Re: [pfSense] CVE-2004-0230

2014-09-18 Thread Jim Thompson
Maybe a blog post about this?

-- Jim

 On Sep 18, 2014, at 10:01, Jim Pingle li...@pingle.org wrote:
 
 On 9/18/2014 8:55 AM, Martin Fuchs wrote:
 Does CVE-2004-0230 affect pfSense 2.1.5 ?
 
 As Vick mentions, practically the answer is 'no'.
 
 There are some rare cases when it might, however. It would require:
 
 1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all
 packet filtering")
 1a. Or the default rules were replaced by interface and floating rules
 in every direction set to 'no state'
 
 2. The firewall is still reachable by the attacker
 
 3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g.
 local services such as the GUI, packages such as haproxy or squid, etc,
 *NOT* WAN-to-LAN or LAN-to-DMZ type connections.
 
 If all of the above are true then it may be susceptible to the attack
 described in the FreeBSD SA.
 
 I don't think I have ever witnessed a setup that met all of those
 criteria, and even those that could meet the criteria wouldn't
 necessarily have long-lived connections for which such a TCP session
 reset would have any meaningful impact.
 
 We will have the fix in 2.2, but I'm not sure if there will be another
 2.1.x release at this time; we'll see what happens.
 
 Jim
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list
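Jim Pingle's three conditions describe when the host's own TCP stack, rather than pf's state table, ends up judging a stray RST segment. As an added illustration (not code from this thread, from pfSense or from FreeBSD), the Python below models the receiver-side decision that CVE-2004-0230 concerns: the legacy rule, under which any RST whose sequence number falls anywhere in the receive window aborts the connection, beside the RFC 5961 rule, under which only an RST at exactly the expected sequence number aborts and other in-window RSTs are answered with a challenge ACK. The receiver state and the probe sequence numbers are constructed; the model omits pf's state tracking and every other check a real stack performs.

```python
# Added example: a model of the receiver-side RST check that CVE-2004-0230
# concerns. Not code from the pfSense thread, from pfSense or from FreeBSD;
# the receiver state and the probe list below are constructed, and the model
# omits pf's state tracking and every other check a real stack makes.
from collections import Counter
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Receiver:
    rcv_nxt: int  # next sequence number the receiver expects from its peer
    rcv_wnd: int  # receive window it last advertised

    def in_window(self, seq: int) -> bool:
        """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32.
        The modulo keeps the test correct when the window straddles the wrap."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd


def legacy_rst_action(rx: Receiver, seq: int) -> str:
    """Pre-RFC-5961 rule: any RST whose sequence number is in the window
    aborts the connection, so rcv_wnd of the 2^32 values are accepted."""
    return "abort" if rx.in_window(seq) else "drop"


def rfc5961_rst_action(rx: Receiver, seq: int) -> str:
    """RFC 5961 section 3.2: only an RST at exactly rcv_nxt aborts. An RST
    elsewhere in the window is answered with a challenge ACK; a peer that
    really did reset replies with an RST carrying the exact number, while a
    forged one goes unanswered. Out-of-window RSTs are dropped as before."""
    if seq == rx.rcv_nxt:
        return "abort"
    if rx.in_window(seq):
        return "challenge-ack"
    return "drop"


def compare_policies(rx: Receiver, seqs):
    """Classify each RST sequence number under both rules.
    Returns a list of (seq, legacy_action, rfc5961_action)."""
    return [(s, legacy_rst_action(rx, s), rfc5961_rst_action(rx, s)) for s in seqs]


def summarize(results):
    """Count outcomes per policy: {"legacy": {...}, "rfc5961": {...}}."""
    legacy = Counter(action for _, action, _ in results)
    modern = Counter(action for _, _, action in results)
    return {"legacy": dict(legacy), "rfc5961": dict(modern)}


if __name__ == "__main__":
    # Constructed receiver state: expecting byte 1,000,000 with a 64 KiB window.
    rx = Receiver(rcv_nxt=1_000_000, rcv_wnd=65_535)
    # Constructed probes: just below, exact, mid-window, last in-window, first out.
    probes = [999_999, 1_000_000, 1_032_768, 1_065_534, 1_065_535]
    for seq, old, new in compare_policies(rx, probes):
        print(f"seq={seq:>10}  legacy={old:<13} rfc5961={new}")
    print(summarize(compare_policies(rx, probes)))

    # Constructed wrap-around case: the window crosses 2^32 -> 0.
    wrap = Receiver(rcv_nxt=SEQ_SPACE - 10, rcv_wnd=100)
    print("wrap, seq=5:", legacy_rst_action(wrap, 5), rfc5961_rst_action(wrap, 5))
```

Run as a script it prints one line per probe. Under the legacy rule three of the five probes abort the connection, so the advertised window, not the full 32-bit space, is what decides exposure; under RFC 5961 only the exact match aborts and the rest of the window draws a challenge ACK. The wrap-around case is included because a naive `rcv_nxt <= seq < rcv_nxt + rcv_wnd` comparison gets it wrong.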


Re: [pfSense] Develop Applications for pfseu

2014-09-10 Thread Jim Thompson

 On Sep 9, 2014, at 9:37 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 Hi Tom!
 
 You would be better suited contacting Electric Sheep Fencing 
 (http://www.electricsheepfencing.com/) directly for your how-to but you can 
 start with a few basic concepts:
 1) This system is running FreeBSD 8.3 at present (future systems may be 
 running FreeBSD 9 or 10)

You shouldn't bother with the 2.1.x train.  Go 2.2. 

There is no FreeBSD 9 based version of pfSense (nor will there ever be).

 2) Your best option would be SQLite and PHP - why? because I’ve been 
 developing in PHP since 2.3 days (current deployment is 5.5 but I am not sure 
 what version is installed and supported on the system)  and it’s pretty darn 
 user friendly.

PHP is version 5.5 in pfSense software version 2.2. 
https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes

There is some additional information here.
https://doc.pfsense.org/index.php/How_do_I_get_PHP_support_for_mysql,_sqlite,_sockets,_etc

 3) I would steer clear of C for one specific reason: it’s a royal pain in the 
 butt and most of your needs should be capable with PHP.

I am of exactly the opposite opinion.   I don't like PHP, but I am but one 
person. 

Right now we are focused on getting 2.2 to a production-ready state.  After 
that, there will be a focus on performance, and sometime after that, in the 3.0 
release planning, it is likely that a fundamental architecture re-design will 
occur.

Since this type of work is expensive in terms of time (and yes, time is money), 
this is an early heads up to an event on the horizon.  I won't say more now, 
other than I'm willing to reconsider every technical aspect of the product 
during this process.  It is unlikely that 32-bit x86 machines are supported on 
the other side of that event.  To be clear, 32-bit platforms continue to be 
viable for the 2.2 releases.

(Cue up the always wrong idiots who claim that this time they're right, and 
pfSense will no longer be open source after a 3.0 in 5...4...3...2...)

 Something to take note of is that not all installations are the same. Most of 
 my clients run on AMD Geode processors. My two firewalls at home are running 
 on Xeon 6-core VMs in VMWare ESXi, some people are running on dual and quad 
 core CPUs. RAM ranges from a minimum of 256MB on those supported ALIX boards 
 (I’m sure someone will correct me if I am wrong on this) up beyond 4GB (on 
 the new APU boards and VMs and other systems). Others have installed the 
 software on different desktop PCs running as dedicated systems - I have one 
 such that is running on an old Dell P4 with Hyper Threading.
 
 What experience do you have in application development - both desktop and web?
 
 —
 Ryan
 Publisher, d3photography.com
 
 
 
 On Sep 9, 2014, at 22:39, Tom Mody bug29...@gmail.com wrote:
 
 Hi,
 I have worked on pfsense this summer and I am really interested in 
 developing apps for packet analysing. 
 I have pfsense apps source code from github but didn't get how to work with 
 it.
 Please help me, how can I start writing apps for pfsense? 

Re: [pfSense] menu bar in safari on 2.1.5

2014-09-10 Thread Jim Thompson
More properly, the CSS file was updated, but we didn’t change the name (or 
‘version’), so your browser is using a stale, cached version.

jim

 On Sep 10, 2014, at 12:29 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 I had the issue too but all I had to do was flush my cache and it was cleared 
 up. There's a CSS file that's not updating. And it hits Safari more than other 
 browsers -- since they added the Gold menu. 
 
 On Sep 10, 2014, at 14:08, Josh Reynolds j...@spitwspots.com wrote:
 
 Having the same issue here, had to use the old sidebar theme.
 Josh Reynolds, Chief Information Officer
 SPITwSPOTS, www.spitwspots.com
 
 On 09/10/2014 04:09 AM, Toni Garcia wrote:
 Hello,
 
 I'm facing this exact problem using this theme with latest Firefox, Chrome 
 and Chromium. After clearing the cache I'm unable to see the complete menu 
 bar in one line, and System menu is really hard to access.
 
 Is it me, or is it a bug?
 
 Regards
 
 
 From: Vick Khera vi...@khera.org
 To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
 Sent: Friday, 29 August 2014 17:24:43
 Subject: Re: [pfSense] menu bar in safari on 2.1.5
 
 
 On Fri, Aug 29, 2014 at 11:17 AM, Jim Thompson j...@netgate.com wrote:
 Have you reloaded (the CSS changed) and/or cleared the browser cache?
 
 
 Yeah, just did that and it cleared up. Sorry for the noise.
 
 My failovers are all upgraded... waiting for later in the night to do the 
 primaries.
 
 
 
 
 -- 
 Toni Garcia
 Systems Technician
 
 Oracle Linux 6 Certified Implementation Specialist
 Oracle Certified Professional Solaris 10 System Administrator
 Oracle Certified Associate Solaris 11 System Administrator
 
 SISTEL
 Servicios Informáticos de Software y Telecomunicaciones
 Avd. Los Jarales, 4 (03010) ALICANTE
 
 TLF 965930080 - FAX 901021558
 www.sistel.es
 
 Please consider your environmental responsibility before printing this e-mail.
 
 
 

Re: [pfSense] Fwd: [Announce] 2.1.5 Release

2014-08-29 Thread Jim Thompson
again, the CSS changed, and the browsers love to cache that stuff.

On Fri, Aug 29, 2014 at 8:47 AM, Peder Rovelstad provels...@comcast.net wrote:

 I did note the Code Red color scheme wraps the page header bar, putting
 Help under System.   I have such problems...

 It did this for me a well, but holding the shift key down and doing a
 browser refresh fixed it.

 Doug

 And there you go.  Thanks!

 P


Re: [pfSense] menu bar in safari on 2.1.5

2014-08-29 Thread Jim Thompson
Have you reloaded (the CSS changed) and/or cleared the browser cache?

(I use Safari, too.)


On Fri, Aug 29, 2014 at 10:15 AM, Vick Khera vi...@khera.org wrote:

 In 2.1.5 pfsense_ng theme, you added a new menu bar item for the Gold
 support subscription.

 What this does in Safari is make the system menu unusable, as the Help
 menu wraps around and covers it. I can hover over the System menu and see
 the options, but when I try to go click on one, I pass over the Help menu
 and the popup switches to that list of options.

 See the screenshots of 2.1.4 vs. 2.1.5:
 
 [screenshots not reproduced in the archive]
 The primary reason I was using this theme is because it works in Safari...
 I guess I'll revert back to the old pfsense theme.


Re: [pfSense] pfSense hardware with commercial support.

2014-08-29 Thread Jim Thompson

 On Aug 29, 2014, at 10:19 AM, Vick Khera vi...@khera.org wrote:
 
 On Thu, Aug 28, 2014 at 3:37 AM, Ulrik Lunddahl u...@proconsult.dk wrote:
 Is there a difference in the software (firmware image)?
 
 Is there a difference in the bundled support?
 
 From what I can tell, the difference between the Netgate products and
 the pfSense store products is to whom you send payment. The same
 people seem to be providing the support. That said, I purchased my
 systems directly from the pfSense store (I got bigger units, not the
 little guys).

They’re built by the same people.
They’re shipped by the same people.
The same people provide support.
The same firmware files are used (and the same update files).

There are 2 companies, but they’re in the same office.

jim



Re: [pfSense] pfSense hardware with commercial support.

2014-08-29 Thread Jim Thompson

Not ‘DBAs’.  (Technically ‘Netgate’ is a DBA of “Rubicon Communications, LLC”, 
and pfSense is really “Electric Sheep Fencing, LLC”.  There is no “pfSense” DBA 
(though I’ve considered it).)


 On Aug 29, 2014, at 10:23 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 It is the same product - they are just two different vendors, really.
 
 And maybe they are the same but DBAs? I don't know, care, or worry about it. 
 The hardware lines that they share are the same thing. You just might get 
 more of something from one and not from the other.
 
 --
 Ryan
 
 
 On 8/29/2014 10:19 AM, Vick Khera wrote:
 On Thu, Aug 28, 2014 at 3:37 AM, Ulrik Lunddahl u...@proconsult.dk wrote:
 Is there a difference in the software (firmware image)?
 
 Is there a difference in the bundled support?
 From what I can tell, the difference between the Netgate products and
 the pfSense store products is to whom you send payment. The same
 people seem to be providing the support. That said, I purchased my
 systems directly from the pfSense store (I got bigger units, not the
 little guys).

Re: [pfSense] Netgate APU2 SSD module question

2014-08-28 Thread Jim Thompson
And I'm saying that you have to evaluate these things as systems, not the base 
level tech. 

 On Aug 28, 2014, at 8:06 AM, Espen Johansen pfse...@gmail.com wrote:
 All I'm saying is that a normal SLC cell can handle about 10 times more 
 writes than an MLC if everything else is the same. And as far as I can tell, 
 the ability to handle writes is the OP's main concern. An SLC based SDHC card 
 will have about 10 times longer life span in that regard.
 If you want it perfect then sure there are better options and technologies. 
 I'm just trying to make the choice an easy one based on what the OP asked. 
 There is always better, cheaper and faster tech just around the corner.
 
 On 27 Aug 2014 at 21:26, Jim Thompson j...@smallworks.com wrote:
 SD cards are storage, but not “disks” nor “drives”.
 
 Beyond m-SATA, eMMC is your best option.  Not only are they faster than SD 
 cards (speeds of the larger devices rival those of traditional SSDs, as well 
 as supporting a “TRIM”-like operation, priority interruptible READ and ERASE 
 operations, background operations, and riding the cost-curve of cellular 
 handsets (growing) vs. consumer point-and-shoot cameras (shrinking), etc.)
 
 (This, by the way, is a huge, huge ‘hint’.)
 (You may wish to read between the lines.)
 
 A lot of the SLC / MLC mythos is from before the days of JEDEC standards for 
 endurance, advanced wear-leveling algorithms, and before a lot of the 
 firmware engineers understood concepts such as “read disturbance”, “write 
 disturbance”, and “ECC correction thresholds”.  It’s certainly not as simple 
 as you’re making it out to be.
 
 (This, again, is the big reason that Netgate stayed out of the early fracas 
 around SSDs.)
 
 I’m not going to depend on what someone said in the forum over 3 years ago, 
 since it’s unlikely to apply today.
 
 Jim
 
 On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote:
 
 For completeness sake.
 Just to clarify. You can get SDHC cards that are SLC based. Pretty much 
 everything called industrial grade SD/SDHC will be an SLC SSD in SD format.
 
 Understood. Thank you for the clarification. 
 
 Would it be possible to have the description updated on the sales page? It 
 only says you can boot via SD through USB. 
 
 --
 Ryan Coleman
 ryanjc...@me.com
 m. 651.373.5015
 o. 612.568.2749
 
 On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:
 
 
 Yes, the system can be booted from an SD (or SDHC) card.  Or from USB, or 
 from the m-SATA.
 
 All of these require proper preparation of the requisite ‘disk’ (-like 
 device).
 
 Jim
 
 On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 I understand *that* however it doesn't say on the features page it can be 
 booted off the SD slot - is that true? If so I have to change a few 
 quotes I have in play as they will need to get mSATA SSDs instead. 
 
 On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:
 
 
 The SD (SDHC describes some cards which work in the slot) card slot is a 
 “base feature”.   If people choose to fit an m-SATA drive, then they can.  Or 
 they can use the SD card socket.
 
 It’s not like we’re going to de-solder the SD card socket if it’s not 
 going to be used.
 
 Neither are we going to carry two different SKUs (one with, one without).
 
 Jim
 
 On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Why not answer the question?
 
 
 On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:
 
 Ryan,
 
 Don't troll. 
 
 
 
 On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Wait, so the SDHC slot on this board is simply for show?
 
 On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote:
 
 Thank you Espen,
  
 Squid is for filtering purpose only, not to save bandwidth.
 On Netgate they have only this SSD as an option. But I’ll keep your 
 advice in mind.
  
 Best regards,
 Sergii Cherkashyn
  
 
 Date: Mon, 25 Aug 2014 20:45:46 +0200
 From: Espen Johansen pfse...@gmail.com
 To: pfSense support and discussion list@lists.pfsense.org
 Subject: Re: [pfSense] Netgate APU2 SSD module question
 Message-ID:
 
 caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com
 Content-Type: text/plain; charset=utf-8
  
 I personally don't think you will have an issue with too many writes 
 in a normal environment. Why Squid, though? If it's for filtering, fine. 
 For acceleration and 3-6 persons it will most likely not do you much 
 good.
 Also check MLC vs SLC. SLC based SSD will last longer. Approximately 
 10 times longer. And even more with the right write leveling tech.
  
 Just my 2 cents.
  
  

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson
Ryan,

Don't troll. 



 On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Wait, so the SDHC slot on this board is simply for show?
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson

The SD (SDHC describes some cards which work in the slot) card slot is a “base 
feature”.   If people choose to fit an m-SATA drive, then they can.  Or they 
can use the SD card socket.

It’s not like we’re going to de-solder the SD card socket if it’s not going to 
be used.

Neither are we going to carry two different SKUs (one with, one without).

Jim

 On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Why not answer the question?
 
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson

Yes, the system can be booted from an SD (or SDHC) card.  Or from USB, or from 
the m-SATA.

All of these require proper preparation of the requisite ‘disk’ (-like device).

Jim

 On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 I understand *that* however it doesn't say on the features page it can be 
 booted off the SD slot - is that true? If so I have to change a few quotes I 
 have in play as they will need to get mSATA SSDs instead. 
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson
That's how the SD card is connected. 

-- Jim

 On Aug 27, 2014, at 9:26, Ryan Coleman ryanjc...@me.com wrote:
 
 Understood. Thank you for the clarification. 
 
 Would it be possible to have the description updated on the sales page? It 
 only says you can boot via SD through USB. 
 
 --
 Ryan Coleman
 ryanjc...@me.com
 m. 651.373.5015
 o. 612.568.2749
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson
Ryan,

I’m not sure what you’re asking.

This thread started off with Sergii Cherkashyn asking if running on an SSD was 
advisable.

Obviously, it works, or we wouldn’t offer it. (The thread Sergii pointed to is 
from early 2011.  Netgate did not ship SSDs for several years because the 
reliability *then* was so poor.  The situation changed, and, once quality SSDs 
were available (*with power-fail capacitors, etc.*), we began offering same.)

Then you jumped in asking (is) “SDHC slot on this board is simply for show?”

I honestly thought you were trolling.   Since there is a configuration of the 
APU units available for sale both at the Netgate store *and* the pfSense store 
(http://store.pfsense.org) that does not include an m-SATA drive, how else could 
the system boot pfSense?

Now you post on a public list, (a list about pfSense), asking me to change an 
unspecified page on (I assume), the Netgate site.

Setting aside the whole issue of why we’re talking about this on-list, I can’t 
find the text that confused you.

Here is what I found on the Netgate site:

http://store.netgate.com/APU1C4.aspx says: “Boot from SD card (connected 
through USB), external USB or m-SATA SSD.”
http://store.netgate.com/APU1C.aspx says: “Boot from SD card (connected through 
USB), external USB or m-SATA SSD.”

You may wish to note that this language exactly matches that found on the PC 
Engines site: 
“Boot from SD card (connected through USB), external USB or m-SATA 
SSD.”

ref: http://pcengines.ch/apu.htm, and http://pcengines.ch/apu1c.htm, 

and page 9 of the schematic for the APU (http://pcengines.ch/schema/apu1c.pdf) 
clearly shows that the “SD card interface” runs through an Alcor Micro AU6465 
(http://www.alcormicro.com/en_content/c_product/product_01b.php?CategoryID=7&IndexID=19)
to USB6 on the AMD T40 SoC.

If you will be so kind as to make a specific request for change of the language 
you found confusing, I’ll take a look at it. 
You might even send such a request to me in-private, so as not to further 
clutter the list.

Right now, I can’t find a problem.

Jim


 On Aug 27, 2014, at 9:26 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Understood. Thank you for the clarification. 
 
 Would it be possible to have the description updated on the sales page? It 
 only says you can boot via SD through USB. 
 
 --
 Ryan Coleman
 ryanjc...@me.com
 m. 651.373.5015
 o. 612.568.2749
 
 On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:
 
 
 Yes, the system can be booted from an SD (or SDHC) card.  Or from USB, or 
 from the m-SATA.
 
 All of these require proper preparation of the requisite ‘disk’ (-like 
 device).
 
 Jim
 
 On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 I understand *that* however it doesn't say on the features page it can be 
 booted off the SD slot - is that true? If so I have to change a few quotes 
 I have in play as they will need to get mSATA SSDs instead. 
 
 On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:
 
 
 The SD (SDHC describes some cards which work in the slot) card slot is a 
 “base feature”.   If people choose to fit a m-SATA drive,
 then they can.  Or they can use the SD card socket.
 
 It’s not like we’re going to de-solder the SD card socket if it’s not 
 going to be used.
 
 Neither are we going to carry two different SKUs (one with, one without).
 
 Jim
 
 On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Why not answer the question?
 
 
 On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:
 
 Ryan,
 
 Don't troll. 
 
 
 
 On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:
 
 Wait, so the SDHC slot on this board is simply for show?
 
 On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com 
 wrote:
 
 Thank you Espen,
  
 Squid is for filtering purposes only, not to save bandwidth.
 On Netgate they have only this SSD as an option. But I’ll keep your 
 advice in mind.
  
 Best regards,
 Sergii Cherkashyn
  
 
 Date: Mon, 25 Aug 2014 20:45:46 +0200
 From: Espen Johansen pfse...@gmail.com
 To: pfSense support and discussion list@lists.pfsense.org
 Subject: Re: [pfSense] Netgate APU2 SSD module question
 Message-ID:
 
 caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com
 Content-Type: text/plain; charset=utf-8
  
 I personally don't think you will have an issue with too many writes 
 in a normal environment. Why Squid, though? If it's for filtering, fine. For 
 acceleration and 3-6 persons it will most likely not do you much good.
 Also check MLC vs SLC. SLC based SSDs will last longer. Approximately 
 10 times longer. And even more with the right wear leveling tech.
  
 Just my 2 cents.
  
  
 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Jim Thompson
SD cards are storage, but not “disks” nor “drives”.

Beyond m-SATA, eMMC is your best option.  Not only are they faster than SD 
cards (speeds of the larger devices rival those of traditional SSDs, as well as 
supporting a “TRIM”-like operation, priority interruptible READ and ERASE 
operations, background operations, and riding the cost-curve of cellular 
handsets (growing) vs. consumer point-and-shoot cameras (shrinking), etc.)

(This, by the way, is a huge, huge ‘hint’.)
(You may wish to read between the lines.)

A lot of the SLC / MLC mythos is from before the days of JEDEC standards for 
endurance, advanced wear-leveling algorithms, and before a lot of the firmware 
engineers understood concepts such as “read disturbance”, “write disturbance”, 
and “ECC correction thresholds”.  It’s certainly not as simple as you’re making 
it out to be.

(This, again, is the big reason that Netgate stayed out of the early fracas 
around SSDs.)

I’m not going to depend on what someone said in the forum over 3 years ago, 
since it’s unlikely to apply today.

Jim

 On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote:
 
 For completeness' sake.
 Just to clarify. You can get SDHC cards that are SLC based. Pretty much 
 everything called industrial grade SD/SDHC will be an SLC SSD in SD format.
 

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Jim Thompson

 On Jul 30, 2014, at 3:21 PM, Stefan Baur newsgroups.ma...@stefanbaur.de 
 wrote:
 
 On 30.07.2014 at 22:09, Espen Johansen wrote:
 ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to
 things like silent data corruption (disk FW bugs, power spikes). It has
 on the fly checking and repair. Copy on write, snapshotting, NFSv4 native
 acls and a few more nice things. I don't understand the bashing?
 
 This is a firewall, not a fileserver, where such features do indeed make
 sense.  And no bashing, just saying I don't care what filesystem
 pfSense uses under the hood, as long as it works.  The fact that it
 spits out a warning seems to indicate that it does not work and there's
 something wrong, so I came here to ask.

tl;dr:  I wouldn’t run ZFS… yet.

I didn’t see the error message; you’re barking up a tree attempting to use it 
right now.

That said, there are certain advantages to ZFS, and there are internal 
experiments underway looking to use it for a future (64-bit only) release of 
pfSense.

The data integrity and resiliency (due to COW semantics & checksumming) (etc) 
is one thing.  I’ve had pretty good results turning on LZJB
compression and ‘copies=2’, which is nearly as good as a nanobsd image with 2 
separate slices, and, since you have a live filesystem,
has NONE of the drawbacks of the nanobsd approach.  One could even ‘checkpoint’ 
(snapshot) the zvol prior to any change (pkg install, config change, etc),
and, of course, “zfs send | ssh foo; zfs receive” makes it entirely trivial to 
keep your entire firewall backed up, rather than (just) the config file.

People who say, “I can’t fathom a sensible use case for using ZFS on pfSense” 
or “why use it to replace nanobsd?” are (likely) stuck in a 
system admin mindset/mentality(*).  I get the same pushback about bhyve (“why 
would you use that on a firewall?”) from people stuck in the same
headspace.   I’m not going to reveal everything here, because it’s going to be 
post-2.2 before any of this comes about, and I’m keeping the focus on 2.2.

In short: ZFS is not just about building a NAS.

Jim

(*) If there isn’t an O’Reilly book out about it, it seems to not exist to 
these people.
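The checkpoint-before-change and send-to-another-box workflow described in the message above, as an added shell example (not code from the list post or from the pfSense project); the dataset name zroot/ROOT/default, the host backup.example and the $ZFS wrapper variable are assumptions.

```shell
#!/bin/sh
# Added example: the ZFS workflow from the message above (LZJB compression plus
# copies=2, a snapshot "checkpoint" before any change, and zfs send over ssh),
# written as POSIX sh functions. This is not code from the list post or from
# the pfSense project. Assumptions (placeholders, not real values): the boot
# dataset is "zroot/ROOT/default" and the backup host is "backup.example".
# The zfs binary is invoked through $ZFS so a stub can stand in for tests.

ZFS=${ZFS:-zfs}

# Set the two properties the message recommends on a dataset: LZJB compression
# and two copies of every block (a second on-disk copy of each block's data,
# which is what stands in for the second nanobsd slice).
zfs_harden_dataset() {
    ds=$1
    "$ZFS" set compression=lzjb "$ds" || return 1
    "$ZFS" set copies=2 "$ds" || return 1
}

# Snapshot the dataset, run the change (pkg install, config edit, ...), and
# roll back to the snapshot if the change fails. On success the snapshot name
# is printed so the caller can replicate it off-box. Note: rolling back a
# mounted root dataset changes files on disk; running processes keep their
# already-open files until restarted, so a reboot may be needed afterwards.
with_checkpoint() {
    ds=$1
    shift
    snap="$ds@pre-$(date +%Y%m%d%H%M%S)"
    "$ZFS" snapshot "$snap" || return 1
    if "$@"; then
        echo "$snap"
        return 0
    fi
    # -r discards any snapshots taken after the checkpoint, which zfs would
    # otherwise refuse to roll back past.
    "$ZFS" rollback -r "$snap"
    return 1
}

# Replicate a snapshot to another machine: zfs send | ssh | zfs receive, as
# in the message. -F lets the receiving dataset be rolled forward even if it
# was modified locally. The remote side uses the real zfs command.
backup_snapshot() {
    snap=$1
    host=$2
    target=$3
    "$ZFS" send "$snap" | ssh "$host" zfs receive -F "$target"
}

# Typical use on the firewall itself (runs real zfs, so left as comments):
#   zfs_harden_dataset zroot/ROOT/default
#   snap=$(with_checkpoint zroot/ROOT/default pkg install -y some-package) \
#       && backup_snapshot "$snap" backup.example backup/pfsense
```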

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Jim Thompson

 On Jul 30, 2014, at 4:40 PM, Stefan Baur newsgroups.ma...@stefanbaur.de 
 wrote:
 
 On 30.07.2014 at 23:34, Jim Thompson wrote:
 tl;dr:  I wouldn’t run ZFS… yet.
 
 I didn’t see the error message; you’re barking up a tree attempting to use 
 it right now.
 
 Again, I don't care what FS pfSense uses under the hood as long as it
 works.  I didn't make a conscious decision to install/run ZFS, I firmly
 believe I picked the default options during the pfSense install and now
 I'm seeing this warning.  I don't insist on using ZFS at all.  If I can
 and should get rid of ZFS to get rid of the warning, just tell me how.

No pfSense we produce has an installer that will make a ZFS filesystem.

Try again?



Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Jim Thompson

Well, you could use it for that (pfSense on pfSense), but there will be 
unnecessary overhead.

 On Jul 30, 2014, at 4:38 PM, Josh Reynolds j...@spitwspots.com wrote:
 
 Sounds like the mikrotik metarouter feature.
 
 Josh Reynolds, CIO
 SPITwSPOTS
 www.spitwspots.com
 


Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Jim Thompson

 On Jul 30, 2014, at 7:20 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:
 
 Despite all that FreeBSD ZFS love, I still would not recommend it on
 FreeBSD/i386-based installations (as the OP said he was using).  It is
 much more of a headache to use in that milieu, and, IMHO, doesn't get
 the testing and general care and feeding that the FreeBSD/amd64 version
 gets.

Note that I said any use we make would be amd64 only.

 Also, ZFS would not be a good fit on low-memory embedded hardware.
 There are enough problems getting ARC to play nicely on high-memory
 systems under memory pressure... :-)

What do you consider ‘low-memory’?

It’s getting difficult to put less than 4GB in some systems.  ZFS works really 
well on a 4GB system with around 100GB of ssd/m-sata.

auto-tuned ARC maximum is physical RAM less 1GB, or 1/2 of available RAM.  On a 
2GB system this is 1GB; on a 4GB system it's 2GB.
Have you looked at memory usage in pfSense lately?  

Most of the ‘tuning guides’ consider fileserver/webserver/db applications.   
pfSense is none of these.  There are several applications that would
like to reliably write logfiles / rrd files, etc., however.




Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Jim Thompson

 On Jul 27, 2014, at 13:06, Matthias May matth...@may.nu wrote:
 
 On 27.07.2014 at 18:32, Kenward Vaughan wrote:
 On 07/22/2014 02:19 PM, Rainer Duffner wrote:
 
 On 22.07.2014 at 21:29, Nickolai Leschov nlesc...@gmail.com wrote:
 
 The difference is not $200, but about $100 with 8GB Sandisk Extreme
 Secure [sic!] SDHC card included.
 ...
 
 What sort of bandwidth are these able to handle?  I have rotated older 
 computers into the closet over the years, and found them to be bottlenecks 
 earlier on (not so now with a relatively recent AMD 2500+ CPU).  With a 
 standard Brighthouse hookup/plan we currently are at 1.2 GB/s.
 
 I'd hope these laugh at such speeds?
 
 
 Kenward
 Are you sure you meant 1.2 GB/s?
 That would be 9.6 Gbit/s (as in 9600 Mbit/s).
 These don't route that much.
 With the built-in Realtek cards you get 450 Mbit/s without any fancy rules.
 I would expect this to go down with additional rules.
 With Intel cards on the same board you can get up to 650 Mbit/s, but I expect 
 it to be lower with additional rules.

Note that Intel NICs are not available on the PC Engines board, so it's not the 
same board, though a few suppliers build boards with the same 
SOC and Intel NICs. 

With a dual core Rangeley or Avoton 900Mbps between two ports is an everyday 
thing. 

 The strength of this board isn't that it performs very fast, but that it 
 performs reasonably well without taking too much power.
 You can expect power consumption of below 10W without additional cards in the 
 PCIe slots.

Those are miniPCIe slots, not PCIe. 

Rangeley / Avoton are 6-20W TDP, depending on the number of cores. 

Jim





Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Jim Thompson


 On Jul 22, 2014, at 16:19, Rainer Duffner rai...@ultra-secure.de wrote:
 
 
 On 22.07.2014 at 21:29, Nickolai Leschov nlesc...@gmail.com wrote:
 
 The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure 
 [sic!] SDHC card included.
 
 1. What's secure about this card? I suppose it's a regular SDHC one.
 
 2. I would like to pay less, but I'm worried about assembling it right with 
 regards to cooling. Can anyone clarify how is cooling achieved in this unit?
 
 
 http://pcengines.ch/apu.htm
 
 
 “Cooling: Conductive cooling from the CPU and south bridge to the 
 enclosure using a 3 mm alu heat spreader.”
 
 If assembly is similar to that of ALIX-boards, it’s not difficult.

Except for the heat spreader, and issues related to the SD cards falling out, 
it's exactly like an Alix. 

Which is to say, the similarities are easy to spot. 

Putting the spreader in place correctly on the first attempt is in question. 

 How much is your time worth?

This is the question.

[pfSense] Seeking ipfw pf rulesets for performance work

2014-07-27 Thread Jim Thompson

We're doing some performance work with pf, and have issued a call for pf and 
ipfw rule sets. 

http://lists.freebsd.org/pipermail/freebsd-net/2014-July/039373.html

If you wish to help, please get in-touch with George. 

-- Jim


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Jim Thompson

Ryan,

Your point is entirely lost; I’ve already shown where your words are false by 
any measure.

Time to close this thread.

Jim

 On Jul 27, 2014, at 9:08 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 Nickolai,
 
 I don’t know about you but I get my 8GB SDHC Class 10 cards for between $5 
 and $15.
 
 —
 Ryan
 
 
 On Jul 22, 2014, at 14:29, Nickolai Leschov nlesc...@gmail.com wrote:
 
 The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure 
 [sic!] SDHC card included.
 
 1. What's secure about this card? I suppose it's a regular SDHC one.
 
 2. I would like to pay less, but I'm worried about assembling it right with 
 regards to cooling. Can anyone clarify how is cooling achieved in this unit?


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson


 On Jul 22, 2014, at 10:58, Ryan Coleman ryanjc...@me.com wrote:
 
 I asked the differences in the two line items from netgate. 

Perhaps you should ask sa...@netgate.com

Jim
 


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson


 On Jul 22, 2014, at 17:19, Nickolai Leschov nlesc...@gmail.com wrote:
 
 I wonder why they wouldn't just build the board with some appropriate Atom 
 CPU?

:-)

 And maybe even more performant, to boot? E3815, probably?

Bay Trail?  Why?  That's for tablets. 

C2xx8 more likely.  IJS...

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson


On Jul 22, 2014, at 17:19, Nickolai Leschov nlesc...@gmail.com wrote:

 Just like the others: dissipation through the aluminum case
 How does the CPU connect to the aluminum case? Is there some thermal 
 interface involved? Maybe an interface between CPU heatsink and aluminum case?

Yes, there is a transfer pad. 


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson
Very little of this thread is related to pfSense.  

Please stay on topic. 

-- Jim

 On Jul 22, 2014, at 17:32, Chris Bagnall pfse...@lists.minotaur.cc wrote:
 
 On 22/7/14 11:17 pm, Nickolai Leschov wrote:
 I didn't notice this page. So it looks like it's some kind of thermal paste that
 allows for adequate thermal conductivity between the CPU/south bridge and
 the aluminum heat spreader, but the heat spreader is in dry contact with
 the case?
 
 The one I've just installed here in my home office has 'sticky' thermal pads 
 on both sides of the aluminium heat spreader, and sticks to both the chips 
 and the base of the chassis.
 
 It gets warm in use, but not uncomfortably hot. Ambient temperature is about 
 22C at this time of year.
 
 Now, how is the board held in place, inside the enclosure? Is it held in
 place by 'screws and hex nuts'?
 
 4 screws in the corners which go into binding posts on the chassis, not 
 particularly dissimilar from most PC motherboards into cases.
 
 What is the thing in the second-to-last picture near the thumb of the
 presenter's right hand: is it the SIM card tray? Is it accessible from
 outside, after the installation?
 
 There is a SIM card tray, and like the SD card slot, no, it's not accessible 
 externally after installation.
 
 (as a matter of curiosity, does pfSense support this SIM card slot for 
 anything 'interesting'? - one presumes it would need to be used in 
 conjunction with a miniPCIe radio card of some persuasion)
 
 Kind regards,
 
 Chris
 -- 
 This email is made from 100% recycled electrons


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson
Ryan,

Profanity and personal attacks have no place on this list. 

-- Jim

 On Jul 22, 2014, at 20:12, Ryan Coleman ryanjc...@me.com wrote:
 
 Look fuck nut: branded and shipped hardware is 100% on topic. Thank you. 
 
 


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson

On Jul 22, 2014, at 16:30, Nickolai Leschov nlesc...@gmail.com wrote:

 Bay Trail?  Why?  That's for tablets. 
 What's the difference, in practical terms? 

First: Rangeley has an integrated i354 10/100/1000 quad Ethernet MAC.  Bay 
Trail requires one to add Ethernet.

Second:  Rangeley has a high-speed crypto co-processor (Quick Assist).

Third: the lowest end Rangeley has twice the cache of the low-end Bay Trail.  
Similarly, the highest end Rangeley has twice the cache of the highest end Bay 
Trail.

Fourth: Bay Trail is a max quad core part, Rangeley is max 8-core (C27x8). 

Fifth: Bay Trail maxes out at 1.5GHz, Rangeley at 2.4GHz. (Both non-turbo)

Is that enough, or shall I continue?

Jim

Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Jim Thompson

I am.  I have. 

I'm trying to be patient and professional. 

 On Jul 22, 2014, at 20:47, Sean Colins s...@corequick.com wrote:
 
 Who is the list mom and why is he/she not responding to this?
 
 On Jul 22, 2014, at 6:12 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 Look fuck nut: branded and shipped hardware is 100% on topic. Thank you. 
 
 


Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense

2014-07-21 Thread Jim Thompson

 On Jul 21, 2014, at 8:18 AM, Nickolai Leschov nlesc...@gmail.com wrote:
 
 What is the status of pfSense 2.2?

alpha snapshots



Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense

2014-07-20 Thread Jim Thompson
There is no 802.11ac support in FreeBSD (and thus pfSense) as yet.
802.11n support is in FreeBSD 10 (and thus pfSense 2.2).

 On Jul 20, 2014, at 11:08 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 The compatibility is strictly up to the software drivers. Is the driver for 
 the card you’re looking at listed in the HCL?
 
 
 On Jul 20, 2014, at 16:52, Nickolai Leschov nlesc...@gmail.com wrote:
 
 I would like to use a PC Engines APU series board with pfSense as a wireless 
 router.
 
 In their store, I can see 802.11n cards, at most, but can I use 802.11ac 
 already? Does anyone have positive experience with an 802.11ac card and can 
 recommend a particular model?
 
 Best regards,
 Nickolai
 

Re: [pfSense] apu.4c silently dies

2014-06-04 Thread Jim Thompson

On Jun 4, 2014, at 2:29 PM, mayak ma...@australsat.com wrote:

 I really want to love this board, but it is simply a heater -- my 
 problems are thermal.
 
 I have now completely removed the board from the case and put a huge 
 copper heat sink on it -- I'll take a picture -- I placed it next to a switch 
 where the fans blow on the sink.
 
 If my office gets above 23 or 24 degrees (C), it starts dropping packets, 
 then goes toes up.
 
 So sad, as this is the ideal platform that I was after.

It’s nice, (and I have zero problems in a 24C ambient), but I wouldn’t call it 
“Ideal”.

(watch this space)





Re: [pfSense] Report Errors

2014-06-02 Thread Jim Thompson

 On Jun 2, 2014, at 13:18, Brian Caouette bri...@dlois.com wrote:
 
 As much as I like pfSense, it
 and packages are really prone to glitches and overall bugs.

pfSense has bugs, and packages have bugs, but it is a mistake to conflate the 
two. 


Re: [pfSense] Report Errors

2014-06-02 Thread Jim Thompson

 On Jun 2, 2014, at 10:02 PM, Ryan Coleman ryanjc...@me.com wrote:
 
 It’s also a mistake to not report them to the maintainers. :)

That’s true, and the maintainers for Squid, Snort and Suricata are very good 
about fixing said bugs.

Jim



Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Thompson

On May 20, 2014, at 9:30 AM, Giles Coochey gi...@coochey.net wrote:

 On 20/05/2014 12:28, Ryan Coleman wrote:
 On May 20, 2014, at 1:59, Giles Coochey gi...@coochey.net wrote:
 
 
 Not to mention that if I ran a PE 2850 at home there would probably be 
 complaints about the noise!!! Those things *scream* in the audible sense!!!
 
 Typically just on the first boot - mine always stopped screaming after about 
 30 seconds
 ___
 
 Even after the fans have kicked out of their max-cooling, max-air-flow mode 
 the server is still way too loud for me in a home environment.
 
 Fan-less atom based box for home environment any day... and easily push 
 40Mbps IPsec.

The new ones (like the 2758 that pfSense sells) are actually *faster* than a 
2850.


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Jim Thompson
If you had purchased something more modern, (even an APU, which uses 5-10% of 
your 2850, and is completely silent) bhyve would be an option.

Which is the general direction I'm headed with pfSense for being able to run a 
media center or NAS on top. 

Refurb c1100s are  $600 on fleabay with 8 cores and 72GB ram. 

http://www.ebay.com/itm/261355969100 

We use these for test boxes at ESF; since we boot them off USB, I don't care 
that they have no drives. 

If you don't need the ram, an 8GB version is  $300. 

http://www.ebay.com/itm/261441251762 

We pulled all our 2850s and 2950s out of service. They're not worth the power 
draw (operating costs).  I think the only remaining machine from that era we 
operate is a PE1950 my son uses for a minecraft server. 

-- Jim

 On May 20, 2014, at 12:45, Brian Caouette bri...@dlois.com wrote:
 
 For the price paid it can't be beat. I've seen smaller systems go for much 
 more, so I figured I had room to grow. At some point I may be able to have two 
 virtual machines on this unit and use one for a media center or cloud backup 
 for the home business. Are there packages available for this? I don't really 
 see anything that leads me to believe pfSense could be used in that way, which 
 is why I'm thinking virtual. What software is available to do virtual 
 machines?
 
 On 5/20/2014 12:11 PM, Jason Pyeron wrote:
 -Original Message-
 From: Brian Caouette
 Sent: Tuesday, May 20, 2014 12:00
 
 Are we talking fan noise? Hard drive noise?
 
 Also a comment was made about power. What are we talking?
 The general comments about how a PE2850 is overkill in the described home
 environment.
 
 On 5/20/2014 2:59 AM, Giles Coochey wrote:
 On 20/05/2014 02:12, Chris Bagnall wrote:
 
 Forgive me for saying so, but that's a massive
 overkill for routing a 15Mbps connection. Granted, it'd be
 entirely appropriate if you were routing multiple gig
 transits in a datacentre environment where the power
 consumption might be justified, but in a home environment,
 you're just burning through electricity for the sake of it.
 Of course, if you're going to run pfSense as a VM under a
 hypervisor with several other VMs, then I take all the above
 back :-) Kind regards, Chris
 
 Not to mention that if I ran a PE 2850 at home there
 would probably be complaints about the noise!!! Those things
 *scream* in the audible sense!!!
 --
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 -   -
 - Jason Pyeron  PD Inc. http://www.pdinc.us -
 - Principal Consultant  10 West 24th Street #100-
 - +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
 -   -
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 This message is copyright PD Inc, subject to license 20080407P00.
 
  


Re: [pfSense] Giant lock is still there?

2014-05-17 Thread Jim Thompson

On May 17, 2014, at 5:16 PM, Leon Volfson l...@one.co.il wrote:

 Hi guys,
 
 I had lots of issues in the past with the performance
 and as I understood then - one of the biggest problems was
 the Giant lock in pf.
 
 Since the 2.2 version is going to be FreeBSD 10 based I looked it up and
 saw that there was some work done on this by Gleb Smirnoff a couple of
 years ago.
 
 I was wondering whether it's actually been implemented and whether the 2.2
 is going to be Giant lock-free.
 
 Also - performance-wise, how much will I gain upgrading from 1.2.2? (old, I
 know, but worked better than 1.2.3 in my case and was left like this since).
What kind of CPU are you running?

What type of Ethernet parts?

What does your load look like?

Even after answering these, it’s going to be a guess as to how your performance 
will change.

Yes, Gleb’s changes to pf (which are in FreeBSD 10) are in pfSense 2.2.

You could always try a snapshot.

Jim



Re: [pfSense] upgrade dual ALIX netgate box?

2014-05-08 Thread Jim Thompson

On May 8, 2014, at 12:04 PM, b...@todoo.biz wrote:

 Hi, we are French resellers of ALIX / APU.
 
 
 Le 6 mai 2014 à 21:16, Vick Khera vi...@khera.org a écrit :
 
 I have the dual ALIX RM1U box from netgate which is a bit over 2 years old 
 now (and an older one too!)
 
 Has anyone attempted replacing the ALIX boards with APU2 boards? They appear 
 to use the identical openings and case mounting holes.
 
 This is true. 

PC Engines updated their cases about 9 months ago.   Cases older than this are 
about 1mm too small.

 APU1C comes with an iron plate to be stuck below the APU in order to 
 dissipate the heat. 

Iron?   It’s a heat-conductive pad, with an aluminum plate.

 Netgate themselves doesn't sell such a beast so it made me curious as to why 
 they wouldn't sell a version with the board swapped and instead recommend 
 other devices.
 
 I can’t really tell why NetGate does not resell APU1C.

http://store.netgate.com/APU1C.aspx (board only, 2GB ram)
http://store.netgate.com/APU1C4.aspx (board only, 4GB ram)
http://store.netgate.com/NetgateAPU2.aspx  (system, 2GB ram)
http://store.netgate.com/NetgateAPU2.aspx  (system, 4GB ram)

 Currently there is a problem with the mSATA sold by PC Engines which does not 
 support TRIM - this has a limited effect on pfSense, where TRIM is not 
 activated by default. That being said, it is not really « normal » for an 
 mSATA device not to support such a function and might reveal some other 
 problems… though so far we have noticed 0 problems on such devices. 

These cards DO support TRIM, but you have to correctly install software on the 
device to have it be stable.  We are working on a “platform specific release” 
of pfSense for the APU.

 We have updated the firmware of the 10 units we have received so far. 
 We are currently testing the unit with quite good results considering the 
 price. 
 
 Also does anyone know of a crypto accelerator board for the APU2? Or is that 
 even worth the effort for 4 home-office OpenVPN tunnels?
 
 You really don’t need such an item - the processor is strong enough to handle any 
 kind of local VPN (our tests show about 80Mb/s with an OVPN tunnel)… 

We’re testing 67 Mbps using UDP over OpenVPN AES256.   AES-128 is about 78Mbps.

But “don’t really need” is strong language, and to be clear, I disagree.   My 
connection from my house is faster than this.

Jim




Re: [pfSense] Upgrading Alix 2d13

2014-05-03 Thread Jim Thompson

 On May 2, 2014, at 23:42, David Newman dnew...@networktest.com wrote:
 
 It's possible this is related to this being 4G Sandisk CF cards, and
 modern 2G and 4G Sandisk cards producing alignment errors.

Unlikely. 


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Jim Thompson

 On Apr 22, 2014, at 10:39, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:
 
 In fact, I'd be pretty disappointed, too, if a newer pfSense release
 stopped working on my hardware and the whole issue appeared out of the 
 blue (== no "hme driver no longer supported" or similar notice in the release 
 notes).

Your potential disappointment is noted. 

It's not like we disabled the hme driver. We have no ability to test it, since 
we don't have one of these cards. Nor are we likely to invest in one.

I can think of a half dozen reasons that could cause the card to run on 2.0.3, 
and not run on 2.1. 

Jim


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Jim Thompson

On Apr 20, 2014, at 5:32 PM, Volker Kuhlmann list0...@paradise.net.nz wrote:

 I've been running pfsense for many years (and been very happy with it)
 on scrapped PCs with a Sun 4-port Ethernet PCI card because I need 5
 Ethernet ports.
 
 Now FreeBSD dying on the hme driver effectively turns those cards into
 scrap and I'm stuck. What are the alternatives now?
 
 Are there any other 4-port cards that are supported by pfsense in
 practice (not just in theory), that are also affordable?

You’ll need to define “affordable”.   You’ll also need to state if you’re 
looking for PCI, PCI-x or PCIe cards.

 The power consumption (and box volume) of scrapped PCs is not optimal,
 and I've been looking at moving to a small single-board. Soekris was
 always underpowered and overpriced IMHO, and PCEngines underpowered,
 until they released the exciting APU series recently. They all only have
 3 Ethernet ports though, which is the stopper here.
 
 What mPCIe Ethernet cards are supported by pfsense that people can
 recommend?

We’ve run some experiments with various Intel-based cards in a NUC (we’re 
building a rack mount for them).
They work, but it’s not an inexpensive solution.

 Are there any USB Ethernet adapters that actually work with pfsense?
 Reliably? I am looking for reports from those who have tried, not the
 freebsd supported HW list - that list is too long and not really
 trustworthy (I have a USB wifi adapter which runs for 10min then makes
 pfsense kernel panic).

WiFi isn’t recommended until at least pfSense 2.2, if then.

 The frequently recommended option of using VLANs may look good for
 larger commercial networks, but just buying a VLAN capable switch costs
 more than a suitable pfsense box and brings the power budget of the
 combination to the same level as a scrapped PC - with the latter winning
 hands down on cost.

You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than 
$100 these days.
No fan, so noise-free.   8W maximum.  Real SNMP implementation, supports 
802.1q, jumbo packets, etc.

When we lived in Hawaii, (expensive power), I used to run a 24-port version of 
this (1810-24G aka J9803A).  Still no fan, 24 10/100/1000 ports, of these
can support SFP.   Current price is less than $200 on newegg, and probably way 
more switch than you need.

These days my “home lab” (the test lab at work) has a dedicated room, dedicated 
AC, several racks, and is connected via redundant 10Gbps links, with a backup 
fiber link at 100Mbps, so
my home network is just an APU, a 16-port dumb switch, and a couple 802.11 APs. 
  If I decided to upgrade the Grande connection to 1Gbps or, when Google fiber 
arrives, I’ll probably replace all that with an SDN (OpenFlow) setup.

Jim








Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Jim Thompson

On Apr 22, 2014, at 12:27 PM, Stefan Baur newsgroups.ma...@stefanbaur.de 
wrote:

 Am 22.04.2014 18:29, schrieb Jim Thompson:
 
 It's not like we disabled the hme driver.
 
 Nobody accused you of intentionally disabling it. Manure happens. :-) Relax.
 
 
 We have no ability to test it, since we don't have one of these cards. Nor 
 are we likely to invest in one.
 
 Over in the Interface yoyo thread, Message-ID
 5355875d.9050...@athompso.net, Adam Thompson wrote:
 
 If any of the devs want to test this hardware, I have at least one just 
 sitting on the shelf I can ship to you.  (I thought I had 3 or 4 of them, 
 maybe they're still sitting in the E450s that are also sitting on the shelf. 
  Well, actually on the ground, but only because I don't have any shelves 
 that can hold *those*.) 
 
 If Adam is willing to donate his spare card to you dev folks, and maybe
 Volker buys a Gold Membership (in case he doesn't have one already),
 would that significantly increase the chances of having a working hme
 driver in a future release? :-)

That would require finding a PC with a PCI slot, and time.


Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Jim Thompson

On Apr 22, 2014, at 3:42 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

 On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:
 
 Are there any USB Ethernet adapters that actually work with pfsense?
 Reliably? I am looking for reports from those who have tried, not the
 freebsd supported HW list - that list is too long and not really
 trustworthy (I have a USB wifi adapter which runs for 10min then makes
 pfsense kernel panic).
 
 WiFi isn't recommended until at least pfSense 2.2, if then.
 
 OK, thanks Jim, good to know. Do you mean this to apply to USB wifi only?

No.

 There are cheap mPCIe atheros-based wifi cards for the PCEngine APU
 board. Are they known to be reliable?

Yes, I know.   We sell thousands of them every month, but not for use in 
pfSense.  Maybe with 2.2 the situation will improve.

 You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less 
 than $100 these days.
 No fan, so noise-free.   8W maximum.
 
 Yes, thank you for mentioning that - I had seen that yesterday and their
 power specs had escaped me when I looked at them previously (some of
 those similar models do guzzle it).
 
 That's my plan B, but I really don't like to use VLANs when I can avoid
 the clutter and complexity (more bugs, more time spent). A pfsense box
 with more ports is much easier.

You asked.   BTW, VLANs end up as less clutter, not more.

jim



Re: [pfSense] pfSense 2.1.2 is released

2014-04-16 Thread Jim Thompson

On Apr 16, 2014, at 4:34 PM, Brian Candler b.cand...@pobox.com wrote:

 On 15/04/2014 20:12, Jim Thompson wrote:
 We dropped the price, too.
 
 -- Jim
 Which price are you referring to?

On the EC2 instance(s).

 I see that a support subscription is now $200 for 2 hours plus $200 per extra 
 hour.

$400 for the initial 2 hours, $200/hr after that.

 The one my client purchased a couple of months ago was $600 for 5 hours and 
 (I think) $100 per extra hour.

 That doesn't sound like a price drop to me :-)

The initial buy-in is $400, not $600.





Re: [pfSense] pfSense 2.1.2 is released

2014-04-12 Thread Jim Thompson
They're built; we're waiting on Amazon. 

-- Jim  

 On Apr 11, 2014, at 22:41, linbloke linbl...@fastmail.fm wrote:
 
 
 On 11/04/2014 5:23 am, Jim Thompson wrote:
 https://blog.pfsense.org/?p=1253
 
 pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
 than a week after pfSense release 2.1.1, and is primarily a security release.
 
 Thanks for the new release. Any sign of updated AWS AMIs?
 
 Regards,
 lb
 
 The Heartbleed OpenSSL bug and another OpenSSL bug which enables a 
 side-channel attack are both covered by the following security announcements:
• pfSense-SA-14_04.openssl
• FreeBSD-SA-14:06.openssl
• CVE-2014-0160 (Heartbleed)
• CVE-2014-0076 (ECDSA Flaw)
 
 Packages also have their own independent fixes and need updating. During the 
 firmware update process the packages will be properly reinstalled.   If this 
 fails for any reason, uninstall and then reinstall packages to ensure that 
 the latest version of the binaries is in use.
 
 Other Fixes
• On packages that use row_helper, when user clicks on an add or delete 
 button, the page scrolls to top. #3569
• Correct a typo on function name in Captive Portal bandwidth allocation.
• Make extra sure that we do not start multiple instances of dhcpleases 
 if, for example, the PID is stale or invalid, and there is still a running 
 instance.
• Fix for CRL editing. Use an alphanumeric test rather than purely 
 is_numericint because the ID is generated by uniqid and is not purely 
 numeric. #3591
 
 You will want to perform a full security audit of your pfSense 
 installations, renewing any passwords, generating or fitting new 
 certificates, placing the old certificates on a CRL, etc.

Re: [pfSense] pfSense 2.1.2 is released

2014-04-12 Thread Jim Thompson

 On Apr 12, 2014, at 18:55, Volker Kuhlmann hid...@paradise.net.nz wrote:
 
 On Fri 11 Apr 2014 18:43:18 NZST +1200, Ryan Coleman wrote:
 
 He gave you an option to subscribe to the list.
 
 You seem to have missed the point I was making: critical security fixes
 (the 2.1.2 release in this case, unless I am misunderstanding) were not
 posted to security-announce@.
 
 The posting to announce@ only happened, because of initial setup
 problems, after I pointed out it was missing.
 
 Volker

Technically, the SA was posted, but the guy (Jeremy) who set up the list hasn't 
given me mod privs yet, and they are stuck in the mod queue. 

So, actually, I've not missed your point.  

The whole security-announce setup is quite new.  Patience, please, while the 
kinks are worked out. 

Jim


Re: [pfSense] 2.1.2-RELEASE up for testing

2014-04-10 Thread Jim Thompson

The final testing (testing updates against the real update servers, which can’t 
be effectively simulated) is happening now.   

jim

On Apr 10, 2014, at 12:50 PM, k_o_l k_...@hotmail.com wrote:

 Any update to when the fix will be released?!
 
 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
 Buechler
 Sent: Wednesday, April 09, 2014 5:04 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] 2.1.2-RELEASE up for testing
 
 Scratch that - that just missed a commit for another security fix, it's
 rebuilding now.
 
 On Wed, Apr 9, 2014 at 3:48 AM, Chris Buechler c...@pfsense.org wrote:
 Normally we wouldn't put these out to the general public at this 
 stage, but a few people are wanting the OpenSSL fix ASAP, and I 
 already posted it to the forum. I've upgraded a handful of production 
 systems and it seems fine, but still a number of things we'll verify 
 before announcing it more widely and sending it to the mirrors and 
 auto-update.
 
 I think this is what will become 2.1.2 release.
 
 https://files.pfsense.org/cmb/2.1.2-REL-testing/
 
 also mirrored at:
 http://files.nyi.pfsense.org/cmb/2.1.2-REL-testing/
 
 Those are signed and everything, just a matter of moving them into 
 place if things test out fine.


[pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Jim Thompson

https://blog.pfsense.org/?p=1253

pfSense release 2.1.2 is now available.  pfSense release 2.1.2 follows less 
than a week after pfSense release 2.1.1, and is primarily a security release.

The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel 
attack are both covered by the following security announcements:
• pfSense-SA-14_04.openssl
• FreeBSD-SA-14:06.openssl
• CVE-2014-0160 (Heartbleed)
• CVE-2014-0076 (ECDSA Flaw)

Packages also have their own independent fixes and need updating. During the 
firmware update process the packages will be properly reinstalled.   If this 
fails for any reason, uninstall and then reinstall packages to ensure that the 
latest version of the binaries is in use.

Other Fixes
• On packages that use row_helper, when user clicks on an add or delete 
button, the page scrolls to top. #3569
• Correct a typo on function name in Captive Portal bandwidth 
allocation.
• Make extra sure that we do not start multiple instances of dhcpleases 
if, for example, the PID is stale or invalid, and there is still a running 
instance.
• Fix for CRL editing. Use an alphanumeric test rather than purely 
is_numericint because the ID is generated by uniqid and is not purely numeric. 
#3591

You will want to perform a full security audit of your pfSense installations, 
renewing any passwords, generating or fitting new certificates, placing the old 
certificates on a CRL, etc.


Re: [pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Jim Thompson

On Apr 10, 2014, at 4:10 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

 On Fri 11 Apr 2014 07:23:52 NZST +1200, Jim Thompson wrote:
 
 pfSense release 2.1.2 is now available.
 
 Thank you for all the quick work!
 
 May I ask though why this isn't simultaneously posted on
 pfsense-announce and pfsense-security-announce? In particular, if the
 security-announce list was to be used as a reliable source of critical
 information, posting the 2.1.2 release announcement with the heartbleed
 fix is not optional???

It was posted on announce@, but it seems that I’m moderated there.  This
is why my 2.1.1 release announcement was also held.   I’ve pushed the message 
through.

security@ is for posting SAs

Jim



Re: [pfSense] pfSense 2.1.2 is released

2014-04-10 Thread Jim Thompson

On Apr 10, 2014, at 4:25 PM, Dimitri Rodis dimit...@integritasystems.com 
wrote:

 Can we also get information as to which versions of pfSense are affected 
 aside from 2.1.1? Or is 2.1.1 the only affected version?

https://pfsense.org/security/advisories/pfSense-SA-14_04.openssl.asc



Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-09 Thread Jim Thompson
 I believe pfSense users are only affected by the secondary flaw, and also any 
 software in pfSense using the /usr/local/... version of OpenSSL, as mentioned 
 by Vick Khera earlier.


Both SAs affect pfSense 2.1 and 2.1.1. 

Heartbleed is an issue because OpenSSL version 1.0.1f is used for software that 
is not part of FreeBSD 8.3-RELEASE (i.e. things found in /usr/local), in 
addition to the version without the Heartbleed issue, which is part of FreeBSD 
8.3-RELEASE.

Both issues are being corrected via pending release of pfSense 2.1.2, as well 
as a near future rev for the pfSense 2.2 snapshots. 

-- Jim

 On Apr 8, 2014, at 21:05, Paul Mather p...@gromit.dlib.vt.edu wrote:
 
 On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:
 
 On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
 
 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect 
 you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimised.
 
 The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the 
 Impact section:
 
 =
 III. Impact
 
 An attacker who can send a specifically crafted packet to TLS server or 
 client
 with an established connection can reveal up to 64k of memory of the remote
 system.  Such memory might contain sensitive information, including key
 material, protected content, etc. which could be directly useful, or might
 be leveraged to obtain elevated privileges.  [CVE-2014-0160]
 
 A local attacker might be able to snoop a signing process and might recover
 the signing key from it.  [CVE-2014-0076]
 =
 
 I take that to read the vulnerability being exploitable both ways, i.e., a 
 malicious server could also attack a vulnerable client connecting to it via 
 SSL/TLS, making the attack surface potentially much larger.
 
 FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer 
 appears to back this up.  It included the following advice:
 
 =
 Users who use TLS client and/or server are strongly advised to apply
 updates immediately.
 
 Because of the nature of this issue, it's also recommended for system
 administrators to consider revoking all of server certificate, client
 certificate and keys that is used with these systems and invalidate
 active authentication credentials with a forced passphrase change.
 =
 
 Just as a follow-up and clarification to the above, the recent OpenSSL 
 vulnerability Security Advisory actually covers two OpenSSL flaws.  The 
 Heartbleed flaw only affects FreeBSD 10 in the base OS.  All other 
 supported FreeBSD releases are affected by the other flaw they describe (in 
 the ECDSA Montgomery Ladder Approach implementation).
 
 I believe pfSense users are only affected by the secondary flaw, and also any 
 software in pfSense using the /usr/local/... version of OpenSSL, as mentioned 
 by Vick Khera earlier.
 
 Kudos to the pfSense team for beavering away and cranking out a fix!
 
 Cheers,
 
 Paul.
 

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-09 Thread Jim Thompson
2.1.2 wasn’t “UP”.

Chris cut a version of something he called “2.1.2” that he indicated *might* 
become 2.1.2, but it was incomplete.
So I asked him to pull it back down.

Jim

On Apr 9, 2014, at 4:59 PM, Ryan Coleman ryanjc...@me.com wrote:

 There was a post to the list at 0400 central US today that 2.1.2 was up but 
 then he pulled it. I haven’t heard anything since then.
 
 You could turn off SSL or just not use it for the time being from anywhere you 
 don’t trust the system - if they don’t see traffic to the firewall they 
 cannot snoop your information.
 
 
 On Apr 9, 2014, at 3:40 PM, mayak ma...@australsat.com wrote:
 
 snip
 
 hi all,
 
 any news? my routers feel exposed :-)
 
 god bless pfsense.
 
 m


Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Thompson

Well, that’s the point, Paul.  (You hit the nail on the head.)

If you don’t have an openssl service exposed, the problem doesn’t affect you.

Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
minimized.

We are working at cutting a new release.

Jim

On Apr 8, 2014, at 1:49 PM, Paul Galati paulgal...@gmail.com wrote:

 Is this vulnerability tied to a secure web connection on the WAN interface?  
 If I do not have the web GUI enabled on the WAN interface and I am not using 
 OpenVPN, what other services make this point of entry possible?
 
 Thanks for your time.
 
 Paul Galati
 paulgal...@gmail.com
 
 
 
 On Apr 8, 2014, at 8:20 AM, Marek Salwerowicz marek_...@wp.pl wrote:
 
 Regarding the web test provided at:
 http://filippo.io/Heartbleed/
 
 All my pfSense firewalls (their HTTPS WEB GUI) are vulnerable...
 

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Thompson

On Apr 8, 2014, at 12:34 PM, Paul Heinlein heinl...@madboa.com wrote:

 On Tue, 8 Apr 2014, b...@todoo.biz wrote:
 
 This might not be enough as there are two versions of openssl installed… One 
 in /usr/bin/openssl and one in /usr/local/bin/openssl
 
 Both should be ok.
 
 Not on 2.1:
 
 [2.1-RELEASE]/root(9): /usr/local/bin/openssl version
 OpenSSL 1.0.1e 11 Feb 2013
 
 Worse, that's the version used by OpenVPN and lighttpd:

Your use of “worse” here merely pours gasoline on an already burning fire.

 [2.1-RELEASE]/root(8): ldd /usr/local/sbin/openvpn
 /usr/local/sbin/openvpn:
     libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
     libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
 
 [2.1-RELEASE]/root(14): ldd /usr/local/sbin/lighttpd
 /usr/local/sbin/lighttpd:
     libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
     libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)

The situation is no different with pfSense version 2.1.1, even though the ports 
version of openssl is 1.0.1f.  (1.0.1g is required to be clear of the 
Heartbleed issue.)

[2.1.1-RELEASE][root@pfSense.localdomain]/root(3): /usr/local/bin/openssl 
version
OpenSSL 1.0.1f 6 Jan 2014
[2.1.1-RELEASE][root@pfSense.localdomain]/root(4): /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1.1-RELEASE][root@pfSense.localdomain]/root(5): 

[2.1.1-RELEASE][root@pfSense.localdomain]/root(15): ldd /usr/local/sbin/openvpn
/usr/local/sbin/openvpn:
    liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
    libc.so.7 => /lib/libc.so.7 (0x800c22000)
    libthr.so.3 => /lib/libthr.so.3 (0x800e4f000)
[2.1.1-RELEASE][root@pfSense.localdomain]/root(22): ldd /usr/local/sbin/lighttpd
/usr/local/sbin/lighttpd:
    libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x80067)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)
    libthr.so.3 => /lib/libthr.so.3 (0x800c0c000)
    libc.so.7 => /lib/libc.so.7 (0x800d25000)

As previously mentioned, we’re working on a new release.

jim

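Jim's two posts above (the note that /usr/local carries its own OpenSSL next to the base-system copy, and the ldd listings showing openvpn and lighttpd resolve /usr/local/lib/libssl.so.8) describe an audit a pfSense 2.1.x admin would want to script. The script below is an added example, not code from the thread or from the pfSense project; the embedded ldd listing is constructed from the output above, and the mapping of a libssl directory to the matching openssl binary assumes the standard FreeBSD base/ports layout.

```sh
#!/bin/sh
# Heartbleed exposure audit for a pfSense 2.1.x box (added example, not
# pfSense code). Base-system OpenSSL (0.9.8y) is not affected; the ports
# copy in /usr/local (1.0.1e / 1.0.1f) is. What matters for each daemon is
# which libssl it actually resolves at run time, which ldd tells us.

# Return 0 when an "openssl version" banner names a release affected by
# CVE-2014-0160 (1.0.1 through 1.0.1f; 1.0.1g is the first fixed release).
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ldd output on stdin and print the libssl path the binary resolves.
libssl_path_from_ldd() {
    awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Map a resolved libssl path to the openssl binary built from the same
# source tree, so the right copy reports its version (assumption: standard
# FreeBSD layout, base in /usr/lib or /lib, ports in /usr/local/lib).
openssl_bin_for_lib() {
    case "$1" in
        /usr/local/lib/*) echo /usr/local/bin/openssl ;;
        /lib/*|/usr/lib/*) echo /usr/bin/openssl ;;
        *) return 1 ;;
    esac
}

# Audit one daemon: which libssl it links, which version that is, and
# whether that version is in the affected range. Returns 2 when affected.
audit_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not installed, skipping"
        return 0
    fi
    lib=$(ldd "$bin" 2>/dev/null | libssl_path_from_ldd)
    if [ -z "$lib" ]; then
        echo "$bin: does not link libssl"
        return 0
    fi
    ossl=$(openssl_bin_for_lib "$lib") || {
        echo "$bin: unknown libssl location $lib"
        return 0
    }
    banner=$("$ossl" version 2>/dev/null)
    if heartbleed_affected "$banner"; then
        echo "$bin: VULNERABLE ($lib, $banner)"
        return 2
    fi
    echo "$bin: ok ($lib, $banner)"
}

# The daemons that matter on 2.1.x: the web GUI (lighttpd) and OpenVPN.
audit_system() {
    rc=0
    for b in /usr/local/sbin/lighttpd /usr/local/sbin/openvpn; do
        audit_binary "$b" || rc=$?
    done
    return $rc
}

# Constructed sample mirroring the 2.1.1 ldd listing in the thread, so the
# parsing can be exercised offline without a pfSense box at hand.
SAMPLE_LDD_OPENVPN='/usr/local/sbin/openvpn:
    liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
    libc.so.7 => /lib/libc.so.7 (0x800c22000)'

# Run the live audit only when asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--live" ]; then
    audit_system
fi
```

Run it as `sh heartbleed_audit.sh --live` on the firewall; a non-zero exit means at least one daemon still links an affected libssl and the 2.1.2 update (followed by the certificate and password rotation the release note calls for) is still outstanding.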


Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Jim Thompson

On Apr 8, 2014, at 3:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

 
 Am 08.04.2014 um 21:04 schrieb Jim Thompson j...@smallworks.com:
 
 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimized.
 
 We are working at cutting a new release.
 
 
 
 Hi,
 
 according to:
 
 http://www.kb.cert.org/vuls/id/BLUU-9HY33E
 
 only FreeBSD 10 is affected.
 
 There are binary updates for FreeBSD 10 available, just no advisory-text.
 No update for FreeBSD 9.1


pfSense 2.1 and 2.1.1 are affected.

Jim



Re: [pfSense] New intel atom board

2014-04-05 Thread Jim Thompson

On Apr 5, 2014, at 12:48 PM, Ugo Bellavance u...@lubik.ca wrote:

 http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb
 
 An interesting platform for pfSense?
 
 It looks like it only has 1 NIC though.

I looked at this earlier in the week when it was released.

It’s interesting,

(AES-NI and VT-x support! 
http://ark.intel.com/products/78475/Intel-Atom-Processor-E3845-2M-Cache-1_91-GHz)

and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
driving up and seeing what it would take to take
the schematics (when they are available) and have a board built with 2 
Ethernets (rather than one), and maybe
a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of 
these work, or possibly an m-sata drive),
in addition to pulling the expansion header off, and connectorizing the serial 
‘debug’ header for a proper console.

We would need a simple enclosure as well.  Painted (or powder-coated) steel 
is less expensive than anodized aluminum, but I think the anodized aluminum 
looks nicer, and it can be laser engraved.

The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
How interesting is the m-sata / miniPCIe option?

How you can help:

Indicate your level of interest.

This board would without a doubt cost more than the minnow board.   I don’t 
know how much more, but we’re not going to hit the
same volumes as the minnow board.  (I could be wrong.)   The minnow board could 
be subsidized by Intel. (I could be wrong.)

It’s going to require a significant investment (up-front NRE), an investment in 
getting a run of these made, and some return on those investments (profit).

How important is form-factor?   Larger PCBs cost more, but can sometimes relax 
routing enough to not need additional layers (fewer layers tend
to cost less).

- miniPCIe is going to require a connector (these cost money to both buy and 
place)

- m-sata also requires a switch, such that if the m-sata drive is in-place it 
is connected to the SATA controller

- RAM costs.   At these densities, 2GB of ram costs twice as much as 1GB of 
ram.   4GB of ram costs 4X as much as 1GB of ram.
making lots of different variants of the boards costs extra to both 
manufacture (stop the line, load the new parts, run the new SKU) and inventory.

- dual core or single core? Remember that pfSense 2.2 (which is based on 
FreeBSD 10)  supports a pf capable of multi-threading.

Jim


Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Jim Thompson
Kevin,

Glad you like the update.

You won’t get ‘multicore’ PF until pfSense 2.2 (which is based on FreeBSD 10).  
Snapshots are available now.

Rangeley hardware, you say?  
http://store.netgate.com/Firewall/C2758.aspx
Also available “real soon now” at the pfSense store.   We believe in the C2000, 
so there will be other hardware leveraging that series coming available this 
year.
And yes, I agree that pfSense 2.2 will perform very well on the Intel C2000 
series SoCs.

You’ll notice that rather than create a “commercial version” of pfSense, (as 
many want to accuse me of doing), we just put the drivers in pfSense 2.1.1,
where everyone can enjoy them.   What you don’t get in the community builds is 
the testing/tuning that are part of the above.  The results are significantly
better than a stock load.

But even here, I’m working on a way to make those “platform-specific” tuning 
parameters available to the community.

Jim

On Apr 5, 2014, at 4:17 PM, Kevin Boatswain kboat...@gmail.com wrote:

 Well I just upgraded successfully, thanks a lot for the fix. 
 
 Don't know if it's the sugar pill effect but general web browsing seems MUCH 
 MUCH faster (and it wasn't slow to begin with). 
 
 
 
 I'm guessing this is due to many of the improvements including the updated PF 
 for multicore. 
 
 Not time to look at the supermicro versions of the Rangeley or Avoton 
 platforms as I was waiting until PFSense supported the new i354 and i210 
 nics. 
 
 
 
 These would make AWESOME pfsense platforms. 
 
 http://www.servethehome.com/Server-detail/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/
 
 
 
 
 
 
 On Sat, Apr 5, 2014 at 3:39 PM, Jeremy Porter jpor...@netgate.com wrote:
 There was an error in one of the version number strings, this has been fixed. 
  (It didn't replicate to one of the mirrors correctly.)
 
 
 Auto-update is just a quick link to the upgrade system, it does not 
 automatically upgrade the firewall without clicking on it,
 so if your firewall is offline, that is likely a different problem.
 
 
 On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
 I am having the same issue on my box. 
 
 Downloading new version information...done
 Unable to check for updates.
 Could not contact pfSense update server 
 http://updates.pfsense.org/_updaters
 
 
 At first I thought maybe my box needed to be rebooted but seeing your 
 message and the forum post below makes me wonder is there something wrong 
 with the upgrade url or am I supposed to be using a new upgrade url?
 
 https://forum.pfsense.org/index.php?topic=74639.0
 
 
 I am currently using http://updates.pfsense.org/_updaters for my update url 
 as well. 
 
 
 Odd that you were able to update from the console however.
 
  I wonder does the console use the same url listed in the Gui? 
  
 
 
 On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette bri...@dlois.com wrote:
 I see the same thing. I also notice I can no longer get online. I haven't 
 touched the box in over a month. It went from working to not working. I can 
 only assume it's related to the auto update to 2.1.1 
 
 On 4/5/2014 2:40 PM, Adam Thompson wrote:
 On 14-04-05 01:31 PM, Adam Thompson wrote:
 My own 2.1-release pfSense now can't auto-update.
 After updating from the console to 2.1.1, the web GUI *still* can't handle 
 auto-update checking.  Ordinarily, I'd assume misconfiguration, but the 
 only thing affected is the web UI.  WTF?
 -- 
 -Adam Thompson
  athom...@athompso.net
 
 

Re: [pfSense] New intel atom board

2014-04-05 Thread Jim Thompson

On Apr 5, 2014, at 5:06 PM, Adam Thompson athom...@athompso.net wrote:

 On 14-04-05 02:02 PM, Jim Thompson wrote:
 http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb
 An interesting platform for pfSense?
 It looks like it only has 1 NIC though.
 I looked at this earlier in the week when it was released.
 It’s interesting,
 [...]
 and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
 driving up and seeing what it would take to take
 the schematics (when they are available) and have a board built with 2 
 Ethernets (rather than one), and maybe
 a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more 
 of these work, or possibly an m-sata drive),
 in addition to pulling the expansion header off, and connectorizing the 
 serial ‘debug’ header for a proper console.
 Given the high up-front costs to produce a variant board, wouldn't it be 
 easier, faster and cheaper to just use the expansion header, which IIRC 
 includes two PCIe 1x lanes?  If a breakout cable existed that provided 2 PCIe 
 slots, it would be possible to simultaneously have much more flexibility in 
 enclosure design (e.g. PCIe cards underneath the board?) as well as 
 flexibility in choice of add-on.

The expansion header only includes one PCIex1 2.0 lane, 1x SATA2, 1x USB 2.0 
host, I2C, GPIO, JTAG, +5VDC, GND
http://www.minnowboard.org/meet-minnowboard-max/

 I don't see that a breakout cable exists yet for the high-speed expansion 
 bus, so there's that minor (*cough*) problem... but that seems a much smaller 
 problem than re-tooling the board.
 
 We would need a simple enclosure as well.Painted (or powder-coated) 
 steel is less expensive than anodized aluminum, but I think the anodized 
 aluminum looks
 In case you don't have a local firm you're happy with, talk to Protocase for 
 sample qtys.  I've seen them be cheaper than mass mfg for small runs of 
 simple cases (e.g. interlocked-U style).

We have a local firm we’re pretty happy with.  We also have a lot of experience 
in injection molding now (smallworks.com)

 The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
 The stock 2GB version should be adequate (barely) IMHO for most applications 
 that function with that class of CPU/ethernet/storage anyway.
 Much more interesting to me would be if a small, low-cost board like that 
 were available with ECC.  That CPU does support ECC RAM, after all…
Yes, it does.
ECC ram is also a lot more expensive.

 How interesting is the m-sata / miniPCIe option?
 Not to me, as I tend to deploy pfSense at the higher-end of the spectrum, but 
 *some* way to add WiFi would probably be important for the putative target 
 audience.  USB probably won't cut it for an AP, so mPCIe is probably needed.  
 Again, expansion-header-to-mPCIe should be possible instead of reworking the 
 board... and unlike PCIe 1x sockets, that wouldn't take up much more room 
 than putting the mPCIe headers on the board.

see above.

 How you can help:
 
 Indicate your level of interest.
 Neat, but not commercially interesting to me right now. Linksys/ASUS/D-Link 
 make cheaper gateways that are good enough for home users, and commercial 
 users will either get a FortiWiFi (or equivalent) or if pfSense, re-use an 
 existing rackmount server.
 
 This board would without a doubt cost more than the minnow board.   I don’t 
 know how much more, but we’re not going to hit the
 same volumes as the minnow board.  (I could be wrong.)   The minnow board 
 could be subsidized by Intel. (I could be wrong.)
 See above comments :-).  I'm not sure if a breakout cable is 100% workable, 
 but if so it's a faster/cheaper option than mPCIe.
 
 It’s going to require a significant investment (up-front NRE), an investment 
 in getting a run of these made, and some return on those investments 
 (profit).
 
 How important is form-factor?   Larger PCBs cost more, but can sometimes 
 relax routing enough to not need additional layers (fewer layers tend
 to cost less).
 Smaller is better.  Otherwise I may as well just deploy a miniITX or 1U 
 system.  Which, yes, argues *against* using a breakout cable for PCIe.
 
 - dual core or single core?Remember that pfSense 2.2 (which is based on 
 FreeBSD 10)  supports a pf capable of multi-threading.
 Good question - optimize for today or for tomorrow?

Back when I was a teenager, I liked to hang out in the local speed shop.  There 
was a plaque on the wall, with a very bent connecting rod, and the following 
lettered below it:

“Speed costs money, son.  How fast do you want to go?”

This was before Mad Max appropriated it: 
http://www.imdb.com/title/tt0079501/quotes?item=qt0427399

Jim




Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Jim Thompson

On Apr 2, 2014, at 3:17 PM, Thinker Rix thinke...@rocketmail.com wrote:

 On 2014-04-02 17:35, Eugen Leitl wrote:
 Apu.1c 
 http://www.heise.de/newsticker/meldung/Embeddded-Mainboard-mit-x86-CPU-und-Coreboot-2160404.html
 
 http://www.pcengines.ch/apu1c.htm
 
 in stock, €105.13
 
 Unfortunately again only 3 NICs... and Realteks with bad performance.
 I would love to see such a board one day with at least 4-8 NICs.

Such things are, literally, on the way, but aren’t going to be priced similarly 
to the APU.

Jim



Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Jim Thompson

On Apr 2, 2014, at 3:24 PM, Ryan Coleman ryanjc...@me.com wrote:

 Wouldn’t a layer-3 switch be a good investment in this situation? Put the 
 load on another device instead of, what is for all intents and (definitely) 
 purpose a thin, light-weight piece of hardware?

It doesn’t even need to be a layer-3 switch.

A decent layer-2 switch with enough programmable control would do it.

Such switches (layer 2 and even layer 3) exist, and programmable control can be 
had (sometimes) via protocols like OpenFlow.

The obvious path here is pfSense - ofSense as a controller for OpenFlow 
hardware.  Not that this isn’t already being actively discussed inside Netgate 
or anything… :-)
(here is a huge hint: http://store.netgate.com/Switches-C167.aspx)

This would enable multiples of 10G performance for load-balancing, packet 
filtering, and even NAT (with the right switch hardware).

The only issue here is that such switches tend to be a bit … pricey.   Thus far, 
the community hasn’t shown a lot of appetite for solutions that cost more than 
a few hundred dollars.

Even Chris continually touts that an Alix board is “enough for most people”.   
He’s right, except that the world of existing networking doesn’t allow a lot of 
flexibility, and even home users
might find that the complexity of configuring NAT/VLANs/packet 
filtering/caching/… is a bit much.   I’m not saying that a home user needs a 
$3,000 openflow switch, but a $300 solution with
3-4 Gb Ethernet ports should be more than adequate, since, in the right 
scenarios, even a Gb/s Google Fiber feed could be handled by a 2-4 core SoC and 
a set of re-architected software.

Jim

Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Jim Thompson

On Apr 2, 2014, at 5:01 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

 On 2/4/14 9:17 pm, Thinker Rix wrote:
 Unfortunately again only 3 NICs... and Realteks with bad performance.
 I would love to see such a board one day with at least 4-8 NICs.
 
 On that subject, we've recently been experimenting with these:
 http://linitx.com/product/jetway-jbc373-intel-atom-d525-barebone-system-quad-gigabit-lan/13700
 
 Initial results seem promising, they've got a CF slot, and they're not a 
 great deal more expensive than the ALIX units were.

Yeah, we carried those for a while, then they started coming back, so we stopped 
carrying them in the store, and are moving the remaining inventory on Amazon.
I think we called it the FW-525B.

They (also) have RealTek NICs.

YMMV.

Jim



Re: [pfSense] Blast from the past: pfSense 1.2 / ALIX / VLANs

2014-03-24 Thread Jim Thompson
What's your time worth?

-- Jim

 On Mar 24, 2014, at 9:03, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:
 
 On 24.03.2014 14:18, Chris Bagnall wrote:
 However, the new tenant found that performance was erratic - certain
 websites loaded instantly, but others wouldn't load at all. This
 normally screams classic MTU problems, in my experience, but I normally
 see these on weird WAN connections, not on the LAN.
 
 Does anyone know if there are/were 'problems' with 1.2 and VLAN MTUs on
 ALIX platforms (ethernet driver 'vr'), and whether an update to 1.3
 might fix it? This is old hardware with only 128MB RAM, so jumping to
 2.x is optimistic.
 
 The site in question is a couple of hundred miles away from me, so 'try
 it and see' isn't really an option in this case. :-)
 
 While I do have to admit that I don't have experience with the
 particular ethernet driver you mention, I know that there are several
 Unix Operating Systems where not all ethernet drivers are capable of
 dealing with the added bytes that a VLAN tag brings with it.
 
 IIRC, VLAN needs four bytes, so instead of upgrading to 1.3 you could
 first try to set the MTU to 1496 instead of the usual 1500.
 
 -Stefan
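The 4-byte 802.1Q overhead Stefan refers to, worked through as an added example (this is not code from the thread or from pfSense). It builds a tagged and an untagged frame, parses the tag back out, and shows why a receive path sized for a 1514-byte untagged frame either needs to accept frames 4 bytes longer (FreeBSD's ifconfig reports that driver capability as VLAN_MTU in the interface's options line) or needs the VLAN child interface MTU lowered to 1496. The MAC addresses and the 1500-byte payload are constructed sample data.

```python
import struct

# 802.1Q inserts a 4-byte tag after the source MAC. A frame carrying a full
# 1500-byte payload therefore grows from 1514 to 1518 bytes (FCS excluded).
# A driver whose receive path is sized for 1514 bytes must either accept the
# oversized frame (the VLAN_MTU capability on FreeBSD) or the VLAN interface
# MTU has to drop to 1496 so that tagged frames still fit in 1514 bytes.
ETHERTYPE_VLAN = 0x8100    # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4           # TPID (2) + TCI (2)
UNTAGGED_MAX_FRAME = 1514  # 14-byte header + 1500-byte payload, no FCS


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet II frame; if vid is given, insert an 802.1Q tag."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4) + payload
    return frame


def parse_frame(frame):
    """Return (vid, pcp, ethertype, payload); vid and pcp are None when untagged."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short")
    etype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    off = ETH_HDR_LEN
    if etype == ETHERTYPE_VLAN:
        if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
        off = ETH_HDR_LEN + VLAN_TAG_LEN
    return vid, pcp, etype, frame[off:]


def max_vlan_mtu(parent_max_frame, driver_grows_for_tag):
    """Largest payload a VLAN child can carry over a parent whose receive path
    accepts frames up to parent_max_frame bytes (FCS excluded).
    driver_grows_for_tag models a VLAN_MTU-capable driver, which accepts frames
    4 bytes longer than its untagged maximum."""
    budget = parent_max_frame + (VLAN_TAG_LEN if driver_grows_for_tag else 0)
    return budget - ETH_HDR_LEN - VLAN_TAG_LEN


def frame_accepted(frame, parent_max_frame):
    """Would a receive path sized for parent_max_frame accept this frame?"""
    return len(frame) <= parent_max_frame


def demo():
    dst = bytes.fromhex("001122334455")  # constructed sample MACs
    src = bytes.fromhex("66778899aabb")
    payload = bytes(1500)                 # a full-size IP packet
    tagged = build_frame(dst, src, payload, vid=10)
    vid, pcp, etype, body = parse_frame(tagged)
    return {
        "untagged_len": len(build_frame(dst, src, payload)),
        "tagged_len": len(tagged),
        "parsed_vid": vid,
        "tagged_fits_1514": frame_accepted(tagged, UNTAGGED_MAX_FRAME),
        "mtu_without_vlan_mtu": max_vlan_mtu(UNTAGGED_MAX_FRAME, False),
        "mtu_with_vlan_mtu": max_vlan_mtu(UNTAGGED_MAX_FRAME, True),
        "fits_after_reducing_mtu": frame_accepted(
            build_frame(dst, src, bytes(1496), vid=10), UNTAGGED_MAX_FRAME),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check a practitioner would do first on the box is to look at the parent interface's capabilities (the options= line in ifconfig output on FreeBSD) before touching MTUs: if the driver advertises VLAN_MTU, a 1500-byte VLAN MTU is fine and erratic page loads point elsewhere; if it does not, the 1496 workaround above is the one that keeps tagged frames within the driver's untagged limit.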


Re: [pfSense] (no subject)

2014-03-19 Thread Jim Thompson

Chris had to rebuild lists.pfsense.org, as one of the databases became 
corrupted. 
You might have gotten added in that process.


On Mar 19, 2014, at 1:54 PM, Doug Barton do...@dougbarton.us wrote:

 Actually I'm sort of curious as to how I got on the list in the first place. 
 I certainly did not sign up for it. I can figure out how to remove myself of 
 course, but was there some sort of mass involuntary subscription process that 
 occurred in the last 24-36 hours?
 
 Doug
 
 
 On 3/19/2014 11:48 AM, Vick Khera wrote:
 because clicking the link at the bottom of every message you get from
 the list is too hard?
 
 
 
 On Wed, Mar 19, 2014 at 2:25 PM, robert gledhill robert...@gmail.com
 mailto:robert...@gmail.com wrote:
 
Remove me
 


Re: [pfSense] Wifi/WAN issues

2014-03-06 Thread Jim Thompson


 On Mar 6, 2014, at 5:26, Jeremy Bennett jbenn...@hikitechnology.com wrote:
 
 What am I doing wrong?

You're running a more modern card than supported in pfSense 2.1, which is based 
on FreeBSD 8.3. 

Perhaps 2.2 will fix the issue. 

Jim


Re: [pfSense] Wifi/WAN issues

2014-03-06 Thread Jim Thompson


On Mar 6, 2014, at 12:51 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote:

 I spoke to the good folks at Netgate, and they assured me that the card was 
 indeed compatible with 2.1. From what I've seen, they've always been very 
 responsible with the products they sell and they were very helpful when I 
 raised the issue with them.
 
 So, that said, any other ideas?
 

Yeah, my mistake.  (Note my employer…)

I thought you had a more modern Atheros card.

These things typically turn out to be RF issues.   poor connection of the 
pigtail, high signal levels in the environment, etc.

In your particular case, you report:

“In configuring the WAN interface, I set the card to infrastructure mode (BSS) 
and fill in the network I'm trying to join's name ("wireless_network").”

and

“If I go to Status > Interfaces, I see that the status says no carrier”

“I setup an open network off of my cell phone and submitted the SSID of my 
phone's network and I get the same status: no carrier result.”

So we don’t know if your card is even receiving beacon frames.

Can you drop to a shell and run “ifconfig wlan0 scan”  (for whatever the name 
of your interface is)?

Jim




Re: [pfSense] pfsync state full resync

2014-02-17 Thread Jim Thompson
See your link http://www.openbsd.org/faq/pf/carp.html

It's all in there.

-- Jim

 On Feb 16, 2014, at 12:03, rajan agarwal rajanagarwa...@gmail.com wrote:
 
 I was about to post the same question. Thanks Brian, been facing a problem 
 with this in my 2 pfsense setup.
 
 
 
 On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler b.cand...@pobox.com wrote:
 I have a question about pfsync failover.
 
 Suppose you have a master/slave firewall pair; the master is broadcasting 
 updates to its state table and the slave is picking them up. Then you reboot 
 the master firewall. The slave firewall takes over.
 
 When the master firewall comes back, its state table will initially be 
 empty. So does it have a way to request from the slave a dump of the current 
 state table? And will this transfer be completed before it becomes master on 
 any CARP interfaces?
 
 I can't see this situation described at
 http://www.openbsd.org/faq/pf/carp.html
 http://www.openbsd.org/cgi-bin/man.cgi?query=pfsyncsektion=4manpath=OpenBSD+5.4
 
 It talks about state change messages but not a full resync.
 
 However, I can find a hint of a bulk transfer here:
 http://www.freebsd.org/cgi/man.cgi?query=pfsyncsektion=4
 and in this old posting:
 http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html
 
 Thanks,
 
 Brian.
 


Re: [pfSense] Netgate's customized pfSense release

2014-02-14 Thread Jim Thompson

On Feb 14, 2014, at 5:15 AM, Jostein Elvaker Haande jehaa...@gmail.com wrote:

 On 14 February 2014 11:54, Brian Candler b.cand...@pobox.com wrote:
 On 13/02/2014 19:43, Jostein Elvaker Haande wrote:
 
 The thing that brand names as Netgear now sells out of the box
 [..]
 
 I welcome Netgear to the pfSense community as a most welcome addition,
 and I hope to see similar additions in the time to come.
 
 That would be Netgate, not Netgear :-)
 
 Oooops! :) Slight slip of the fingers that.

You would not believe how often it happens.

It’s likely that some of you don’t know that Netgate was originally the name of 
a source-available(*) packet filter for SunOS(**) in 1991.   
See, for example: 
http://www.greatcircle.com/firewalls/mhonarc/firewalls.199309/msg00092.html

Jim
(*) the term “open source” had yet to exist in 1991, which was when 
‘SmallWorks’, the company behind the Netgate firewall, was formed.
(**) FreeBSD didn’t exist in 1991, either.  ‘Netgate’ ran on BSDI’s BSD/OS 
though we never formally launched it on the platform.
Rob Kolstad was my boss at Convex in the mid-80s. So I knew those guys 
really well, but the USL lawsuit prevented our launch on BSD/OS.


Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jim Thompson

On Feb 13, 2014, at 12:10 PM, Chris Buechler c...@pfsense.org wrote:

 On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote:
 Hi List,
 Having purchased several pfSense devices assembled by Netgate (m1n1wall and 
 FW-7541), I've noticed that the pfSense pre-install image was customized with 
 Netgate branding and the firmware auto-update mechanism was set to a Netgate 
 URL.
 
 Has this been discussed on the list before?

I’m not sure why it would be discussed on the list.  It’s a business matter 
between ESF and Netgate.

 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the 
 devices with images from ESF. 
 
 No, no, no. Custom hardware-specific images are a good thing - when done by 
 us, as in the case of Netgate. More when I'm not on my phone. 

Indeed.  You’ll see more of this in the future.  It supports the project in a 
big way.  Perhaps you don’t care about that, but I do.

Jim




Re: [pfSense] Netgate's customized pfSense release

2014-02-13 Thread Jim Thompson

On Feb 13, 2014, at 11:30 AM, Mathieu Simon (Lists) matsimon.li...@simweb.ch 
wrote:

 
 
 Am 13.02.2014 17:54, schrieb Andrew Hull:
 [...] I've noticed that the pfSense pre-install image was
 customized with Netgate branding and the firmware auto-update mechanism
 was set to a Netgate URL.
 
 Has this been discussed on the list before?
 I don't think often for what I can remember.
 
 My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded
 the devices with images from ESF. Does anyone here have a strong opinion
 one way or the other?
 
 No worries, that's how open source works, and in case of the BSD license
 there are are almost all liberties to do derivative products, as long as
 you follow minimal rules and trademark (pfSense and the logo are
 trademarks of ESF). Netgate allows you to run what image you like, other
 (non pfSense) appliance vendors are way less nice :-)
 
 Common guess: Beyond branding, their images may contain pre-done tuning
 for the hardware that makes it perform at its best without extra user
 intervention. In comparison, at one place I have a 3-letter brand server
 running pfSense and I had to spend some time on loader.conf.local and
 tunings to make all NICs work and work good (props to ESF staff who
 assisted).
 
 Quick history:
 BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as
 ESF. Jim Thompson from Netgate (also Texas) got involved with ESF, he is
 actually active in both companies.

In mid-2012, Chris approached several parties, including the principals of 
Netgate to
investigate their interest in purchasing the interest in BSD Perimeter formerly 
held by
Scott Ulrich.

In August 2012, the principals of Netgate completed the purchase of those 
shares.  Subsequently,
Chris moved to Texas (his idea, not forced on him in any way).

(To be perfectly clear on the history, Netgate was, quite literally, the first 
support customer of BSD Perimeter, 
back in 2006, and has continuously supported the project from that day until 
now.)

 That may explain why Netgate is permitted to redistribute modifed images
 without the need to rename the resulting product binaries or replacing
 the logos. (Jim, correct me, I'm writing this out of my memory, I
 remember there was once a post or a mailing list discussion)

Given that I’m managing both companies, some things get ‘shared’ (Netgate and 
ESF run on a common set of infrastructure (switches, servers, etc.), though in 
some cases the usage is exclusively ESF (e.g. the co-location at NYI)).

Those of us in Austin (and there is more headcount under ESF than you might 
imagine) are all collocated in
the same office space.

That all said:

1) I really do try to keep Netgate and ESF ‘separate’ in terms of business.   

2) Co-branding is permitted, and even encouraged, if done under the auspices of 
the ESF program directed to same.
There is revenue attached that flows to ESF, and thus, directly supports the 
project. These releases are built on the
same (identical) infrastructure, from the same tree, by ESF personnel.

Jim






Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-12 Thread Jim Thompson

On Feb 12, 2014, at 9:05 AM, David Burgess apt@gmail.com wrote:

 
 On Feb 11, 2014 5:55 AM, Jim Thompson j...@netgate.com wrote:
 
 
  Thanks for this.
 
  As before, we'll supply a solution for pfSense on the ERL after 2.2 (based 
  on FreeBSD 10) after 2.2 drops.
 
  -- Jim
 
 That's great news. Does anybody care to speculate whether FreeBSD will be 
 able to take advantage of the packet forwarding acceleration of this hardware 
 at some point
 

you know it’s ipv4-only, right?  (there should be a layer2 version as well, but 
you can’t run both.)

jim





Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-12 Thread Jim Thompson
The reality is “when it’s done”.

I’m hoping for “mid-May”.


On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote:

 What is the time frame for 2.2?
 
 On 2/11/2014 7:55 AM, Jim Thompson wrote:
 Thanks for this.
 
 As before, we'll supply a solution for pfSense on the ERL after 2.2 (based 
 on FreeBSD 10) after 2.2 drops.
 
 -- Jim
 
 On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote:
 
 http://rtfm.net/FreeBSD/ERL/
 
 FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
 
 The Ubiquiti EdgeRouter Lite is a neat little device that costs less than
 US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on 
 the
 Cavium Octeon CN5020 platform and features a dual core 500 MHz MIPS64
 processor, 512MB RAM, and 4GB storage on removable USB.
 
 The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky
 ISP-provided cablemodem.
 
 This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to 
 the
 open nature of the EdgeRouter Lite, it's very easy to install and use these
 images; just follow the instructions below. Thanks to the fine folks at the
 FreeBSD Project, building your own is almost as easy. A script to build 
 them,
 along with instructions, is also provided. Special thanks is due to Juli
 Mallett and Warner Losh, without whose hard work and generous assistance 
 none
 of this would be possible.
 
 Note that this is experimental software which comes with no warranty of any
 kind. These builds are works in progress and are not fit or suitable for any
 purpose whatsoever. By proceeding you assume all risks.
 
 On my EdgeRouter Lite, the builds provided below are stable and pretty much
 fully functional. There are two outstanding issues:
 
 Performance could be a little better, though it's more than adequate for my
 home Internet connection. Basic packet passing between two Gigabit hosts
 seems to top out at about 250Mbits/sec.
 
 There is currently no way to pass boot options (such as single-user mode) to
 the kernel from U-Boot.
 
 Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC
 mode to see a huge speedup over CTR.
 
 etc.


Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-12 Thread Jim Thompson

On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote:

 On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote:
 
 That's great news. Does anybody care to speculate whether FreeBSD will be
 able to take advantage of the packet forwarding acceleration of this
 hardware at some point?
 
 IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL.

Not really.  Even if it’s proprietary (and can’t be open sourced), what you’re 
after is the functionality, yes?

jim



Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-12 Thread Jim Thompson

On Feb 12, 2014, at 9:55 AM, Eugen Leitl eu...@leitl.org wrote:

 On Wed, Feb 12, 2014 at 09:44:46AM -0600, Jim Thompson wrote:
 
 On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote:
 
 On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote:
 
 That's great news. Does anybody care to speculate whether FreeBSD will be
 able to take advantage of the packet forwarding acceleration of this
 hardware at some point?
 
 IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL.
 
 Not really.  Even if it’s proprietary (and can’t be open sourced), what 
 you’re after is the functionality, yes?
 
 Can the blobs be reversed so easily? (Too bad about lack of IPv6 offloading, 
 but we can live with that for a while, I guess).

I don’t know.  If you’re really curious, you can read this:
http://university.caviumnetworks.com/downloads/Mini_version_of_Prog_Guide_EDU_July_2010.pdf
to find out how to get hold of the real programming guide from Cavium, then read 
Chapter 2 “Packet Flow” in same.

This might give you some ideas as well: 
https://hactive.googlecode.com/files/CN50XX-HRM-V0.99E.pdf
Note that this link seems to support the idea that IPv6 processing is supported 
by the hardware (see, for example, Sections 7.2.4, 7.5 and 7.7).

I do know that *I* don’t want to invest a ton of RE effort in a $99 platform 
that bears near zero margins, when far, far faster 
Intel / AMD platforms that aren’t more than 2-3X the price are just around the 
corner.  Note slide 17 in this:
https://noppa.aalto.fi/noppa/kurssi/s-38.3310/harjoitustyot/S-38_3310_matias_elo.pdf

Jim





Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-12 Thread Jim Thompson

On Feb 12, 2014, at 12:16 PM, Brian Caouette bri...@dlois.com wrote:

 Sounds good. Is there a planned feature list we can look forward too?
 
 On 2/12/2014 10:43 AM, Jim Thompson wrote:
 The reality is “when it’s done”.
 
 I’m hoping for “mid-May”.
 
 
 On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote:
 
 What is the time frame for 2.2?


Is there a planned revenue stream?

The answer to both is ‘No’.




Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite

2014-02-11 Thread Jim Thompson

Thanks for this. 

As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on 
FreeBSD 10) after 2.2 drops. 

-- Jim

 On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote:
 
 http://rtfm.net/FreeBSD/ERL/
 
 FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
 
 The Ubiquiti EdgeRouter Lite is a neat little device that costs less than
 US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the
 Cavium Octeon CN5020 platform and features a dual core 500MHz MIPS64
 processor, 512MB RAM, and 4GB storage on removable USB.
 
 The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky
 ISP-provided cablemodem.
 
 This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the
 open nature of the EdgeRouter Lite, it's very easy to install and use these
 images; just follow the instructions below. Thanks to the fine folks at the
 FreeBSD Project, building your own is almost as easy. A script to build them,
 along with instructions, is also provided. Special thanks is due to Juli
 Mallett and Warner Losh, without whose hard work and generous assistance none
 of this would be possible.
 
 Note that this is experimental software which comes with no warranty of any
 kind. These builds are works in progress and are not fit or suitable for any
 purpose whatsoever. By proceeding you assume all risks.
 
 On my EdgeRouter Lite, the builds provided below are stable and pretty much
 fully functional. There are two outstanding issues:
 
 Performance could be a little better, though it's more than adequate for my
 home Internet connection. Basic packet passing between two Gigabit hosts
 seems to top out at about 250Mbits/sec.
 
 There is currently no way to pass boot options (such as single-user mode) to
 the kernel from U-Boot.
 
 Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC
 mode to see a huge speedup over CTR.
 
 etc.


Re: [pfSense] January Project News

2014-01-21 Thread Jim Thompson
It still needs attention in the editing and formatting
departments, but all the tech is there, yes. 

-- Jim

 On Jan 21, 2014, at 5:00, Michał Karas m.ka...@hafis.pl wrote:
 
 Hi,
 
 thank you for your reply. Is the electronically available version already 
 finished? Does it cover all features of PFSense 2.0/2.1 ?
 
 Best 
 
 Michał
 
 
 
 On Tue, Jan 21, 2014 at 11:54 AM, Chris Buechler c...@pfsense.org wrote:
 On Tue, Jan 21, 2014 at 4:40 AM, Michał Karas m.ka...@hafis.pl wrote:
  Hello Chris,
 
  any updates on new PFSense book ? When will it be published ?
 
 
 Still to be determined. It's already available for subscribers @
 portal.pfsense.org in PDF, mobi and epub. Individual electronic copy
 sales will come at some point.
 
 
 
 -- 
 Me-totemo-utsukushi-i-desu-ne totemo- 
   utsukushi-i-me-wo-shitemasu
   - Mitch Ikeda


Re: [pfSense] Apple Messages Blocked

2014-01-15 Thread Jim Thompson
Turning on UPNP might make things better.  It just works for me, too. 

-- Jim

 On Jan 15, 2014, at 10:00, Vick Khera vi...@khera.org wrote:
 
 
 On Tue, Jan 14, 2014 at 3:01 PM, Paul Galati paulgal...@gmail.com wrote:
 I have tried searching the forums for find a fix to allow Apple Messages app 
 to successfully connect using Audio, Video, or Screen Sharing.
 
 It just works for me. I have pfSense protecting my home network, sitting 
 behind a NAT from Verizon FiOS even (so my internal is double NATted.)  I 
 have done facetime chats with my kids on the computers at home which is the 
 same as the Messages app and me on a computer and/or my phone in another 
 state. I allow the internal computers to make all outbound connections, 
 though, so that may be a difference in your configuration.
 
 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] IPSec problem with mobile IOS and Android

2014-01-04 Thread Jim Thompson
You lost me at “port forwarding”.

Making NAT work for IPSEC (passthrough) can be … quite challenging.


Hopefully you’re attempting to terminate IPSEC on the pfSense box, and the ISP 
router is configured to:
IP Protocol ID 50:  For both inbound and outbound filters. Should be set to 
allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
IP Protocol ID 51:  For both inbound and outbound filters. Should be set to 
allow Authentication Header (AH) traffic to be forwarded.
UDP Port 500:  For both inbound and outbound filters. Should be set to allow 
ISAKMP traffic to be forwarded.

Note that ‘forwarding’ here is packet forwarding, not port forwarding.   If so, 
I’ve simply misunderstood you.  If not, you’re not going to make it work 
without a TON of work on NAT-traversal.

You say you looked at: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I 
think).   Commercial support is available if you need it.

Jim

On Jan 4, 2014, at 5:03 PM, Carlos Vicente cjpvice...@gmail.com wrote:

 Hi all,
  
 I have a problem with an IPSec VPN from mobile clients (IOS and Android). I 
 can establish the tunnel but can’t ping, RDP or SSH the pfSense or any client 
 behind it (which is working with OpenVPN). I see the “passed” logs on the 
 firewall tab but can’t access the systems.
  
 My pfSense WAN is on the same subnet as the LAN of the ISP router, which has 
 port forwarding of ESP, AH and IKE to the pfSense WAN network adapter. All 
 the rules are correct and they appear correctly in the logs.
  
 My PfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kind of 
 configs from the doc “Mobile IPsec on 2.0”, but, as I said, can establish the 
 connection but can’t access any device on the LAN subnet.
  
 I have used this excellent appliance for many years, so I must have IPSec VPN 
 working on mobile clients the same way I have them working with OpenVPN.
  
 I’m stuck here, so any help would be very appreciated.
  
 Thanks.
 CV


Re: [pfSense] Compile on Sun v215

2013-12-09 Thread Jim Thompson
Unlikely. 

-- Jim

 On Dec 9, 2013, at 4:07, Denny Fuchs linuxm...@4lin.net wrote:
 
 hi,
 
 I want to use two old Sun Fire SPARC v215 machines for pfsense. FreeBSD 8/98 runs 
 without any problems, so the only question is whether it makes sense to 
 compile pfsense on those hosts.
 
 Ram: 12GB
 
 # cat /proc/cpuinfo
 cpu: TI UltraSparc IIIi (Jalapeno)
 fpu: UltraSparc IIIi integrated FPU
 pmu: ultra3i
 prom: OBP 4.22.33 2007/06/18 12:47
 type: sun4u
 ncpus probed: 2
 ncpus active: 2
 D$ parity tl1: 0
 I$ parity tl1: 0
 cpucaps: flush,stbar,swap,muldiv,v9,ultra3,mul32,div32,v8plus,vis,vis2
 Cpu0ClkTck: 59a53800
 Cpu1ClkTck: 59a53800
 MMU Type: Cheetah+
 State:
 CPU0:online
 CPU1:online
 
 cu denny
 
 


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-11 Thread Jim Thompson
I was at the FreeBSD Vendor Summit last week, and raised the AES-NI
issue as important to be solved in the next six months.

The issue and fix are understood, it just needs someone to implement
it (and then, presumably, backport it to 8.3, so we can release an
update to 2.1 (2.1.1 or similar).

Jim

On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com wrote:
 Hi all,


 On 2013-11-06 07:53, Thinker Rix wrote:

 as I am planning to buy new hardware for pfSense, I was wondering if it is
 worthy to buy a CPU that supports AES new instructions, i.e.
 hardware-support for AES encryption.


 As I learned in this thread (big thanks to everybody participating), AES-NI
 is adding no value to pfSense currently, at all. So currently the only
 solution is to throw GHz at the problem.

 Searching myself through the web to learn what CPU speed I would need to
 achieve my desired 450 MBit/s VPN (or come at least somewhat close to this
 theoretical max), I found this:
 http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/
 I copied those measurements found there into a spreadsheet so to analyze
 those values. If anybody is interested in this spreadsheet (.ods), I can
 send it to him via private mail (I guess binaries are not allowed in the
 mailing list). Just drop me a message.


 Regards
 Thinker Rix


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-11 Thread Jim Thompson
I think the people with the relevant skill are willing to fix it, when
they're shown that what they did (cryptdev support) doesn't provide any
benefit.

read:  it's being taken care of.

On Mon, Nov 11, 2013 at 1:20 PM, Vick Khera vi...@khera.org wrote:
 Did you get the sense people with the relevant skill were open to a bounty
 for implementing the necessary fixes?


 On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson j...@netgate.com wrote:

 I was at the FreeBSD Vendor Summit last week, and raised the AES-NI
 issue as important to be solved in the next six months.

 The issue and fix are understood, it just needs someone to implement
 it (and then, presumably, backport it to 8.3, so we can release an
 update to 2.1 (2.1.1 or similar).

 Jim

 On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com
 wrote:
  Hi all,
 
 
  On 2013-11-06 07:53, Thinker Rix wrote:
 
  as I am planning to buy new hardware for pfSense, I was wondering if it
  is
  worthy to buy a CPU that supports AES new instructions, i.e.
  hardware-support for AES encryption.
 
 
  As I learned in this thread (big thanks to everybody participating),
  AES-NI
  is adding no value to pfSense currently, at all. So currently the only
  solution is to throw GHz at the problem.
 
  Searching myself through the web to learn what CPU speed I would need to
  achieve my desired 450 MBit/s VPN (or come at least somewhat close to
  this
  theoretical max), I found this:
 
  http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/
  I copied those measurements found there into a spreadsheet so to analyze
  those values. If anybody is interested in this spreadsheet (.ods), I can
  send it to him via private mail (I guess binaries are not allowed in the
  mailing list). Just drop me a message.
 
 
  Regards
  Thinker Rix





Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

 On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
 
 pfSense lists the AES-NI as a supported option for crypto acceleration.  
 pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config 
 setting for it.

I'm not aware of any performance testing for AES-NI on pfSense. 

There are reports that FreeBSD doesn't support AES-NI very well. 

Jim 


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote:

 On 2013-11-06 15:29, Jim Thompson wrote:
 On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
 
 pfSense lists the AES-NI as a supported option for crypto acceleration.  
 pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
 config setting for it.
 I'm not aware of any performance testing for AES-NI on pfSense.
 
 There are reports that FreeBSD doesn't support AES-NI very well.
 
 Thank you for this information, Jim. So I figure that buying the Xeon just 
 for its AES functions would (currently) be a waste of money.

I can’t answer this, because I’ve not tested it.

I know that the linux kernel, and openbsd both take full advantage of AES-NI 
instructions.

http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html
http://comments.gmane.org/gmane.os.openbsd.misc/199639

I know there is an implementation of AES-NI for cryptdev, but **I HAVE NOT 
TESTED IT** (nor has anyone else on the pfSense team, AFAIK).

There seems to be an issue:
http://forum.pfsense.org/index.php/topic,54008.30.html
http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html

In the meantime, it might be possible to use OpenVPN with a patched openssl 
library to achieve the results you desire (but now you’re off into DIY land.)  
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

That all said, we will find and fix the issue at some point.   (I’m actually in 
San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a potential 
issue.)

Jim



Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson
The issue may not be that easy to fix. 
Current theory is that it's a structural issue in cryptdev. 

-- Jim

 On Nov 6, 2013, at 20:59, Chris Buechler c...@pfsense.org wrote:
 
 I have done some brief testing of AES-NI a few months back, though I
 can't seem to find the results at the moment and that test environment
 isn't online currently. It doesn't give the performance benefit that
 it should at this time. So the immediate benefit is minimal (except
 for the fact the Xeon proc would be faster than the Pentium), but it
 will be properly supported in the future, hopefully in 2.2 with its
 FreeBSD 10 base, but we haven't done any testing there yet.
 
 On Tue, Nov 5, 2013 at 11:53 PM, Thinker Rix thinke...@rocketmail.com 
 wrote:
 Hello all,
 
 as I am planning to buy new hardware for pfSense, I was wondering if it is
 worthy to buy a CPU that supports AES new instructions, i.e.
 hardware-support for AES encryption.
 
 Would pfSense use this CPU instructions so to hardware-encrypt/decrypt all
 VPN traffic (openVPN)?
 Would pfSense benefit from this in any other way, too?
 
 The motherboards that I want to buy unfortunately support AES-NI only with
 Xeons that currently start from approx 170 €. If I would take a CPU without
 AES-NI, I could go with a dual-Pentium for 40€. What impact would you expect
 from AES-NI, in regards to the fact that I will be having traffic from VPN
 secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2
 users at a time max. Do you think the AES-NI would be worth the price
 premium of the Xeon for my case, e.g. because it would reduce VPN latency,
 etc., or is it just a pure waste of money in my case?
 
 Best regards
 Thinker Rix
 
 
 


Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?

2013-11-06 Thread Jim Thompson

The Xeon CPUs are almost idle. 

The old Intel 32-bit Pentium 4 2.4GHz dual core server, however is the other 
end of that IPSEC tunnel. It's unlikely to be as idle as the Xeon. 

-- Jim

 On Nov 6, 2013, at 8:04, Thinker Rix thinke...@rocketmail.com wrote:
 
 On 2013-11-06 15:22, Vick Khera wrote:
 
 On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.com 
 wrote:
 Would pfSense use this CPU instructions so to hardware-encrypt/decrypt all 
 VPN traffic (openVPN)?
 Woud pfSense benefit from this in any other way, too?
 
 
 pfSense lists the AES-NI as a supported option for crypto acceleration.  
 pfSense will use it for OpenVPN and IPsec if you tell it to. There's a 
 config setting for it.
 
 As to your question of is it worth the cost, that depends on how much VPN 
 traffic you have. The Xeon will handle a damn lot of traffic all on its own. 
 If you are pushing more than 40Mbps on the VPN, then perhaps consider the 
 extra cost. If it is low, like under 5 or 10Mbps, then I'd probably suggest 
 that it is not worth the cost.
 
 As a reference, between my data center and my primary office, I have an 
 IPsec tunnel.  The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual 
 core server.  The data center runs on Intel Xeon E31220L @ 2.20GHz 
 quad-core. Neither one has any built-in cryptodev supported devices. The 
 IPsec tunnel maxes out at about 20Mbps during large file backups. I don't 
 think it would go any faster with hardware acceleration, and the load on 
 these boxes hovers around 0 still. The data center firewall is also busy 
 pushing over 100Mbps of regular traffic to hundreds of clients as well.
 
 Hi Vick,
 
 Thank you for your reference, it is very valuable for me!
 I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU.
 
 What do you think is the reason for your VPN traffic maxing out at 20Mbps (I 
 assume that your connection is not the traffic bottle neck, right?), although 
 your CPUs are almost idle?
 
 Best regards
 Thinker Rix


Re: [pfSense] Disk Read failure (but it seems to work anyway)

2013-10-28 Thread Jim Thompson
https://doc.pfsense.org/index.php/DMA_and_LBA_Errors


On Mon, Oct 28, 2013 at 12:18 PM, Bob Gustafson bob...@rcn.com wrote:

 I installed 2.1 on a SanDisk 4GB Ultra (200x) for use on an Alix board.

 I configured the ethernet ports using the serial connection and then left
 the connection and minicom running while I did more configuration using the
 ethernet webConfigurator.

 Every time I would make a change to the configuration, I get:

 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139
 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139
 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139
 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139

 from the serial port. Even though it says FAILURE, the configuration was
 retained. (Perhaps a power cycle will wipe it out. Will power cycle in a
 minute and report here)

 Can I do something to fix the problem, or eliminate the messages?

 Perhaps the SanDisk Ultra is too fast? I picked it more for reliability
 than speed. Perhaps it was not a good choice.

 -

 On power cycle, there were some read errors:

 ...uhub0: 4 ports with 4 removable, self powered
 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139
 ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
 LBA=78139
 Root mount waiting for: usbus1
 uhub1: 4 ports with 4 removable, self powered
 Trying to mount root from ufs:/dev/ufs/pfsense0
 Configuring crash dumps...
 Mounting filesystems...
 Setting up memory disks... done.
 Disabling APM onad0: FAILURE - SETFEATURES 0x85 status=51<READY,DSC,ERROR>
 erro
  /dev/ad0
 ...

 but it seems all of my configuration information was retained.

 Bob G

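The console messages quoted above decode mechanically: the hex after status= and error= are the ATA status and error registers, and the names in the angle brackets are the kernel's rendering of the bits that are set. What follows is an added example, not code from the pfSense project or from the post, that parses such lines (including the bracket-stripped form this archive shows), cross-checks the printed names against the hex, and reports whether the same LBA keeps failing; the bit names are assumed to follow the FreeBSD ata(4) driver's format strings, and the sample console lines are constructed.

```python
#!/usr/bin/env python3
"""Decode and triage FreeBSD ata(4) "FAILURE" console messages.

Added example, not from the pfSense list or project. Register bit names are
taken from the FreeBSD ata(4) driver's status/error format strings
(assumption); the sample lines at the bottom are constructed, modelled on
the ones in the post above.
"""
import re
from collections import Counter

# ATA status register bits, bit 7 down to bit 0, as ata(4) names them.
STATUS_BITS = ["BUSY", "READY", "DMA_READY", "DSC", "DRQ",
               "CORRECTABLE", "INDEX", "ERROR"]
# ATA error register bits, bit 7 down to bit 0.
ERROR_BITS = ["ICRC", "UNCORRECTABLE", "MEDIA_CHANGED", "NID_NOT_FOUND",
              "MEDIA_CHANGE_REQEST", "ABORTED", "NO_MEDIA", "ILLEGAL_LENGTH"]

# Accepts the kernel's form  status=51<READY,DSC,ERROR>  and the form left
# after an HTML archive strips the angle brackets (status=51READY,...).
# Searched, not anchored, because the kernel interleaves messages
# ("Disabling APM onad0: FAILURE ..." in the post).
LINE_RE = re.compile(
    r"(?P<dev>ad\d+|ada\d+|da\d+): FAILURE - (?P<op>[A-Z_]+)"
    r"(?: (?P<feature>0x[0-9a-fA-F]+))?"
    r" status=(?P<status>[0-9a-fA-F]{2})<?(?P<status_names>[A-Z_,]*)>?"
    r" error=(?P<error>[0-9a-fA-F]{2})<?(?P<error_names>[A-Z_,]*)>?"
    r"(?:\s+LBA=(?P<lba>\d+))?"
)


def decode_bits(value, names):
    """Return the set bit names of an 8-bit register, highest bit first."""
    return [name for i, name in enumerate(names) if value & (0x80 >> i)]


def join_wrapped(lines):
    """Re-attach 'LBA=...' continuation lines to the message before them."""
    out = []
    for line in lines:
        s = line.strip()
        if s.startswith("LBA=") and out:
            out[-1] = out[-1] + " " + s
        else:
            out.append(s)
    return out


def parse_line(line):
    """Parse one FAILURE message into a dict, or return None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {
        "dev": m.group("dev"),
        "op": m.group("op"),
        "feature": m.group("feature"),
        "status": decode_bits(int(m.group("status"), 16), STATUS_BITS),
        "error": decode_bits(int(m.group("error"), 16), ERROR_BITS),
        "lba": int(m.group("lba")) if m.group("lba") else None,
    }
    # Cross-check: the names the kernel printed must match the hex it printed.
    for key, printed in (("status", m.group("status_names")),
                         ("error", m.group("error_names"))):
        if printed and printed.split(",") != rec[key]:
            rec[key + "_mismatch"] = printed
    return rec


def triage(lines):
    """Summarise a console log: which LBAs fail repeatedly, and what else."""
    records = [r for r in (parse_line(l) for l in join_wrapped(lines)) if r]
    lba_hits = Counter(r["lba"] for r in records
                       if r["op"] in ("READ", "WRITE") and r["lba"] is not None)
    return {
        "failures": len(records),
        # The same sector failing again and again points at one unreadable
        # block on the card, not at a controller or cable problem.
        "repeated_lbas": sorted(l for l, n in lba_hits.items() if n >= 2),
        # SETFEATURES 0x85 is "disable APM"; media that rejects it logs a
        # FAILURE that says nothing about data integrity.
        "apm_setfeature_failures": sum(
            1 for r in records
            if r["op"] == "SETFEATURES" and r["feature"] == "0x85"),
        "id_not_found": sum(1 for r in records if "NID_NOT_FOUND" in r["error"]),
    }


# Constructed sample, modelled on the messages in the post (not a real capture).
SAMPLE_CONSOLE = """\
ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND>
LBA=78139
ad0: FAILURE - READ status=51<READY,DSC,ERROR> error=10<NID_NOT_FOUND> LBA=78139
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
Root mount waiting for: usbus1
Trying to mount root from ufs:/dev/ufs/pfsense0
Disabling APM onad0: FAILURE - SETFEATURES 0x85 status=51<READY,DSC,ERROR> error=04<ABORTED>
""".splitlines()

if __name__ == "__main__":
    for rec in (parse_line(l) for l in join_wrapped(SAMPLE_CONSOLE)):
        if rec:
            print(rec)
    print(triage(SAMPLE_CONSOLE))
```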


Re: [pfSense] Hardware requirements for gigabit wirespeed

2013-10-24 Thread Jim Thompson

On Oct 24, 2013, at 12:02 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

 On 24/10/13 5:30 pm, Thinker Rix wrote:
 I want to have:
 - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x
 Gigabit at max)
 
 Would have thought you'd be fine here.
 
 - full 450Mbps between the WLAN and pfsense
 
 Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps out of 
 your WLAN. Not a pfSense limitation, just a reality of WLAN claimed radio 
 speeds. I generally expect to see ~55-65Mbps out of 2x2 radios, so ~80Mbps 
 out of 3x3 is probably realistic.

depends on your RF environment and channel orthogonality. 
 
 Unless you're in a really isolated area, using an 80Mhz channel (which is 
 what you'd need for 450Mbps radio speed) will slaughter spectrum availability 
 for your neighbours. Short of really needing that speed, try to stick with 
 20Mhz channels where possible. And if you're in a very congested WiFi area, 
 you may even get better speeds out of 20Mhz (much easier to find one free 
 20Mhz channel than a free 80Mhz channel).
 
 - maximal VPN speed without speed break due to hardware limitations,
 i.e. as near to wire speed as possible
 
 Depends on your choice of crypto algorithm and whether you can do it in 
 hardware.

I’d recommend for a CPU that supports AES-NI, even if the FreeBSD support for 
same turns out to be lagging.

‘wire speed’ would need to be defined.   I do know of boxes that will run at 
25Gbps.

As the guy at the hot rod shop told me 30 years ago, “Speed costs money son.  
How fast do you want to go?”

 1. Would the Core2Duo CPU be sufficient for my requirements or should I
 choose the 2,4 GHz Quad-core, the 2,89 GHz Quad-core or maybe even a
 more powerful CPU or totally different setup?
 
 When I was deploying a Quagga-based BGP setup in a datacentre a couple of 
 years ago, the general consensus was that cores are more important than raw 
 clock speed - so 4x2.4Ghz is better than 2x3.4Ghz - at least when using 
 multiple interfaces.

That’s not what I’d have guessed.

If your application load is single-threaded (or a single process), then clock 
speed will win every time.
If your application (load) can be broken down into pieces that execute in 
parallel, then cores will be a win.

You’ve not specified the problem well enough to discuss.

An AS with internal BGP (iBGP) must have all of its iBGP peers connect to each 
other in a full mesh (where everyone speaks to everyone directly). This 
full-mesh configuration requires that each router maintain a session to every 
other router. In large networks, this number of sessions may degrade 
performance of routers, due to either a lack of memory, or too much CPU process 
requirements.   There will also need be some serious consideration on the 
reliability of the network, and its constituent part(s).   

If those wireless links are for exterior paths, and not simply 802.11 LANs, 
then you’re in for a huge amount of trouble, as wireless isn’t reliable.  At 
all.

 This was, however, with Linux hosts. One of the nice things about those Intel 
 server cards is the ability to lock NIC affinity to CPUs/cores, so you can 
 effectively task a core to one or more NIC ports.

But that would require completely re-architecting the application(s).

 
 Hopefully others will chime in as to whether the same is true with FreeBSD - 
 I seem to recall there were SMP/multi-core efficiency issues with earlier 
 FreeBSD versions - hopefully those have been ironed out by now.
 
 2. Is there any other bottle neck that will prevent my performance
 requirements?
 
 Bonding is not a guarantee of doubled speeds. In my experience, bonding 2 
 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. You are 
 very unlikely to get 2Gbps. Bonding is more about redundancy (failover) than 
 throughput at this level. If you really need 1Gbps, you're going to have to 
 consider 10GE kit.
 
 3. When bonding the NICs, I was planning to use a port on each of the
 PCIe cards so to have a little bit of redundancy should an expansion
 card fail. Will there be significant performance losses due to this
 spread over 2 expansion cards, so that it would be much better to bond
 two NICs that live on the same expansion card and forget about the
 additional redundancy?
 
 No, I agree that bonding 2 ports on separate cards is the best option.
 
 You're already thinking redundancy with the multiple NIC considerations, but 
 in my experience, NICs don't really fail that often - at least not compared 
 to fans, power supplies and other PC components. Consider whether a 2x 
 pfSense cluster in CARP might be more to your needs if redundancy/failover is 
 a critical requirement.
 
 Looking at your hardware again, you've specced 12 NICs, but from what I can 
 see from your config, you only need 8 (2 VDSL ports, 2 bonded ports for LAN, 
 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).
 
 4x on-board Realtek 8111C Gigabit NICs
 
 Personally 

Re: [pfSense] Hardware requirements for gigabit wirespeed

2013-10-24 Thread Jim Thompson
The topic has wandered away from pfSense. 

-- Jim

 On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc wrote:
 
 On 24/10/13 7:31 pm, Adam Thompson wrote:
 If I upgraded to a better-quality unit, or switched to licensed
 spectrum, I could probably eliminate the variability and increase speed
 simultaneously.
 
 Indeed, we have Ubiquiti kit running point to point links in the 5Ghz 
 unlicensed spectrum (band C) over around 18km which deliver ~65Mbps 
 throughput. I think our distance record is just shy of 68km.
 
 Within the Ubiquiti line, the AirFiber apparently would get me to
 ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
 using unlicensed spectrum, using the built-in directional antennas.
 
 Do check the 24Ghz spectrum rules carefully in your jurisdiction - certainly 
 here in the UK the 24Ghz unlicensed spectrum is limited, and only allows 
 fairly low power without a licence.
 
 I do not have personal
 experience with Alvarion, but I can unreservedly recommend Dragonwave.
 
 I'd add Motorola Orthogon kit to that list, based on some offshore experience 
 with it a few years ago.
 
 Kind regards,
 
 Chris
 -- 
 This email is made from 100% recycled electrons


Re: [pfSense] naive suggestion: conform to US laws

2013-10-15 Thread Jim Thompson

On Oct 15, 2013, at 8:53 AM, Alex DiMarco a...@cs.toronto.edu wrote:

 
 On Tue, Oct 15, 2013 at 8:20 AM, Robert Skinner rob...@robertskinner.com 
 wrote:
 You would have hated the 90s then.
 
 Interesting time that was, no particular hate though for that period.. 
 Now the 80's on the other hand :*) 

It was only the music that sucked in the 80s… Oh, and the clothing / hair 
styles, and the politics, and …  :-)
 Though annoying at times, these displays on mailing lists have also sparked 
 some great technology projects too. Those around in the early BSD days recall 
 such episodes. Not that I am promoting or encouraging such behavior.
 
 There is no doubt great technology has emerged from conflict; verbal and 
 otherwise.
  
 I think I may be an optimist with a belief that if we choose to interpret 
 intentions in a positive way even when they are communicated otherwise, we 
 can potentially do even greater things... maybe I am choosing to be naive...  
 but then, that is the title of this thread
 You will always have “that guy”, at a bar now and then, but as long as it’s 
 not a bar full of that personality.
 
 I think unfortunately all of us have had the privilege of being that guy at 
 the bar - I know I have a few times even without the Guinness or Scotch 
 flowing  8*]

So what excuse do I have, given that I was stone sober?   (In France at the 
time, but still… sober.)

Jim




[pfSense] not all backdoors are NSA backdoors

2013-10-13 Thread Jim Thompson

It occurs to me that being more ‘conversational’ with the community might be a 
good thing.   Describing what is happening with pfSense, and why, and engaging 
the pfsense community in the process could be a good thing.   My first attempt 
is included herein.

But first, on the tail of the recent thread that erupted here, consider this 
backdoor that someone (?) recently (?) discovered (?) in the firmware for 
certain D-link routers:  
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

If you read the article, the user agent string that bypasses authentication 
(according to the post) can be read backwards as 
“Edit by 04882 Joel Backdoor”.  One possible Joel is Joel Liu, Senior 
Director-Chief Technology Office Alpha Networks:
http://www.joesdata.com/executive/Joel_Liu_421313008.html

Alpha Networks being a spin-off of D-Link.  
http://www.alphanetworks.com/_english/06_about/01_detail.php?appid=143&pid=12

They have a GPL compliance office:  
http://www.alphanetworks.com/_english/10_gpl/gpl.php, but you can bet they 
won’t ship you that source code.

[Normally, if one is going to hide secret strings inside the binary, one also 
obfuscates them.  An example: 
http://www.codeproject.com/Articles/502283/Strings-Obfuscation-System]

...

In some respects, the recent thread was about fear of asymmetric information, 
that those inside ESF have information and access that the community does not.

In contract theory and economics, information asymmetry deals with the study of 
decisions in transactions where one party has more or better information than 
the other. In contrast to neo-classical economics which assumes perfect 
information, this is about What We Don't Know. This creates an imbalance of 
power in transactions which can sometimes cause the transactions to go awry, in 
the worst case a kind of market failure.

Specific to the subject, the information asymmetry here is the community’s 
supposed inability to observe and/or verify ESF's actions.

To the best of our ability so far, pfSense is both observable and verifiable.  
The source code is on github (https://github.com/pfsense/),
and the build process is quasi-documented.  Getting something like the 
‘backdoor by Joel’ above into the codebase without detection
would be difficult if not impossible.   (There are more subversive means, which 
I touched on mid-thread, but they still fail in the presence of a public 
development process.)

Frankly, (between you and I), the pfSense build process could be better 
documented.  Truth be told: the build system for pfSense is archaic.  Nobody 
associated with it (at this point) likes it.  Simultaneously, everyone is 
afraid to replace it. “There be dragons…”

An action-item post 2.2 (and its move to FreeBSD 10) is to clean-up the build 
system, possibly making it more like that which builds FreeBSD, rather than the 
mess of shell (and PHP) scripts that exists now.

Having a cleaner build system could lead to better verification of the 
resultant bits.

Another issue is the proliferation of pfSense mirrors.   How do we (all) trust 
the bits on these mirrors, given that they’re run by parties entirely 
independent and remotely located from ESF?   One possible solution:  signed 
packages, and there was a bit of infrastructure put in-place just prior to the 
2.1 release.  We’ve yet to accomplish the rest of this, but.. it’s coming.

As always, if you have ideas(*), bring them forward.

Jim

(*) that don’t involve re-incorporating as a non-US, non-profit company…

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Jim Thompson

On Oct 12, 2013, at 7:20 AM, Thinker Rix thinke...@rocketmail.com wrote:

 On 2013-10-11 22:33, Walter Parker wrote:
 Yes, you have been informed correctly. There are more than 2. According to the 
 World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number 
 is somewhere between 189 and 196.
 
 No kidding! ;-)
 
 But you did not answer the question asked: Name the country that you would 
 move the project to and why you believe that country would do a better job?
 
 Why should *I* name it and why should I present ready solutions for an idea 
 another community member brought up? Why should anybody be in a position to 
 present ready solutions at this point? How about having a fruitful discussion 
 and find solutions together?

There is no reason to build a house on sand.

There is no fruitful discussion to be had when the premise is patently false.

 Then because the USA can't be trusted, who is going to replace the Americans 
 on the project?
 
 You are mixing things up here. Just because the USA invented their tyrannous 
 Uniting and Strengthening America by Providing Appropriate Tools Required to 
 Intercept and Obstruct Terrorism Act, for which they perversely coined the 
 euphemistic term “Patriot Act” and therefore cannot be trusted anymore for 
 hosting anything there, why should the Americans be replaced?!?!?
 
 The name and logo are owned by an American company.
 
 I guess that is true, i.e. that ESF registered pfSense and its logo as a 
 brand name.

You seem upset at this.  Why?

Instead of some kooky conspiracy theory that ESF could be tortured or pressured 
to weaken pfSense, is this the *real* issue you have?

 I doubt they want to give them up to a foreign company owned by non-Americans
 
 Nobody suggested that. Try thinking a bit more outside the box!
 For instance: A non-profit foundation could be founded in a country outside 
 the USA, and the brand, hosting of the project, etc. be transferred to that 
 company. A board would be elected for this foundation who just does a few basic 
 things annually to keep the foundation running.
 ESF on the other side would be relieved of a great threat! They could 
 continue offering their pfSense services to their customers as usual, but 
 from now on nobody could come and force them to do things to pfSense since 
 they have nothing to do with it”.

You seem upset that ESF controls the project.  Why?

 just to make it harder for the American government to pressure the project.
 
 Incorporating pfSense and bringing it out of the reach of US-domestic 
 jurisdiction would not make it harder but impossible to pressure the 
 project.

You have provided no explanation (other than “rubber hoses”) for what form that 
“pressure” would take.

 If the rest of world wants to fork the project because of concerns about the 
 US government, fine, but I don't think you will get buy in from ESF [the 
 American company that owns the rights to the name pfSense].
 
 Why fork the code base?! No one suggested that - and no one suggested to 
 do things without - or even against - the key people of the ESF. Right the 
 opposite. It would even protect the ESF!
 
 Once again, name some names. Who do you consider more trustworthy?
 
 I am not Jesus to hand solutions to the community on a silver platter

though, point in fact, Jesus didn’t hand anyone a solution.


 (but surely would be available for a *constructive* and *well-disposed*, 
 *amicable* discussion to find solutions together!). I know of quite a lot of 
 countries that seem interesting for a closer analysis for this cause and 
 surely would propose one or another in such a constructive discussion.
 
 Generally, what Adrian proposed only makes sense if the community - 
 including ESF - understands the threat and decides to act proactively to 
 fight this threat.

“The community” doesn’t own the copyright on the code, nor the trademarks to 
the names used.  Those belong to ESF.

Further, you’ve hypothesized about a ‘threat’ without providing any factual 
basis for same.  The term for this form of argument is “conspiracy theory”.

Since pfSense is open source (specifically, the BSD license), “the community” 
(or rather “a community”) could take the decision to fork the code and create 
their own solution.  It’s been attempted a couple times, but none of these have 
flourished.  While I don’t encourage forks (it’s typically not good for either 
project), occasionally they work out (at least for a while), and I don’t go out of 
my way to inhibit those who wish to fork.

However, in any case, such a community would be prohibited from naming the 
result “pfSense”.

 But since 33% of the ESF - namely Jim Thompson

You greatly inflate my ownership interest here.

 - prefers bullying, insulting, frightening and muzzling anybody who brings up 
 the threat that we are facing, trying to strike dead any thought as soon as 
 it comes up (strange, isn't it?),

Not as strange as someone randomly showing up one day, hiding

Re: [pfSense] Upgrade Guide: Needs update for Auto Update

2013-10-12 Thread Jim Thompson

On Oct 12, 2013, at 3:33 PM, Thinker Rix thinke...@rocketmail.com wrote:

 Hello all,
 
 I just performed an upgrade to 2.1 via the Auto update feature in the web 
 UI, which worked flawlessly.
 
 When studying the Upgrade Guide 
 (https://doc.pfsense.org/index.php/Upgrade_Guide) prior to the upgrade I could 
 not find any information about it.
 Is there a way I can update the guide myself? Otherwise maybe someone with 
 writing rights to the CMS wants to update the manual.
 
 Cheers
 Thinker Rix
 
 P.S. Maybe an update to this page would be convenient, too: 
 https://doc.pfsense.org/index.php/Can_I_upgrade_my_pfSense_through_the_web_interface%3F


My immediate suggestion is to edit a copy of the page (it’s a wiki, so “view 
source”), perform a ‘diff’ and send the result to coreteam-at-pfsense-dot-org.

Jim


Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Jim Thompson

On Oct 12, 2013, at 1:35 PM, Chris L c...@viptalk.net wrote:

 
 On 2013-10-12 01:40, Jim Thompson wrote:
 
 I'm not willing to endure this uninformed Alex Jonesian crapfest.
 
 Nice position to take, except Alex Jones was right.

Sigh.  As much as this doesn’t belong on the pfsense list…

I actually know Alex, or did, 13 years ago.  I got friendly enough with him 
back in the mid-late 90s that we had each other’s cell phone numbers.

Back then Jamie and I were involved with Fringeware.

http://en.wikipedia.org/wiki/FringeWare_Review
http://www.austinchronicle.com/issues/vol16/issue26/screens.fringeware.html

Fringeware became an advertiser on Alex Jones' radio show (on KLBJ, before he 
got booted).

On the front-end, I was a respected advertiser.  Meanwhile, others associated 
with Fringeware were culture-jamming him on the back-end. The result: #discordia

Oh, the memories this brings back.  (As you’ll see, the FBI showed up to demand 
something, didn’t have a warrant, and was shown the sidewalk.)

http://www.wingtv.net/thorn2006/jarhead.html
http://www.austinchronicle.com/news/2000-07-14/77932/

Clayton, btw is a dear friend.  Easily one of the most brilliant people I’ve 
ever known.  I hope he speaks at my funeral.

Other fun was had at Fringeware.  We supported the Yes Men 
(http://en.wikipedia.org/wiki/The_Yes_Men).  We actually hosted their website, 
as well as that of RTmark for a period in the late 90s on the same machine used 
for smallworks.com (which was originally the corporation behind the firewall 
named “Netgate”), fringeware.com, etc.

One of their pranks was that they set up a website named www.gwbush.com 
(http://en.wikipedia.org/wiki/The_Yes_Men#George_W._Bush, 
http://theyesmen.org/hijinks/gwbush, http://www.rtmark.com/bush.html), which 
resulted in Bush’s famous “There ought to be limits to freedom” quote.

http://www.rtmark.com/bushpr2.html

The great untold story on this is that all these websites were hosted in a 
shitty office building on Shoal Creek Blvd, one floor up from the then offices 
of “Karl Rove & Associates” even as they fought to shut down gwbush.com.  The 
#irony was delicious, and they never succeeded. :-)

Anyway, you might want to study up on STRATFOR, or Mary Maroney, who was the 
editor in chief of Infowars magazine until earlier this year.
Maroney formerly worked for Stratfor and Parker Media here in Austin.  If you 
don’t know who they are, then I suggest more research on your part.

Have fun, but be careful when you enter the rabbit hole.   Snowden and Manning 
are both late-comers to the party:

http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all
http://www.technologyreview.com/news/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/
http://cryptome.org/nsa-ssl-email.htm
http://news.cnet.com/8301-31921_3-20017671-281.html
http://www.wired.com/images_blogs/threatlevel/2013/09/15-shumow.pdf (see also: 
http://www.wired.com/threatlevel/?p=85661)
http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/
http://dl.packetstormsecurity.net/papers/general/my_research1.pdf
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.154.825 / 
http://www.cs.ucf.edu/~czou/research/Chipset%20Backdoor-AsiaCCS09.pdf  (now 
consider all the cheerleading for Intel Ethernet chips on the various pfSense 
lists…)

Jim




Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Jim Thompson

On Oct 10, 2013, at 4:34 PM, Yehuda Katz yeh...@ymkatz.net wrote:

 Since we keep coming back to FreeBSD as it pertains to security:
 
 3) FreeBSD is very mature, and very well reviewed.  I've looked into FreeBSD 
 to my personal satisfaction.  OpenBSD may be abrasive as a community at 
 times, but their work product is pretty impressive in terms of being clean 
 and functional.  I was very happy with how they handled that whole IPSec 
 fiasco in 2011.  I've been following pfSense for a while now, and I've used 
 it off and on for years.  I'm very satisfied by the quality and oversight of 
 the coding.   But by all means dig as long as your curiosity holds out.  you 
 can never be 100% sure of the security of any software, but sufficiently 
 sure is absolutely worth looking into.  
 
 FreeBSD is not the distribution in the BSD family that is best known for 
 security. Indeed OpenBSD has a specific focus on security (which has been 
 studied, as has the relationship between the BSDs), but FreeBSD focuses on 
 being more inclusive of a variety of hardware at a cost of not being 100% 
 open source.
 That is a tradeoff, but it does not mean that FreeBSD is not secure, it just 
 means ... well I have not found a study about that yet.

Go ahead and believe the marketing/hype (“best known”) about OpenBSD if you 
like.

The simple fact is, if security issues are found in any of the BSDs, the fixes 
for them quickly propagate between all of them.

In the end, OpenBSD is no more ‘secure’ than FreeBSD or NetBSD.

Jim




Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-10 Thread Jim Thompson

On Oct 10, 2013, at 5:42 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

   I first started using mailing lists back in the mid/late 1980s,

You’re not the only one.  :-)

I too was entertained by the n00b trying to tell grandpa how to use email.

Jim



Re: [pfSense] pfSense 2.1: which FreeBSD version?

2013-10-10 Thread Jim Thompson

On Oct 10, 2013, at 6:25 PM, Jim Pingle li...@pingle.org wrote:

 You shouldn't need the -archive bits since 8.3 is still a supported release.

Until next April, anyway.






Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Jim Thompson

On Oct 10, 2013, at 4:49 PM, Giles Coochey gi...@coochey.net wrote:

 On 10/10/2013 15:04, Chris Bagnall wrote:
 What made you change from AES to Blowfish, and is there any evidence to 
 suggest that Blowfish is more 'secure' than AES?
 
 My understanding is that AES was championed by an agency which has received 
 recent bad-press.;-)

This is not an answer.   

 Blowfish was a contender to actually become AES wasn't it?

Yes, but even Bruce Schneier, Blowfish's creator, is quoted in 2007 as saying, 
“At this point, though, I'm amazed it's still being used. If people ask, I 
recommend Twofish instead.”

https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/

 I agree that I might see better performance with AES as it is supported in 
 hardware by many chipsets, and when selected all the contenders marked AES as 
 second best (after their own submissions of course...). I'm not saying it is 
 insecure, I'm just wary of the following:

non-technical reasons

 Is there any mechanism to insert ciphers into Pfsense that are not currently 
 supported?

You have the source code.

I, for one, am uninterested in non standards-compliant (and thus interoperable) 
implementations.

jim



Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Jim Thompson

(TIC mode: on)

I think it’s obvious that:

- ESF is a front for the NSA
- the acquisition which closed last year was really just about gaining control 
of a critical component of Internet infrastructure.
- the delays getting 2.1 out the door were exclusively about getting some 
last-minute backdoor code installed.  AYBAB2U, baby!

(TIC mode: off)

On Oct 9, 2013, at 5:56 PM, Thinker Rix thinke...@rocketmail.com wrote:

 On 2013-10-09 18:20, Paul Kunicki wrote:
 I think that in light of the recent news of the NSA coercing various 
 organizations to provide them with means to eavesdrop this message has merit 
 and deserves response
 
 Exactly, Paul, you got my point!
 
 although I doubt the NSA really needs cooperation from these guys. Does 
 anyone else care to comment ?
 
 @your doubts about the NSA/FBI/put the name of your government's 
 surveillance institution here bothering with smaller companies such as 
 Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche product 
 pfSense:
 
 Please take these 2 things into account:
 
 1. Recently they forced the small encrypted-email-service Lavabit to comply 
 with them (hand out their SSL master keys & install a black-box at their 
 premises). Lavabit did not agree - and they shut him down. 
 https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force 
 Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality 
 they wanted to gain access to all emails of Lavabit by receiving the SSL 
 masterkeys and by placing the blackbox at their premises, which rendered the 
 whole service useless.
 
 2. Routers/Gateways/Firewalls are highly interesting for big brother. Read 
 e.g. this article “NSA Laughs at PCs, Prefers Hacking Routers and Switches” 
 (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html)
 
 So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to 
 infiltrate routers with the fact that they very well bother knocking the 
 doors of small businesses with niche products, I guess my question is quite 
 legitimate!
 
 Greetings
 Thinker Rix


Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Jim Thompson

On Oct 9, 2013, at 6:38 PM, Thinker Rix thinke...@rocketmail.com wrote:

  My main question was not if the code includes bad things, but if the company 
 behind pfSense has been approached (yet) by authorities to comply with their 
 Orwellian global police state phantasy.

already answered.  Twice.




Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?

2013-10-09 Thread Jim Thompson

On Oct 9, 2013, at 6:46 PM, David Burgess apt@gmail.com wrote:

 
 On Wed, Oct 9, 2013 at 10:38 AM, Jim Thompson j...@netgate.com wrote:
 
 So asking the question is stupid(*), because a lie is indistinguishable from 
 the truth.
 
 
 I disagree on that point. Even if one is sure to get a “no” answer, 
 regardless of the truth, it is still useful to ask the question for at least 
 two reasons I can think of:
 
 1. To get the response on record. The responders can be held accountable 
 should it ever come out they knowingly lied.
 
 2. To examine the response for credibility. A simple yes or no answer might 
 not yield much, but such is rarely the case. If the answer is delayed, 
 unclear, couched in a bunch of rhetoric or handwaving, delayed or avoided, 
 then any or all of these things will be taken into account by those asking 
 the question or observing the response. This is a principle that is 
 understood by courts of law, psychologists, interrogators, and people of 
 intuition.

IMO, this bullshit thread only serves to assist those asking the question in 
stroking their own ego.

It doesn’t contribute anything to the project.




