Show Posts

Topics - doktornotor

1
General Discussion / Where is the pfSense 2.4.x FreeBSD OS source code
« on: October 25, 2017, 02:59:25 am »
I'm seriously disappointed that this topic needs to be revived once again.

Reference:
- https://forum.pfsense.org/index.php?topic=137636.0
- https://forum.pfsense.org/index.php?topic=137940.msg755071#msg755071

P.S. Please leave the "Franco's waterboy" out of this thread. I've contributed 0 lines of code to OPNsense, I'm not on their forum and I've refused to join them after the fork. Per GitHub, I've contributed 1,545 commits to pfsense-packages, 211 commits to pfsense/pfsense and 527 commits to pfsense/FreeBSD-ports


I simply cannot keep recommending/implementing open-source solutions that are no longer open-source. And you cannot keep advertising something as open-source when it isn't.


3
2.4 Development Snapshots / What's up with 2.4 RC/release/snapshots?
« on: September 13, 2017, 10:21:58 am »
Someone re-branched the whole thing to 2.4.1-DEVELOPMENT by accident again, or...  ???

https://snapshots.pfsense.org/amd64/pfSense_master/installer/?C=M;O=D

4
2.4 Development Snapshots / Where did the login error go?
« on: August 30, 2017, 04:30:36 am »
I mean, this line from auth.inc

Code:
/etc/inc/auth.inc:1818:                 $_SESSION['Login_Error'] = "Username or Password incorrect";

Just cannot see it when I put in wrong credentials.

5
It points to some super-outdated junk, just confusing people.

6
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
http://securityaffairs.co/wordpress/57003/hacking/wi-fi-connected-cameras-flaws.html

If you have any of these crappy IoT things (see first link above for hundreds of OEM re-brands), kindly dispose of them properly.


7
Development / Regular expression generator
« on: February 18, 2017, 01:49:05 pm »
When you are just about to start pulling your hair out...

https://txt2re.com/index-php.php3

8
2.3.3 Development Snapshots / LDAP fallback/timeouts suckage
« on: February 11, 2017, 06:37:17 pm »
You might want to sort this out before final 2.3.3, guys. Incredibly annoying. Used to work fine.

https://redmine.pfsense.org/issues/7253

9
Development / [Solved] Where is the do_input_validation() source code?
« on: February 02, 2017, 11:20:35 am »
I must be blind, cannot find it anywhere...  ???

10
3.1.3_1 won't install properly due to screwed include. Uninstall (ignore the noise on uninstall as well) and wait for 3.1.3_2.

https://github.com/pfsense/FreeBSD-ports/pull/282

And no, you cannot hack around it locally in any easy way. If you really insist, run from SSH:

Code:
sed -i -e 's/service-utils/service-utils.inc/' /usr/local/pkg/darkstat.inc

and browse to http(s)://your.pfsense.domain/pkg_edit.php?xml=darkstat.xml manually and Save. You cannot fix the missing menu entries.

11
Feedback / ACB backup server not working again
« on: January 29, 2017, 03:10:03 pm »
Fails ~90% of time.

Code:
An error occurred while uploading your pfSense configuration to portal.pfsense.org () -

12
Cache/Proxy / [PATCH][TESTREQ] Squid package 0.4.29 SSL/MITM proxy fixes
« on: December 27, 2016, 06:14:29 pm »
Anyone using the SSL/MITM "feature" with Squid and either 2.3.3 or 2.4 snapshots:

0/ Make a configuration backup!!!

1/ Make sure you have upgraded Squid to the latest version (0.4.29 ATM)

2/ Install System Patches package if not installed yet

3/ Add a new patch in System - Patches:

Description: whatever
Patch Contents:
Code:
--- a/usr/local/pkg/squid.inc   2016-12-28 11:01:34.520896000 +0100
+++ b/usr/local/pkg/squid.inc   2016-12-28 11:00:43.933881000 +0100
@@ -1138,7 +1138,7 @@
        $conf = "# This file is automatically generated by pfSense\n";
        $conf .= "# Do not edit manually !\n\n";
        // Check ssl interception
-       if (($settings['ssl_proxy'] == 'on')) {
+       if ($settings['ssl_proxy'] == 'on') {
                squid_check_ca_hashes();
                $srv_cert = lookup_ca($settings["dca"]);
                if ($srv_cert != false) {
@@ -1539,15 +1539,11 @@
        $conf = <<< EOD

 # Setup some default acls
-# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
-# acl localhost src 127.0.0.1/32
+# ACLs all, manager, localhost, and to_localhost are predefined.
 acl allsrc src all
 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 {$webgui_port} {$port} {$ssl_port} 1025-65535 {$addtl_ports}
 acl sslports port 443 563 {$webgui_port} {$addtl_sslports}

-# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
-#acl manager proto cache_object
-
 acl purge method PURGE
 acl connect method CONNECT

@@ -1557,6 +1553,28 @@

 EOD;

+       if ($squidsettings['ssl_proxy'] == 'on') {
+               $conf .= <<< EOD
+
+# SslBump Peek and Splice
+# http://wiki.squid-cache.org/Features/SslPeekAndSplice
+# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
+# Match against the current step during ssl_bump evaluation [fast]
+# Never matches and should not be used outside the ssl_bump context.
+#
+# At each SslBump step, Squid evaluates ssl_bump directives to find
+# the next bumping action (e.g., peek or splice). Valid SslBump step
+# values and the corresponding ssl_bump evaluation moments are:
+#   SslBump1: After getting TCP-level and HTTP CONNECT info.
+#   SslBump2: After getting SSL Client Hello info.
+#   SslBump3: After getting SSL Server Hello info.
+acl step1 at_step SslBump1
+acl step2 at_step SslBump2
+acl step3 at_step SslBump3
+
+EOD;
+       }
+
        $allowed_subnets = preg_replace("/\s+/"," ", sq_text_area_decode($settings['allowed_subnets']));
        if (!empty($allowed_subnets)) {
                $conf .= "acl allowed_subnets src $allowed_subnets\n";
@@ -1609,9 +1627,7 @@
 http_access deny CONNECT !sslports

 # Always allow localhost connections
-# From 3.2 further configuration cleanups have been done to make things easier and safer.
-# The manager, localhost, and to_localhost ACL definitions are now built-in.
-# http_access allow localhost
+http_access allow localhost

 EOD;

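Review bot: restoring `http_access allow localhost` is right, since `localhost` has been a built-in ACL since Squid 3.2 (the removed comment explains why the `acl localhost` definition went away, but the access rule should not have gone with it). Note that the rule sits before any authentication rules, so processes on the firewall itself get unauthenticated proxy access; a one-line comment stating that this is intended would save the next reader the question.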
@@ -1743,12 +1759,6 @@

        $conf = '';

-       // SSL interception acl options part 1
-       if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) {
-               $conf .= "always_direct allow whitelist\n";
-               $conf .= "ssl_bump none whitelist\n";
-       }
-
        // Package integration
        if (!empty($settingsconfig['custom_options'])) {
                $co_preg[0] = '/;/';
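Review bot: dropping `always_direct allow whitelist` here (and `always_direct allow all` in the two later hunks) changes forwarding, not just bumping: with a cache_peer configured, whitelisted and bumped traffic that previously always went direct is now subject to peer selection. If the package does not expose cache_peer for this path, say so in the PR description; otherwise keep an `always_direct` rule for the spliced/bumped traffic. Removing `ssl_bump none whitelist` itself is correct, since `splice` is the peek-and-splice replacement for the legacy `none` action.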
@@ -1840,10 +1850,13 @@
                }
        }
        if ($auth_method == 'none') {
-               // SSL interception acl options part 2 without authentication
+               // SSL interception ACL options without authentication
                if ($settingsconfig['ssl_proxy'] == "on") {
-                       $conf .= "always_direct allow all\n";
-                       $conf .= "ssl_bump server-first all\n";
+                       $conf .= "ssl_bump peek step1\n";
+                       if (!empty($settingsnac['whitelist'])) {
+                               $conf .= "ssl_bump splice whitelist\n";
+                       }
+                       $conf .= "ssl_bump bump all\n";
                }
                $conf .= "# Setup allowed ACLs\n";
                $allowed = array('allowed_subnets');
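Review bot: `ssl_bump splice whitelist` references a `whitelist` ACL whose definition is not part of this patch (the block removed in the previous hunk relied on it too); confirm it is still emitted whenever `ssl_proxy` is on and `whitelist` is non-empty, otherwise the config fails on an undefined ACL. Also, with `ssl_bump bump all` as the catch-all, every non-whitelisted TLS connection is bumped, including ones to sites that pin their certificates; a `splice all` fallback option, or at least a comment pointing people at the whitelist for such sites, would help.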
@@ -1897,10 +1910,13 @@
                // Custom User Options after authentication definition
                $conf .= "# Custom options after auth\n" . sq_text_area_decode($settingsconfig['custom_options2_squid3']) . "\n\n";

-               // SSL interception acl options part 2
+               // SSL interception ACL options with authentication
                if ($settingsconfig['ssl_proxy'] == "on") {
-                       $conf .= "always_direct allow all\n";
-                       $conf .= "ssl_bump server-first all\n";
+                       $conf .= "ssl_bump peek step1\n";
+                       if (!empty($settingsnac['whitelist'])) {
+                               $conf .= "ssl_bump splice whitelist\n";
+                       }
+                       $conf .= "ssl_bump bump all\n";
                }
                // Onto the ACLs
                $password = array('localnet', 'allowed_subnets');

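Review bot: this block is a verbatim copy of the one in the `auth_method == 'none'` branch above; move the `ssl_bump` lines into a small helper (for instance `squid_ssl_bump_rules($settingsconfig, $settingsnac)`, name hypothetical) called from both branches so the two cannot drift apart, and let it own the `whitelist` empty-check as well.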

Path Strip Count: 1

Save, Test, Apply.

4/ IMPORTANT: Save Squid configuration. (Services - Squid Proxy Server - click Save on the General tab.)

5/ Test and report back any regressions. (Regression: Something was working before this patch and is not working any more after applying it. If something was not working before this patch and it's still not working, then there's no regression anywhere.)

References:
- https://github.com/pfsense/FreeBSD-ports/pull/242
- https://redmine.pfsense.org/issues/6527

------------------------------
NOTE #1: If your configuration was NOT working before this patch, this thread is NOT the place to moan about it.
NOTE #2: I have no idea whether this patch applies to and works with 2.3.2-p1 and the Squid version available there. This thread is NOT the place to request backporting if that does not work.

13
Development / [SOLVED] Unable to submit PRs in FreeBSD-ports repo
« on: December 10, 2016, 05:12:22 am »
Trying to submit a bunch of PRs with this being the only result since yesterday:



Status: All systems reporting at 100%. WTF?!?!  >:( >:( >:(

14
pfBlockerNG / pfBNG DNSBL + HTTPS
« on: November 28, 2016, 07:09:51 am »
Recently, I'm seeing pretty much nothing logged any more when it comes to blocked HTTPS requests... Apparently, with newer browsers' versions, the lighttpd debug trick no longer works. So, here's a bunch of ideas:

- the self-signed cert should definitely be SHA2, not SHA1
- it'd probably help to let people select their own cert from those installed on pfSense
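As an added example, not from the post or the pfBlockerNG package: a small POSIX shell helper that mints a SHA-256-signed self-signed certificate and reads back the signature algorithm of any PEM certificate, so a SHA-1-signed DNSBL certificate can be spotted and replaced. The CN dnsbl.example and the file names are placeholders; it only needs the openssl binary.

```shell
#!/bin/sh
# Added example (not from the post): mint a SHA-256-signed self-signed
# certificate and verify the signature algorithm, so a SHA-1-signed cert
# (rejected by current browsers) can be spotted and swapped out.
set -eu

# Generate a self-signed certificate for the given CN.
# -sha256 pins the signature digest explicitly rather than trusting the
# build's default, which is the whole point of the exercise.
make_selfsigned() {   # usage: make_selfsigned <cn> <keyfile> <certfile>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Print the signature algorithm name (e.g. sha256WithRSAEncryption) of a
# PEM certificate; the first "Signature Algorithm:" line in -text output
# is the one from the signed certificate structure.
cert_sig_alg() {      # usage: cert_sig_alg <certfile>
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 (true) if the certificate is SHA-1 signed and should be replaced.
cert_is_sha1() {      # usage: cert_is_sha1 <certfile>
    case "$(cert_sig_alg "$1")" in
        sha1*) return 0 ;;
        *)     return 1 ;;
    esac
}
```

Run `cert_is_sha1 /path/to/cert.pem && echo "replace me"` against the certificate the DNSBL web server currently serves; if it fires, `make_selfsigned dnsbl.example key.pem cert.pem` produces a SHA-256 replacement to import under System - Cert Manager.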

15
So, I have pfSense GUI behind haproxy (haproxy https/tcp on 443, the webgui on 4443). This works pretty well except when I keep messing with suricata. Some actions which result in rules rebuild/reload take quite some time to get processed. When connected via haproxy, after about ~30 seconds I get an empty response. This is not a problem when connected directly to the webgui on port 4443.

How can I avoid this? I tried

Code:
timeout server 60000
on the webgui backend, did not help.

 ??? ??? ???
