Support of packages
-
@michmoor said in Support of packages:
Gents and Ladies,
Have a non-technical question here. I recently was on Twitter and saw that there was a possible exploit within the pfBlockerNG package.
Just install pfBlockerNG-devel v3.1.0_4 and you are good to go. It's unaffected by this exploit.
-
@nimrod I think my larger question is how Netgate handles any future exploits in the packages. That's what I'm concerned about. Suppose it was v3 that was impacted. What's the response?
-
@michmoor said in Support of packages:
exploits in the packages
pfBlockerNG-devel 3.1.0_4 is 100 % readable 'open source' code.
Many lines, but still a small package.
I'm not from Netgate, just a user like you, but I know that Netgate does not want or force you to install anything whatsoever. pfSense packages are just extensions that add functionality and thus possible issues.
You doubt? Don't install. Period.
Some pfSense packages are Netgate made. If an issue arises, Netgate will update them ASAP.
They will use CNN, Fox News, Twitter, Facebook (I guess?), Reddit, the RSS feed in the GUI, and maybe TikTok to get you informed.
The ones on the forum will be the first to know.
About pfBlockerNG-devel 3.1.0_4:
It isn't listening on any interface. So no way to contact it from the outside **.
You have to have access to the pfSense GUI or SSH or console to interact with pfBlockerNG-devel.
pfBlockerNG-devel, when installed, does ... nothing.
Then the admin informs pfBlockerNG-devel to download lists.
An admin worth the title "admin" will check what pfBlockerNG-devel downloads as 'feeds' (lists with IP addresses and DNS host names).
** Not entirely true.
pfBlockerNG-devel hosts a web server based on Lighttpd and listens on 10.10.10.1.
IMHO, a useless process, as only DNSBL-blocked host names accessed using a web browser over HTTP can get redirected to this 10.10.10.1 to tell you the domain was blocked.
The thing is: HTTP isn't used (on the Internet) any more ...
So I disabled the built-in web server used by pfBlockerNG-devel. One thing less to deal with.
Globally, pfSense security works like this:
pfSense is secure.
Then the admin logs in, starts to change things, and then everything goes downhill fast ...
-
@gertjan I'm not completely following what you're saying here.
Are the packages in the repositories supported or not - this is the question.
Not following what CNN or Twitter has to do with the above question.
-
@michmoor said in Support of packages:
@gertjan I'm not completely following what you're saying here.
Are the packages in the repositories supported or not - this is the question.
Not following what CNN or Twitter has to do with the above question.
The vast majority of the packages in the pfSense repositories are NOT supported by Netgate (the pfSense team). For example, the Snort and Suricata packages are entirely supported by me. From time to time in the past a pfSense developer that happened to also use one of the packages would submit a small fix to GitHub which I would review and approve for the pfSense team to merge.
The same is true of pretty much all of the available packages. The packages wind up in the system via community contributions. Sometimes the original contributor hangs around and supports the package, but sometimes that is not the case. I believe there are a few instances where the Netgate/pfSense team has stepped in to fix a critical issue in a now poorly supported package that has lots of users, but that is not the norm.
-
@bmeeks Gotcha. Thanks, Bill for clarifying. It's really helpful.
This doesn't change my deployment structure, just setting an expectation.
-
@michmoor said in Support of packages:
Not following what CNN or Twitter has to do with the above question.
I meant to say: if something happens with a package, or the underlying (binary?!) code used, someone will mention that, and shortly after that every pfSense admin should be aware.
No one can tell if 'some code' is without issues and risks. Things are found as time passes, and new users try new things. What matters is: if something is found, it should be known fast, so every admin can do what he deems necessary.
@bmeeks, as a package author, is a good example. As soon as some issue is known about @snort or @Suricata, he will kick in.
Also, most packages are just PHP/sh/Perl/whatever script files that live in the protected GUI environment.
-
There is a list of supported packages:
https://www.netgate.com/supported-pfsense-plus-packages
It includes pfBlockerNG but, currently, not the dev package. That is likely to change though since almost all of the development is now in the dev package.
That page also notes any caveats in what can be supported. Like for example:
The reverse proxy and anti-virus features of Squid3 are not supported.
Steve
-
@stephenw10 Ahh look at that. Thank you! This gives me the warm and fuzzies.
-
@michmoor @stephenw10 Curious, but what does it take to get a package supported by Netgate? pfBlockerNG seems like a good fit considering it's an exclusive plugin that can't be used anywhere else.
-
pfBlocker-NG is on that list. When it was last updated we did not support the development version of the package as that had all the bleeding edge code. However all the development has been in the dev version for some time and the developer even recommends using it. The old version will likely be retired in favour of that at which time I expect that to become the supported package.
Steve
-
@stephenw10 That's great to hear. Once again, thanks for providing good info. Appreciate ya!