Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense version in configuration

    Scheduled Pinned Locked Moved General pfSense Questions
    9 Posts 3 Posters 3.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      efk
      last edited by

      Each configuration starts like so:

      
       <pfsense><version>8.0</version></pfsense>
      

      I've just installed 2.0.1, 2.0.2, 2.0.3, and 2.1 and i assume this version refers to the version of FreeBSD it's based on. Is that correct? 2.0.x seem to say 8.0, and 2.1 says version 9.8.

      In my $dayjob, i end up doing a lot of firewall configuration reviews, and I've received a couple pfsense configs recently. I cannot tell what specific version of pfsense any given configuration comes from. Would it be possible to seed the pfsense version into the configuration file?

      Anyone else think this would be helpful?

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        <version>8.0</version>
        

        That is an internal config format version, not related to the FreeBSD version or anything in particular. Upgrade code uses it to know what format the config currently is and then apply all subsequent config upgrade conversions since…
        /etc/inc/upgrade_config.inc has the code that makes each upgrade conversion in turn - I guess looking at the end of this file on a particular pfSense version will tell you which internal config format version goes with which external pfSense version.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • E
          efk
          last edited by

          2.0.1, 2.0.2, 2.0.3 all say version 8.0. PFsense 2.1 is version 9.8. Since these are internal versions, this number needs to get incremented with each release.

          1 Reply Last reply Reply Quote 0
          • P
            phil.davis
            last edited by

            Good point - from 2.0.1 to 2.0.2 to 2.0.3 no changes were needed to the config file format, so no internal version increment.
            Perhaps it would be useful to have the pfSense version explicitly set in the config file by code that runs at the end of the upgrade process?

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            1 Reply Last reply Reply Quote 0
            • E
              efk
              last edited by

              Yea, that would help guys like me that need to know what version of the OS are running when we're looking at other peoples configurations. Even if there are no major changes to the config format itself, default behaviors and settings of the OS change over time, and being able to track them to a version number is very important.

              An example would be if someone made a default tunable change in 2.0.2, I wouldn't be able to tell if this configuration came from 2.0.1 or 2.0.2 and thus may give the customer bad advice or overlook a potential problem.

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                The version there refers to the format of config.xml itself. That format did not change between 2.0.x versions so you could take a config from 2.0.3 and put it on 2.0 and it would work the same. If we bumped that number on each version unnecessarily, then it would break the compatibility of the config between versions that really have the same format.

                If you want to stuff purely informational items into config.xml on your own, feel free to come up with a simple script to insert (for example) the output of uname -a and /etc/version into $config somewhere and then call write_config(); Perhaps the routine that writes the revision metadata/info in write_config() itself might be a good place to put it.

                I'm not convinced it's something we'd want to do for everyone by default though.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • E
                  efk
                  last edited by

                  I know how i can do this on my own devices, the problem lies when I get other peoples configurations. It seems that pfsense configurations are becoming more common for me, so that's why I reached out.

                  There are vendors that deemed it worthwhile to add the OS version to their configuration files, for example junos:

                  version 11.4R1.6;
                  groups {
                      node0 {
                          system {
                              host-name example-srx220-node0;
                          }
                          interfaces {
                  ...snip...
                  

                  Cisco doesn't explicitly outline the version, but you can get a general ballpark because you'll see something like 12.2 in the configuration but you wont get the full version, featureset, etc.

                  So to try and shed a little more light, I do configuration reviews for people in a security context. I started writing a parser for pfsense configurations, and wanted to identify the OS based on the version so I could maintain a list of CVE's associated with that particular release of pfsenes. When i went to add support for an older version of pfsense, i found out that the version heading in the config doesn't specifically identify the OS and therefore my parser is dead on arrival.

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    In that specific context I could see how it would be useful to have it automated.

                    If the code showed up as a pull request on github it would probably be accepted. Ideally it should somehow be noted that it is informational only though because otherwise people might think that it means the config could only be restored on a system that had the same information. I'd say between the pfSense version, platform and "uname -a" it should tell you enough.

                    
                            <revision><time>1389273511</time>
                    
                                    <username>admin@192.168.x.x</username>
                                    <detail-info-version><detail-info-platform><detail-info-uname></detail-info-uname></detail-info-platform></detail-info-version></revision> 
                    
                    

                    (Prefixing the fields with "detail" causes the parser to automatically wrap them in CDATA since we wouldn't want anything in those spots to potentially cause broken xml)

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • E
                      efk
                      last edited by

                      What you're talking about sounds perfect. I don't have a development environment at home, but I'll see if this is something I can pull off. Thanks for your input.

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.