what the hell is a C++ compiler doing on my system ???

[Franck78]

Hello,

Searching for big files on my system I found really unexpected things on pfSense...

What are doing on a firewall production system compiler/linker and other tools ?

This is nut. This is like giving a saw to prisoner and make him swear to not use it to get out of jail !

I was a developper on IPCop 1.4 series and the rule was pretty simple : nothing that is strictly necessary to run the thing is included is the production .iso file. But you are free to install any addon you'd like.

On 19.1.1 you can compile "Hello wolrd" right out of the box. Insane. The distribution is bloated with header files, static libs and so on.

You can even ssh anywhere. What is ssh client doing here ?
Or things like pkg ??
A firewall is not an everyday workstation. Of course it must provide a basic env to administer the system ( sed, grep, find, vi, ...) but nothing more.

The addition of a required tool on ipcop was (simplified):
-describe the package (version, source, etc etc)
-snapshot of file structure
-build+install the tool
-snapshot to get new files added
-manually construc file list of required files to be in the final .iso
meaning all help files, man pages, examples, compilation files were never present on final product (and none of the compilers of course).

Franck

[phoenix]

Hello,

Searching for big files on my system I found really unexpected things on pfSense...

Shouldn't you be asking that on a pFsense forum?

[fabian]

I was a developper on IPCop 1.4 series and the rule was pretty simple : nothing that is strictly necessary to run the thing is included is the production .iso file. But you are free to install any addon you'd like.

If you plan to make a minimal distribution, this is correct. For that reason, the plugins pull in extra dependencies to keep the core smaller.

On 19.1.1 you can compile "Hello wolrd" right out of the box. Insane. The distribution is bloated with header files, static libs and so on.

This is normal everywhere except some desktop distributions. For example on Arch Linux the packages are also not split up in package and packange-devel. That's great because I hate searching which header files are missing (especially if they have strange names which has nothing to do with the package name).

You can even ssh anywhere. What is ssh client doing here ?

Because SSH is a legit protocol and can also be used for backups, git (opnsense-patch) etc.

Or things like pkg ??

pkg is used for updating or installing plugins.

A firewall is not an everyday workstation. Of course it must provide a basic env to administer the system ( sed, grep, find, vi, ...) but nothing more.

If we would strip it to that, it would be not more than a basic packet filter.

[franco]

I agree with employing a hardened / stripped down install, it's easily possible with the tools we provide and a bit of tinkering what is required and what is not.

The downside is what is required and what is not will consume all your time all the time down the road. Development efforts will slow down to a crawl if you need to remotely build something and push it over; people can't adjust their setups for their needs beyond our tiny plugins ecosystem (compared to FreeBSD ports with 20.000+ ports available).

You don't have a package manager in your hardened system? Just use fetch or PHP curl or Python requests to get a binary compatible one from FreeBSD.

You worry about shipping compilers in 2019? You have Perl and Python and PHP preinstalled and you can load any kinky compiler you want and bootstrap it by yourself or just use the FreeBSD binary packages. Packages are just fancy tar archives ready to be unpacked and started.

Then still, all malware can be precompiled and delivered via remote exploits if you don't worry about scripts at all.

You don't worry about the things that happen after you've been hit by a remote exploit.


Cheers,
Franco