ISC DHCP (and OpenVPN) update
-
@michmoor I am not aware of these being auto updated in any way. I do believe you have to run it by hand. I run it now and then when messing around updating other stuff.. I like to tool around now and then and make sure everything is on the latest and greatest ;)
Its pretty rare to actually find something that needs updating.
-
@johnpoz
Its been explained to me but im just not getting it.
So these updates here are different then whats in system patches?
Are these updates pulling from the pfsense repo or from freeBSD?Firewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
I ran
pkg updatejust now and everything on mine was already up-to-date, including ISC. I do have all patches applied, so they may have drawn in a dependancy but I don't think any of them are germane.
️ -
@RobbieTT said in ISC DHCP (and OpenVPN) update:
I guess there is no question, or an and..., or a so-what here.
I would like to know too what that update is correcting in dhcpd ...
-
@michmoor said in ISC DHCP (and OpenVPN) update:
So these updates here are different then whats in system patches?
yes these are different, then what you would see in the patches package. Those are normally "patches" to code to correct something. These are actual changes to packages installed in pfsense, for example the openvpn going from version 2.6.7 to 2.6.8
They are in the pfsense repo.
@fireodo the update to the dhcpd from my understanding is fixing the issue people were seeing where dhcp would answer from some other port than 67.. This was problematic for some users. There are a few threads about talking about it.
@RobbieTT not sure how your could of been current, I just ran it this morning and pulled the 3 updates. Did you run "upgrade"?
[23.09-RELEASE][admin@sg4860.local.lan]/root: pkg update Updating pfSense-core repository catalogue... Fetching meta.conf: 0% pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.conf: 0% pfSense repository is up to date. All repositories are up to date. [23.09-RELEASE][admin@sg4860.local.lan]/root: pkg upgrade Updating pfSense-core repository catalogue... Fetching meta.conf: 0% pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.conf: 0% pfSense repository is up to date. All repositories are up to date. Checking for upgrades (3 candidates): 100% 3 B 0.0kB/s 00:01 Processing candidates (3 candidates): 100% 3 B 0.0kB/s 00:01 The following 3 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: isc-dhcp44-relay: 4.4.3P1_3 -> 4.4.3P1_4 [pfSense] isc-dhcp44-server: 4.4.3P1_3 -> 4.4.3P1_4 [pfSense] openvpn: 2.6.7_1 -> 2.6.8_1 [pfSense] Number of packages to be upgraded: 3 3 MiB to be downloaded. Proceed with this action? [y/N]: y [1/3] Fetching isc-dhcp44-server-4.4.3P1_4.pkg: 100% 2 MiB 1.7MB/s 00:01 [2/3] Fetching openvpn-2.6.8_1.pkg: 100% 350 KiB 358.4kB/s 00:01 [3/3] Fetching isc-dhcp44-relay-4.4.3P1_4.pkg: 100% 1 MiB 1.0MB/s 00:01 Checking integrity... done (0 conflicting) [1/3] Upgrading isc-dhcp44-server from 4.4.3P1_3 to 4.4.3P1_4... ===> Creating groups. Using existing group 'dhcpd'. ===> Creating users Using existing user 'dhcpd'. [1/3] Extracting isc-dhcp44-server-4.4.3P1_4: 100% [2/3] Upgrading openvpn from 2.6.7_1 to 2.6.8_1... ===> Creating groups. Using existing group 'openvpn'. ===> Creating users Using existing user 'openvpn'. [2/3] Extracting openvpn-2.6.8_1: 100% [3/3] Upgrading isc-dhcp44-relay from 4.4.3P1_3 to 4.4.3P1_4... [3/3] Extracting isc-dhcp44-relay-4.4.3P1_4: 100% ===== Message from openvpn-2.6.8_1: -- Note that OpenVPN now configures a separate user and group "openvpn", which should be used instead of the NFS user "nobody" when an unprivileged user account is desired. It is advisable to review existing configuration files and to consider adding/changing user openvpn and group openvpn.If you run say pkg info - what do you see for these 2 packages?
[23.09-RELEASE][admin@sg4860.local.lan]/root: pkg info | grep openvpn openvpn-2.6.8_1 Secure IP/Ethernet tunnel daemon openvpn-auth-script-1.0.0.3 Generic script-based deferred auth plugin for OpenVPN openvpn-client-export-2.6.7 OpenVPN Client Export pfSense-pkg-openvpn-client-export-1.9.2 pfSense package openvpn-client-export pfSense-pkg-openvpn-client-import-1.2_1 pfSense package openvpn-client-import [23.09-RELEASE][admin@sg4860.local.lan]/root: pkg info | grep isc avahi-app-0.8_1 Service discovery on a local network isc-dhcp44-client-4.4.3P1 The ISC Dynamic Host Configuration Protocol client isc-dhcp44-relay-4.4.3P1_4 The ISC Dynamic Host Configuration Protocol relay isc-dhcp44-server-4.4.3P1_4 ISC Dynamic Host Configuration Protocol server [23.09-RELEASE][admin@sg4860.local.lan]/root:An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz said in ISC DHCP (and OpenVPN) update:
@fireodo the update to the dhcpd from my understanding is fixing the issue people were seeing where dhcp would answer from some other port than 67.. This was problematic for some users. There are a few threads about talking about it.
Thank you!
-
@johnpoz said in ISC DHCP (and OpenVPN) update:
@RobbieTT not sure how your could of been current, I just ran it this morning and pulled the 3 updates. Did you run "upgrade"?
As said, I just did this:
[23.09-RELEASE]/root: pkg update Updating pfSense-core repository catalogue... Fetching meta.conf: 0% pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.conf: 0% pfSense repository is up to date. All repositories are up to date. [23.09-RELEASE]/root:I presumed that would tell me if something needed to be updated. I have now run
pkg upgrade- I had 5 updates.️ -
@RobbieTT said in ISC DHCP (and OpenVPN) update:
I have now run pkg upgrade - I had 5 updates.
yeah its not the same as with say apt, where after you run an update it tells you there are actually upgrades available.
root@i9-win:/home/user# apt update Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB] Hit:2 https://developer.download.nvidia.com/compute/cuda/repos/wsl-ubuntu/x86_64 InRelease Hit:3 http://archive.ubuntu.com/ubuntu jammy InRelease Get:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB] Hit:5 https://ppa.launchpadcontent.net/isc/bind/ubuntu jammy InRelease Hit:6 https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy InRelease Hit:7 http://archive.ubuntu.com/ubuntu jammy-backports InRelease Fetched 229 kB in 1s (272 kB/s) Reading package lists... Done Building dependency tree... Done Reading state information... Done 1 package can be upgraded. Run 'apt list --upgradable' to see it. root@i9-win:/home/user# -
@johnpoz said in ISC DHCP (and OpenVPN) update:
yeah its not the same as with say apt, where after you run an update it tells you there are actually upgrades available.
Didn't understand at first, but now I get it : that's must be an Ubuntu gadget.
I'm running the original OS here : example : one of my backup MX servers :root@mail2.bhf.fr:~# apt-get update Hit:1 http://deb.debian.org/debian bullseye InRelease Hit:2 http://deb.debian.org/debian bullseye-updates InRelease Hit:3 http://deb.debian.org/debian bullseye-backports InRelease Hit:4 https://security.debian.org/debian-security bullseye-security InRelease Reading package lists... Done root@mail2.bhf.fr:~# apt-get upgrade Reading package lists... Done Building dependency tree... Done Reading state information... Done Calculating upgrade... Done The following packages were automatically installed and are no longer required: linux-image-5.10.0-23-amd64 linux-image-5.10.0-24-amd64 Use 'apt autoremove' to remove them. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.My OS :
root@mail2.bhf.fr:~# cat /etc/debian_version 11.8also called Bullseye.
So 'my OS' behaves as a FreeBSD.
Note the : apt-get update does what it does : it updates [something].
Not the system, software or packages, but the system's packages cache with contains only the name and some other minimal info./
apt-get upgrade will do the actual "compare installed with available" and propose an action.@johnpoz said in ISC DHCP (and OpenVPN) update:
Maybe he forgot the PSA: in front of his title.
Impossible. Don't even know what PSA means.
But confident that I will very soon ^^
If you think it's needed : please do.I was just posting here because not everybody knows that there is more then what the pfSense packages GUI interface shows us.
There is a script here somewhere on the forum that executes a apt update for you (cron it), and mails you when updates are available - GUI packages included. Even if there is an pfSense upgrade.For the less luck among us : no, please, don't upgrade "openvpn" remotely ;)
And no, these don't auto install, as that would mean that pfSense could upgrade itself, which is a big nono, something that was mentioned already on the forum.
@RobbieTT said in ISC DHCP (and OpenVPN) update:
I do have all patches applied
The GUI Patches package ?
That one can only modify GUI 'text file' (mostly PHP) files.
"Patches" can't change binary files like pfSense (FreeBSD) packages. -
@Gertjan said in ISC DHCP (and OpenVPN) update:
But confident that I will very soon ^^
https://encyclopedia.thefreedictionary.com/Public+Service+Announcement
apt-get is a bit different than just apt update ;)
root@NewUC:/home/user# apt-get update Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease Hit:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease Hit:3 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease Hit:4 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease Hit:5 https://ppa.launchpadcontent.net/isc/bind/ubuntu jammy InRelease Reading package lists... Done root@NewUC:/home/user#root@NewUC:/home/user# apt update Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease Get:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB] Get:3 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB] Get:4 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB] Hit:5 https://ppa.launchpadcontent.net/isc/bind/ubuntu jammy InRelease Get:6 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,212 kB] Get:7 http://us.archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1,185 kB] Get:8 http://us.archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,010 kB] Get:9 http://us.archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [224 kB] Fetched 3,968 kB in 2s (1,632 kB/s) Reading package lists... Done Building dependency tree... Done Reading state information... Done 3 packages can be upgraded. Run 'apt list --upgradable' to see them. root@NewUC:/home/user#My point was just running pkg update - prob isn't going to show you or tell you or actually upgrade anything.. It will tell you if it found updates to its list of stuff. But if its current, it won't tell you hey there are X number of things in my list that need to be upgraded.. It just updates the list ;)
-
@michmoor said in ISC DHCP (and OpenVPN) update:
Its been explained to me but im just not getting it.
So these updates here are different then whats in system patches?
Are these updates pulling from the pfsense repo or from freeBSD?The System Patches package only patches the PHP source files that make up the pfSense GUI. System Patches cannot patch binary executable files. Those are precompiled and must be installed by the
pkgutility.For example,
dhcpdis a precompiled binary executable that must be installed by thepkgutility. The precompiled binary is pulled down from the pfSense pkg repo appropriate for your pfSense version. But the pfSense GUI creates the text-based configuration files thedhcpdbinary uses to load its configuration. The GUI creates those files using interepreted PHP.System Patches applies a
diffpatch to PHP source code files using the matchingpatchutility. The GUI on pfSense is written in PHP. PHP is an interpreted language. That means the code is not precompiled. Instead, the text-based PHP source code modules are loaded into the PHP binary interpreter program and then compiled and executed on-the-fly. -
@bmeeks Ah ok got it.
So when do the binaries get updated then? When i install a new version of pfsense?Also, because its pulled into the pfsense repo i assume its safe to upgrade pkgs that require it. Is that right?
Firewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
@michmoor said in ISC DHCP (and OpenVPN) update:
o when do the binaries get updated then? When i install a new version of pfsense?
Generally, yes. But it depends on the binary and whether or not it's in a dedicated package. For example, when a Snort or Suricata update is available many of those carry binary updates along with them. Nearly all packages consist of both binary and GUI parts with the GUI parts written in PHP. The binary pieces are pre-compiled executable code.
But core binaries used on pfSense such as the
dhcpddaemon,unbound, and others pretty much only come with new pfSense versions. Or that was the case in the past. I think some changes are just starting as it appears there is a move to split some pfSense core pieces out to individual packages that are easier to update. I believe that is just getting going with the recent release. For example, in the past if an update was needed for the DNS Resolver,unbound, then the issuance of a new pfSense version was required becauseunboundwas included in the big bundle of pfSense core components and you could not easily update it. -
@michmoor said in ISC DHCP (and OpenVPN) update:
Also, because its pulled into the pfsense repo i assume its safe to upgrade pkgs that require it. Is that right?
Anything you install from the pfSense repo associated with your current pfSense version is safe and compatible. Folks get themselves into trouble by not being on the current RELEASE version of pfSense before updating some optional package they installed. Package binary pieces are compiled against whatever is the "current" version of pfSense.
-
@michmoor AFAIK the System Patches package is only PHP or other non binary changes. It applies a +/- patch to change text in a file.
Tbh I wasn’t aware until last month one could update binaries between pfSense releases but the DHCP fix was mentioned in the Redmine for that. (It wasn’t available the next day). I assume (?) they are slipstreaming it in for anyone who hasn’t upgraded yet.
I also saw a reference in Redmine to 23.09.1 so presumably that’s not far off.
-
curl 8.5 released, it is already available through pkg update and pkg upgrade
https://curl.se/changes.html#8_5_0It is a very big release notes.. Already updated here.
Two vulnerabilities fixed:
low
mediumBut, it is not clear to me if these apply to pfSense use case or if you should update it.
-
pfSense 23.09.1 (and pfSense 2.7.2 CE) uses the pfSense (Netgate) repositories.
So, if Netgate incorporated these upgrades into the pfSense repository, then you can be pretty sure they are meant to be used.Installed packages to be UPGRADED: curl: 8.4.0 -> 8.5.0 [pfSense]So, its console time, option "13" or option "8" and then
pkg update pkg upgrade
