pfSense pkg from FreeBSD ports or repo

Hello,

I want to know if it is able to realise to get a package from
the FreeBSD repo 12.3 as well by pkg add or pkg install?

Gertjan

Short answer : do yourself a favour, don't do this.
pfSense doesn't use a 'vanilla' FreeBSD kernel onto which you can install whatever you want.
It's a specially build FreeBSD (12.3) using different, non default, paths.

Detailed answer from the pfSense manual : Using Software from FreeBSD.

stephenw10

That.

But, yes, it's possible using 'pkg add'.

Steve

Ok thank you both for the quick input and the link to the
right place.

johnpoz

@dobby_ what package are you looking to add, I would stress again @Gertjan warning of not doing it. I might be fine if something standalone little tool, but any sort of complex package with dependencies and the like could be problematic.

What package(s) are you looking to add, in the past they have been nice enough to add stuff to the pfsense repo, I believe nano got added to the repo like that.

Gertjan

@johnpoz said in pfSense pkg from FreeBSD ports or repo:

I believe nano got added to the repo like that.

That's the one I installed using the "do not do that" procedure

Small packages that do not have dependencies - or dependencies that do not mess up the system, are probably fine.

There won't be any GUI support for native FreeBSD package you install. You have to work with it from the command line, set up parameters, config files, etc, manually.

@Dobby_ : please, don't take me wrong here, but the simple fact you ask the question tells me you shouldn't do it.
But, for the experimenting sake : why not.
Get yourself a copy of the config.xml file.
Get yourself a USB stcik with the version of pfSense you use right now.
You should always have these two at any time anyway, as they permit you to get back online within 15 minutes after whatever disk crash or system fault.

Now you're ready !
Install wherever 'package' you want.
If you notice that pfSense doesn't behaves as before : re install from scratch/USB, import the config and your back at square one.

And one last thing : pfSense is a firewall. What the impact will be on your security depends on what you do / what you installed, how you've set it up. pfSense is already to gadget rich ;)

johnpoz

@gertjan said in pfSense pkg from FreeBSD ports or repo:

That's the one I installed using the "do not do that" procedure

why its in the pfsense repo

mer

@johnpoz I read that as @Gertjan added nano before it became available in pfSense repo.
I could be wrong, I'll accept "forty lashes" for being wrong :)

johnpoz

@mer not sure when he added it, but its been part of the repo for multiple years that is for sure.. I sort of recall the thread where it was asked for, I think I might of even asked for it ;) Maybe not, but I know for sure nano has been part of the pfsense like way back in 2.2 versions.. If not before..

mer

@johnpoz Yep. I understand the temptation to cross repos, but have personally avoided doing it.

Gertjan

@johnpoz said in pfSense pkg from FreeBSD ports or repo:

why its in the pfsense repo

My last and first pfSense install was during 1.0.x, waaaaaay back - like close to 10 years ?
edit : the packet manager was something else back then.
I've been upgrading the same system, the one I use @ work, since.
This system is now 'standby' with a 2.6.0 .....

Now I have my new 4100, received last June, as it came with 22.01 I pulled in Nano without the previous hassle.
I had to use "the trick" to pull in Munin-node, which I use because I "know it" and all my systems, mostly Debian, use also Munin.

It is only a test system what is not setup in productive
environment. Only at home.

I was only thinking of installing two "packets" on pfSense
I would be interested in for "play" around with.

With Kismet from SSH console scanning for rough WiFi hosts, APs or potential unwanted WiFi devices
Scan, find, put them on a "ban" or ignore list.
Kismet
Public IPs on pfSense directly, private IPs on the servers, and then between the pfSense and the DMZ
lightsquid as a reverse proxy was in my thinking. So would be nice to set up once fail2ban on pfSense was the idea behind.
centralized_fail2ban

Gertjan

@dobby_ said in pfSense pkg from FreeBSD ports or repo:

Kismet

Doesn't belong on a firewall. But that's just IMHO.
Btw ; scanning your own LAN devices ?

@dobby_ said in pfSense pkg from FreeBSD ports or repo:

fail2ban

Yeah, I under stand.
fail2ban will use the logs of your servers, and then centralize all BANs into the upstream firewall.

I'm using myself fail2ban a lot, and for years now.
But just on a dedicated host, no firewall, no nothing in front of it.
fail2ban will inject rules into the 'pf' firewall using tables or anchors, but 'pf' is under complete control of pfSense (hence the pf in pfsense). Tis will break at worst, gets very messy at best.
You'll have to redo a lot of pfSense's GUI and underlying glue-ware.

Doesn't belong on a firewall. But that's just IMHO.

Only with a script it should scan from time to time
for rough WiFi APs put them on a ignore or own
made blacklist list not to serve them with WiFi,
a that`s it.

Btw ; scanning your own LAN devices ?

No, only scanning the near local area for other devices in AP mode and put them then on a ignore list.

stephenw10

That's really only any use if you have wifi hardware in the firewall. And we are all familiar with the issues there.

Unless you run kismet in server/drone config. But in that setup running the server part on some other host would probably be better. With the drone part running on an AP. Been many years since I did that....

@stephenw10 said in pfSense pkg from FreeBSD ports or repo:

That's really only any use if you have wifi hardware in the firewall. And we are all familiar with the issues there.

Unless you run kismet in server/drone config. But in that setup running the server part on some other host would probably be better. With the drone part running on an AP. Been many years since I did that....

Ok thanks for clarifying this, I would set up it then better
on an small RAPI and combine there kismet and fail2ban
for rough hosts in AP mode.