@SteveITS I know it is not recommended, so I won't ask for help for my particular problem challenge. :) However, I have to manage lots of systems with different OS's, and I like to minimize the number of packages I manage them with. Luckily, except for this one, all other packages I use are in the pfSense repo.

@jimp said in another os:

Like others have said, Netgate does our best to support hardware for as long as possible.

My SG-2440 is a good example of this.
It perfect sitting in the closet as a cold backup if needed right now.

Following is my opinion:
As for the OP question, if it's out of warranty, add non-eMMC storage reinstall the latest using ZFS and use it as a cold/warm backup.

@Patch I'll definitely be looking at example configs pulled from manually-configured pfsense installs, and refining what I need to include in the config.xml. The point of what I'm doing is to fully-automate the pfsense installation, like described here in the docs by providing the installer a config.xml file to apply. This config.xml will be different for different installations on different machines, so I must generate it programatically, which is why I'm asking about the xml schema and/or other config generation tools.

@michmoor said in Patches update:

Yep. Sorry if that wasnt clear.
I am doing full MITM.

Np, I was just trying to understand :)

@michmoor said in Patches update:

If you rely only on the internal redirect then pfsense points back to itself on the management port (firewall.example.com:443) .
The problem of course is that in order to serve the page you must make your management port accessible to all LAN clients. That means making management accessible to all LAN clients. The only workaround is to use an external webserver that has php code on it to interrupt whats being sent to it from pfsense

Now I see what you meant, yes, indeed that would be a problem.. Using an external server for that solves this problem.

That error has only been reported one other time that I am aware of, and it turned out to be a corrupted alerts.log file if I recall correctly.

That error is saying that a value read from the alerts.log was NULL, but there is no way that can happen unless the file is corrupt. One possibility is a disk read or write error.

When you go to the ALERTS tab, can you display all the alerts from all Suricata configured interfaces without any problem? The exact same code is used within the ALERTS tab and Suricata Wiget, so a corrupt file would impact both. It's also possible that the error happened some time back in the past and by now the alerts.log has been rotated out and the current file may be fine. Does the error repeat every single time the widget updates, or has it only popped up once?

Normally, issues with Snort or Suricata would be posted here: https://forum.netgate.com/category/53/ids-ips.

@bmeeks said in new package / best practices:

I think the /usr/local/etc/rc.d/ path is currently hard-coded into the parts of pfSense that start packages at boot or when executing a "restart all packages" command. I do not believe it will find a script in /etc/rc.d/.

Of course, sorry, I meant /usr/local/etc/rc.d/crowdsec and crowdsec_firewall. Meaning I don't need to wrap them from another script. They are supposed to work in vanilla freebsd after all. I can just enable them in /usr/local/etc/rc.conf.d/*

I'm tagging @jimp in this thread. He is a Netgate developer and may have some helpful input.

Great, thanks

@fabricioguzzy said in Compiling from Source - Problems with "php-pfSense-module":

@bmeeks Hi Bill, Thanks for the heads up.
I have created a ticket --> Issue #14593 on redmine.
Hopefully it will be fixed. Did you open a ticket for the pfsense-repoc ?
I have noticed that it points to an internal Netgate URL, so it's impossible to compile it.
Thanks Much,
Fabricio.

No, I had not gotten around to submmitting a ticket. This issue with pointing to the internal Gitlab URL has happened with other packages in the past, and it eventually sorted itself out. Was just still waiting to see if it would get updated when I saw your post about it.

According to my tests, the valid syntax

Real-time enable/disable interface
No need for system_reboot_sync();

pfSense-repoc-5b49b75f2a3cdf2349139152b2ca52e78dcbfd18_GL0.tar.gz doesn't seem to exist in /usr/local/poudriere/ports/Kontrol_v2_7_0/distfiles/.
=> Attempting to fetch https://gitlab.netgate.com/pfSense/repoc/-/archive/5b49b75f2a3cdf2349139152b2ca52e78dcbfd18.tar.gz?dummy=/pfSense-repoc-5b49b75f2a3cdf2349139152b2ca52e78dcbfd18_GL0.tar.gz
fetch: https://gitlab.netgate.com/pfSense/repoc/-/archive/5b49b75f2a3cdf2349139152b2ca52e78dcbfd18.tar.gz?dummy=/pfSense-repoc-5b49b75f2a3cdf2349139152b2ca52e78dcbfd18_GL0.tar.gz: Host does not resolve
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/pfSense-repoc-5b49b75f2a3cdf2349139152b2ca52e78dcbfd18_GL0.tar.gz
fetch: http://distcache.FreeBSD.org/ports-distfiles/pfSense-repoc-5b49b75f2a3cdf2349139152b2ca52e78dcbfd18_GL0.tar.gz: Not Found
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/local/poudriere/ports/Kontrol_v2_7_0/distfiles/ and try again.
*** Error code 1

This is pointing to some internal netgate repository.

The 3100 is a 32-bit platform and those counters rolled over and went negative.

https://redmine.pfsense.org/issues/14440

@Gertjan Pfsense has the ability in theory to be the first firewall to compartmentalize docker os signatures apart from the host machines and actually control traffic in that manner:) wouldn't that be cool? Again, invasive nation state actors only attack walls at their weakest areas.

Hello, I came across the same topic, it was very useful for me.

This is how I decided to implement it in ansible.

@jimp super helpful - just what I needed! I'm a powershell guy and here's where I landed on this in case anyone else is in the same boat: