@nogbadthebad said in Using RADIUS server but on which device?:

Out of interest how many access-points do you have ?

I have a total of 5 Cisco 1700 Series access points connected to the controller

@teward said in pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures:

@jimp I assume then that this will hit pfSense Plus, so for $FULLTIME_JOB I'll need to get us a pfSense+ license for commercial / corporate use. Because I don't know when CE will (if ever) receive the patch.

The code is in the upcoming Plus 23.01 release.

The code is also in CE 2.7.0 snapshots.

You can apply the patches to CE 2.6.0 or Plus 22.05 and get it on existing systems if you prefer.

When the OpenVPN client export changes are ready they will also be available on 2.6.0 and likely 22.05 in addition to 23.01 and 23.05/2.7.0

@stepinsky you would need to edit the subject (ie your first post) then you can edit that and add a tag of solved, etc.

And logins to other more remote sites will be encrypted with https or similar.

If I understood your question correctly. Ports can be opened or closed to allow or deny data transfer between devices. If you do not close them, an unauthorized user can access the data.
Here you can see the details link text

@stepinsky said in OpenSSL vulnerabiltiy: pfSense affected?:

I cannot judge the relavance of the vulnerability for pfSense users.

That is the big question for sure.. The analysis is still underway at nist

https://nvd.nist.gov/vuln/detail/CVE-2021-3712
This vulnerability is currently awaiting analysis.

The key really being
"If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."

Would that be something that could be done with how and when pfsense uses openssl? And it seems there is a patch for freebsd
https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc

So when netgate/pfsense feels its prudent sure they will make it available.

edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest.

Here is the article if interested
https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

@kiokoman said in How to prevent users from LAN to know the external local WAN IP ?:

in the 90's i remember there was this conspiracy theory that antivirus computers create viruses in order to sell antivirus software... say no more ... now that your isp know your fear it will ddos you to take your money ... big fish eat small fish !

Because amateur may be You newer come under real DDoS.

P.S. Another perfect example of new attacks vectors, that You may newer know https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

Sorry there is another thread on this:
https://forum.netgate.com/topic/148713/cve-2019-14899

The CVE was way way way more hyped than it should be. 100% a routing issue and not a "fault" at VPNs. https://github.com/stryngs/hysteria << For the answers

@eddiemcdiarmid said in Firewall Advice:

Hmm interesting. I don’t have any rules but the managed of the network I’ve named ‘external network’ can see my router. Is there a rule I can add to block them being able to access my network?

Seeing your network and accessing your network are two very different things. You say both in your reply post above. The default block/deny rules on every pfsense install for the WAN interface, like @johnpoz talks about above, keeps people/hosts from accessing your network.

You don't need to do it, but if you're really paranoid about that external network, you could set a specific block rule in your WAN interface to block/deny it's IP addresses. Again, you really don't need to do it, however.

This is an example of the default settings and wording from an old version of pfsense, but I think the current versions still look like this on the WAN interface:

alt text

Jeff

@thehermit Hardware encryption will probably be a requirement for v 2.5