HBSD SEGVGUARD errors on filterdns

[franco]

Hi Stefan,

NTP being deferred is normal, Suricata should not be able to print "deferred", because NTP is the only thing that does that as far as I know.

G620 is around 2011 - 2013, it should run amd64, but if it's not it (or the mainboard) may be damaged... it's hard to tell.

Filterdns is an old daemon that resolves host aliases to IP addresses for firewall operation. How many aliases do you have in terms of hosts in them?

From what I can see being added by Ad in the development version, filterdns will be removed for this particular use case with 18.1.


Cheers,
Franco

[Stefan]

Well then I look forward to 18.1!

[Stefan]

I have 31 aliases. Though the worst offenders are trouble no matter how you add then into the filter.

I use feeds where ever possible but a few of the biggest trouble makers mutate daily, so to speak. For example Tor exits and Linode (both are common visitors to my systems and websites). Both have a hand full of ASN's. But each of their ASNs will have 1400+ CIDRs all of which are /29, /30, and /31 networks (note that each those networks only have between 1 and 4 IP addresses each). There are about a dozen major trouble makers running thousands of small networks (/24 or smaller). These are the ones that are hard to handle.

[franco]

Hi Stefan,

Ok it would make sense that there is considerable pressure on filterdns to keep up to date which may cause this. I'm assuming that when ASLR triggers, it could be a latent bug in the filterdns code. I can ping this thread when we have confidence in the replacement if you are interested in trying the newer model before 18.1 is out officially.


Thank you,
Franco

[Stefan]

Thanks Franco,

Yes, I would be interested in being an early adopter. Other software companies even offer "nightly" builds to early adopters, including AutoDesk and an Austrian Mac based rules engine developer. Adding OPN into the fold would be something that I would enjoy doing.

Cheers,
Stefan

[franco]

Hi Stefan,

We do have a parallel development track and a private nightly build system ( https://nightly.opnsense.org/ ) ... but we are not confident it helps people to upgrade into untested packages and code, so we instead build one development package per release, which has a more consistent state.

Switching is easy:

# opnsense-update -t opnsense-devel

And switching back...

# opnsense-update -t opnsense

From both packages, you can use the latest code safely most of the time also:

# opnsense-code core
# cd /usr/core
# make upgrade

I've added a ping reminder in the ticket for the alias rework for later, see:

https://github.com/opnsense/core/issues/1971


Cheers,
Franco

[Stefan]

Thank you, Franco

[franco]

FYI: The opnsense-devel update going out with 17.7.11 tomorrow will no longer use filterdns at all.


Cheers,
Franco

[Stefan]

Fantastic, thank you! I look forward to the update.

[Stefan]

17.7.11  the same as 18.1.b_199?

[franco]

Hi Stefan,

We don't keep track of the pre RC builds, but 17.7.11's development version translates to 18.1.b_273. It just counts the commits on this track.


Cheers,
Franco

[Stefan]

Okay I'm in sync with things now.

[Stefan]

Switched to opnsense-devel. Much improved filter stability.

Now running LibreSSL, showed marked improvement in system wide performance when using high level cryptography. No loss of GUI accessibility.

[franco]

That's a good start. Thank your for testing!

[Stefan]

Saw attempted DDOS attack. The system held, no HBSD SEGVGUARD error. Although filterdns dumped to the console screen.

Updating to b_273 and will wait for next attack.