Archive for April, 2009

Something more elegant…

Sunday, April 26th, 2009

Well, after there was not too much love for my last theme, I tried to do something more mass-compatible this time, trying to take into consideration all the criticism that I have earned so far:

  • less colorful, stick with the original pfSense-colors (grey/red)
  • don’t waste too much space for the header/footer
  • kind of corporate look
  • static menu, that doesn’t scroll away (I guess that at least was something everybody liked about the hackathon theme)
  • more lightweight on graphics

So here is what I came up with so far. This is still in the making so (like always) your feedback is appreciated and might influence the final result.

Update 1:

I worked on some bits, so here’s an updated screenshot for you.

  • Menu text changed to white
  • Who needs a footer anyway? Found a way to present the copyright information without getting in the way of content. Netbook users will love it ;-)
  • Made the alerter a bit less “aggressive” (it’s showing notices too, not only “end of the world alerts”)

So there is one thing left: changing the alerter completely and displaying the hostname at the same time. I have looked into this and it is only a minor code change in PHP; however, all other themes would then need some CSS fixing, as the hostname gets out of place when the alerter is displayed. Not sure if we want to do that and, if so, whether this will be a change that only affects the 2.0 branch or gets backported to 1.2.x as well (as the themes that are in 1.2.x are a bit different from the themes in 2.0 CSS-wise).

Stay tuned, we are not there yet…

Update 2:

Lots of small changes on lots of elements that you probably will only notice when comparing older screenshots…

Here’s a screeny with alerter

and one without.

Update 3:

Tonight I worked out lots of browser and OS compatibility issues. It now looks the same on all the browsers that I have tested so far (Firefox, Opera, Safari and I got reports on IE and Chrome too). Also tweaked some font sizes again and added a shadow effect to the dropdown menus. Only some 2.0 specific things left open and maybe redoing the alerter as this seems to be a frequent request in the comments.

Screenshot here.

Update 4:

Guys, we listen closely to all your suggestions and there is some news, especially on the alerter topic: Erik Kristensen, the original author of the theme support in pfSense, just rejoined the team after being away for a few years. I already had some discussions regarding the alerter and other theme topics with him. Atm it looks like the theme will come to the 1.2.x branch as shown on the screenshots (no alerter change for this version), though we won’t make it the default theme for now, but it probably will be part of the 1.2.3 release.

However for 2.0 (and here comes the great news) Erik will work on improving the theme support as well as on a new alert system. We already have some great ideas for this:

  • different levels of alerts, e.g. critical, notice, … and maybe different treatments of these alerts
  • being able to not only display alerts locally in the webgui but to email them, maybe even growl them away or whatever might be useful
  • alerts dashboard widget
  • different presentation of alerts in the webgui (looks like the scroller is annoying too many people)

Like always: keep the comments coming. We already got some good suggestions from you here :-)

Update 5:

Perry has added the theme to the Fit123 package (thank you Perry!). It’s pretty final (at least for the 1.2.x branch). Please note that you will get some other addons by installing this package, so have a look at the package description before bumping the install button.

pfSense presentation from DCBSDCon now available on YouTube

Sunday, April 26th, 2009

My presentation from DCBSDCon is now available on YouTube. Network Perimeter Redundancy with pfSense

Hope it turned out decent, public speaking isn’t one of my strengths.

Lots of other content from DCBSDCon and other BSD conferences on the BSD Conferences YouTube channel for those interested. A couple in particular from DCBSDCon that I really enjoyed:

A Narrative History of BSD, Dr. Kirk McKusick

Network Security Monitoring with FreeBSD, by Richard Bejtlich.

There were a number of other good ones too, check out the BSD Conferences channel for more.

1.2.3 RC1 now available!

Wednesday, April 22nd, 2009

1.2.3-RC1 is now making its way to the mirrors. This is primarily a maintenance release on the 1.2.x series, bringing an updated FreeBSD 7.1 base, and a few bug fixes.

Change list

The primary changes are:

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

IPsec NAT-T support has also been added.

Sticky connections enable/disable – sticky connections for the server load balancer previously only changed status at boot time.

Upgrade to FreeBSD 7.1 – The FreeBSD base version has changed from 7.0 to 7.1. This brings support for new hardware, and seems to fix a number of hardware regressions between 6.2 and 7.0. A number of users have reported that hardware that worked fine on 6.2 stopped working on 7.0. In every case we’re aware of, 7.1 fixed that problem.

Wireless code update – Sam Leffler, one of the primary developers of wireless on FreeBSD, was kind enough to point us to the latest wireless code back ported from FreeBSD 8.0 to 7.1. This is included in 1.2.3-RC1. There are companies shipping access points on this code base. Several users have reported considerable improvements in compatibility, stability and performance.

Dynamic interface bridging bug fix – the bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.

Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed – polling was not being applied properly previously, and the supported interfaces list has been updated.

ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancing ICMP monitor fixed.

UDP state timeout increases – By default, pf does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts. Setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.

Disable auto-added VPN rules option – added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

Multiple servers per domain in DNS forwarder overrides – previously the GUI limited you to one server per domain override in the DNS forwarder. You can now put in multiple entries for the same domain for redundancy.

Download

New installs

Upgrades

Note: At the time of this post, most, but not all of the mirrors have the files. It may be close to 24 hours before they all have the files. If you find one that does not, choose a different one.

Upgrade Guide

Just 5 weeks until BSDCan

Thursday, April 2nd, 2009

Make your plans now to attend BSDCan 2009. The schedule is available, including a session on pfSense (more info here). Register now.