Messages - lattera

#181
Quote from: yonas on May 10, 2016, 10:27:59 AM
If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?

Yup. I've got it on my list of things to do. However, ENOTIME. Remember that I make the OPNsense + HardenedBSD builds solely for my own purposes, but publish the builds in case anyone finds them useful. The way to upgrade right now is: backup config, reinstall, restore config. It'll be that way for some time until either someone hands me patches + an infrastructure or I get to it myself. With me buying my first home while working 80-110 hours a week while still running and maintaining HardenedBSD, you'll probably understand my lack of time.
#182
16.7 Legacy Series / Re: New HardenedBSD Build
May 04, 2016, 05:49:59 PM
FreeBSD has been going to town on code correctness, including fixing memory leaks in various places. Whether this fixes your specific memory leak is another issue. I'm unsure where your memory leak is coming from as it stands. However, I've got this build installed on multiple appliances and am keeping an eye on it.
#183
16.7 Legacy Series / Re: New HardenedBSD Build
May 04, 2016, 02:52:07 PM
New builds have been published. Usual caveats apply. To upgrade: backup your config, reinstall, restore config. This build includes the OpenSSL fixes and application of PIE + RELRO + BIND_NOW to more programs. You'll notice that I'm also not doing any Netgate builds and that I now support PC-Engines APU2.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-11-16.7/
#184
16.7 Legacy Series / Re: New HardenedBSD Build
April 19, 2016, 04:23:46 AM
Also, Weust, FreeBSD made changes to HYPERV thingies. Can you let me know if you upgrade and if it succeeds/fails?
#185
16.7 Legacy Series / Re: New HardenedBSD Build
April 19, 2016, 04:21:37 AM
I've now published a new build that has the pfSense and OPNsense vulnerability fixes, along with PIEified base and base compiled with RELRO + BIND_NOW (brand spankin' new features hot off the press from HardenedBSD). The usual caveats apply (no wireless, no pfsync, no binary updates) due to ENOTIME. Integriforce in whitelisting mode is still active and working flawlessly.

Download here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-10-16.7/

I'm running it with Suricata in IPS mode and OpenVPN client enabled at home. Let me know if you have any issues.
#186
16.7 Legacy Series / Re: Support List of WIFI cards?
April 17, 2016, 07:33:17 PM
Quote from: Solaris17 on April 17, 2016, 04:29:35 AM
I'm using the 16.7 alpha and the HBSD kernel. I'm trying to get my Intel wifi card to work as wifi. I have an AP which works great, actually; I'm just trying to get experience configuring them, because you never know. Unfortunately, while I can see my NIC, enabling it is a different beast entirely; I cannot set it to access point mode. It seems only capable of finding other networks.

Hey Solaris17,

If you're using the HardenedBSD-based build, wireless is broken. FreeBSD 11-CURRENT switched to a new wireless networking stack that prevents OPNsense's UI from working right with regards to wireless. Fixing this is on my list of things to do, but ENOTIME.

If you're looking for wireless capabilities, I'd suggest you run vanilla OPNsense.
#187
Quote from: franco on April 13, 2016, 12:34:26 AM
But looking at the smooth run it's merge time soon if Shawn agrees.

I tried finding a meme for "But of course!" but I couldn't really find one that fit my groove. So: YES! And yay!
#188
I'd first like to say thank you to Franco and the rest of the OPNsense team for working with me on this. Their continual focus on security and community development never ceases to impress me. They have been a delight to work with.

The ASLR patch that OPNsense imported came directly from HardenedBSD. Last week, I took a few hours to backport our patch from 11-CURRENT to a format that OPNsense could import into 10-STABLE and 10.2-RELEASE. Franco was extremely kind to help in testing the backported patch. I'd like to thank him for his efforts and contributions.

A patch for FreeBSD's own ASLR implementation has recently become available. Being a fresh effort, it will require more work and peer review before it is included in FreeBSD. And it is actually ASR, not ASLR. Due to being ASR, it has the potential to fragment the virtual address space. If the virtual address space is fragmented enough, ASR could be disabled. FreeBSD's implementation also provides an API for non-root users to disable ASR for their own processes. HardenedBSD's implementation provides no such API and does not cause address space fragmentation issues. FreeBSD's patch under review can be found here: https://reviews.freebsd.org/D5603

No matter the architecture (amd64 vs i386 vs arm vs arm64, etc.), the HardenedBSD ASLR patch provides a performance impact so small that the authors of the patch (Oliver Pinter and myself) do not know how to accurately measure the impact.

As of this writing, OPNsense does not support building applications as Position-Independent Executables (PIEs). That will come soon. Compiling an application as a PIE allows that application to take full advantage of ASLR.

On amd64, compiling the application as a PIE incurs zero overhead. On i386, the performance impact could be as large as 12%. It's important to note that the overhead on i386 is _NOT_ due to HardenedBSD's ASLR implementation, but due to the i386 architecture. PIE on i386 places additional requirements that cause performance degradation.

HardenedBSD's ASLR implementation has proven to be rock solid over the multiple-year span it has been developed. It performs extremely well and, of all the BSD ASLR implementations, introduces the most entropy into the process' address space. I know of no other ASLR implementation that introduces 41 bits of entropy into the stack on amd64.
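Added example (editor's code, not HardenedBSD's or OPNsense's): the three build properties mentioned in this post and in the build announcements above (PIE, RELRO, BIND_NOW) are all visible in the ELF headers, so a practitioner can verify a binary was actually built that way instead of trusting the build notes. The checker below reads the ELF64 header, program headers and dynamic section directly; `build_sample_elf` constructs a non-loadable image with just those headers so the check can be exercised offline. The sample images, their layout and the FreeBSD OSABI byte are assumptions for the demonstration; the ELF constants are the standard gABI values.

```python
"""Check an ELF64 image for PIE, RELRO and BIND_NOW (added example, not HardenedBSD/OPNsense code)."""
import struct
import sys

# Standard ELF gABI constants.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<QQ")                 # Elf64_Dyn


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    has_interp = has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True      # rtld remaps this range read-only after relocation
        elif p_type == PT_INTERP:
            has_interp = True     # requests a dynamic linker: an executable, not a plain .so
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True  # all PLT/GOT relocations resolved at load time
    # A PIE is an ET_DYN object that still carries PT_INTERP; a shared library is ET_DYN without it.
    pie = e_type == ET_DYN and has_interp
    # Full RELRO needs both the RELRO segment and BIND_NOW; otherwise the GOT stays writable
    # until lazy binding has resolved every symbol, which is what partial RELRO means.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro, "bind_now": bind_now}


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-loadable image carrying only the headers the check inspects (assumption)."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    nph = 3 if relro else 2
    dyn_off = EHDR.size + PHDR.size * nph
    phdrs = [
        PHDR.pack(PT_INTERP, 4, dyn_off + len(dyn), 0, 0, 0, 0, 1),
        PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0x1000, 0x1000, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + bytes(8)  # ELFCLASS64, LSB, v1, FreeBSD OSABI
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/local/bin/suricata
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```

Run it against the binaries on one of these builds and compare with a vanilla OPNsense install of the same package; `readelf -h`, `readelf -l` and `readelf -d` show the same fields by hand if you want to cross-check the parser.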
#189
Quote from: franco on March 07, 2016, 08:29:23 PM
We're switching to FreeBSD 10.3 in 16.7 (or some time in the 16.1.x series depending on how smoothly that transition is). I will provide test builds as soon as 10.3 is officially out (end of this month). Hopefully, this will have driver updates you seek.

The problem is still in 10.3. It should be mostly resolved in 11-CURRENT with the new wireless networking stack. However, the new wireless networking stack breaks OPNsense. Fixing that is on my ever-growing list of things to do. I've started on it, but I need to get some spare cycles to finish it.

One way to help alleviate the problem on FreeBSD 10.x (but not fix it entirely) is to build with a non-SMP kernel. That has obvious drawbacks, though.

(Sorry to be a downer! Point is: there will be a solution for 11-CURRENT, but it'll take time.)
#190
16.7 Legacy Series / Re: New HardenedBSD Build
March 07, 2016, 09:33:51 AM
Thanks a lot, Franco! I appreciate it!
#191
16.7 Legacy Series / Re: New HardenedBSD Build
March 07, 2016, 04:23:04 AM
Quote from: weust on March 06, 2016, 10:25:52 PM
As before I will try out the installation on Hyper-V.
Hopefully the network adapter is detected this time.

Thanks! There have been a lot of Hyper-V related commits by upstream FreeBSD, especially related to networking.

Quote from: weust on March 06, 2016, 10:25:52 PM
Downloading has to wait a bit longer it seems.
The site it quite unresponsive atm. Getting time outs.

Hey Franco, think you could mirror the files? ;)
#192
16.7 Legacy Series / New HardenedBSD Build
March 06, 2016, 03:56:49 PM
I'm excited to announce yet another experimental OPNsense + HardenedBSD build! This build brings OpenSSL updates along with more HardenedBSD 11-CURRENT goodness. Also in the build is a brand spankin' new feature called Integriforce Whitelist.

Integriforce is a feature in which all executable files along with the shared objects they depend on in the filesystem are hashed. The hashes are loaded into the kernel and when it comes time to execute an application, the hash is checked. If the hash doesn't match, execution is forbidden. Where whitelisting comes into play is if an application or the shared objects it depends on is not in the list of hashes at all, execution is forbidden.

So, you get two things: data integrity of executables and application whitelisting. The NSA recently stated that application whitelisting along with exploit mitigations make their lives extremely difficult.

I haven't had the time to fix wireless (major changes involved), debug pfsync, or fix binary updates. So those usual caveats apply here. To update an existing installation: backup your config, reinstall, restore your config.

Download here
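Added example (editor's code, not the Integriforce or secadm implementation): a userland model of the policy described in this post, to make the two behaviours concrete. Hashes of each executable and of the shared objects it depends on are computed up front and handed to the "kernel" as a ruleset; at exec time every object in the dependency closure is re-hashed and compared, and in whitelist mode any object absent from the ruleset is refused outright. The in-memory filesystem, its contents and the dependency graph are constructed for the demonstration and stand in for the real files and for what the runtime linker would load.

```python
"""Userland model of Integriforce-style exec checks (added example, not HardenedBSD/secadm code)."""
import hashlib

# Constructed in-memory "filesystem": path -> file contents (not real binaries).
FS = {
    "/usr/local/bin/suricata": b"\x7fELF suricata build 1",
    "/usr/local/lib/libhtp.so.1": b"\x7fELF libhtp",
    "/lib/libc.so.7": b"\x7fELF libc",
    "/tmp/dropped": b"\x7fELF something nobody signed off on",
}
# Constructed dependency graph, standing in for what ld-elf.so.1 would map at exec time.
DEPS = {
    "/usr/local/bin/suricata": ["/usr/local/lib/libhtp.so.1", "/lib/libc.so.7"],
    "/tmp/dropped": ["/lib/libc.so.7"],
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_ruleset(fs: dict, paths) -> dict:
    """Hash every listed executable/shared object; this is what gets loaded into the 'kernel'."""
    return {p: sha256(fs[p]) for p in paths}


def closure(path: str, deps: dict) -> list:
    """The executable plus every shared object it transitively depends on, executable first."""
    seen, stack = [], [path]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.append(p)
            stack.extend(deps.get(p, []))
    return seen


def exec_check(ruleset: dict, fs: dict, deps: dict, path: str, whitelist: bool) -> tuple:
    """Decide whether exec(path) is allowed. Returns (allowed, reason)."""
    for obj in closure(path, deps):
        expected = ruleset.get(obj)
        if expected is None:
            if whitelist:
                return False, f"{obj}: not in ruleset (whitelist mode)"
            continue  # integrity-only mode: unlisted objects are simply not checked
        if sha256(fs[obj]) != expected:
            return False, f"{obj}: hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    rules = build_ruleset(FS, ["/usr/local/bin/suricata",
                               "/usr/local/lib/libhtp.so.1", "/lib/libc.so.7"])
    for target in ("/usr/local/bin/suricata", "/tmp/dropped"):
        for mode in (True, False):
            print(target, "whitelist" if mode else "integrity-only",
                  exec_check(rules, FS, DEPS, target, mode))
```

The point the model makes: a tampered libc fails the Suricata exec even though the Suricata binary itself is untouched, because the dependency closure is what gets checked, not just the file named in the exec call; and the dropped binary is refused in whitelist mode for the simple reason that nobody ever hashed it.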
#193
Quote from: interfaSys on February 05, 2016, 02:06:29 AM

  • Wasn't able to use vidcontrol to set the resolution higher
  • Many on screen backtraces. I know it doesn't help without actually showing the issues, but I just wanted to let others know. I think one of them was about if_rw if that exists? Lots of them about unionfs.

Apart from that, I ran the same netmap packet test I ran on 10.2 and there is the same realtek driver issue where the card locks up and stops processing packets.

I'm not sure why vidcontrol wouldn't work. Since I only use OPNSense on physical appliances that only have a serial port, it's not something I've tested. Keep in mind that these builds are mostly for my own use. I publish them in the hopes that someone else might find them useful. ;-)

The backtraces you're getting are safe to ignore. They're there because the WITNESS option is enabled, causing the kernel to check for something called a "lock order reversal." They're more for developers' eyes only. WITNESS is a good option to have enabled for security, but it does come at the cost of performance.

As far as your netmap issues are concerned, I have zero experience and knowledge in that area. If you experience it on official OPNSense builds, that means it's not an issue with HardenedBSD. But it's also good to know that it happens on both 11-CURRENT and 10.2-RELEASE.
#194
Hey All,

I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: https://hardenedbsd.org/~shawn/opnsense/hbsd-exp-08-16.1/

Future things to work on:

  • Wireless isn't working. This is likely due to the new 802.11 stack in FreeBSD 11-CURRENT causing issues with the network interface code in OPNSense. Part of the problem is that the raw wireless device is now hidden from `ifconfig`.
  • Binary updates are now not supported. I've yet to get time to work on binary updates. So, to update to a future version, you'll need to do the usual config backup, reinstall, config restore.
  • pfsync is still disabled. I'm unsure as to why this causes a kernel panic. If you are a C developer with time on your hands and want to tackle this, that'd be freaking awesome and very much appreciated.

For item #1, I've started work on getting wireless working with this commit: https://github.com/HardenedBSD/opnsense-core/commit/7c4dd2a6178343fa37880810ea94cadc141c0c78. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.

For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here: https://hardenedbsd.org/article/shawn-webb/2015-12-31/introducing-hardenedbsds-new-binary-updater

For item #3, I'll need help with this one. If I were to tackle this, I'd first redo the build, but with FreeBSD 11-CURRENT instead of HardenedBSD 11-CURRENT and see if the behavior matches. If it does, then it's not a problem with HardenedBSD. If it doesn't, then the behavior is specific to HardenedBSD. I currently don't have the time it would take to do these steps, but I'd certainly love to help someone debug this if they have the time.

If anyone wants to dig into the pfsync issue, here's the crash I got:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 3; apic id = 06
instruction pointer     = 0x20:0xffffffff82c22050
stack pointer           = 0x28:0xfffffe024b62aa60
frame pointer           = 0x28:0xfffffe024b62aaf0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi1: pfsync)
#195
16.1 Legacy Series / Re: 16.1 on HardenedBSD 10.2?
January 31, 2016, 01:48:35 AM
And now Suricata compiled as a PIE and running in IPS mode.

It does create RWX mappings, though, so I need to double-check why. It doesn't on my HardenedBSD development laptop.

  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
19966      0x21b2d4b6000      0x21b2d6bb000 r-x  497  516   3   2 CN-- vn /usr/local/bin/suricata
19966      0x21b2d8ba000      0x21b2d8be000 r--    4    0   1   0 CN-- vn /usr/local/bin/suricata
19966      0x21b2d8be000      0x21b2d8c0000 rw-    2    0   1   0 C--- vn /usr/local/bin/suricata
19966      0x21b2d8c0000      0x21b2d8fa000 rw-   55   55   1   0 C--- df
19966      0x2846e3a9000      0x2846e3c8000 r-x   31   32  81  35 CN-- vn /libexec/ld-elf.so.1
19966      0x2846e3c8000      0x2846e3d0000 rw-    8    8   1   0 C--- df
19966      0x2846e3d0000      0x2846e3d1000 rw-    1    1   1   0 ---- df
19966      0x2846e3d1000      0x2846e3f5000 rw-   26   26   1   0 C--- df
19966      0x2846e3f5000      0x2846e5c5000 rwx  452  452   1   0 ---- df
19966      0x2846e5c7000      0x2846e5c8000 rw-    1    0   1   0 CN-- vn /libexec/ld-elf.so.1
19966      0x2846e5c8000      0x2846e5c9000 rw-    1    1   1   0 C--- df
19966      0x2846e5c9000      0x2846e5d6000 r-x   13   13   2   1 CN-- vn /usr/local/lib/libjansson.so.4.7.0
19966      0x2846e5d6000      0x2846e7d5000 ---    0    0   1   0 CN-- df
19966      0x2846e7d5000      0x2846e7d6000 rw-    1    0   1   0 C--- vn /usr/local/lib/libjansson.so.4.7.0
19966      0x2846e7d6000      0x2846e7ee000 r-x   24   25  20   7 CN-- vn /lib/libthr.so.3
19966      0x2846e7ee000      0x2846e9ee000 ---    0    0   1   0 CN-- df
19966      0x2846e9ee000      0x2846e9ef000 rw-    1    0   1   0 C--- vn /lib/libthr.so.3
19966      0x2846e9ef000      0x2846e9fb000 rw-   11   11   1   0 C--- df
19966      0x2846e9fb000      0x2846ea44000 r-x   57   59   4   2 CN-- vn /lib/libpcap.so.8
19966      0x2846ea44000      0x2846ec44000 ---    0    0   1   0 CN-- df
19966      0x2846ec44000      0x2846ec46000 rw-    2    0   1   0 CN-- vn /lib/libpcap.so.8
19966      0x2846ec46000      0x2846ec47000 rw-    0    0   0   0 ---- --
19966      0x2846ec47000      0x2846ecbc000 r-x  117  125  14   4 CN-- vn /usr/local/lib/libpcre.so.1.2.5
19966      0x2846ecbc000      0x2846eebb000 ---    0    0   1   0 CN-- df
19966      0x2846eebb000      0x2846eebc000 rw-    1    0   1   0 C--- vn /usr/local/lib/libpcre.so.1.2.5
19966      0x2846eebc000      0x2846f030000 r-x  372  390  81  35 CN-- vn /lib/libc.so.7
19966      0x2846f030000      0x2846f22f000 ---    0    0   1   0 CN-- df
19966      0x2846f22f000      0x2846f23a000 rw-   11    0   1   0 C--- vn /lib/libc.so.7
19966      0x2846f23a000      0x2846f253000 rw-   13   13   1   0 C--- df
19966      0x2846f253000      0x2846f271000 r-x   30   31   2   1 CN-- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966      0x2846f271000      0x2846f471000 ---    0    0   1   0 CN-- df
19966      0x2846f471000      0x2846f472000 rw-    1    0   1   0 C--- vn /usr/local/lib/libhtp-0.5.18.so.1.0.0
19966      0x2846f472000      0x2846f48f000 r-x   29   29   2   1 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966      0x2846f48f000      0x2846f68e000 ---    0    0   1   0 CN-- df
19966      0x2846f68e000      0x2846f68f000 rw-    1    0   1   0 CN-- vn /usr/local/lib/libyaml-0.so.2.0.4
19966      0x2846f68f000      0x2846f6ad000 r-x   30   31   2   1 CN-- vn /usr/lib/libmagic.so.4
19966      0x2846f6ad000      0x2846f8ac000 ---    0    0   1   0 CN-- df
19966      0x2846f8ac000      0x2846f8ae000 rw-    2    0   1   0 C--- vn /usr/lib/libmagic.so.4
19966      0x2846f8ae000      0x2846f8c3000 r-x   21   22   2   1 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966      0x2846f8c3000      0x2846fac3000 ---    0    0   1   0 CN-- df
19966      0x2846fac3000      0x2846fac4000 rw-    1    0   1   0 CN-- vn /usr/local/lib/libnet11/libnet.so.1.7.0
19966      0x2846fac4000      0x2846fac6000 rw-    0    0   0   0 ---- --
19966      0x2846fac6000      0x2846fbbf000 r-x   32   42   2   1 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966      0x2846fbbf000      0x2846fdbf000 ---    0    0   1   0 CN-- df
19966      0x2846fdbf000      0x2846fdc1000 rw-    2    0   1   0 CN-- vn /usr/local/lib/libiconv.so.2.5.1
19966      0x2846fdc1000      0x2846fdd7000 r-x   22   23  16   5 CN-- vn /lib/libz.so.6
19966      0x2846fdd7000      0x2846ffd7000 ---    0    0   1   0 CN-- df
19966      0x2846ffd7000      0x2846ffd8000 rw-    1    0   1   0 C--- vn /lib/libz.so.6
19966      0x2846ffd8000      0x2846fff8000 rwx   32   32   1   0 ---- df
19966      0x28470000000      0x28472000000 rw- 7678 7678   1   0 C--- df
19966      0x28472000000      0x28473a00000 rw- 6654 6654   1   0 --S- df
19966      0x28473a00000      0x28473db4000 rw-  144  152   1   0 CN-- vn /usr/share/misc/magic.mgc
19966      0x28473db4000      0x28473df4000 rwx   64   64   1   0 ---- df
19966      0x28473e00000      0x28474e00000 rw- 4094 73627  16   0 --S- df
19966      0x28474e00000      0x28474e30000 rwx   48 73627  16   0 ---- df
19966      0x28474e30000      0x28475000000 rwx  445  445   1   0 ---- df
19966      0x28475000000      0x28475e00000 rw- 3584 73627  16   0 --S- df
19966      0x28475e00000      0x28475e10000 rwx   16 73627  16   0 ---- df
19966      0x28475e10000      0x28476000000 rwx  489  489   1   0 ---- df
19966      0x28476000000      0x28477800000 rw- 6144 73627  16   0 --S- df
19966      0x28477800000      0x28477810000 rwx   16 73627  16   0 ---- df
19966      0x28477810000      0x28477a00000 rwx  496  496   1   0 ---- df
19966      0x28477a00000      0x28478600000 rw- 3072 73627  16   0 --S- df
19966      0x28478600000      0x28478640000 rwx   64 73627  16   0 ---- df
19966      0x28478640000      0x28478800000 rwx  448  448   1   0 ---- df
19966      0x28478800000      0x28479200000 rw- 2560 73627  16   0 --S- df
19966      0x28479200000      0x28479220000 rwx   32 73627  16   0 ---- df
19966      0x28479220000      0x28479400000 rwx  480  480   1   0 ---- df
19966      0x28479400000      0x28479e00000 rw- 2560 73627  16   0 --S- df
19966      0x28479e00000      0x28479e20000 rwx   26 73627  16   0 ---- df
19966      0x2847a000000      0x28482000000 rw- 32723 73627  16   0 --S- df
19966      0x28482000000      0x28482400000 rw- 1024 1024   1   0 --S- df
19966      0x28482400000      0x28482e00000 rw- 2560 73627  16   0 --S- df
19966      0x28482e00000      0x28484000000 rw- 4608 4608   1   0 --S- df
19966      0x28484000000      0x28484800000 rw- 1792 73627  16   0 --S- df
19966      0x28484800000      0x28485200000 rw- 2560 12800   2   0 --S- df
19966      0x28485200000      0x28486400000 rw- 2628 2628   1   0 ---- df
19966      0x28487800000      0x2848a000000 rw- 10240 12800   2   0 --S- df
19966      0x2848a800000      0x2848e000000 rw- 14336 73627  16   0 --S- df
19966      0x2848e000000      0x284a2721000 rw- 2586 2586   1   0 ---- dv
19966     0x7ad66f713000     0x7ad66f733000 rw-    3    3   1   0 ---D df
19966     0x7ad66f914000     0x7ad66f934000 rw-    1    1   1   0 ---D df
19966     0x7ad66fb15000     0x7ad66fb35000 rw-    2    2   1   0 ---D df
19966     0x7ad66fd16000     0x7ad66fd36000 rw-    3    3   1   0 ---D df
19966     0x7ad66ff17000     0x7ad66ff37000 rw-    5    5   1   0 ---D df
19966     0x7ad670118000     0x7ad670138000 rw-   10   10   1   0 ---D df
19966     0x7ad670138000     0x7ad670139000 ---    0    0   0   0 ---- --
19966     0x7ad6b00d9000     0x7ad6b0119000 rw-   37   37   1   0 C--D df
19966     0x7ad6b0119000     0x7ad6b0139000 rw-   32   32   1   0 C--- df
19966     0x7fa588f4b000     0x7fa588f4c000 r-x    1    1  49   0 ---- ph

http://imgur.com/2ne88hd
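Added example (editor's code, not part of the post): the listing above is `procstat -v` output, and the thing worth pulling out of it automatically is every mapping that is both writable and executable, with its size and whether it is file-backed or anonymous. The parser below does that over a handful of lines copied from the listing above (the `SAMPLE` constant; the column layout is the one shown in the post and is assumed to be stable for the purpose of the example). Run it on a live box with `procstat -v <pid> | python3 rwx.py`.

```python
"""Flag writable+executable mappings in procstat -v output (added example, not OPNsense code)."""
import sys

# Lines taken from the procstat -v listing in the post above (constructed subset).
SAMPLE = """\
  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
19966      0x21b2d4b6000      0x21b2d6bb000 r-x  497  516   3   2 CN-- vn /usr/local/bin/suricata
19966      0x2846e3d1000      0x2846e3f5000 rw-   26   26   1   0 C--- df
19966      0x2846e3f5000      0x2846e5c5000 rwx  452  452   1   0 ---- df
19966      0x28473a00000      0x28473db4000 rw-  144  152   1   0 CN-- vn /usr/share/misc/magic.mgc
19966      0x28473db4000      0x28473df4000 rwx   64   64   1   0 ---- df
19966     0x7fa588f4b000     0x7fa588f4c000 r-x    1    1  49   0 ---- ph
"""


def parse_mappings(text: str) -> list:
    """Parse procstat -v lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].isdigit():
            continue  # header line or garbage
        start, end = int(fields[1], 16), int(fields[2], 16)
        rows.append({
            "pid": int(fields[0]),
            "start": start,
            "end": end,
            "size": end - start,
            "prot": fields[3],
            "res_pages": int(fields[4]),
            "flags": fields[8],
            "type": fields[9],                        # vn = vnode-backed, df = default/anonymous
            "path": fields[10] if len(fields) > 10 else None,
        })
    return rows


def find_wx(text: str) -> list:
    """Mappings that are writable and executable at the same time."""
    return [m for m in parse_mappings(text) if "w" in m["prot"] and "x" in m["prot"]]


def summarize(text: str) -> dict:
    """Counts a reviewer would want before deciding whether the RWX regions need explaining."""
    wx = find_wx(text)
    return {
        "wx_count": len(wx),
        "wx_bytes": sum(m["size"] for m in wx),
        "anonymous": sum(1 for m in wx if m["path"] is None),
        "file_backed": sum(1 for m in wx if m["path"] is not None),
    }


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for m in find_wx(data):
        print(f"{m['start']:#x}-{m['end']:#x} {m['prot']} {m['size']:>9} bytes "
              f"{m['type']} {m['path'] or '(anonymous)'}")
    print(summarize(data))
```

Anonymous RWX regions of this shape usually come from a JIT, a custom allocator or a library that asks for `PROT_EXEC` on its heap; the listing alone does not say which, so the next step is to find who created them (for instance by breaking on `mmap` and `mprotect` in the debugger) rather than to guess.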