Categories

  • 424
    Topics
    1.3k
    Posts

    R

    Balances traffic based on source IP, destination IP, source port, destination port, and protocol, allowing effective load distribution while maintaining session consistency.

  • 118.0k
    Topics
    742.2k
    Posts

    johnpozJ

    @liquidity well things that jump out at me - 1st one is the 63 notifications.. I would highly suggest you look into those, and clear/fix whatever they are showing.

    2nd.. You have dns servers listed, so your forwarding? Pretty pointless so setup dns in pfsense if your not forwarding.. If your forwarding you have dnssec enabled. Forwarding and dnssec is nothing but problematic and provides nothing but wasted dns queries.

  • Discussions about pfSense software packages

    Cache/Proxy IDS/IPS Traffic Monitoring pfBlockerNG UPS Tools ACME FRR Tailscale WireGuard
    19.7k
    Topics
    124.8k
    Posts

    JonathanLeeJ

    Squid itself has been updated with many of the fixes per this email.

    Just got an update on Squid working on bug fixes. Looks like 7 is the version that mitigates most of all of them.

    "The Squid Project apologizes for being late in responding to the
    publication of 55 vulnerabilities disclosed by Joshua Rogers of Opera Software
    at https://megamansec.github.io/Squid-Security-Audit/

    We thank Joshua for discovering these bugs and sharing their details with us.
    The surprise publication caught us off guard, but Squid
    developers had worked on addressing some of the disclosed vulnerabilities
    since before that publication. This message summarizes Squid's status on
    October 9th, 2024.

    As of Squid v6.8, the vast majority of high-impact vulnerabilities have been
    addressed. The following disclosed vulnerabilities are still present:

    Vulnerability “strlen(NULL) Crash Using Digest Authentication”
    This vulnerability is still present in Squid v6.11. A fix is expected in Squid
    v6.12, due any day now.
    Digest authentication is disabled by default; the current workaround is
    to avoid Digest authentication.

    To verify whether your Squid configuration is vulnerable, check whether it
    contains "auth_param” directive. Configurations with auth_param directives
    mentioning "digest" scheme may be vulnerable.

    pipeline_prefetch (HTTP pipelining of client-to-Squid requests)
    All reported pipelining-related vulnerabilities may still be present in Squid
    v6. Pipelining code will probably be removed in master branch and become
    unavailable in Squid v7. Pipelining is disabled by default.

    If you do not need pipelining (or do not know for sure that you need it), do
    not enable that performance optimization.

    To verify whether your Squid configuration is vulnerable, check whether it
    contains a pipeline_prefetch directive. Configurations containing a
    pipeline_prefetch directive set to a positive value may be vulnerable.

    ESI (Edge Side Includes)
    Most reported ESI-related vulnerabilities are still present in Squid v6. ESI
    code has been removed in the master branch and will not be available
    in Squid v7.
    ESI is disabled in the default build starting with Squid v6.10. In earlier
    versions, ESI code is enabled by default, but the risk is moderate because
    exploiting this family of vulnerabilities requires Squid to be
    configured as a reverse proxy for a malicious origin server.

    If you do not need ESI (or do not know whether you need it), disable it with
    --disable-esi (default for Squid v6.10 and later).

    To verify whether your Squid build is vulnerable, run squid -v. Squid v6.9
    and earlier versions may be vulnerable unless the output contains
    --disable-esi. Squid v6.10 and later versions may be vulnerable if the
    output contains --enable-esi.

    Squid v5
    Some fixes were backported to Squid v5, but we lack the resources necessary to
    support that old version. Folks running Squid v5 and earlier versions should
    either upgrade to the latest v6 release or rely on their
    integrator/distributor for support.

    --
    Francesco Chemolli
    Squid Software Foundation

    squid-users mailing list
    squid-users@lists.squid-cache.org
    https://lists.squid-cache.org/listinfo/squid-users"

    Version 7 is where most almost all of the issues are resolved with. Again some changes were made that would require a Netgate php-software used to configure Squid to Squid software convergence test and tune up. I love Squid it is like a swiss army knife.

  • 42.3k
    Topics
    265.9k
    Posts

    I

    @DarkMasta
    Soweit ich weiß ist die Installation nicht verschlüsselt. Wer physischen Zugriff hat, kann auch im Zweifel die Config auslesen. Wie gesagt, wenn es um das reine Entsorgen geht, würde ich die Datenträger zerstören. Ansonsten DBAN für HDDs oder Secure-Erase-Befehl bei SSDs durchführen. Das ist aber deutlich mehr Aufwand.

  • Information about hardware available from Netgate

    2.4k
    Topics
    19.2k
    Posts

    L

    @SteveITS Yes, turning it off got me better download numbers, especially (100mb+). I didn't think that the NICs on this device supported anything other than limiters? I remember reading that somewhere when I was shopping for it. I was using some other traffic-based optimization when I had an intel-based pfSense installation.

    My use of limiters was mainly for reducing buffer-bloat and preventing any particular device on the LAN from saturating the connection (this was on 25/6 VDSL). Perhaps I don't need any traffic management any more. My buffer-bloat testing gives me an "A"-rating now, just as-is. That wouldn't have been possible without the limiter on VDSL/cable in the past.

    I'll have to investigate CODEL parameters a bit when used with a higher speed connection like this.

  • Information about hardware available from Netgate

    44
    Topics
    210
    Posts

    GertjanG

    @LesserBloops said in Netgate Security Advisory: CVE-2024-6387:

    I had no idea System_Patches existed until happening upon this thread

    Yeah .... well, scrap what's I've said above.
    I'll rephrase, and express my real opinion :
    It must be a package, so when an update exists, it will get flagged on the dashboard as 'update == patches' exist. That's the great thing about the pfSense package system.
    I was wondering : why isn't this build into pfSense directly ? But that would mean that there will be another thing to check, pfSense packages updates and patches updates. Another dashboard widget ?
    So : upon pfSense installation : advise the user to pick this package ?
    Or, don't signal the admin, and install the package without admin consent ?
    Humm, maybe not ...

    Right now, any package is installed with admin consent, as you have to install them 'ones'.

    Parches proposed by this package are only mostly 'quality of live' amelioration. But ones in a while they are a must have, as it solves a real issue. Then the question doesn't exist anymore : people will find the forum for support, will find that there is a solution ... a patch, and so on ...

    Real issues, like urgent software updates like (example) curl, unbound nginx etc etc (tyhese are not pfSense packages, but FreeBSD packages ! - or FreeBSD updates ported to their pfSense equivalent by Netgate ) are already getting updated using the command line ( SSH or console !! ) option 13.

    @LesserBloops : I've got one for you : Auto update check, checks for updates to base system + packages and sends email alerts
    "Install" that one also. You maybe not knowing it, but you need it 😊
    Btw : you will need to install the Cron pfSense package.

    This script file tells me, as I receive a mail, if anything has an upgrade waiting. Even pfSense itself.

  • Feel free to talk about anything and everything here

    Forum Feedback Community Job Board
    3.4k
    Topics
    18.4k
    Posts

    stephenw10S

    This was resolved I think?