MaxMind DB URL Changing

DefenderLLC · Mar 13, 2024, 1:41 PM

Just received this e-mail from MaxMind. This could potentially break some of the pfSense packages that use it:

mcury · Mar 13, 2024, 1:43 PM

@DefenderLLC https://forum.netgate.com/topic/186704/pfblockerng-v3-2-0_9/1

DefenderLLC · Mar 13, 2024, 2:39 PM

@mcury Thanks, I did not see that post; however, I do believe that that are several other pfSense packages that also use MaxMind such as ntopng.

bmeeks · Mar 13, 2024, 2:45 PM

The Suricata package was modified to take this change into account with the most recent update back in February.

The Suricata package uses MaxMind's permalink URL internally for the download. There is a new field on the GLOBAL SETTINGS tab where you must enter your Account ID in addition to your License Key for authentication.

JeGr · Mar 14, 2024, 12:36 PM

@DefenderLLC said in MaxMind DB URL Changing:

@mcury Thanks, I did not see that post; however, I do believe that that are several other pfSense packages that also use MaxMind such as ntopng.

Antworten

AFAIK no core package uses MaxMind, only additional packages bring it, so that should be addressed to the individual package maintainer/thread as it's probably not 24.03 (core) related?

DefenderLLC · Mar 14, 2024, 12:46 PM

@JeGr said in MaxMind DB URL Changing:

@DefenderLLC said in MaxMind DB URL Changing:

@mcury Thanks, I did not see that post; however, I do believe that that are several other pfSense packages that also use MaxMind such as ntopng.

Antworten

AFAIK no core package uses MaxMind, only additional packages bring it, so that should be addressed to the individual package maintainer/thread as it's probably not 24.03 (core) related?

My apologies. I just wanted to share the information because of the upcoming May 1st deadline for this change.

Cool_Corona · Mar 14, 2024, 1:02 PM

Is it a plan to update older versions of pfblocker and suricata to take this into account??

Currently hating the thought of upgrading from a very stable 2.5.2 to any of the new releases since every test I have performed on the same hardware the new releases just dont have the performance as 2.5.2 does.

So just wondering...

bmeeks · Mar 15, 2024, 1:19 PM

@Cool_Corona said in MaxMind DB URL Changing:

Is it a plan to update older versions of pfblocker and suricata to take this into account??

Currently hating the thought of upgrading from a very stable 2.5.2 to any of the new releases since every test I have performed on the same hardware the new releases just dont have the performance as 2.5.2 does.

So just wondering...

No. As has been stated on the forum numerous times, packages are locked to a specific pfSense version due to kernel versioning issues. The package repo for a given pfSense version is compiled using the kernel components and libraries for that specific version. They will rarely work in a different pfSense version. Notice I said "rarely work" and not "never work" because there are a tiny handful of exceptions, but not many at all.

So with the above out of the way, nobody wants to expend the effort required to go back and update old package code and recompile everything against an old pfSense kernel. This is especially true if there were known security issues with components of that old version. Also remember what the cost of pfSense CE is. It's $0.00 (also known as free). Developers are not interested in going back and working on old stuff for nothing .

The short answer is that if you want current package code and features and fixes, you MUST stay current with the most recent pfSense CE or pfSense Plus release.

If you want to stay on 2.5.2 for some reason, and you are worried about package updates for Suricata and pfBlockerNG, then you need to stand up your own FreeBSD-ports tree package builder server and maintain/update those packages yourself. You can easily copy/clone the PHP source code and any required binary code patches from the pfSense FreeBSD-ports repo here: https://github.com/pfsense/FreeBSD-ports.

JeGr · Mar 15, 2024, 5:50 PM

@Cool_Corona said in MaxMind DB URL Changing:

Currently hating the thought of upgrading from a very stable 2.5.2 to any of the new releases since every test I have performed on the same hardware the new releases just dont have the performance as 2.5.2 does.

With 2.5.x being not one but already 4 releases behind and running EOL FBSD-12, you'll be on a sinking ship soon. What performance is THAT abysmal that one would forcefully strangle yourself to such an old release?

Cool_Corona · Mar 16, 2024, 7:02 PM

@JeGr Throughput and stable VLAN's....

ahking19 · Mar 16, 2024, 7:02 PM

@Cool_Corona I think @JeGr was trying to ask for a quantifiiable number on "abysmal" throughput performance loss. Is that 40%, 30%, 25%...?

Cool_Corona · Mar 17, 2024, 8:22 PM

@ahking19 Seeing average of 15-18% on busy uplinks.