Really big problem to go to 2.2.2 from 2.2.1
-
Yet another day of me be glad I am not using equipment with serial console… (-:
Actually if you have the serial console enabled, the problem won't occur. It's only where it's disabled that this can happen, on some minority of hardware.
-
I added the workaround(s) to the upgrade guide – https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.2.2_Upgrade_Notes
-
I had a serial port enabled, with a GPS connected to provide PPS for NTP, and it did impact me. I disabled the serial interface to get it to boot, but without it, my NTP lost the ability to sync with the GPS.
+1 here
-
I had a serial port enabled, with a GPS connected to provide PPS for NTP, and it did impact me. I disabled the serial interface to get it to boot, but without it, my NTP lost the ability to sync with the GPS.
+1 here
Apply the workaround from my last post and then you can re-enable your serial port.
-
-
Its like EVERYBODY :D
No. It's like everyone with unused serial port that doesn't KISS.
I'd say actively going into the BIOS to disable hardware (keeping in mind physical access to the machine means it's already compromised) is the exact opposite of keeping it simple.
-
Especially when that specific hardware has been bog-standard for 30+ years, and generally hasn't caused a problem with anything during that time with extremely minor exceptions.
-
Really? Physical access to the machine by authorized personnel at time of initial OS installation and configuration equates to compromised? Furthermore I would hope that whoever is setting up said machine would verify BIOS settings prior to installing OS anyway. So just KISS it then. And be down with it.
-
Note to self - always read release notes. What a painful, painful way to find out the hard way. Tyan motherboard with dual opteron 2212s is very, very unhappy with this at the moment. Here's hoping disabling serial does the trick. It'd be nice to have the update pulled or fixed if this was known about yesterday…
-
Really? Physical access to the machine by authorized personnel at time of initial OS installation and configuration equates to compromised? Furthermore I would hope that whoever is setting up said machine would verify BIOS settings prior to installing OS anyway. So just KISS it then. And be down with it.
I'm not sure what world you live in, but where I come from disabling the serial port on machines without built-in ILO is the furthest thing from "KISS" you can get.
-
I live in a modern world. KISS does not equate to disabling something you need. But how many of the people getting bit by this issue actually need the serial port. A few sure but most probably not.
-
Note to self - always read release notes. What a painful, painful way to find out the hard way. Tyan motherboard with dual opteron 2212s is very, very unhappy with this at the moment. Here's hoping disabling serial does the trick. It'd be nice to have the update pulled or fixed if this was known about yesterday…
It would be even nicer if people would practice some disciplined behavior and take responsibility for their own faults and oversights (like not bothering to read and follow instructions) rather than expecting something to be withheld from everyone else to protect their self and a minority few others at everyone else's expense.
If you're not going to read and follow the instructions then don't be expecting everyone else to be put out and penalized for the sake of yourself and a minority few others.
World needs to get over catering to LCD (lowest common denominator) and move on. It's a costly mind set to govern by and hampers progress.
Develop self discipline and other good qualities, practices and behaviors that will enable you to not be an LCD that expects everyone else to be held back to your pace and level of ability.
-
I have to admit I didn't read the notes but I'd have been surprised if "Turn of serial console" was in there.
I think that was a surprise for everyone. Am I wrong?
Not blaming the devs but also not blaming the people who got burned.
-
Notice was added yesterday. Anyone getting bit by this today or thereafter has no cause to point finger at anyone but the mirror for not being disciplined enough to read and follow instructions. And especial then also to call for pulling the upgrade when there is a viable proven easy quick workaround for a problem that only affects a minority of systems. To me that's an LCD mind set.
-
Hi jimp,
Thank you very much for this workaround. It works great. The only thing which confuses me is after applying the patch and rebooting the system when I go into System\Advanced\Admin Access - in the Serial Communications field the primary console is still set to "serial console", where my primary console should be VGA (please refer to the attachment). Is this part of the issue or it's just me not understanding the primary console option?
Thanks one more time!
Kind Regards,
Nick
 -
Thank you very much for this workaround. It works great. The only thing which confuses me is after applying the patch and rebooting the system when I go into System\Advanced\Admin Access - in the Serial Communications field the primary console is still set to "serial console", where my primary console should be VGA (please refer to the attachment). Is this part of the issue or it's just me not understanding the primary console option?
The second settings don't matter if the first is unchecked.
-
@NYOB: Given that pfSense is a firewall distribution, and most firewalls run headless, serial is much more common on equipment running pfSense than it otherwise might be. Ideally, it should not be disabled in the BIOS, it should be enabled as an alternate console if it's available or put to use other ways (e.g. NTP).
Serial isn't "old" as in outdated. It's time-tested, reliable, and still heavily used in networking gear and time keeping, among other places. USB may be easy but it's not as reliable for timing/PPS, for example.
I might recommend disabling sound cards, unneeded extra disk controllers, and so on, but I'd rarely if ever recommend disabling a serial port.
-
Who said anything about serial being old outdated etc. I say KISS it. If it ain't need, not going to be used, isn't part of a failsafe plan etc, axe it. Obviously a headless system does not fall into that category. So removing it would not qualify as KISS for such a system.
…, but I'd rarely if ever recommend disabling a serial port.
I would. Any time and every time it is not needed.
-
The second settings don't matter if the first is unchecked.
Perhaps graying it out when not selected would be in order for a future update.
-
So why do y'all have your serial port enabled if you are not using it. …
It's the same sort of philosophy as with security. Only what is needed is permitted, stored/kept, provided, etc.
First thing I did when initially setting up my pfSense machine was go into the BOIS and turn off everything not being used. .
Are you f*ing kidding me buddy? Did you crack open the machine and pull out the data cable from the cdrom drive too? Don't forget to remove the video card! Why, don't you know that every single 1337 h4x0r in the world USES A MONITOR to hack things!!! Why do they even install serial ports and video cards in machines? They are just asking for trouble. Its reckless insecurity!
Oh and make sure to disable the USB and PS2 ports. Never know when some rogue keyboard will fly into them and FUCK_SHIT_UP. You will also need to create your BIOS password by randomly mashing on the keyboard. Its not secure unless it takes a CMOS wipe to access the machine.. AMIRITE!!!
Last tip, grind down the serial port headers with an angle grinder after you turn them off. CANT BE TOO CAREFUL!!!
