Netgate Discussion Forum
    Tag: security
    • XSIVX

      Interested

      Official Netgate® Hardware internet security vpn firewall ipv6
      0 Votes
      2 Posts
      288 Views
      stephenw10

      Did you have a specific question?

      If you're unsure I would first try installing CE on whatever hardware you have to test it.

      Steve

    • H

      CVE-2024-3596 / Radius client msg authenticator attribute

      General pfSense Questions cve-2024-3596 security vulnerability radius
      0 Votes
      2 Posts
      351 Views
      stephenw10

      If you have set that I would expect no issue since the server would reject any unauthenticated requests.

    • JonathanLee

      13 security vendors flagged this IP address / Active Threat Showing During Windows 11 Updates

      Firewalling snort ipv4 security firewall
      0 Votes
      1 Posts
      351 Views
      No one has replied
    • S

      Using RADIUS server but on which device?

      General pfSense Questions radius authentication security vpn connection
      0 Votes
      5 Posts
      1k Views
      S

      @nogbadthebad said in Using RADIUS server but on which device?:

      Out of interest how many access-points do you have ?

      I have a total of 5 Cisco 1700 Series access points connected to the controller

    • T

      pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures

      General pfSense Questions security certificates openssl
      0 Votes
      5 Posts
      965 Views
      jimp

      @teward said in pfSense: Certificate Export only using Legacy SHA1 or MD5 exports/signatures:

      @jimp I assume then that this will hit pfSense Plus, so for $FULLTIME_JOB I'll need to get us a pfSense+ license for commercial / corporate use. Because I don't know when CE will (if ever) receive the patch.

      The code is in the upcoming Plus 23.01 release.

      The code is also in CE 2.7.0 snapshots.

      You can apply the patches to CE 2.6.0 or Plus 22.05 and get it on existing systems if you prefer.

      When the OpenVPN client export changes are ready they will also be available on 2.6.0 and likely 22.05 in addition to 23.01 and 23.05/2.7.0

    • S

      PING vulnerability in FreeBSD: are we affected? Mitigations or updates available?

      General pfSense Questions security vulnerability freebsd
      0 Votes
      5 Posts
      880 Views
      johnpoz

      @stepinsky you would need to edit the subject (ie your first post) then you can edit that and add a tag of solved, etc.

    • S

      Security of Vlan on WAN with Send options

      General pfSense Questions security vlan wan
      0 Votes
      19 Posts
      2k Views
      stephenw10

      And logins to other more remote sites will be encrypted with https or similar.

    • B

      TCP-port -135

      Off-Topic & Non-Support Discussion tсp-port -135 security remote access
      0 Votes
      3 Posts
      2k Views
      MarG

      If I understood your question correctly, ports can be opened or closed to allow or deny data transfer between devices. If you do not close them, an unauthorized user can access the data.
      Here you can see the details

    • S

      OpenSSL vulnerability: pfSense affected?

      General pfSense Questions openssl security vulnerability
      0 Votes
      3 Posts
      864 Views
      johnpoz

      @stepinsky said in OpenSSL vulnerability: pfSense affected?:

      I cannot judge the relevance of the vulnerability for pfSense users.

      That is the big question for sure.. The analysis is still underway at NIST

      https://nvd.nist.gov/vuln/detail/CVE-2021-3712
      This vulnerability is currently awaiting analysis.

      The key really being
      "If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit."

      Would that be something that could be done with how and when pfsense uses openssl? And it seems there is a patch for freebsd
      https://www.freebsd.org/security/advisories/FreeBSD-SA-21:16.openssl.asc

      So when netgate/pfsense feels it's prudent, sure they will make it available.

      edit: Well this openssl thing was in one of the many newsletters I get ;) In one today.. Doesn't seem like it is too much of a concern to be honest.

      Here is the article if interested
      https://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm/

    • Sergei_Shablovsky

      How to prevent users from LAN to know the external local WAN IP ?

      Off-Topic & Non-Support Discussion multi wan cloudflare external ip security
      0 Votes
      41 Posts
      8k Views
      Sergei_Shablovsky

      @kiokoman said in How to prevent users from LAN to know the external local WAN IP ?:

      in the 90's i remember there was this conspiracy theory that antivirus computers create viruses in order to sell antivirus software... say no more ... now that your isp know your fear it will ddos you to take your money ... big fish eat small fish !

      Because amateur, maybe You never come under real DDoS.

      P.S. Another perfect example of new attack vectors that You may never know https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/

    • T

      CVE-2019-14899

      General pfSense Questions security vulnerability
      0 Votes
      3 Posts
      511 Views
      T

      Sorry there is another thread on this:
      https://forum.netgate.com/topic/148713/cve-2019-14899

    • T

      CVE-2019-14899

      IPsec security
      0 Votes
      9 Posts
      2k Views
      S

      The CVE was way way way more hyped than it should be. 100% a routing issue and not a "fault" at VPNs. https://github.com/stryngs/hysteria << For the answers

    • E

      Firewall Advice

      Firewalling firewall security
      0 Votes
      4 Posts
      955 Views
      A

      @eddiemcdiarmid said in Firewall Advice:

      Hmm interesting. I don’t have any rules but the managed of the network I’ve named ‘external network’ can see my router. Is there a rule I can add to block them being able to access my network?

      Seeing your network and accessing your network are two very different things. You say both in your reply post above. The default block/deny rules on every pfsense install for the WAN interface, like @johnpoz talks about above, keep people/hosts from accessing your network.

      You don't need to do it, but if you're really paranoid about that external network, you could set a specific block rule in your WAN interface to block/deny its IP addresses. Again, you really don't need to do it, however.

      This is an example of the default settings and wording from an old version of pfsense, but I think the current versions still look like this on the WAN interface:

      Jeff

    • T

      A Few General Questions about pfSense ..

      General pfSense Questions n00b security pfsense
      0 Votes
      5 Posts
      954 Views
      S

      @thehermit Hardware encryption will probably be a requirement for v 2.5