Any idea how to deal with CVE-2022-0778 in the case of, e.g., HAProxy used inside pfSense?
HAProxy would only be affected if you have it configured to accept client certificates as a form of authentication, which is possible but rare in practice. If you have concerns about that, move the service inside a VPN, where it's much more protected. As far as we can tell so far, VPNs are not likely to be as much of an issue, as there are other hurdles attackers would have to overcome before the certificates come into play (e.g. the TLS key protecting OpenVPN in addition to certificate auth), and several VPN types and configs don't use certificates at all (e.g. WireGuard). We're still checking into it and keeping an eye on what people find, though.
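The reply above hinges on one question: is this HAProxy instance configured to verify client certificates at all? The following shell snippet is an added example (not from the pfSense forum, Netgate or the HAProxy project) that scans an haproxy.cfg for `bind` lines carrying `ssl` together with `verify optional` or `verify required`, i.e. the listeners that will parse a certificate supplied by the connecting client. It assumes the standard HAProxy syntax where `verify` sits on the bind line (per-certificate `crt-list` settings are not covered), and the sample config it runs against is constructed here rather than taken from a real pfSense box.

```shell
#!/bin/sh
# Added example: list HAProxy listeners that request client certificates.
# Assumption: 'verify' is given on the bind line itself (crt-list entries are not checked).

# Print every 'bind ... ssl ...' line whose verify mode is optional or required.
# $1: path to haproxy.cfg. Exits 0 even when nothing is flagged.
client_cert_binds() {
  grep -E '^[[:space:]]*bind[[:space:]].*[[:space:]]ssl([[:space:]]|$)' "$1" \
    | grep -E '[[:space:]]verify[[:space:]]+(optional|required)([[:space:]]|$)' || true
}

# Number of flagged bind lines (prints 0 when there are none).
count_client_cert_binds() {
  client_cert_binds "$1" | grep -c . || true
}

# Constructed sample config (not a real pfSense-generated haproxy.cfg):
# one TLS listener with no client-cert check, two that verify client certs, one plain HTTP.
write_sample_cfg() {
  cat > "$1" <<'EOF'
frontend public
    bind *:443 ssl crt /var/etc/haproxy/site.pem verify none
    default_backend web

frontend partner_api
    bind *:8443 ssl crt /var/etc/haproxy/api.pem ca-file /var/etc/haproxy/partners.ca verify required
    default_backend api

frontend optional_mtls
    bind *:9443 ssl crt /var/etc/haproxy/site.pem ca-file /var/etc/haproxy/clients.ca verify optional
    default_backend web

frontend plain
    bind *:80
    default_backend web
EOF
}

# Run against the constructed sample when no config path is given.
demo() {
  tmp=$(mktemp)
  write_sample_cfg "$tmp"
  echo "Listeners that verify client certificates in $tmp:"
  client_cert_binds "$tmp"
  rm -f "$tmp"
}

# Usage: sh check_haproxy_clientcert.sh [/var/etc/haproxy/haproxy.cfg]
if [ "$#" -gt 0 ]; then
  client_cert_binds "$1"
else
  demo
fi
```

On a pfSense box the generated config lives under /var/etc/haproxy/ when the package is installed; an empty result means no listener asks the client for a certificate, which is the case the reply above calls common. A `verify optional` listener still parses whatever certificate a client chooses to present, so it is flagged alongside `verify required`.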
Sorry guys, but the new RTL8153 kernel module is unstable.
I own a ThinkPad USB adapter and used it for months/years with the usual usbconfig set_config earlyshellcmd line in config.xml. It was rock solid loading the standard ure driver and ran for several months without a reboot (90 days before the latest upgrade!).
However, since upgrading to 2.5.2 with the new kernel module, the network adapter stops working after 1 or 2 days. The link indicators on the adapter are still blinking, but the interface is down in the interface status page and the console shows no IP address. The funny thing is that existing TCP connections (VPN, for example) keep working! Unplugging/replugging the RJ45 or USB doesn't change anything, and pfSense cannot reacquire a DHCP IP address.
After a reboot, the network is back up and working fine... but stops working again after a few days for no apparent reason. Honestly, I would really hope for the driver to be removed so that I can go back to loading the ure module manually without any issue.
OpenVPN client on Netgate SG-3100: issue with port forwarding traffic from the OVPN interface.
I run OpenVPN on a generic router box and have had no issues with the 2.5.x releases.
I would assume that the Netgate SG-3100 issue would be addressed quickly by the Netgate guys. Do we have a confirmed bug for this problem in the tracking system?
This same bug was in 2.5 DEVEL and I reported it to support, but was only told to revert to 2.4 stable. I guess I was just too excited about WireGuard. For the next big upgrade I'm waiting a few weeks before jumping on it.
Might as well capture my results here from upgrading pfSense from 2.4.4p3 to 2.4.5...
SG-5100 - Primary Firewall - No issues with upgrade.
SG-2440 - Backup Firewall - On first boot after the upgrade, no LAN or serial console access. Subsequent reboots, no change. Ended up doing a memstick image install and then restoring the config from the Primary. All good now.
Both systems use the same trivial configuration and the same packages (apcupsd, arpwatch, sudo), except the SG-2440 also has coreboot.
If you find some serious shit like an RCE, you call the vendor before writing some half-assed CVE. Or you post it on darknet forums to become famous and get that zero$day$$$ money. But posting it publicly without alerting the vendor? That's just bad style.