Re: [pfSense-discussion] pfsense IPSEC support
On Sat, Dec 05, 2009 at 06:52:47PM -0500, Jim Pingle wrote:
> Harald Jenny wrote:
> > First I wanted to say thank you for this nice piece of software, I think it can keep up with most commercial appliances; the only thing that makes me a little bit sad is the IPSEC support. Not really being a great BSD-crack, it seems to me that the FreeBSD port of isakmpd (combined with a port of sasyncd) would improve pfsense's IPSEC capabilities vastly compared to racoon. Maybe you could comment on this issue and what it would take to improve IPSEC within pfsense.
>
> Perhaps it might help to know what you believe the deficiencies in IPsec on pfSense are?

First I want to say sorry, this was not meant to insult anybody, as I think you do good work, but I thought that there is always room for improvement, especially for so-called enterprise-grade features.

> And what does the other implementation offer, any better support or functionality?

Well, isakmpd under OpenBSD as well as strongswan and openswan under Linux offer support for CRLs, but maybe I just missed this in pfsense - and with sasyncd in combination with isakmpd, IPSEC tunnel states can be replicated as well, allowing for seamless VPN failover.

> The implementation used on pfSense is capable of a lot more, but many options are not covered by the GUI in 1.2.x.

I see.

> The GUI in 2.0 for IPsec is greatly improved, but still has a few quirks (it is still alpha-alpha, after all)

Ok, maybe I should investigate this further before requesting a new IKE daemon.

> Jim

Kind regards
Harald

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense-discussion] pfSense 2.0 ssh login question
Dear list members,

I'm currently playing with pfSense 2.0 and was wondering how to change the default shell for the root login - apparently just using chsh on the rw mounted cf is not enough to change the shell from /bin/sh to /bin/tcsh. What did I miss?

Kind regards
Harald Jenny
Re: [pfSense-discussion] pfSense 2.0 ssh login question
Hi Adam,

first thanks for your long and comprehensive answer. Sorry for not providing this information in the first place, as I did not think it makes any difference, but I'm using the embedded version with NanoBSD.

On Thu, Dec 02, 2010 at 01:16:09AM -0600, Adam Thompson wrote:
> /etc/rc.initial, line 114 (on my build, anyway). For whatever reason, choosing option 8 invokes tcsh(1) directly.

I guess this was meant as a method to fix things deep inside?

> Presumably you could change this, but I don't know what else this could break... *probably* nothing except future updates, or more likely you'd have to re-change the file after every update.

Yes, I already made such experiences...

> Alternatively, you might try changing the login shell for *admin*, not root.

H

> I believe that having multiple users with the same UID but different login shells officially results in undefined behaviour, but obviously it works with /etc/passwd under FreeBSD. I can't tell if this was the original intent (does this qualify as Stupid passwd(5) Tricks à la Letterman?) or not, but there's root, toor, and admin, all with UID 0. Obviously the last one in the file wins.

That does not really explain the behaviour I experienced yet: as admin has /etc/rc.initial as its login shell vs. root with /bin/sh, I looked at how /etc/rc.initial gets involved for root. This is done via /root/.profile, which in case of an interactive shell starts /etc/rc.initial. Renaming /root/.profile to /root/.profile_ORIG resulted in root logging into a /bin/sh environment. I could fix this by adding a /bin/tcsh to /root/.profile, but as this means changes to the image I was somewhat reluctant to start walking this way...

> It appears that root is logged in automatically (well, sort of... root logs in but admin's data is used for getpwent(3) calls, whatever...) by adding al=root to the terminal definition in (iirc) /etc/gettytab.

But that would circumvent the usage of admin somehow ;-).

> This whole setup appears to be... not fragile, exactly, more like no user-serviceable parts inside.

Yes, seems so...

> Pending one of the devs chiming in, I'd guess editing /etc/rc.initial is the least likely option to break anything.

Well, after my tries I somehow get the idea that /etc/passwd gets replaced on every reboot... maybe one of the developers can comment on this?

> And yeah, having tcsh as the default shell is annoying,

Not really, back in 2000 I used to work with tcsh often enough to appreciate its features, and as no /bin/bash is available it's a solid alternative.

> but really - why are you spending so much time at the CLI on your *firewall* that you feel you have to change it?

Because my company is planning to replace our current monowalls with some other solution and we are trying to make this as efficient as possible...

> FWIW, I'm looking at the installable version, not the embedded version, so YMMV.

Hmmm, I'm not familiar enough with *BSD to comment on the differences, but thanks for your help.

> -Adam Thompson
> athom...@athompso.net

Kind regards
Harald Jenny

> -----Original Message-----
> From: Harald Jenny [mailto:har...@a-little-linux-box.at]
> Sent: Wednesday, December 01, 2010 16:08
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] pfSense 2.0 ssh login question
>
> Dear list members,
>
> I'm currently playing with pfSense 2.0 and was wondering how to change the default shell for the root login - apparently just using chsh on the rw mounted cf is not enough to change the shell from /bin/sh to /bin/tcsh. What did I miss?
>
> Kind regards
> Harald Jenny
Re: [pfSense-discussion] pfSense 2.0 ssh login question
On Thu, Dec 02, 2010 at 07:39:52AM -0500, Andrew C Burnette wrote:
> root (old history, but still valid) needs a shell that's statically built (e.g. no linked libraries). In case a library disappears or in the default *nix/*bsd distro the /usr partition doesn't mount, you can still log in and attempt a repair.

Ok, thanks for the information.

> As mentioned, add in another account manually, with your preferred shell, and you should be ok.

Will the account also be preserved across upgrades, or is it necessary to reinstall it on every upgrade?

Kind regards
Harald Jenny

> On 12/01/2010 05:08 PM, Harald Jenny wrote:
> > Dear list members,
> >
> > I'm currently playing with pfSense 2.0 and was wondering how to change the default shell for the root login - apparently just using chsh on the rw mounted cf is not enough to change the shell from /bin/sh to /bin/tcsh. What did I miss?
> >
> > Kind regards
> > Harald Jenny
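Two checks come out of this thread: Adam's observation that root, toor and admin all carry UID 0 with different login shells, and Andrew's point that root's shell should be statically linked so a repair login still works when /usr or a library is missing. The POSIX sh script below is an added example, not code from either poster or from the pfSense project. It lists every UID-0 entry of a passwd(5)-style file in file order together with its login shell, counts how many distinct shells share UID 0, and tests a shell binary for static linking with file(1). The passwd contents are constructed for the example (modelled on the three accounts Adam names, not copied from any image), the function names are hypothetical, and file(1) is assumed to be installed; point the functions at /etc/passwd and /bin/sh to run them on a real box.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): audit duplicate
# UID-0 accounts and check whether a login shell is statically linked.

# Constructed passwd(5) sample: root, toor and admin all with UID 0 and
# different shell fields (toor's is empty). Not a real pfSense file.
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
admin:*:0:0:System Administrator:/root:/etc/rc.initial
harald:*:1001:1001:Harald Jenny:/home/harald:/bin/tcsh
EOF

# Print every UID-0 account as "name shell", in file order. An empty shell
# field means login(1) falls back to /bin/sh, so that is shown explicitly.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1, ($7 == "" ? "/bin/sh (default)" : $7) }' "$1"
}

# Number of UID-0 accounts; more than one deserves a look in an audit.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Number of distinct login shells among UID-0 accounts. More than one is the
# "same UID, different shells" situation the thread calls undefined.
uid0_distinct_shells() {
    uid0_accounts "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Return 0 if the binary is statically linked, 1 if it is dynamically linked
# (or file(1) is unavailable), 2 if it does not exist or is not executable.
# file(1) prints "statically linked" for static executables on FreeBSD and Linux.
shell_is_static() {
    [ -x "$1" ] || return 2
    file -L "$1" | grep -q 'statically linked'
}

# Stand-alone run: report on the constructed sample and on this host's /bin/sh.
printf 'UID-0 accounts in sample:\n'
uid0_accounts "$SAMPLE_PASSWD" | sed 's/^/  /'
printf 'count=%s distinct_shells=%s\n' \
    "$(uid0_count "$SAMPLE_PASSWD")" "$(uid0_distinct_shells "$SAMPLE_PASSWD")"
if shell_is_static /bin/sh; then
    printf '/bin/sh is statically linked\n'
else
    printf '/bin/sh is NOT statically linked (or file(1) is missing)\n'
fi
```

On a NanoBSD image the passwd file is rebuilt at boot, as Harald suspects later in the thread, so run the audit against the live /etc/passwd rather than the copy on the mounted cf.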
[pfSense-discussion] status of nrpe2 package for pfsense 2.0
Dear list members,

while I was testing the NanoBSD version of pfsense 2.0 I tried to set up the NRPE daemon via the web interface and found out that it's not installed by default. Is this on purpose, or do the unsatisfied package dependencies (nrpe2 as well as nagios-plugins depend on a version of perl not available anymore) and library issues (linking against .5 versions while the system has .6 versions installed) prevent the inclusion of nrpe? If the problems are the reason why the packages are unavailable, may I ask if somebody will work on this in the near future, or would the developers be willing to accept updated packages from an external contributor?

Thanks for taking the time to answer my questions.

Kind regards
Harald Jenny