The rule order in the configuration file is supposed to reflect both the rule processing and rule position (i.e. what's shown in the GUI) order. Ultimately, the processing itself is determined by what gets put into /tmp/rules.debug. As for the rule position in the GUI, there are multiple factors involved. With the latest fixes (referenced in the thread linked above), what does happen should finally match what is supposed to happen.

@techpro2004 FFS.

@antoine2711 said in Can’t compile a port software. Error: Unable to determine OS version. Either define OSVERSION, install /usr/include/sys/param.h or define SRC_BASE:

Hi @bmeeks, I was able to retreive the pkg in the cache folder of my FreeBSD (/var/cache/pkg).

Thanks for your help again. I’m ok for now.

Best Regards, Antoine

The risk with installing packages from the stock FreeBSD repo (or any other repo except the official pfSense repo for your version) is that the versions of various shared library dependencies may differ from what is currently used by pfSense. The pkg utility will automatically attempt to download and install any shared library dependencies needed by the package you are installing. So long as those are the same ABI and shared library versions as what already exists on the pfSense installation, you are fine. It's when they differ that your pfSense installation can get broken - and sometimes irretrievably broken.

@stephenw10 I don't think kernel debug symbols are really going to be of much use to me. And Xdebug is a php debugger, but I need debug symbols for php83-pecl-radius (and php-fpm I suppose).

@LamaZ This looks to have been going on for many years glad it made it. Secure Time!! Quizzes, Tests, Exams, etc all are now a bit more secure.

@guiambros said in pfSense compile requirements for 3rd party software:

Using the default devel branch I can finish the poudriere jail, but can't compile packages due to missing pfSense-pkg-zabbix-[agent4|proxy4] pre-reqs. If I use the RELENG_2_7_2 branch, jail creation fails with make[4]: don't know how to make aes-586.S. Stop.

For anyone having this issue, you just need fork the FreeBSD-src then merge this pull request into your branch.

@encrypt1d: it seems Netgate made it (intentionally?) impossible to compile or do anything with CE.

I do not believe this is an intentional sabotage. The commits that led to this issue can be found here and here.

I don't really understand why these commits were made, but I suspect it was because netgate wanted to upgrade OpenSSL to version 3.0.9 on pSense 2.7.2. This version was not yet integrated into FreeBSD 14, hence the custom commits.

As for "netgate made it harder to build pfSense"..yes, possibly, but it's not impossible. See this repo.

Also: WITHOUT_LIB32=y is absolutely not needed to my knowledge. I don't know why people keep referencing it.

I spent some time yesterday learning how to build from ports, and I was able to create Zabbix 7.0.6 proxy and agent binaries using a fully updated FreeBSD 14.2 VM. I didn't use Poudriere jails or anything, just ran

cd /usr/ports/net-mgmt/zabbix7-server/ && make

I copied the binaries to a pfSense 24.11 box for testing and so far they work perfectly.
This is not a proper build and testing process, but it's a good indication that Zabbix 7.0 should work fine on pfSense 24.11.

I'm not a developer and don't have a Github repo, so I guess this doesn't help anyone unless I setup an account and submit a PR for my binaries to be included?

Also, is there a guide of what the statuses mean on Redmine? The Zabbix 7.0 package request is "Confirmed", "In Progress", and target is 25.01. Does this mean that Zabbix 7.0 will NEVER be released for 24.03 or 24.11? Is Netgate staff working on the packages to include with 25.01, or is it waiting on someone in the community to submit it?

If 24.11 is the currently supported version of pfSense, and assuming the Zabbix package doesn't require modifications to pfSense, then it should be possible for an official package to be released for 24.11, right? As far as I can tell, it can 7.0 behaves exactly the same as 6.4.

I think my test port uses different default paths for the config, log, and pid files than pfSense does, but the log and pid paths can be set in the config file, and the the config file path is given as a parameter to the binary. Or someone with more knowledge than me could just set those correctly in the build.

KvY6SmgB4s.png

@marcosm said in Multiple instances of repeatable:

Sounds like it'd be best to go with a single input field for each section.

Yea, I think you're right. Enhancing the javascript could end up as a lifelong project for me.

You are trying to do this using some custom php script in pfSense directly?

@Viper_Rus said in How to create patch against 2.7.x code:

https://redmine.pfsense.org/issues/855

You can apply the change referenced in the bug via a system patch: 30d46b63834444e9a7a4af310a5d8aaf94baf01a

But you also need this previous changeset: 4bbbcc368bf1da815025fa51268d5de96fa73220

YMMV! But if you do have issues you can just revert the patches.

Steve

Updated due to porkbun change, moving apis from porkbun.com to api.porkbun.com

--- a/src/etc/inc/dyndns.class 2023-10-13 16:00:47.738058000 -0400 +++ b/src/etc/inc/dyndns.class 2023-10-13 16:39:40.614111000 -0400 @@ -71,6 +71,7 @@ * - Namecheap (namecheap.com) * - No-IP (no-ip.com) * - OpenDNS (opendns.com) + * - Porkbun (porkbun.com) * - SelfHost (selfhost.de) * - SPDYN (spdyn.de) * - SPDYN IPv6 (spdyn.de) @@ -141,6 +142,7 @@ * ODS - Last Tested: 02 August 2005 * OpenDNS - Last Tested: 4 August 2008 * OVH DynHOST - Last Tested: NEVER + * Porkbun - Last Tested: 13 October 2023 * SelfHost - Last Tested: 26 December 2011 * SPDYN - Last Tested: 02 July 2016 * SPDYN IPv6 - Last Tested: 02 July 2016 @@ -309,6 +311,13 @@ if (!$dnsZoneID) $this->_error(8); if (!$dnsTTL) $this->_error(9); break; + case 'porkbun': + case 'porkbun-v6': + if (!$dnsUser) $this->_error(3); + if (!$dnsPass) $this->_error(4); + if (!$dnsHost) $this->_error(5); + if (!$dnsDomain) $this->_error(5); + break; default: if (!$dnsUser) $this->_error(3); if (!$dnsPass) $this->_error(4); @@ -337,6 +346,7 @@ case 'name.com-v6': case 'noip-free-v6': case 'noip-v6': + case 'porkbun-v6': case 'route53-v6': case 'spdyn-v6': case 'yandex-v6': @@ -464,6 +474,8 @@ case 'ods': case 'opendns': case 'ovh-dynhost': + case 'porkbun': + case 'porkbun-v6': case 'route53': case 'route53-v6': case 'selfhost': @@ -948,6 +960,73 @@ $server = "https://api.nic.ru/dyndns/update?hostname={$this->_dnsHost}&{$iptype}={$this->_dnsIP}"; curl_setopt($ch, CURLOPT_URL, $server); break; + case 'porkbun': + case 'porkbun-v6': + // API documentation: https://porkbun.com/api/json/v3/documentation + $porkbun_api = "https://api.porkbun.com/api/json/v3/dns/retrieve/{$this->_dnsDomain}"; + $record_type = $this->_useIPv6 ? "AAAA" : "A"; + // Check if a record already exists for this host. + $post_data['apikey'] = $this->_dnsUser; + $post_data['secretapikey'] = $this->_dnsPass; + curl_setopt($ch, CURLOPT_URL, "{$porkbun_api}"); + curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data)); + curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json')); + curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); + $response = json_decode(curl_exec($ch), true); + $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); + if ($http_code != "200") { + log_error(gettext("Error message: ") . $response); + return false; + } + if (!is_array($response["records"])) { + log_error(gettext("Unexpected response: ") . $response); + return false; + } + foreach($response["records"] as $record) { + if (($this->_dnsHost == "@" || $this->_dnsHost == "") && + ($record["name"] == $this->_dnsDomain) && + ($record["type"] == $record_type)) { + $record_id = $record["id"]; + break; + } + else if (($record["name"] == "{$this->_dnsHost}.{$this->_dnsDomain}") && + ($record["type"] == $record_type)) { + $record_id = $record["id"]; + break; + } + } + // No record exists for this host, add one. + if (!$record_id) + { + $porkbun_api = "https://api.porkbun.com/api/json/v3/dns/create/{$this->_dnsDomain}"; + if ($this->_dnsHost == "@" || $this->_dnsHost == "") + $post_data['name'] = ""; + else + $post_data['name'] = $this->_dnsHost; + } else { + $porkbun_api = "https://api.porkbun.com/api/json/v3/dns/edit/{$this->_dnsDomain}/{$record_id}"; + $post_data['name'] = $this->_dnsHost; + } + $post_data['type'] = $record_type; + // Porkbun doesn't allow you to "update" an existing record with the same IP + if (($record_id) && + ($this->_forceUpdateNeeded == true) && + ($this->_dnsDummyUpdateDone == false)) { + $post_data['content'] = $this->_useIPv6 ? "fd00:d::1" : "127.0.0.1"; + $this->_dnsDummyUpdateDone = true; + $log_message = 'Dynamic DNS %1$s (%2$s): '; + $log_message .= 'Performing forced update. '; + $log_message .= 'IP temporarily set to %3$s'; + log_error(sprintf(gettext($log_message), $this->_dnsService, $this->_dnsHost, $post_data['content'])); + } else { + $post_data['content'] = $this->_dnsIP; + } + if (intval($this->_dnsTTL)) $post_data['ttl'] = $this->_dnsTTL; + curl_setopt($ch, CURLOPT_URL, "{$porkbun_api}"); + curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data)); + curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json')); + curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); + break; case 'yandex': case 'yandex-v6': // https://yandex.com/dev/connect/directory/api/concepts/domains/dns-records-via-pdd.html @@ -2927,6 +3006,16 @@ log_error($status_intro . gettext("PAYLOAD:") . " " . $data); $this->_debug($data); break; + } + break; + case 'porkbun': + case 'porkbun-v6': + $result = json_decode($data, true); + if ($result['status'] == 'SUCCESS') { + $status = $status_intro . $success_str . gettext("IP Address Updated Successfully!"); + $successful_update = true; + } else { + log_error($status_intro . " ( " . gettext("Error message: ") . $result['status'] . " )"); } break; default: --- a/src/etc/inc/globals.inc 2023-10-13 16:01:01.023284000 -0400 +++ b/src/etc/inc/globals.inc 2023-10-13 16:12:09.816744000 -0400 @@ -222,7 +222,7 @@ "descr" => 'Default Check IP Service' ); -$dyndns_split_domain_types = array("namecheap", "cloudflare", "cloudflare-v6", "gratisdns", "cloudns", "godaddy", "godaddy-v6", "linode", "linode-v6"); +$dyndns_split_domain_types = array("namecheap", "cloudflare", "cloudflare-v6", "gratisdns", "cloudns", "godaddy", "godaddy-v6", "linode", "linode-v6", "porkbun", "porkbun-v6"); /* pf tokens from FreeBSD source sbin/pfctl/parse.y (plus our custom entries at the end)*/ global $pf_reserved_keywords; --- a/src/etc/inc/services.inc 2023-10-13 16:01:14.103456000 -0400 +++ b/src/etc/inc/services.inc 2023-10-13 16:13:41.295138000 -0400 @@ -26,8 +26,8 @@ */ -define('DYNDNS_PROVIDER_VALUES', 'all-inkl azure azurev6 citynetwork cloudflare cloudflare-v6 cloudns custom custom-v6 desec desec-v6 digitalocean digitalocean-v6 dnsexit dnsimple dnsimple-v6 dnsmadeeasy dnsomatic domeneshop domeneshop-v6 dreamhost dreamhost-v6 duiadns duiadns-v6 dyfi dyndns dyndns-custom dyndns-static dyns dynv6 dynv6-v6 easydns easydns-v6 eurodns freedns freedns-v6 freedns2 freedns2-v6 glesys gandi-livedns gandi-livedns-v6 godaddy godaddy-v6 googledomains gratisdns he-net he-net-v6 he-net-tunnelbroker hover linode linode-v6 loopia mythicbeasts mythicbeasts-v6 name.com name.com-v6 namecheap nicru nicru-v6 noip noip-v6 noip-free noip-free-v6 onecom onecom-v6 ods opendns ovh-dynhost route53 route53-v6 selfhost spdyn spdyn-v6 strato yandex yandex-v6 zoneedit'); -define('DYNDNS_PROVIDER_DESCRIPTIONS', 'All-Inkl.com,Azure DNS,Azure DNS (v6),City Network,Cloudflare,Cloudflare (v6),ClouDNS,Custom,Custom (v6),deSEC,deSEC (v6),DigitalOcean,DigitalOcean (v6),DNSexit,DNSimple,DNSimple (v6),DNS Made Easy,DNS-O-Matic,Domeneshop,Domeneshop (v6),DreamHost,Dreamhost (v6),DuiaDns.net,DuiaDns.net (v6),DY.fi,DynDNS (dynamic),DynDNS (custom),DynDNS (static),DyNS,Dynv6,Dynv6 (v6),easyDNS,easyDNS (v6),Euro Dns,freeDNS,freeDNS (v6),freeDNS API Version 2, freeDNS API Version 2 (v6),GleSYS,Gandi Live DNS,Gandi Live DNS (v6),GoDaddy,GoDaddy (v6),Google Domains,GratisDNS,HE.net,HE.net (v6),HE.net Tunnelbroker,Hover,Linode,Linode (v6),Loopia,Mythic Beasts,Mythic Beasts (v6),Name.com,Name.com (v6),Namecheap,NIC.RU,NIC.RU (v6),No-IP,No-IP (v6),No-IP (free),No-IP (free-v6),One.com,One.com (v6),ODS.org,OpenDNS,OVH DynHOST,Route 53,Route 53 (v6),SelfHost,SPDYN,SPDYN (v6),Strato,Yandex,Yandex (v6),ZoneEdit'); +define('DYNDNS_PROVIDER_VALUES', 'all-inkl azure azurev6 citynetwork cloudflare cloudflare-v6 cloudns custom custom-v6 desec desec-v6 digitalocean digitalocean-v6 dnsexit dnsimple dnsimple-v6 dnsmadeeasy dnsomatic domeneshop domeneshop-v6 dreamhost dreamhost-v6 duiadns duiadns-v6 dyfi dyndns dyndns-custom dyndns-static dyns dynv6 dynv6-v6 easydns easydns-v6 eurodns freedns freedns-v6 freedns2 freedns2-v6 glesys gandi-livedns gandi-livedns-v6 godaddy godaddy-v6 googledomains gratisdns he-net he-net-v6 he-net-tunnelbroker hover linode linode-v6 loopia mythicbeasts mythicbeasts-v6 name.com name.com-v6 namecheap nicru nicru-v6 noip noip-v6 noip-free noip-free-v6 onecom onecom-v6 ods opendns ovh-dynhost route53 route53-v6 selfhost spdyn spdyn-v6 strato yandex yandex-v6 zoneedit porkbun porkbun-v6'); +define('DYNDNS_PROVIDER_DESCRIPTIONS', 'All-Inkl.com,Azure DNS,Azure DNS (v6),City Network,Cloudflare,Cloudflare (v6),ClouDNS,Custom,Custom (v6),deSEC,deSEC (v6),DigitalOcean,DigitalOcean (v6),DNSexit,DNSimple,DNSimple (v6),DNS Made Easy,DNS-O-Matic,Domeneshop,Domeneshop (v6),DreamHost,Dreamhost (v6),DuiaDns.net,DuiaDns.net (v6),DY.fi,DynDNS (dynamic),DynDNS (custom),DynDNS (static),DyNS,Dynv6,Dynv6 (v6),easyDNS,easyDNS (v6),Euro Dns,freeDNS,freeDNS (v6),freeDNS API Version 2, freeDNS API Version 2 (v6),GleSYS,Gandi Live DNS,Gandi Live DNS (v6),GoDaddy,GoDaddy (v6),Google Domains,GratisDNS,HE.net,HE.net (v6),HE.net Tunnelbroker,Hover,Linode,Linode (v6),Loopia,Mythic Beasts,Mythic Beasts (v6),Name.com,Name.com (v6),Namecheap,NIC.RU,NIC.RU (v6),No-IP,No-IP (v6),No-IP (free),No-IP (free-v6),One.com,One.com (v6),ODS.org,OpenDNS,OVH DynHOST,Route 53,Route 53 (v6),SelfHost,SPDYN,SPDYN (v6),Strato,Yandex,Yandex (v6),ZoneEdit,Porkbun,Porkbun (v6)'); /* implement ipv6 route advertising daemon */ function services_radvd_configure($blacklist = array()) { --- a/src/usr/local/www/services_dyndns_edit.php 2023-10-13 16:01:32.710407000 -0400 +++ b/src/usr/local/www/services_dyndns_edit.php 2023-10-13 16:20:58.885037000 -0400 @@ -154,7 +154,7 @@ } elseif (($pconfig['type'] == "cloudflare") || ($pconfig['type'] == "cloudflare-v6")) { $host_to_check = $_POST['host'] == '@' ? $_POST['domainname'] : ( $_POST['host'] . '.' . $_POST['domainname'] ); $allow_wildcard = true; - } elseif (($pconfig['type'] == "linode") || ($pconfig['type'] == "linode-v6") || ($pconfig['type'] == "gandi-livedns") || ($pconfig['type'] == "gandi-livedns-v6") || ($pconfig['type'] == "yandex") || ($pconfig['type'] == "yandex-v6")) { + } elseif (($pconfig['type'] == "linode") || ($pconfig['type'] == "linode-v6") || ($pconfig['type'] == "gandi-livedns") || ($pconfig['type'] == "gandi-livedns-v6") || ($pconfig['type'] == "yandex") || ($pconfig['type'] == "yandex-v6") || ($pconfig['type'] == "porkbun") || ($pconfig['type'] == "porkbun-v6")) { $host_to_check = $_POST['host'] == '@' ? $_POST['domainname'] : ( $_POST['host'] . '.' . $_POST['domainname'] ); $allow_wildcard = true; } elseif (($pconfig['type'] == "route53") || ($pconfig['type'] == "route53-v6")) { @@ -367,8 +367,8 @@ 'he.net tunnelbroker: Enter the tunnel ID.%1$s' . 'GleSYS: Enter the record ID.%1$s' . 'DNSimple: Enter only the domain name.%1$s' . - 'Name.com, Namecheap, Cloudflare, GratisDNS, Hover, ClouDNS, GoDaddy, Linode, DigitalOcean: Enter the hostname and the domain separately, with the domain being the domain or subdomain zone being handled by the provider.%1$s' . - 'Cloudflare, Linode: Enter @ as the hostname to indicate an empty field.%1$s' . + 'Name.com, Namecheap, Cloudflare, GratisDNS, Hover, ClouDNS, GoDaddy, Linode, DigitalOcean, Porkbun: Enter the hostname and the domain separately, with the domain being the domain or subdomain zone being handled by the provider.%1$s' . + 'Cloudflare, Linode, Porkbun: Enter @ as the hostname to indicate an empty field.%1$s' . 'deSEC: Enter the FQDN.', '<br />'); $section->add($group); @@ -434,6 +434,7 @@ 'Godaddy: Enter the API key.%1$s' . 'Cloudflare: Enter email for Global API Key or (optionally) Zone ID for API token.%1$s' . 'NoIP: For group authentication, replace semicolon (:) with pound-key (#).%1$s' . + 'Porkbun: Enter the API key.%1$s' . 'For Custom Entries, Username and Password represent HTTP Authentication username and passwords.', '<br />'); $section->addPassword(new Form_Input( @@ -454,6 +455,7 @@ 'DNSimple: Enter the API token.%1$s' . 'Linode: Enter the Personal Access Token.%1$s' . 'Name.com: Enter the API token.%1$s' . + 'Porkbun: Enter the API secret.%1$s' . 'Yandex: Yandex PDD Token.%1$s' . 'Cloudflare: Enter the Global API Key or API token with DNS edit permisson on the provided zone.%1$s' . 'deSEC: Enter the API token.', '<br />'); @@ -633,6 +635,8 @@ case "name.com-v6": case "onecom": case "onecom-v6": + case "porkbun": + case "porkbun-v6": hideGroupInput('domainname', false); hideInput('mx', true); hideCheckbox('wildcard', true);

Since 24.03 there is packet flow data exporting available which could meet this requirement:

https://docs.netgate.com/pfsense/en/latest/firewall/pflow.html

Steve

Bump, issue persists. This seems to disrupt ipv6 connectivity on prefix rotation by upstream entirely.
The new prefix does not propagate further then a new slaac address on the wan interface itself. All tracked interfaces don't update, ra keeps announcing deprecated prefixes, "LAN" looses internet connectivity.

Issue opened https://redmine.pfsense.org/issues/15625

A final harrumph from an old-time C programmer on UNIX systems... I quote from "Advanced UNIX Programming" by Marc J. Rochkind, first edition 1985, page 112: "The cost of a fork [system call in C] is enormous". I suppose this book dates me, but it was a classic in its day.

Modern PHP code is doing the C sequence of fork/exec/wait for the UNIX command under the covers (maybe with the modern advantages of COW memory management), so an "exec" in PHP is a really expensive operation. So minimize exec calls, especially in loops. If you can get the same data by accessing memory or reading a file someplace, then do it.

I found something on MACsec

https://www.synopsys.com/blogs/chip-design/what-is-macsec-protocol.html

And ECMA-393 ProxZzzy on some intel cards

https://ecma-international.org/publications-and-standards/standards/ecma-393/

There are also intel vpro features on NICs and RYZEN DASH remote access control features on ECC capable ryzen pro cpus.

Aww yeah for "pros"

I am sure a combination of the default deny rule and L2 rules protect these features, but I'd also like to secure them all with snort/suricata and use them accordingly without investing into even more proprietary tech.

Is there a steamlined way of identifying all of these features with opensolaris or with nmap or ptrace/dtrace? Their corresponding kernel module necessities etc?