Re: [pfSense] pfsense upgrade problems?

2017-02-23 Thread Renato Botelho
On 22/02/17 15:23, Eero Volotinen wrote:
> The process will require 14 MiB more space.
>
> 73 MiB to be downloaded.
>
> Fetching php56-5.6.30.txz: .. done
>
> pkg: php56-5.6.30 failed checksum from repository

This kind of error can happen for 2 reasons:

1. Metadata is out of date. In this case the simplest solution is to run
'pkg update -f' on the console just to be sure it's updated

2. The file was corrupted during download

-- 
Renato Botelho

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense 2.3.x 32bit?

2016-11-02 Thread Renato Botelho
> On 2 Nov 2016, at 15:40, Eero Volotinen  wrote:
> 
> Well, it just doesn't find any updates. (from console or from webgui)

What is your platform? full install or nanobsd? If it’s nanobsd, which size?

--
Renato Botelho


Re: [pfSense] pfsense 2.3.x 32bit?

2016-11-02 Thread Renato Botelho
> On 2 Nov 2016, at 14:59, Eero Volotinen  wrote:
> 
> thanks.
> 
> Any idea why I cannot upgrade 2.2.x (32bit) to 2.3.x from console/gui


You should,

What is the error you are experiencing?

--
Renato Botelho



Re: [pfSense] Switching from 2.3.1 DEV to 2.3.1 REL ?

2016-05-19 Thread Renato Botelho
> On May 18, 2016, at 20:39, Olivier Mascia  wrote:
> 
> I had switched through the GUI to Branch development snapshots experimental 
> while I was initially in 2.3-REL on some boxes. It helped a lot in the 
> interim.
> Following announcement of 2.3.1-REL I just switched the GUI settings back to 
> Stable branch.
> But upon checking for new update, it offers me some 2.3.2 snapshot, and not 
> 2.3.1-REL.
> 
> I guess the steps to do should be more or less similar to those I had to do 
> to switch from 2.3 beta to 2.3 REL.
> But could you please remind these steps (or link) here to help?
> 
> Could you also log the wish to have the GUI obey the instruction of switching 
> back to Stable branch and indeed offer an 'upgrade' path from whatever 
> snapshot it was on back or toward the latest REL version? I'm sure it would 
> help some people, too.
> 
> Many thanks for this 2.3.1 bug fix release!

When you use the stable repo configuration, as you did, the GUI will show 2.3.2 
as the next available version. This happens because your current repository 
config still has information about the devel branch, since stable didn’t exist 
yet when you last updated.

You can go ahead and upgrade and you will end up on 2.3.1-RELEASE, but if you 
want to be really sure about it, go to the console and run option 13, and when 
it asks for confirmation just say No. At this point all repo information will 
be updated and you will see 2.3.1-RELEASE even on the GUI.

--
Renato Botelho


Re: [pfSense] freak vulnerable for pfsense

2015-03-19 Thread Renato Botelho
> On Mar 19, 2015, at 07:27, Amit Saxena  wrote:
> 
> 
> 
> Dear Team,
> 
> I am working on a pfSense firewall, which is also configured as an OpenVPN server.
> I got the information about the "FREAK" vulnerability, so I want to know 
> whether it affects the pfSense box.
> My pfSense details:
> 
> pfSense version 2.1 and openssl version 0.9.8y 

Consider upgrading to pfSense 2.2.1, which has openssl 1.0.1l.

--
Renato Botelho



Re: [pfSense] 32 or 64?

2015-01-06 Thread Renato Botelho
> On Jan 6, 2015, at 16:11, Jim Pingle  wrote:
> 
> On 01/06/2015 12:57 PM, Márcio Merlone wrote:
>> I am planning to replace some Linksys boxes on remote offices with a
>> virtual pfSense in the next months and was wondering what's recommended
>> for a new install today: 32 or 64 bits? I ask considering what's best
>> for the mid-long term, are there any 64bit-only features now or planned?
>> Will I lose something running a 32 bit version now or a few years from now?
>> 
>> What are the advantages/disadvantages of each now and what is expected
>> for a near future? I am not asking for an in-depth analysis, but rather
>> a general overview and opinion of the main diffs.
> 
> If the hardware can run 64-bit, use 64-bit. If the hardware can't run
> 64-bit, don't buy it. :-)

+1

--
Renato Botelho

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] FQDN alias update failure

2014-12-22 Thread Renato Botelho
> On Dec 19, 2014, at 18:07, Volker Kuhlmann  wrote:
> 
> pf tables can be populated from FQDNs through pfsense aliases. However
> the FQDNs are not re-evaluated and pf tables are not updated after
> applying changes to the aliases or filter rules, creating confusion when
> setting up rules. The update only happens eventually when the filterdns
> background process gets around to it.

Every time an alias is changed, a HUP signal is sent to filterdns [1], and it 
triggers it to read the config again and update aliases.

> Is there a way to run a command that does an update immediately, while
> the problem is being fixed?
> 
> filterdns is run as
> 
> /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
> 
> and expects a config file as minimum argument.
> 
> However it always starts up a new instance that keeps running. Is it
> possible to tell it to terminate after one update iteration, or do I
> need to write a script that kills it after 10 seconds? Thanks.

Could you let me know the steps to have multiple filterdns instances running? I 
couldn’t reproduce it here.

[1] https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/filter.inc#L394
--
Renato Botelho
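
An added example, not part of the original message and not pfSense's own code: the reply says a HUP makes filterdns re-read its config, so a manual refresh can signal the running daemon through the pidfile from the quoted command line instead of starting a second instance. The function names are hypothetical, and the assumption that the process name is reported as `filterdns` is labelled in the code; the name check keeps a stale pidfile from redirecting the signal to an unrelated process.

```shell
#!/bin/sh
# Added example (hypothetical helper names): reload a daemon via its pidfile.

# Print the command name of a PID, or an empty line if it cannot be found.
proc_name() {
    name=$(ps -o comm= -p "$1" 2>/dev/null | awk '{print $1}')
    if [ -z "$name" ] && [ -r "/proc/$1/comm" ]; then
        name=$(cat "/proc/$1/comm")      # fallback where ps is unavailable
    fi
    printf '%s\n' "$name"
}

# hup_by_pidfile PIDFILE EXPECTED_NAME
# Returns 1 for a missing or garbled pidfile, 2 when the PID is gone or
# belongs to another program (stale pidfile), otherwise kill's exit status.
hup_by_pidfile() {
    pidfile=$1 expected=$2
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d ' \t\r')
    case $pid in
        ''|*[!0-9]*) return 1 ;;         # reject empty or non-numeric content
    esac
    [ "$pid" -gt 1 ] || return 1         # never signal PID 0 or 1
    actual=$(proc_name "$pid")
    # A recycled PID would pass kill(1) silently; compare the name first.
    { [ -n "$actual" ] && [ "$actual" = "$expected" ]; } || return 2
    kill -HUP "$pid"
}

# Usage on the firewall console (path taken from the command line quoted
# above; the process name "filterdns" is an assumption):
#   hup_by_pidfile /var/run/filterdns.pid filterdns
```

A PID can still be recycled in the short window between the name check and the `kill`, so this narrows the stale-pidfile risk rather than eliminating it.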


Re: [pfSense] Upgrading from 2.2RC to 2.2 final

2014-12-17 Thread Renato Botelho
> On Dec 17, 2014, at 08:57, Carlos L. Martinez wrote:
> 
> 
> Hi all,
> 
>  I will install two pfsense fws using 2.2RC next week. When 2.2 final will be 
> released, upgrading from 2.2RC to 2.2 final will be supported or will I have 
> to do a clean install?

You will be able to upgrade it to RELEASE when it’s available. But it’s good to 
remember 2.2 is not recommended to be used in production until RELEASE is done.

--
Renato Botelho


Re: [pfSense] Restore older version backup

2014-12-15 Thread Renato Botelho
> On Dec 15, 2014, at 12:59, Kostas Backas  wrote:
> 
> Hello!
> 
> I have an Alix with the latest 2.1.5 version. Can I restore a backup from 
> this hardware (Alix), but older version (2.0.x)?

Yes.

--
Renato Botelho



Re: [pfSense] Use 2.0.3 config on 2.1.5, does it work ?

2014-11-28 Thread Renato Botelho
> On Nov 27, 2014, at 21:47, Nenhum_de_Nos  wrote:
> 
> Hail,
> 
> I am about to change a firewall hardware, and I see the possibility to update 
> the pfSense version as well.
> 
> Is it safe to do it out-of-the-box ?

Hello,

It’s ok to restore a 2.0.3 config into a 2.1.5 installation. pfSense has code 
to upgrade the config up to the current version.

--
Renato Botelho


Re: [pfSense] Added ntopng.pbi via command line, how do I add to webui?

2014-09-18 Thread Renato Botelho
On Sep 17, 2014, at 20:48, Wade Blackwell  wrote:
> 
> Good afternoon all,
>   I added ntopng to my platform via command line and restarted the 
> webconfigurator. I was expecting to see the package show up under 
> diagnostics, as it did on my other platform that I installed the package via 
> webui package installer, but it doesn't. Is there a way to add that? Searches 
> on this topic have been inconclusive. Thanks, install looked like this:
> 
> [2.1.5-RELEASE][r...@firewall.domain.com]/usr/local/pkg(21): pbi_add 
> --no-checksig ntopng-1.1_1-amd64.pbi
> Verifying Checksum...OK
> Extracting to: /usr/pbi/ntopng-amd64
> Adding group: redis
> Adding user: redis
> Installed: ntopng-1.1_1

Web interface components are not distributed inside PBI. You should install it 
using System -> Packages menu.

--
Renato Botelho



Re: [pfSense] updating issues with signature on image

2014-07-14 Thread Renato Botelho
On Jul 13, 2014, at 21:43, Lyle Giese  wrote:
> 
> I have a Soekris net4801, running 2.0.2-release(i386) NanoBSD Size 512mb.  It 
> shows 2.1.2-release is available for auto-update.
> 
> After downloading, I get an error message that the digital signature is 
> invalid.  I have to abort and the only option is to allow unsigned images.  
> Is this right or is there something wrong with the update process?

It’s probably pointing to a non-official URL to get updates. The latest 
released version is 2.1.4 and it’s signed. The correct URL to get firmware 
updates for the i386 arch is:

http://updates.pfsense.org/_updaters

--
Renato Botelho
http://people.freebsd.org/~garga/pubkey.asc






Re: [pfSense] Dependencies on older packages?

2014-06-11 Thread Renato Botelho
On Jun 11, 2014, at 7:41, Brian Candler  wrote:
> 
> I went to install wget on a pfsense ( 2.1-RELEASE) box, and I got this:
> 
> # pkg_add -r wget
> Fetching 
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/wget.tbz...
>  Done.
> Fetching 
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/pkg-config-0.25_1.tbz...
>  Done.
> Fetching 
> ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/libidn-1.22.tbz...
>  Done.
> pkg_add: warning: package 'libidn-1.22' requires 'libiconv-1.13.1_2', but 
> 'libiconv-1.14_1' is installed
> pkg_add: warning: package 'libidn-1.22' requires 'gettext-0.18.1.1', but 
> 'gettext-0.18.3' is installed
> pkg_add: warning: package 'wget-1.13.4_1' requires 'libiconv-1.13.1_2', but 
> 'libiconv-1.14_1' is installed
> pkg_add: warning: package 'wget-1.13.4_1' requires 'gettext-0.18.1.1', but 
> 'gettext-0.18.3' is installed
> 
> It seems that the wget package is out of date, as it depends on older 
> versions of packages than the ones already installed. Is this to be expected?
> 
> The only other package I had installed was iperf (via the GUI).

Yes, it’s expected. You are using a FreeBSD repo made when 8.3 was released; 
after that, the ports tree received tons of updates. You can try to set the 
PACKAGESITE env var pointing to 8.4-release packages or even to 8-stable and 
see if it helps. It’s just good to remember that it’s not an official way to 
install things on pfSense.

--
Renato Botelho
http://people.freebsd.org/~garga/pubkey.asc






Re: [pfSense] This post on Full-Disclosure

2014-01-28 Thread Renato Botelho
On 28-01-2014 11:40, Chris Buechler wrote:
> On Tue, Jan 28, 2014 at 6:25 AM, Giles Coochey  wrote:
>>
>> http://seclists.org/fulldisclosure/2014/Jan/187
>>
>> I'm not connected with the author, or share any opinions.
>>
>> I simply monitor the Full Disclosure list, as well as pfsense and thought it 
>> appropriate to make the pfsense list aware.
>>
> 
> Thanks for posting. Sure would have been nice if they'd contacted
> secur...@pfsense.org in advance. One of us will get that fixed at some
> point in the next day. There may not be a single install on the planet
> affected by the combination of things where that's applicable. The
> issue is in the Snort package.
> 
> For you to do anything with such privilege escalation vulnerabilities,
> you must have a valid login to administer the firewall and be logged
> in. In most cases, users with admin access to the firewall are in the
> admins group, where they can do anything by design. Nothing to
> escalate to from there. This also only applies if you have the Snort
> package installed.
> 
> So the people who could be impacted are those who:
> 1) have people with firewall admin user accounts with limited privileges
> 2) have the Snort package installed
> 3) have admin users with limited privileges that are granted rights to Snort
> 
> If all of the 3 above apply, then admin users with limited rights who
> have access to Snort can bypass all restrictions on their account by
> exploiting that RCE or LFI. If less than 3 of the above list apply,
> then this has no relevance to you.
> 
> 
>> I imagine a lot of what is disclosed in the post represents problems with 
>> third party packages, and would mostly be mitigated by not allowing the web
>> interface to be accessible from non-trusted networks / IPs.
>>
> 
> That's definitely a best practice with anything used solely for
> management purposes, don't leave it open to the entire Internet. But
> that's not relevant here (nor to IIRC any of the vulnerabilities that
> have ever existed in our web interface). Historically, we've done as
> well or better than any commercial product with a web management
> interface, but there are always risks, and that's the #1 defense. The
> vulnerabilities we've had in our web interface have been XSS, CSRF,
> and privilege escalation. It doesn't matter whether your web interface
> is open to the Internet or not for those classes of issues. But it's
> always possible some serious security issue could be found in lighttpd
> (the web server), PHP itself, or our code, that would allow an
> unauthenticated user to compromise a system if it's open to the
> Internet. So don't do that.

I've pushed a fix and bumped package version to 3.0.3.

-- 
Renato Botelho 
   
GnuPG Key: http://www.FreeBSD.org/~garga/pubkey.asc


