@jwg014 said in pfSense Plus version 22.01 and pfSense CE version 2.6.0 Software are Now Available!:

any Idea how to deal with CVE-2022-0778 in the case e.g. HaProxy use inside pfSense?

HAProxy would only be affected if you have it configured to accept client certificates as a form of authentication. Which is possible, but rare in practice. If you have concerns about that, move the service inside a VPN where it's much more protected. As far as we can tell so far, VPNs are not likely to be as much of an issue as there are other hurdles attackers would have to overcome before the certificates come into play (e.g. TLS key protecting OpenVPN in addition to certificate auth.), and several VPN types and configs don't use certificates at all (e.g. WireGuard). We're still checking into it and keeping an eye on what people find, though.

Happy birthday !

unfortunately When I attempt to upgrade or restore from a backup the system errors out. My thought was to back out of the upgrade but I can't figure out how.

JK

Sorry guys, but the new kernel module RTL8153 is unstable.

I own a Thinkpad USB adaptor and used it for months/years with the usual usbconfig & set_config line earlyshellcmd in config.xml. It was rocket stable to load standard ure driver and working several months without reboot (90 days before the latest upgrade!).

However, since upgrading to 2.5.2 the new kernel module, the network adaptor stops working after for 1 or 2 days. Link indicators are still blinking on the adaptor, but interface is down in the interface status page and console shoes no IP adress. The funny point is that existing TCP (VPN for example) connections are still working! If I unplug/plug RJ45 or USB, it doesn’t change anything and pfSense cannot reassign an DHCP IP adress.

After a reboot, network is back up and working fine... but stops working again after a few days without any reason. Honestly, I would really hope for the driver to be removed so that I can use again ure module manually without any issue.

Is figured it out.

I used "du" to drill down to the biggest consumers of diskspace and found that suricata was the offender. I reduced the log sizes and retention policy down and now have some free space.

@jegr Sorry just saw this notification...let me check on these for you.

@dylan-fraser said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

ISSUE WITH UPGRADE - Netgate SG-3100

OPENVPN client on Netgate SG-3100 issue with portfowarding traffic from OVPN interface.

pfsense.PNG

I run OpenVPN on generic router box and had no issues with 2.5.x releases.
I would assume that for Netgate SG-3100 issue it'd be addressed by Netgate guys quickly. Do we have a confirmed bug for this problem in the tracking system ?

@taz79 said in pfSense Plus 21.02-p1 Now Available:

but anyway strange that there is no post about this update in here??

Yeah, I'd have to agree that it's odd there was no announcement of the(ir) forum. It was on the blog though.

https://www.netgate.com/blog/

Between the Blog, this forum, redmine and reddit... it's hard to know where to go and when to get the latest info "straight from the horse's mouth".

Hopefully they are all just really busy working through the problems on the 2.5/21.02 release.

This same bug was in 2.5 DEVEL and I reported it to support, but was only told to revert to 2.4 stable. I guess I was just too exited about wireguard. Next big upgrade I'm waiting a few weeks before jumping on it.

Wire guard is working great!

Your team rocks

Hi,

Is there gonna be a new minor release coming up soon to patch the recent vulnerabilities on intel processors and/or upgrade to freebsd 11.4 ?

@mykl I would contact our sales team so they can work with you directly and get more information.

Might as well capture my results here upgrading pfSense from 2.4.4p3 to 2.4.5...

SG-5100 - Primary Firewall - No issues with upgrade.

SG-2440 - Backup Firewall - On first boot after upgrade, no LAN or serial console access. Subsequent reboots no change. Ended up doing a memstick image install and then restoring configs from Primary. All good now.

Both systems use same trivial configuration and the packages are the same (apcupsd, arpwatch, sudo) except SG-2440 also has coreboot.

Peter

if you find some serious shit like a RCE - you call the vendor before writing some half-assed CVE. Or you post that at darknet forums to become famous and get that zero$day$$$ money. But posting it publicly without alerting the vendor? That's just bad style.

Any chance that you guys will start selling pfSense shirts in the store again? Mine is getting a bit worn from the love it gets. :)

@dennis_s said in 2019 Annual pfSense User Survey:

SG-1100

I am from South Africa and need this so badly, I just purchased one (at the exchange rate of 14-t-1!!!) :)

There are still some known issues blocking 2.5 on the 1100 we need to get resolved first, and then once that happens it will be available for test upgrades.

One day...

update went smooth on APU2C4

Great work, so many thanks!

Glad I saw this posted somewhere on the forum my box is updated, a little different as this time i upgraded from a Mac