Re: [pfSense] pfSense 2.1.2 is released
He gave you an option to subscribe to the list. Do what I’m going to do: Subscribe. On Apr 10, 2014, at 5:52 PM, Volker Kuhlmann hid...@paradise.net.nz wrote: On Fri 11 Apr 2014 09:27:07 NZST +1200, Jim Thompson wrote: It was posted on announce@, but it seems that I’m moderated there. This is why my 2.1.1 release announcement was also held. I’ve pushed the message through. Setup glitches. Thanks! security@ is for posting SAs Uhhmm, IMHO I don't really care what it's called, the relevant criteria for the user is whether I need to know about it. I would welcome an announcement list that mentions all security-related issues I need to be aware of when using pfsense, so that list can be monitored without the clutter of daily discussions. Like the Linux distro security lists, they're well organised with no irrelevant drivel. To be honest, any security announcement list that doesn't mention the kind of problem like heartbleed looks like a complete waste of time to me! Volker -- Volker Kuhlmann is list0570 with the domain in header. http://volker.top.geek.nz/Please do not CC list postings to me. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] after upgrade to 2.1.1: never ending Carp cluster member has resumed the state BACKUP mails
- Martin Fuchs mar...@fuchs-kiel.de wrote: Same under pfSense 2.1.2 Any hints ? Could it be helpful to play with the base ans skew values ? Hi Martin, could it be related to problems with the arpinger? What are your gateway status look like? best Ray ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
Thanks for all your efforts! Hint: maybe some more users could think eg. about the gold subscription plan to show their appreciation and make the dev guys live easier ... Best, Holger ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
On 04/11/2014 10:39 AM, Holger Goetz wrote: Thanks for all your efforts! Hint: maybe some more users could think eg. about the gold subscription plan to show their appreciation and make the dev guys live easier ... Best, Holger yes. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] after upgrade to 2.1.1: never ending Carp cluster member has resumed the state BACKUP mails
Hi ! All except one hosts show up as online. The other one is not reachable from the firewall, but from the lan... -Ursprüngliche Nachricht- Von: List [mailto:list-boun...@lists.pfsense.org] Im Auftrag von Raimund Sacherer Gesendet: Freitag, 11. April 2014 09:26 An: pfSense Support and Discussion Mailing List Betreff: Re: [pfSense] after upgrade to 2.1.1: never ending Carp cluster member has resumed the state BACKUP mails - Martin Fuchs mar...@fuchs-kiel.de wrote: Same under pfSense 2.1.2 Any hints ? Could it be helpful to play with the base ans skew values ? Hi Martin, could it be related to problems with the arpinger? What are your gateway status look like? best Ray ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Problems with apinger on 2.1-RELEASE
Just a shot in the wild. Did you have state killing disabled in the setup? Otherwise more information is needed on this. Normally apinger should be way better on 2.1 that it was on 2.0 because a lot of work went into that. Hello Ermal, I guess you refer to this option: State Killing on Gateway Failure The monitoring process will flush states for a gateway that goes down if this box is not checked. Check this box to disable this behavior. I have this option checked. I am not sure if this option exists also on the 2.0-RELEASE. Should I uncheck this box? On first sight I do not see how not to kill states could interfere with how apinger works the way I experience it. Thank you, best ray ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Heartbleed and OpenVPN
Greetings- Hot on the heels of the OpenSSL debacle, and a fresh new release of pfSense (THANK YOU), I'm curious about the Heartbleed vulnerabilitie's actual surface attack area. All of the relevant information, reports, and PoC's are pointing at exploit only via an affected HTTPS webserver. However, I have not yet seen any PoC for exploiting other SSL based services, specifically OpenVPN. At this time, are there PoC's for Heartbleed and OpenVPN? I understand regardless the upgrade/patch is needed, but curious to know if an exploit is yet in the wild for OpenVPN ( TCP or UDP, using PKI or even static keys). Thanks! --Tim ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Heartbleed and OpenVPN
On 04/11/2014 03:57 PM, Tim Nelson wrote: Greetings- Hot on the heels of the OpenSSL debacle, and a fresh new release of pfSense (THANK YOU), I'm curious about the Heartbleed vulnerabilitie's actual surface attack area. All of the relevant information, reports, and PoC's are pointing at exploit only via an affected HTTPS webserver. However, I have not yet seen any PoC for exploiting other SSL based services, specifically OpenVPN. At this time, are there PoC's for Heartbleed and OpenVPN? I understand regardless the upgrade/patch is needed, but curious to know if an exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even static keys). Thanks! --Tim hi tim, indeed, tcp connections (https) wee the easiest targets, but openvpn was compromised -- if you had an openvpn port open to the internet, you should take all the necessary measures. i am in the process (after having updated to 2.1.2) of replacing every certificate, and changing every password. massive work, but absolutely required -- the exploit was available for approximately two years. i am functioning on no sleep for the last three days, i cannot believe this happened. ouch m ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Heartbleed and OpenVPN
On 4/11/2014 9:57 AM, Tim Nelson wrote: Hot on the heels of the OpenSSL debacle, and a fresh new release of pfSense (THANK YOU), I'm curious about the Heartbleed vulnerabilitie's actual surface attack area. All of the relevant information, reports, and PoC's are pointing at exploit only via an affected HTTPS webserver. However, I have not yet seen any PoC for exploiting other SSL based services, specifically OpenVPN. At this time, are there PoC's for Heartbleed and OpenVPN? I understand regardless the upgrade/patch is needed, but curious to know if an exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even static keys). Static keys were never vulnerable, nor is SSL/TLS when using a TLS Authentication Key unless the attacker has the key, in which case you probably have larger problems... or you're on a public VPN service that is running lots of people through common instances. https://community.openvpn.net/openvpn/wiki/heartbleed has more info. I also have yet to see a testing program/script/PoC that would get anything from OpenVPN. If anyone does know of one, we'd love to see it. Jim ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Heartbleed and OpenVPN
This project: https://github.com/FiloSottile/Heartbleed (which I have contributed to) allows you to check any STARTTLS-based service (POP/IMAP/SMTP/etc). I am not sure what would need to be changed for OpenVPN. - Y On Fri, Apr 11, 2014 at 9:57 AM, Tim Nelson tnel...@rockbochs.com wrote: Greetings- Hot on the heels of the OpenSSL debacle, and a fresh new release of pfSense (THANK YOU), I'm curious about the Heartbleed vulnerabilitie's actual surface attack area. All of the relevant information, reports, and PoC's are pointing at exploit only via an affected HTTPS webserver. However, I have not yet seen any PoC for exploiting other SSL based services, specifically OpenVPN. At this time, are there PoC's for Heartbleed and OpenVPN? I understand regardless the upgrade/patch is needed, but curious to know if an exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even static keys). Thanks! --Tim ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Problems with apinger on 2.1-RELEASE
Hello List, I checked a bit further and at first I deleted all the rrd graphs, because I had GW graphs from my old machine (which where i386) and the new one is amd64. I do not know if there is a problem with apinger if you have i386 rrd files on an amd64 architecture. It could be that apinger has problems when it's not possible to write the RRD data correctly? After this change I still got the problem that a couple of seconds the widget displays online, then Pending, then online, then Pending ... so I dug a bit deeper and when I found out how the data get's updated I saw that sometimes I get gateway status data and sometimes not. I checked the /var/run/apinger.status file and it was updated always. Out of a hunch I commented out this bit: /* Always get the latest status from apinger */ /* if (file_exists({$g['varrun_path']}/apinger.pid)) sigkillbypid({$g['varrun_path']}/apinger.pid, USR1); */ in /etc/inc/gwlb.inc And suddenly it seems to work fine. The data in /var/run/apinger.status is still updated constantly, it may be that in the widget I do not see every change right away because the USR1 signal is not sent when we read the file, but at least the problem with the widget behaving erratically is now gone! I am not sure if/how the USR1 kill can influence gathering the data from the file, but somehow it does ... Hopefully someone who knows pfSense better than me can shed a light on the why Best, Ray - Raimund Sacherer r...@logitravel.com wrote: Hello, I installed on the weekend our new firewall system. It consists of two Dell R210 with intel (igb) 2-port interface cards. The old system was 2.0-RELEASE. We have 11 Gateways configured, it's a mix of WAN's and LAN-Type interconnects with 2 other companys. We have a couple of ADSL's, a 10Mbit fiber and 2 100Mbit fiber WAN's. The apinger works perfectly on the 2.0-RELEASE. In the 2.1-RELEASE I have the following problems: On Sunday I made the switch and I noticed that all gateways are marked as down, with status first pending, then unknown. In the logs I have a message which says that all gateways can not be contacted and they are assumed online. Now without the apinger working correctly I did not configure the 2nd Firewall out of fear that there will be problems and I deactivated gateway monitoring. In the last two days I played around with the 2nd Firewall and I noticed this: up to 4 interfaces/gateways configured (out of the 11) everything works fine, I see stable behavior in the gatway section on the dashboard. Then I added one interface more and I sasw problems in the dashboard, the lines went from online to unknown/pending. When I deactivated the last interface all went online again. I did not investigate further as I had to go. (after a couple of activate/deactivate I had problems that activating the interface in the GUI and clicking save/apply did not configure the interface, ifconfig said it was simply not there, I had to execute /etc/rc.interfaces_opt_configure to get everything configured again, not sure if this can occur if you have lot's of tabs open to the firewall or if there is another configuration/GUI bug). Today I configured 1 more interface and with 6 interfaces I see something really weird. The dashboard shows me that all lines are online (with RTT times which seem reasonable) for around 8 seconds, then it shows me unknown for about 20-30 seconds, then online for around 8 seconds again, then unknown it seems the more interfaces you configure, the weirder get's the apinger behavior. I tried to copy the apinger from the 2.0-RELEASE and use it, but it also did not work as expected. I hope someone can find out what's wrong with apinger, because it definitly *is* a problem, I have seen a couple of people in the forums, and I think at least 2 bug - reports, maybe it does not occur if you have only a couple of WAN's. Tomorrow I will try to see if I can install the 2.0-RELEASE on this machine (I hope it can support the new hardware) because 2.0 was rock-solid for me (we had the FW with an uptime of 895 days without any signs of trouble). I fear a little an upgrade to 2.1.1-RELEASE because there seems to be quite some troubling problems with this release as well ... :-( Thank you, Best regards, Raimund ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] pfSense help at Dayton NJ needed
Hi all, sorry for my abuse of the mailing list. We have the disaster of a broken pfSense upgrade to 2.1.2. Unfortunally we don't have a proper technican on site all repair attemps by phone have been not successfull and the (planned) new pfSense HA-cluster will not reach our location before Tuesday. Is there a list member somewhere from Dayton NJ who can help us or does someone knows somebody near Dayton ? Thanks and bye Christoph ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Heartbleed and OpenVPN
+1 on hearing about an OpenVPN test. On Fri, Apr 11, 2014 at 10:07 AM, Jim Pingle li...@pingle.org wrote: On 4/11/2014 9:57 AM, Tim Nelson wrote: Hot on the heels of the OpenSSL debacle, and a fresh new release of pfSense (THANK YOU), I'm curious about the Heartbleed vulnerabilitie's actual surface attack area. All of the relevant information, reports, and PoC's are pointing at exploit only via an affected HTTPS webserver. However, I have not yet seen any PoC for exploiting other SSL based services, specifically OpenVPN. At this time, are there PoC's for Heartbleed and OpenVPN? I understand regardless the upgrade/patch is needed, but curious to know if an exploit is yet in the wild for OpenVPN (TCP or UDP, using PKI or even static keys). Static keys were never vulnerable, nor is SSL/TLS when using a TLS Authentication Key unless the attacker has the key, in which case you probably have larger problems... or you're on a public VPN service that is running lots of people through common instances. https://community.openvpn.net/openvpn/wiki/heartbleed has more info. I also have yet to see a testing program/script/PoC that would get anything from OpenVPN. If anyone does know of one, we'd love to see it. Jim ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] After IPSEC build and save - Interal DNS and routing fail
Greetings, I have been noticing that after I build an IPSEC tunnel, even if I disable both phases and save the config pfSense internal network routing and DNS basically fails. Nobody on the internal network can get out to the net. All the tunnels are up and I can login remotely but everyone else is stranded until a reboot is initiated. Where might I go to investigate what may be happening after I save and IPSEC VPN config and DNS fails for the internal network. DHCP server? DNS Forwarder? This is a dual WAN Soekris 5501 box with single LAN. IPSEC VPN's are built on both WAN circuits as we just acquired the second WAN circuit about 2 months ago. pfSense 2.1.2... although it happened with 2.1 as well. Best Regards, -- Mark Street, D.C., RHCE Chief Technology Officer Alliance Medical Center (707) 433-5494 Trust decentralization over centralization, voluntarism over coercion, bottom-up over top-down, adaptation over planning, openness over secrecy, practice over ideology, and markets over politics. Eric Raymond ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Problems with apinger on 2.1-RELEASE
On Fri, Apr 11, 2014 at 4:35 PM, Raimund Sacherer r...@logitravel.com wrote: Hello List, I checked a bit further and at first I deleted all the rrd graphs, because I had GW graphs from my old machine (which where i386) and the new one is amd64. I do not know if there is a problem with apinger if you have i386 rrd files on an amd64 architecture. It could be that apinger has problems when it's not possible to write the RRD data correctly? After this change I still got the problem that a couple of seconds the widget displays online, then Pending, then online, then Pending ... so I dug a bit deeper and when I found out how the data get's updated I saw that sometimes I get gateway status data and sometimes not. I checked the /var/run/apinger.status file and it was updated always. Out of a hunch I commented out this bit: /* Always get the latest status from apinger */ /* if (file_exists({$g['varrun_path']}/apinger.pid)) sigkillbypid({$g['varrun_path']}/apinger.pid, USR1); */ in /etc/inc/gwlb.inc And suddenly it seems to work fine. The data in /var/run/apinger.status is still updated constantly, it may be that in the widget I do not see every change right away because the USR1 signal is not sent when we read the file, but at least the problem with the widget behaving erratically is now gone! I am not sure if/how the USR1 kill can influence gathering the data from the file, but somehow it does ... Hopefully someone who knows pfSense better than me can shed a light on the why Thank you for the analysis. Would you mind reporting your findings on redmine.pfsense.org and also attach your config.xml annonymized or describe in more details your config with so many gateways? Best, Ray - Raimund Sacherer r...@logitravel.com wrote: Hello, I installed on the weekend our new firewall system. It consists of two Dell R210 with intel (igb) 2-port interface cards. The old system was 2.0-RELEASE. We have 11 Gateways configured, it's a mix of WAN's and LAN-Type interconnects with 2 other companys. We have a couple of ADSL's, a 10Mbit fiber and 2 100Mbit fiber WAN's. The apinger works perfectly on the 2.0-RELEASE. In the 2.1-RELEASE I have the following problems: On Sunday I made the switch and I noticed that all gateways are marked as down, with status first pending, then unknown. In the logs I have a message which says that all gateways can not be contacted and they are assumed online. Now without the apinger working correctly I did not configure the 2nd Firewall out of fear that there will be problems and I deactivated gateway monitoring. In the last two days I played around with the 2nd Firewall and I noticed this: up to 4 interfaces/gateways configured (out of the 11) everything works fine, I see stable behavior in the gatway section on the dashboard. Then I added one interface more and I sasw problems in the dashboard, the lines went from online to unknown/pending. When I deactivated the last interface all went online again. I did not investigate further as I had to go. (after a couple of activate/deactivate I had problems that activating the interface in the GUI and clicking save/apply did not configure the interface, ifconfig said it was simply not there, I had to execute /etc/rc.interfaces_opt_configure to get everything configured again, not sure if this can occur if you have lot's of tabs open to the firewall or if there is another configuration/GUI bug). Today I configured 1 more interface and with 6 interfaces I see something really weird. The dashboard shows me that all lines are online (with RTT times which seem reasonable) for around 8 seconds, then it shows me unknown for about 20-30 seconds, then online for around 8 seconds again, then unknown it seems the more interfaces you configure, the weirder get's the apinger behavior. I tried to copy the apinger from the 2.0-RELEASE and use it, but it also did not work as expected. I hope someone can find out what's wrong with apinger, because it definitly *is* a problem, I have seen a couple of people in the forums, and I think at least 2 bug - reports, maybe it does not occur if you have only a couple of WAN's. Tomorrow I will try to see if I can install the 2.0-RELEASE on this machine (I hope it can support the new hardware) because 2.0 was rock-solid for me (we had the FW with an uptime of 895 days without any signs of trouble). I fear a little an upgrade to 2.1.1-RELEASE because there seems to be quite some troubling problems with this release as well ... :-( Thank you, Best regards, Raimund ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list
Re: [pfSense] after upgrade to 2.1.1: never ending Carp cluster member has resumed the state BACKUP mails
On Tue, Apr 8, 2014 at 9:26 AM, Martin Fuchs mar...@fuchs-kiel.de wrote: Hi ! We're running a clustered pfSense (2 Machines x86) and it runs fine. Yesterday i updated to the 2.1.1 release and since then i contstantly receive Carp cluster member has resumed the state BACKUP mails. You'll get one email per CARP IP in that case, so it can be a decent number of emails, but should only be in one batch unless your CARP is actually flapping (which you'd see in your system log). Check the system log for what it's actually sending you. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] HeartBleed suggestion - block heartbeat requests
This was on the bugtraq list on Wednesday. It would be a Good Thing if we could block heartbeat queries to internal devices which may not be patched using something like this ... (NOTE there are wordwrap problems in what I've pasted) = Included Stuff Follows = From: Fabien Bourdaire li...@ecsc.co.uk To: bugt...@securityfocus.com Subject: CVE-2014-0160 mitigation using iptables Following up on the CVE-2014-0160 vulnerability, heartbleed. We've created some iptables rules to block all heartbeat queries using the very powerful u32 module. The rules allow you to mitigate systems that can't yet be patched by blocking ALL the heartbeat handshakes. We also like the capability to log external scanners :) The rules have been specifically created for HTTPS traffic and may be adapted for other protocols; SMTPS/IMAPS/... # Log rules iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ 52=0x1803:0x1803 -j LOG --log-prefix BLOCKED: HEARTBEAT # Block rules iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ 52=0x1803:0x1803 -j DROP # Wireshark rules $ tshark -i interface port 443 -R 'frame[68:1] == 18' $ tshark -i interface port 443 -R 'ssl.record.content_type == 24' We believe that this should only be used as a temporary fix to decrease the exposure window. The log rule should allow you to test the firewall rules before being used in production. It goes without saying that if you have any suggested improvements to these rules we would be grateful if you could share them with the security community. Clearly, use of these rules is at your own risk ;) ECSC SOC Team Researchers: Adam Shore Alex Innes Fabien Bourdaire = Included Stuff Ends = -- Angus Scott-Fleming GeoApps, Tucson, Arizona 1-520-290-5038 Security Blog: http://geoapps.com/ ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] Building pfSense
hail, I had the link I followed the steps provided here http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso, but it won't work for me again. How can I find the guide to build it myself ? I need to put the amd64 kernel option for my net6501. thanks, matheus -- We will call you Cygnus, The God of balance you shall be A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? http://en.wikipedia.org/wiki/Posting_style ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.1.2 is released
On 11/04/2014 5:23 am, Jim Thompson wrote: https://blog.pfsense.org/?p=1253 pfSense release 2.1.2 is now available. pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release. Thanks for the new release. Any sign of updated AWS AMIs? Regards, lb The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements: • pfSense-SA-14_04.openssl • FreeBSD-SA-14:06.openssl • CVE-2014-0160 (Heartbleed) • CVE-2014-0076 (ECDSA Flaw) Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use. Other Fixes • On packages that use row_helper, when user clicks on an add or delete button, the page scrolls to top. #3569 • Correct a typo on function name in Captive Portal bandwidth allocation. • Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance. • Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591 You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc. ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list