Messages - robi

1
Hardware / Re: Thin Client For pfSense?
« on: February 03, 2018, 02:25:24 am »
Read this topic. It's able to handle 500/500 on a single gigabit interface (it has only 1 LAN port) as a "router on a stick" using VLANs. I'm actively using several of these deployed in a corporate environment - pretty reliable too.

2
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 13, 2018, 02:14:09 pm »
I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it.
Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years.

pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not.

3
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 13, 2018, 04:11:27 am »
In the release note of the download you just provided, this is what is instructed:

Code:
-- Microcode update instructions --
This package contains Intel microcode files in two formats:
* microcode.dat
* intel-ucode directory

microcode.dat is in a traditional text format. It is still used in some
Linux distributions. It can be updated to the system through the old microcode
update interface which is avaialble in the kernel with
CONFIG_MICROCODE_OLD_INTERFACE=y.

To update the microcode.dat to the system, one need:
1. Ensure the existence of /dev/cpu/microcode
2. Write microcode.dat to the file, e.g.
  dd if=microcode.dat of=/dev/cpu/microcode bs=1M

intel-ucode dirctory contains binary microcode files named in
family-model-stepping pattern. The file is supported in most modern Linux
distributions. It's generally located in the /lib/firmware directory,
and can be updated throught the microcode reload interface.

To update the intel-ucode package to the system, one need:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
/lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g.
  echo 1 > /sys/devices/system/cpu/microcode/reload

Doesn't look too complicated. Should be feasible on FreeBSD too.

Linux detailed steps: https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/
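
The intel-ucode steps from the release note quoted above, as an added shell example (not part of the original post or of Intel's package). It derives the family-model-stepping file name from /proc/cpuinfo, checks that the reload interface and the file exist, and reports whether the revision changed after the reload. The function names and the sample cpuinfo text are constructed for illustration; the real reload runs only with `--apply`, as root, on Linux.

```shell
#!/bin/sh
# Added example. SAMPLE_CPUINFO is a constructed /proc/cpuinfo excerpt.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Example CPU (constructed)
stepping : 9
microcode : 0x5e'

# Print the value of one field (exact key match) for the first CPU listed
# in the cpuinfo text on stdin. "model" does not match "model name".
cpuinfo_field() {
    awk -F'[ \t]*:[ \t]*' -v key="$1" '$1 == key { print $2; exit }'
}

# Turn the decimal family/model/stepping values into the two-digit hex
# file name used inside the intel-ucode directory.
ucode_name() {
    info=$(cat)
    fam=$(printf '%s\n' "$info" | cpuinfo_field 'cpu family')
    mod=$(printf '%s\n' "$info" | cpuinfo_field 'model')
    step=$(printf '%s\n' "$info" | cpuinfo_field 'stepping')
    [ -n "$fam" ] && [ -n "$mod" ] && [ -n "$step" ] || return 1
    printf '%02x-%02x-%02x\n' "$fam" "$mod" "$step"
}

# Compare the revision before ($1) and after ($2) the reload, numerically.
reload_status() {
    if [ "$(( $2 ))" -gt "$(( $1 ))" ]; then echo "updated $1 -> $2"
    else echo "unchanged $1"; fi
}

# The release note's steps 1 and 3, with the checks made explicit.
ucode_reload() {
    reload=/sys/devices/system/cpu/microcode/reload
    name=$(ucode_name < /proc/cpuinfo) || { echo "cannot derive file name" >&2; return 1; }
    [ -w "$reload" ] || { echo "no writable $reload" >&2; return 1; }
    [ -f "/lib/firmware/intel-ucode/$name" ] || { echo "missing intel-ucode/$name" >&2; return 1; }
    before=$(cpuinfo_field microcode < /proc/cpuinfo)
    echo 1 > "$reload"
    after=$(cpuinfo_field microcode < /proc/cpuinfo)
    reload_status "$before" "$after"
}

if [ "${1:-}" = "--apply" ]; then ucode_reload
else printf '%s\n' "$SAMPLE_CPUINFO" | ucode_name; fi
```

An "unchanged" result after a reload means the CPU already runs a revision at least as new as the file in /lib/firmware/intel-ucode/.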

4
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 11, 2018, 10:40:45 am »
But this wasn't declared as a 100% fix to the issues!

5
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 11, 2018, 10:10:11 am »
I don't think a 5% performance drop would be declared as defective and not work in a court though.  If they can't declare it defective then Intel is off the hook.  Intel would lose way too much money to be a viable company if they had to pay to replace every CPU.  If the CPUs didn't work, that would be one thing but crashing a company over a 5% performance loss is something else.
It's not about the fact that you lose any percent of performance. Until now, everybody was sure that the hardware is 100% safe, only software can be to blame if it contains security holes. This time is a whole lot different: the hardware mis-design causes a security hole, and this cannot be fixed, because it's hardware... the product is defective. Software can be patched, fixed afterwards, etc, and that depends on the agreement between the software manufacturer and the customer, but hardware (especially CPUs) can't be patched. It turns out that hardware contains a defect, which can be worked around by software patching - but that requires a third party to be involved.

Certain businesses bought software and hardware combinations based on benchmarks and performance counts, if they are not fulfilled after the patch, who's to blame? The software, because it tried to fix a fault caused by the hardware?

Intel should either replace the faulty CPU, or pay for the software fixes to each business, or pay for the business quality degradation if CPU can't be changed.

6
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 11, 2018, 07:26:48 am »
In the future, they will have to develop new hardware that doesn't have this problem.
I'd love to see the following:
- replace all the CPUs sold last "x" years free of charge (under warranty - the product is faulty, right?)
- offer massive discounts to upgrade CPUs from affected models to fixed models outside the warranty time
- offer discounts through OEM partners for CPUs embedded in motherboards, to replace CPUs and motherboards too (for cases when CPU is soldered to the board, like Atoms and such)

7
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 10, 2018, 09:11:44 am »
As far as I understood, Meltdown and Spectre only affect 64-bit CPUs. 32-bit CPUs are not affected, correct me if I'm wrong.

9
General Questions / Re: NTP PPS with Navisys GR-701W USB GPS?
« on: January 07, 2018, 04:24:11 am »
I run a Sure GPS serial module with an external GPS antenna, runs smooth for about 4 years now on my pfSense box.

10
General Questions / Re: NTP PPS with Navisys GR-701W USB GPS?
« on: January 06, 2018, 08:26:43 am »
Just making the PPS available as DCD doesn't overcome the limitations of the USB architecture which sits between the UART and the CPU.  From the PDF you cite: "time precision will be limited by the USB polling interval, usually 0.5 millisecond".    So while you can get the PPS signal, the jitter is horrible.
Exactly.  8) It isn't worth the effort, you're way better with public Stratum1 NTP servers from the Internet with real PPS sources, they will be more precise, no wonder your USB-based PPS source will be false sooner or later...

12
General Questions / Re: NTP PPS with Navisys GR-701W USB GPS?
« on: January 05, 2018, 04:10:26 am »
Looking to use GPS for NTP but difficult to find any out of the box USB solutions available.  I checked some of the links but none available.  Any advice would be great!
You can't use any USB GPS device for PPS signalling. USB protocol has a lot of jitter by design, your PPS will be unstable. Any USB-based GPS offering PPS signal is simply lying.
If you want PPS precision, you must use a serial port GPS module.

13
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 05, 2018, 02:34:24 am »
This is not a joke anymore. Really.

14
General Questions / Re: APIC Warning L1 data cache less than
« on: January 04, 2018, 01:59:40 pm »
Knock-knock - working fine since then.

15
General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 04, 2018, 10:08:26 am »
This was true 15 years ago, can't believe they are still the same.
