Packages wishlist?



  • @hongkonger:

    Would really love an implementation of either of the following

    • Freenas
    • Bacula Server
    • Simple FTP server for file storage
    • Samba (with UI)

    Most of the above are already available in some ad hoc way on pfsense (except bacula server and Freenas), but really appreciate a UI based installation and management.

    thanks

    I second this. An FTP Server and Samba in particular. If a store bought consumer router can do it, why not pfsense? Surely it can do it better, more secure, and faster. :)



  • @msanangelo:

    If a store bought consumer router can do it, why not pfsense?

    Maybe because pfSense is a more serious contender in the firewall business and not one of the flaky consumer routers you better throw as far as your aching back lets you?


  • Moderator

    @jahonix:

    @msanangelo:

    If a store bought consumer router can do it, why not pfsense?

    Maybe because pfSense is a more serious contender in the firewall business and not one of the flaky consumer routers you better throw as far as your aching back lets you?

    http://thehackernews.com/2017/05/samba-rce-exploit.html
    https://lists.samba.org/archive/samba-announce/2017/000406.html
    https://www.shodan.io/report/FoqqpNmw



  • @jahonix:

    @msanangelo:

    If a store bought consumer router can do it, why not pfsense?

    Maybe because pfSense is a more serious contender in the firewall business and not one of the flaky consumer routers you better throw as far as your aching back lets you?

    Really? It's been a stellar firewall so far. It will more than happily block things but I have to fight it to allow things. Can't even forward port 80 that worked fine on the tp-link it replaced and also worked on a VM behind the main pfsense router. The data usage stats are practically useless without an added package. So far, ddwrt worked better and wasn't so annoying. I might enjoy pfsense more if it wasn't so featureless. All I'm asking is a couple programs to make it a bit more useful on the LAN side. Also, is it too much to ask for some critical software patches around here? I've got 4 vulnerable packages in 2.3.3 and my only hope is to wait for 2.4, whenever that'll be released. >.>

    @BBcan177:

    http://thehackernews.com/2017/05/samba-rce-exploit.html
    https://lists.samba.org/archive/samba-announce/2017/000406.html
    https://www.shodan.io/report/FoqqpNmw

    I'm aware of that. I'm not dumb enough to put samba or ftp on the wan. I just want it for the lan.



  • @msanangelo:

    is it too much to ask for some critical software patches around here?

    If you need the feature and know how to configure it under console/config files, you can enable freebsd repo and install the packages you need.

    Also, pfSense has a great GUI framework that you can use to create your own packages with xml files and php script to check selected options and create config files.

    What packages from 2.3.3 are vulnerable?



  • @msanangelo:

    Also, is it too much to ask for some critical software patches around here? I've got 4 vulnerable packages in 2.3.3 and my only hope is to wait for 2.4.

    What packages? And is there a reason that you haven't installed the 2.3.4 update?



  • Given that the freeradius2 port is expiring the end of June 2017 (this month) I'd be interested in seeing freeradius3 make it in to PFSense
    https://www.freshports.org/net/freeradius2
    https://www.freshports.org/net/freeradius3


  • Rebel Alliance Developer Netgate

    @gerby123:

    Given that the freeradius2 port is expiring the end of June 2017 (this month) I'd be interested in seeing freeradius3 make it in to PFSense
    https://www.freshports.org/net/freeradius2
    https://www.freshports.org/net/freeradius3

    That's been on my to-do list for a while. It's just a lot of work, having to go through and rearrange everything to the 3.x directory layout and changes in the config.



  • I have no experience writing PFSense packages but I'd be willing to contribute.

    @jimp:

    @gerby123:

    Given that the freeradius2 port is expiring the end of June 2017 (this month) I'd be interested in seeing freeradius3 make it in to PFSense
    https://www.freshports.org/net/freeradius2
    https://www.freshports.org/net/freeradius3

    That's been on my to-do list for a while. It's just a lot of work, having to go through and rearrange everything to the 3.x directory layout and changes in the config.



  • @jahonix:

    @vagnyj:

    Virtual Box

    No.
    This is your firewall, not a hypervisor.
    However, you can install a virtual pfSense on a hypervisor.

    …and ASR's, NCS's, PTX's etc are not routers? :)


  • Rebel Alliance Developer Netgate

    @gerby123:

    I have no experience writing PFSense packages but I'd be willing to contribute.

    @jimp:

    @gerby123:

    Given that the freeradius2 port is expiring the end of June 2017 (this month) I'd be interested in seeing freeradius3 make it in to PFSense
    https://www.freshports.org/net/freeradius2
    https://www.freshports.org/net/freeradius3

    That's been on my to-do list for a while. It's just a lot of work, having to go through and rearrange everything to the 3.x directory layout and changes in the config.

    FreeRADIUS 3 package is available on 2.4 snapshots for testing now, try it out and post feedback here: https://forum.pfsense.org/index.php?topic=131883.0



  • @jahonix:

    @vagnyj:

    Virtual Box

    No.
    This is your firewall, not a hypervisor.
    However, you can install a virtual pfSense on a hypervisor.

    Well, this reminds me about the old joke about a Catholic and a Protestant priest: The former starts to smoke his pipe while reading the prayerbook, when the latter interrupts him and asks: "Excuse me, I don't want to be nosy, but I asked my bishop if it's OK to smoke while praying, and he answered me, I should not be distracted from praying through smoking. What's the Catholic's stance on this matter?"
    To which the Catholic priest answers: "Very interesting! See, I asked my bishop if it's OK to pray while smoking, and he answered, it's always OK to pray."

    So, of course, a firewall isn't a hypervisor. But assume you have a server box at a colocation provider, you pay per rack space. So, you can either just run the server protected only by whatever mediocre protection the host OS allows for, or you run pfSense and run the server in VirtualBox within. So, you see, this is all a matter of perspective.

    Having a hypervisor box, that runs both pfSense and the server OS is theoretically possible, but much harder to administer, and it requires rather expensive, bare-metal hypervisor software, while pfSense community edition and VirtualBox are both available free for people running small services on a limited budget.

    In my case, I have somewhere a pfSense unit at a colo provider, to allow me some specialized VPN type applications. The system is, in terms of CPU power, underutilized, because it's rather low traffic. With the coming requirements for pfSense, I'll have to upgrade to an even more powerful CPU. Needless to say, running a web server or some other small services on the same box would not be undesirable, given that I already pay for the rackspace. vhost has gone the way of the dodo, so VirtualBox would get a lot more utility out of the whole thing, without in any significant way affecting security negatively.

    pfSense is useful for a whole lot more than just a plain vanilla firewall; if it's just the latter I'd need, I could use a much simpler system…



  • Hi

    it would be nice to have:

    • bacula client
    • icinga2 client (yes I know there is nrpe)

    Greetz



  • Hi all,

    it would be great to get Ufdbguard as a package for Pfsense.
    Is there a way I can contribute / facilitate with that request?

    Regards



  • Hi!

    I'd love to have the Ocsinventory-Unix-Agent package available, so I could install it and keep my firewall inventoried with the rest of my computers and servers.



  • How about the latest ntopng package?..:)



  • PassiveDNS

    Something like this: https://github.com/gamelinux/passivedns

    I find the idea so simple, the potential quite big.



  • ZNC for  2.4.X


  • Rebel Alliance

    Been mentioned before - some time ago I believe - Webdav package. - Great for IoT devices.



  • Package for CUDA installation and compile Suricata with support CUDA.
    This will allow even an inexpensive video card to increase the performance without increasing processor power



    • bacula client
    • icinga2 client (yes I know there is nrpe)

    Bacula / If you install a soft mirror of two SSDs as RAID1 and one disk is failing you could easily swap it over
    and rebuild the system, and during that phase the second or slave unit from your pfSense HA cluster will do
    the entire job within.

    Icinga2 / Is a monitoring software and works great together with MySQL on FreeBSD and yes Netgate is
    also offering little small computer units such as the MinnowBoard Turbot that you are able to run it there with ease!
    Alternately I can say a small unit with CACTI & MRTG will do this job well too! Or did you hear about ELK?
    ELK, ElasticSearch, Logstash & Kibana. It is more up to you to write code to get flavor working sensors on
    your Icinga2 platform than a packet in pfSense.

    it would be great to get Ufdbguard as a package for Pfsense.
    Is there a way I can contribute / facilitate with that request?

    Please have a look at their pricing list and ask them to do this job itself, based on the commercial
    concern it should be in their interest first! Price list

    PassiveDNS

    Would be nice to see how it works on a firewall.

    ZNC for  2.4.X

    This is not an IRC bouncer or?

    Been mentioned before - some time ago I believe - Webdav package. - Great for IoT devices.

    Is this not more for NAS devices available as a packet?

    Package for CUDA installation and compile Suricata with support CUDA.

    Would be Intel Xeon Phi, Intel's QuickAssist or DPDK matching better to snort or suricata?
    Or a small miniPCIe or PCIe card with an ASIC or FPGA like the Xilinx Spartan 6 on it?



  • I have seen some post about Samba and NTLM for Squid, but I would also like to see Samba included for ntlm_auth in FreeRADIUS 3.x for PEAP authentication against Active Directory.

    http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto



  • +1 for privoxy



  • @heimdalx:

    My wish is very simple . . .  fail2ban or equivalent.  Where I could setup arguments to scan the logs and modify firewall rules based off those.

    Currently running fail2ban on many downstream devices paired with IPtables and it works great.  It would be nice to have the package scan remote logs as well; for instance, scan Apache logs and make changes at the firewall when an attack is happening.

    +1 for this as well I think this is a really good idea.



  • @hornetx11:

    @Tom7141:

    @planetinse:

    Updated Postfix please :)

    +1 for this

    +1 for this too

    +1 for this as well as instructions for a backup MX



  • @biggsy:

    An updated postfix package isn't going to happen.  That was announced on GitHub.

    What I resorted to was creating a new FreeBSD VM and installing postfix on that - as suggested in the postfix thread.

    When that was working I put fail2ban on there as well.  I'd often thought about using those two together.  fail2ban updated a local pf table to block the spammers but I wasn't happy with the spammers getting past pfSense to the postfix/fail2ban server.

    Then I found that I could have fail2ban call OpenBGPD to update an alias table on pfSense.  A feedback loop.  Who knows why the authors of OpenBGPD put that feature in but I'm sure glad they did.

    In the end it's a better solution than postfix on pfSense but it was far from a trivial exercise for me  ;)

    Could you share how you did this because I currently run fail2ban on my sme server, but am interested in setting up a backup mx and thought I could do it with pfsense, but your way doesn't seem too bad especially being you are passing the rules to pfsense.



  • I would like to see an MQTT broker like https://mosquitto.org/ (something that handles local MQTT) available in pfSense.

    Reason is that there are many scenarios where IOT devices need to be run locally and not in the cloud.

    I am currently working on such a product.

    Currently we need the consumer to buy a Micro Appliance device running pfSense and then a separate hub to manage MQTT. But MQTT is all about packets, security and network management so putting this on the pfSense device means one less device to manage and better packaging and safety for the consumer.



  • @oben:

    The big ones for me are:

    privoxy  - a configurable http proxy - ad blocker

    tor  - needs no expl.

    dante  - a SOCKS proxy

    I have compiled this on a ubuntu box with proxHTTPS proxy
    This means it can filter https sites, and use onion network
    But there is a but :)
    As Firefox can use its own proxy it is easy to point to the box, but for the whole network to redirect traffic to that box (80,443) I cannot figure out (either by NAT or by squid (external))



  • Hi all,

    I don't know if it was already mentioned  before, but I just realized something is missing.

    This should be a package, or be built into pfSense:

    • Do nothing (the default).

    • Notify in the GUI and/or by mail the presence of an upgrade of an installed package.

    • Or, why not : a notification a not-installed package has been upgraded.

    • And while we're at it: a notification a new package is made available - or a package was removed.

    Probably some support on the other side will be needed - the presence of a xml file with the current state of all packages, maintained by the "pfSense build engine".
    The first two possibilities could be handled by pfSense right now, as it actually already does : the Packages widget does a good job although not very visible (the yellow marker).



  • Hi,

    +1 for mqtt broker

    and:

    For kvm virtualised pfSense, like we have in Open-VM-Tools for VMware: (debian package Name): qemu-guest-agent

    Markus



  • @tdi:

    Filebeat - https://www.elastic.co/products/beats/filebeat.

    Anyone working on this?

    @robertfranz:

    @tdi:

    Filebeat - https://www.elastic.co/products/beats/filebeat.

    Anyone working on this?

    I thought at one time that I wanted this too.

    Just now getting back to working on my Elk stack, and I'm not really sure what it would do for us that syslog-ng won't do already, as syslog-ng answers the issues of udp transport by offering tcp.

    We still have to parse the log entries to put them into a form we find useful.

    Was there some other factor I'm now forgetting?

    @AR15USR:

    Another vote for Filebeat.

    Need it to ship the Snort log file to my ELK machine..

    I would like to see filebeat as well. There is a FreeBSD package for filebeat that can be installed however having an approved package with GUI configuration options would be superior and could be backed up using the built-in backup feature.

    For integrating with ELK filebeat is superior to trying to make syslog properly output to logstash and filter everything. Additionally using TCP and monitoring specified files we know that everything is properly captured and shipped to our collector.



  • ClamAV is on 0.99.2; there is already 0.99.4 and 1.00 that seems a whole lot better. Shouldn't upgrading the engine be a priority security update?



  • I'd like to see this as well.



  • Hi all!

    Security: I wish to see way less bruteforce attacks on my systems.

    Automatic blacklisting of IPs hitting on an expressly opened set of standard ports that are really not belonging to our protected systems rather are specific bait to the standard port scanners.

    I believe this is the concept of Honeypot and Guerrilla package seems to do that just fine just it isn't integrated in pfSense.

    Any implementation of such a smart system on pfSense (of course automatically freeing up ports present in rules)?

    Best



  • WireGuard VPN

    It was freshly ported to FreeBSD in May 2018.

    Better performance than OpenVPN and easy to configure.

    https://www.wireguard.com/
    https://www.freshports.org/net/wireguard/
    https://lists.freebsd.org/pipermail/freebsd-ports/2018-May/113434.html


  • Rebel Alliance Developer Netgate

    @juppin said in Packages wishlist?:

    WireGuard VPN

    It was freshly ported to FreeBSD in May 2018.

    Better performance than OpenVPN and easy to configure.

    This does not inspire confidence:

    About The Project
    Work in Progress

    WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

    However, if you're interested in helping out, we could really use your help and we readily welcome any form of feedback and review. There's currently quite a bit of work to do on the project todo list, and the more folks testing this out, the better.

    So maybe in the future when it's stable and proven to be secure. Performance means very little if it is insecure.



  • How about a simple package to control the LEDs on the front of some NetGate hardware devices? I.e., Gateway status lights, update available, etc.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC