Re: [pfSense] Problems with apinger on 2.1-RELEASE
- Raimund Sacherer r...@logitravel.com wrote:

> Hello,
>
> I installed on the weekend our new firewall system. It consists of two Dell R210 with Intel (igb) 2-port interface cards. The old system was 2.0-RELEASE.
>
> We have 11 gateways configured, it's a mix of WANs and LAN-type interconnects with 2 other companies. We have a couple of ADSLs, a 10Mbit fiber and 2 100Mbit fiber WANs.
>
> The apinger works perfectly on the 2.0-RELEASE. In the 2.1-RELEASE I have the following problems:
>
> On Sunday I made the switch and I noticed that all gateways are marked as down, with status first pending, then unknown. In the logs I have a message which says that all gateways cannot be contacted and they are assumed online. Now without the apinger working correctly I did not configure the 2nd firewall out of fear that there will be problems, and I deactivated gateway monitoring.
>
> In the last two days I played around with the 2nd firewall and I noticed this: with up to 4 interfaces/gateways configured (out of the 11) everything works fine, I see stable behavior in the gateway section on the dashboard. Then I added one more interface and I saw problems in the dashboard, the lines went from online to unknown/pending. When I deactivated the last interface all went online again. I did not investigate further as I had to go.
>
> (After a couple of activate/deactivate cycles I had problems that activating the interface in the GUI and clicking save/apply did not configure the interface, ifconfig said it was simply not there, I had to execute /etc/rc.interfaces_opt_configure to get everything configured again. Not sure if this can occur if you have lots of tabs open to the firewall or if there is another configuration/GUI bug.)
>
> Today I configured 1 more interface and with 6 interfaces I see something really weird. The dashboard shows me that all lines are online (with RTT times which seem reasonable) for around 8 seconds, then it shows me unknown for about 20-30 seconds, then online for around 8 seconds again, then unknown... It seems the more interfaces you configure, the weirder the apinger behavior gets.
>
> I tried to copy the apinger from the 2.0-RELEASE and use it, but it also did not work as expected.
>
> I hope someone can find out what's wrong with apinger, because it definitely *is* a problem. I have seen a couple of people in the forums, and I think at least 2 bug reports; maybe it does not occur if you have only a couple of WANs.
>
> Tomorrow I will try to see if I can install the 2.0-RELEASE on this machine (I hope it can support the new hardware) because 2.0 was rock-solid for me (we had the FW with an uptime of 895 days without any signs of trouble). I am a little afraid of an upgrade to 2.1.1-RELEASE because there seem to be quite some troubling problems with this release as well ... :-(
>
> Thank you,
> Best regards,
> Raimund

Hello,

to confirm, today I installed 2.0-RELEASE and I do not have any apinger issues!

I am available for testing and if someone needs more detailed information about the NICs, config etc. We also bought support and I think I have a couple of hours left, which I would be willing to spend towards resolving this problem.

Best
Ray
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Problems with apinger on 2.1-RELEASE
Just a shot in the wild. Did you have state killing disabled in the setup?

Otherwise more information is needed on this. Normally apinger should be way better on 2.1 than it was on 2.0 because a lot of work went into that.

On Thu, Apr 10, 2014 at 6:27 PM, Raimund Sacherer r...@logitravel.com wrote:
> [...]
Re: [pfSense] 2.1.2-RELEASE up for testing
Any update to when the fix will be released?!

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: Wednesday, April 09, 2014 5:04 AM
To: pfSense support and discussion
Subject: Re: [pfSense] 2.1.2-RELEASE up for testing

Scratch that - that just missed a commit for another security fix, it's rebuilding now.

On Wed, Apr 9, 2014 at 3:48 AM, Chris Buechler c...@pfsense.org wrote:
> Normally we wouldn't put these out to the general public at this stage, but a few people are wanting the OpenSSL fix ASAP, and I already posted it to the forum. I've upgraded a handful of production systems and it seems fine, but still a number of things we'll verify before announcing it more widely and sending it to the mirrors and auto-update. I think this is what will become 2.1.2 release.
>
> https://files.pfsense.org/cmb/2.1.2-REL-testing/
>
> also mirrored at:
> http://files.nyi.pfsense.org/cmb/2.1.2-REL-testing/
>
> Those are signed and everything, just a matter of moving them into place if things test out fine.
Re: [pfSense] 2.1.2-RELEASE up for testing
The final testing (testing updates against the real update servers, which can't be effectively simulated) is happening now.

jim

On Apr 10, 2014, at 12:50 PM, k_o_l k_...@hotmail.com wrote:
> Any update to when the fix will be released?!
> [...]
Re: [pfSense] 2.1.2-RELEASE up for testing
On 10.04.2014 02:12, Jan wrote:
> Chris, any idea on the schedule?
>
> Cheers
>
> On 04/09/2014 05:03 PM Chris Buechler wrote:
> > Scratch that - that just missed a commit for another security fix, it's rebuilding now.
> > [...]

any news on that?
Re: [pfSense] 2.1.2-RELEASE up for testing
just the right time for me :)
[pfSense] pfSense 2.1.2 is released
https://blog.pfsense.org/?p=1253

pfSense release 2.1.2 is now available.

pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release. The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements:

• pfSense-SA-14_04.openssl
• FreeBSD-SA-14:06.openssl
• CVE-2014-0160 (Heartbleed)
• CVE-2014-0076 (ECDSA Flaw)

Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

• On packages that use row_helper, when the user clicks on an add or delete button, the page scrolls to top. #3569
• Correct a typo on function name in Captive Portal bandwidth allocation.
• Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance.
• Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591

You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc.
Re: [pfSense] pfSense 2.1.2 is released
Excellent work!!

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
Sent: Thursday, April 10, 2014 3:24 PM
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] pfSense 2.1.2 is released

[...]
Re: [pfSense] pfSense 2.1.2 is released
How do you revoke a CA certificate?

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
Sent: Thursday, April 10, 2014 3:24 PM
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] pfSense 2.1.2 is released

[...]
Re: [pfSense] pfSense 2.1.2 is released
On 10/04/2014 21:13, kol wrote:
> How do you revoke a CA certificate?

Export the CRL from whatever you use to manage your CA (I use TinyCA, I've no experience of using pfSense, this whole thing might well be even easier if you use pfSense).

In pfSense:
System - Cert Manager - Certificate Revocation - + paste in the CRL. It may have In Use: NO.
VPN - OpenVPN - server - Edit - Cryptographic Settings - Peer Certificate Revocation List - select the CRL.

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
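As an added example that is not part of the thread: the openssl CLI round trip behind the advice above (revoke the old certificate, generate the CRL, and check that verification with CRL checking actually rejects it before the CRL is pasted into pfSense and selected on the OpenVPN server). The CA, certificate names and paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA with the openssl
# CLI, issue a client cert, put it on a CRL and confirm that verification
# with CRL checking rejects it. All names and paths here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config for "openssl ca" / "openssl req"; nothing pfSense-specific.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName       = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# Self-signed CA, then a leaf cert it signs (standing in for an old VPN client cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=old-vpn-client" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -config "$WORK/ca.cnf" >/dev/null 2>&1
openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" >/dev/null 2>&1

# Regenerate the CRL and bundle it with the CA cert so "openssl verify" loads both.
refresh_crl() {
  openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca_bundle.pem"
}
# Prints "accepted" or "rejected" for a cert, with CRL checking enforced.
verify_with_crl() {
  if openssl verify -crl_check -CAfile "$WORK/ca_bundle.pem" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

refresh_crl
BEFORE=$(verify_with_crl "$WORK/leaf.crt")   # empty CRL: the cert is still accepted

openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" >/dev/null 2>&1
refresh_crl
AFTER=$(verify_with_crl "$WORK/leaf.crt")    # listed on the CRL: rejected

# Confirm the CRL really lists the leaf's serial, not just that verify failed.
LEAF_SERIAL=$(openssl x509 -in "$WORK/leaf.crt" -noout -serial | cut -d= -f2)
openssl crl -in "$WORK/ca.crl" -noout -text | grep -q "Serial Number: $LEAF_SERIAL" \
  && ON_CRL=yes || ON_CRL=no

echo "before revocation: $BEFORE; after revocation: $AFTER; serial on CRL: $ON_CRL"
```

The same `openssl verify -crl_check` run against your real CA bundle and an old certificate is a quick way to confirm the exported CRL covers it before relying on it in OpenVPN.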
Re: [pfSense] pfSense 2.1.2 is released
On Fri 11 Apr 2014 07:23:52 NZST +1200, Jim Thompson wrote:
> pfSense release 2.1.2 is now available.

Thank you for all the quick work!

May I ask though why this isn't simultaneously posted on pfsense-announce and pfsense-security-announce? In particular, if the security-announce list was to be used as a reliable source of critical information, posting the 2.1.2 release announcement with the heartbleed fix is not optional???

Thanks,
Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] pfSense 2.1.2 is released
Can we also get information as to which versions of pfSense are affected aside from 2.1.1? Or is 2.1.1 the only affected version?
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:10 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
> [...]
> May I ask though why this isn't simultaneously posted on pfsense-announce and pfsense-security-announce? In particular, if the security-announce list was to be used as a reliable source of critical information, posting the 2.1.2 release announcement with the heartbleed fix is not optional???

It was posted on announce@, but it seems that I'm moderated there. This is why my 2.1.1 release announcement was also held. I've pushed the message through.

security@ is for posting SAs

Jim
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:25 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> Can we also get information as to which versions of pfSense are affected aside from 2.1.1? Or is 2.1.1 the only affected version?

https://pfsense.org/security/advisories/pfSense-SA-14_04.openssl.asc
Re: [pfSense] pfSense 2.1.2 is released
On Fri 11 Apr 2014 09:27:07 NZST +1200, Jim Thompson wrote:
> It was posted on announce@, but it seems that I'm moderated there. This is why my 2.1.1 release announcement was also held. I've pushed the message through.

Setup glitches. Thanks!

> security@ is for posting SAs

Uhhmm, IMHO I don't really care what it's called, the relevant criterion for the user is whether I need to know about it. I would welcome an announcement list that mentions all security-related issues I need to be aware of when using pfsense, so that list can be monitored without the clutter of daily discussions. Like the Linux distro security lists, they're well organised with no irrelevant drivel.

To be honest, any security announcement list that doesn't mention the kind of problem like heartbleed looks like a complete waste of time to me!

Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
Re: [pfSense] pfSense 2.1.2 is released
On 4/10/2014 5:52 PM, Volker Kuhlmann wrote:
> [...]
> To be honest, any security announcement list that doesn't mention the kind of problem like heartbleed looks like a complete waste of time to me!
>
> Volker

The security@ email list is brand new. It's so we can announce issues like Heartbleed. People can filter on it etc. Any security issues we become aware of will be announced here, as security advisories.

The email list and page, we just started working on last week, prior to finding out about this, so we pushed them ahead along with the fixed version of pfsense. Pretty much all of this is being set up to get things to current best practices.

We're still working on this, and everything else, so we are open to suggestions and improvements as well as feedback. I think we'd be happy to host a security-discuss@ mailing list if people want that. The main goal for announce was to let people have a simple source for those security advisories.
[pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
Thanks go out to Chris, Jim and the whole pfSense team for what must be back-breaking work coming on the heels of the 2.1.1 release! This kind of commitment speaks volumes for the quality of products coming out of Netgate.

Yudhvir
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
+1

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

On Apr 10, 2014, at 20:18, Mehma Sarja mehmasa...@gmail.com wrote:
> [...]
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
It's much appreciated, thanks guys. Well done! :)

On 04/11/2014 09:18 AM Mehma Sarja wrote:
> [...]
Re: [pfSense] pfSense 2.1.2 is released
On Fri 11 Apr 2014 12:11:06 NZST +1200, Jeremy Porter wrote:
> The security@ email list is brand new. It's so we can announce issues like Heartbleed. People can filter on it etc. Any security issues we become aware of will be announced here, as security advisories.

Perhaps it would be useful to clarify the intended use/purpose of the lists, at
https://lists.pfsense.org/mailman/listinfo
Write a paragraph if needed, it doesn't have to be a one-liner for each list.

Is the intended purpose of the SAs to notify of a problem, to point users to a fix, or both? I am having the Linux distro security lists in mind[1], and there postings summarise the problem, point to the background, and state that the user needs to do X to deal with it. Only security-relevant issues are posted, not general bug fixes. I would find this method ideal for pfsense too because the noise is low. It should include problems with packages too - those not using the package don't need to read on. I do think all the actions the user needs to do (usually upgrades) need to be posted. If a fix is NA at the time of the problem notification then you need to post twice.

Perhaps I am mistaken about the pfsense fix for the heartbleed bug - but if the required, or even only recommended, fix is to upgrade to pfsense 2.1.2 then that must be posted on the security-announce@ too. The idea, well my idea, would be to only have to follow security-announce@ and from that to be sure that no security-relevant action is missed. The discussion list doesn't need that priority.

> The email list and page, we just started working on last week, prior to finding out about this, so we pushed them ahead along with the fixed version of pfsense.

Thanks for that! And thanks too for all the work to fix this openssl problem!

> I think we'd be happy to host a security-discuss@ mailing list if people want that.

Not for me. The normal discussion list should be fine. I was trying to raise the point of security announcements, not security itself.

Thanks again,
Volker

[1] Specifically, opensuse-security-announce
http://lists.opensuse.org/

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.