Install older version of Packages
-
@stephenw10 so it has been four months on this and no updates on Squid fix?
-
What I'm going to say here is not supported, it can brick your firewall and there is a high chance of a reinstall being required.
So, if you choose to follow this route, do it at your own risk, backup a config first and also take a snapshot just to be safe, ok?
That being said, some time ago I used to install a previous version of softflowd doing the following procedure: (updated for Squid).
Make sure Squid is not installed.
1- ssh to pfsense
2- go to /tmp directory
3- fetch https://firmware.netgate.com/pkg/pfSense_plus-v23_01_armv7-pfSense_plus_v23_01/All/pfSense-pkg-squid-0.4.45_10.pkg
4- fetch https://firmware.netgate.com/pkg/pfSense_plus-v23_01_armv7-pfSense_plus_v23_01/All/squid-5.7.pkg
5- pkg install pfSense-pkg-squid-0.4.45_10.pkg
6- pkg install squid-5.7.pkg
To remove this package: run pkg remove squid
Note: This version is for ARMv7 only, version 23.01.
Unfortunately, this is the latest version I found at https://firmware.netgate.com/pkg/
Proceed with caution, I didn't test this with Squid, just with softflowd, so you are on your own, your responsibility!
To be honest, I'm not sure if it is a good idea to share this.. pfSense admins, feel free to remove this post if you want, it is ok by me!!
-
@ericreiss Thanks @mcury but I would like to see support resolve this properly. Others were experiencing what may be the root of the problem from a ticket https://redmine.pfsense.org/issues/14406.
So the solution is not to try to install older versions of package.
But it appears that "Marcos M" could not replicate the problem and that nothing else is being done.
He tried on release 23.09 and I am now at 23.09 whereas I was at 23.05 at the time of the problem. Maybe I should uninstall Squid and try a reinstall.
It would have been nice if it had been tried against 23.05 and 23.09 to see if there was a difference and if the problem was reproducible on 23.05 so that we would know that just going to 23.09 and then installing Squid would fix everything.
But it appears support put the least amount of effort into this and I have not checked it in months.
-
@mcury This can also work for Snort right?
-
@ericreiss said in Install older version of Packages:
https://redmine.pfsense.org/issues/14406
My redmine lists how to fix the issue, have you attempted to relink the folder, or copy it over to the empty folder?
After 23.05 update and new Squid version 0.4.46 installed errors started showing, "ERROR: loading file '/usr/local/etc/squid/errors/en/ERR_ZERO_SIZE_OBJECT': (2) No such file or directory" and many others the path /usr/local/squid/errors/templates is the only sub folder listed with error code. It seems Headers Handling, Language and Other Customizations settings for languages is not loading the error codes into the required subfolder. System is functional however no errors are listed
Fix:
cp -a /usr/local/etc/squid/errors/templates/. /usr/local/etc/squid/errors/en-us
cp -a /usr/local/etc/squid/errors/templates/. /usr/local/etc/squid/errors/en
seems to resolve this however for other languages there is no error codes any longer.
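The following is an added example, not part of the original post or the pfSense package: a check for which Squid error pages a language directory lacks, plus a repair that copies only the missing files from templates instead of overwriting the whole directory with `cp -a`. The function names `missing_templates` and `repair_language` are hypothetical; the default path is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit Squid error-page language
# directories against the templates directory and fill in what is missing.
# The default path is the one quoted in the post; override ERRORS_DIR to test.
ERRORS_DIR="${ERRORS_DIR:-/usr/local/etc/squid/errors}"

# Print the name of every template file absent from language directory $1.
missing_templates() {
    lang_dir="$ERRORS_DIR/$1"
    for tpl in "$ERRORS_DIR"/templates/*; do
        [ -f "$tpl" ] || continue        # templates dir empty or absent
        name=${tpl##*/}
        [ -e "$lang_dir/$name" ] || printf '%s\n' "$name"
    done
}

# Copy only the missing templates into language directory $1, so pages that
# already exist there (for example translated ones) are left untouched.
# Returns non-zero when the templates directory is absent or a copy fails.
repair_language() {
    [ -d "$ERRORS_DIR/templates" ] || return 1
    mkdir -p "$ERRORS_DIR/$1" || return 1
    missing_templates "$1" | while IFS= read -r name; do
        cp -p "$ERRORS_DIR/templates/$name" "$ERRORS_DIR/$1/$name" || exit 1
    done
}

# Typical use on the firewall (run manually, after a config backup):
#   missing_templates en      # list what Squid would fail to load
#   repair_language en
#   repair_language en-us
```

Running `missing_templates` again after the repair should print nothing for the repaired language; any remaining names point at a copy that failed.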
-
@JonathanLee said in Install older version of Packages:
@mcury This can also work for Snort right?
I didn't test, but I think it could work.. The best approach would be to wait a proper fix..
For softflowd, I tested a lot of versions and they all worked, but softflowd is much simpler than Squid or Snort..
-
@JonathanLee I had done that over the summer. It fixed the one error but there are other problems and @stephenw10 thought there might be a bigger issue since some things were not being installed properly, it might be indicative of bigger and/or more widespread problems.
So your fix while solving some of the warnings did not resolve the other problem I was seeing.
I was trying to get Squid to do the AV Clam scanning so my needs were more involved.
-
@mcury I need the Snort .11 version, my 23.05.01 has separated layer 2 broadcast domains for Compex card Vs Marvell Switch in 23.09.01 they are all one giant broadcast domain, I have issues with Arp Storms in the past, so I am stuck until that is resolved in 23.09.01 I have an open redmine for it because that could open a possibility of VLAN hopping because it does do double MAC registrations, it also did that in 23.05.01 but the traffic between the layer 2 interfaces did not flow like it does in 23.09.01
https://redmine.pfsense.org/issues/15104
This concerns me, the intra interfaces should not require layer 2 communication between each other, they are not virtual not even on the same switch, they have different outbound NAT, they have different layer 3 IP addresses. It worked correctly in 23.05.01, I think KEA DHCP implication has something to do with it, but ISC is also showing one broadcast domain. It's weird.
-
@ericreiss Oooo I have a 2100 MAX ClamAV eats up RAM I used to run it all the time, it works still but with Snort's appID running with all my custom text rules Snort needed more RAM so TAC's recommendation was for me to just disable ClamAV because I don't have the RAM for it to run both packages.
-
@JonathanLee so we have a 6100MAX and I have it running on an old PC with lots of memory. I was using the PC to investigate using it for our small company Internet Firewall.
So the 2100MAX has 4GB RAM and the 6100MAX has 8GB. I'm not even sure what the appID function of Snort is but if we ever start using it, I will keep this in mind.
Have been busy with many other critical tasks and have not been able to check on Squid status.
I thought there would be an update and alert via email.
Not until your note to StephenW10 about wget did I decide to look again.
-
If you're still seeing the missing language issue in 23.09.1 you should add that as a comment on the bug. Currently it's in feedback state after we could no longer replicate the problem in 23.09 and the only feedback is positive.
However any development effort on Squid/Squidguard is likely to be minimal at this point after the deprecation notice. Unless the outstanding upstream bugs are fixed.
Additionally I would expect pkgs compiled against older versions to fail. Anything that works there is more by luck than anything!
Steve
-
@stephenw10 Thanks for the information. I have not been paying the attention needed to have noticed the deprecation notice. I just read it.
Is there a pfSense package that replaces Squid's AV capabilities?
Thank you.
-
Not yet. If the upstream issues are fixed we may be able to bring it back. My personal opinion is that would be the best outcome since anything else is likely to be a feature reduction. But we cannot continue offering it indefinitely with the known issues still present.
-
@stephenw10 Pretty Please fix it upstream :)