18, I'm going to say that it's not possible to do a binary upgrade. There's also a few more changes I should make to the UI (like removing all the mirrors in one of the drop downs). I'm expecting to work on a new build any time within the next 30 days. I'm slightly on the busy side these days with work and a cute wife.

Thanks for all those who are helping test this!

176
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: October 03, 2015, 06:27:02 pm »
It ought to work once I get the right bits pushed to the web server. I've got a few high-priority things going on and will hopefully take care of that part by the end of October.

177
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: September 30, 2015, 07:29:09 pm »
New experimental builds posted! You can find them here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-06-15.7/

I still need to populate the package repo on our web server, but this build itself now supports binary updates.

178
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: September 30, 2015, 04:56:52 pm »
I can't speak for the OPNSense crew, but I'll be continuously providing builds based on HardenedBSD. I'm doing a new build now based on 15.7.15. :-) And I have all the bits in place to support binary updates along with managed secadm rule updates. Build seven will likely also include Integriforce rules for all of userland. :-)

179
15.7 Legacy Series / Re: HardenedBSD experimental builds
« on: September 02, 2015, 04:17:58 pm »
Shawn Webb here. Yeah, the HardenedBSD experimental builds support the same hardware as OPNSense. Build number six was going to happen yesterday, but will be delayed until next week at the earliest and October at the latest.

Please note that build five doesn't support binary updates, but build six will. So going from three to five (four is intentionally missing) or five to six you'll have to backup your config, reinstall, then restore your config. Versions six and onward will have the same binary upgrade capabilities you currently enjoy with OPNSense.

180
15.7 Legacy Series / Re: 15.7.6: transparent proxy, package mirror/flavour selection, ...
« on: August 03, 2015, 04:39:31 pm »
Great work. I'll look into this in a bit more detail as I get time. I'm hoping to create an OPNSense build that acts simply as a Tor transparent proxy.

Pages: 1 ... 10 11 [12]
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2