Archive for the ‘Industry’ Category

Security flaws in Universal Plug and Play

Wednesday, January 30th, 2013

Rapid7 released a paper today covering new security flaws in UPnP. These findings have led to the US Department of Homeland Security recommending everyone disable UPnP.

These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.

It’s arguable whether you should ever enable UPnP at all, ever. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.

If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.

This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.

OpenVPN client now available on Apple iOS!

Friday, January 18th, 2013

Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.

Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (while retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes; it’s a quick, easy process.

Our thanks to OpenVPN Technologies and Apple for making this happen!

FreeBSD Foundation Year-End Fundraising Campaign

Monday, December 10th, 2012

The FreeBSD Foundation has put out their year-end fundraising campaign. The FreeBSD Foundation sponsors development of the underlying OS that pfSense is based on. We made a donation as we do every year, and we encourage our users to do the same. They are a 501(c)3 non-profit organization, so US contributors may be able to deduct contributions on their taxes.

pfSense could also use your direct donations to fund general expenses, project development and needed equipment. You can donate directly to us here, though note we’re not a 501(c)3.

Happy World IPv6 Launch Day!

Wednesday, June 6th, 2012

Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

FreeBSD PF updated to 4.5 for FreeBSD 9

Wednesday, June 29th, 2011

As our commercial side has grown to the point we employ multiple full time people dedicated to working on the project and related customer needs, we’ve also gotten much more involved in upstream development in FreeBSD. Today Bjoern Zeeb committed PF 4.5 into FreeBSD HEAD for the 9 release (which will be the basis of pfSense 2.1), ported by Ermal Luci with help from Bjoern and Max Laier. Much of this work was funded by us, aside from volunteer efforts from Bjoern and Max providing some guidance along the way and Bjoern especially for review and assistance.

4.5 is the last version of PF before the syntax changed in OpenBSD, and the consensus amongst FreeBSD developers was to not break everyone’s ruleset who is running PF in stock FreeBSD just by doing an OS upgrade, hence why 4.5 was the version of choice.

Where does PF in FreeBSD go from here? We’ve had discussions on this topic already amongst several FreeBSD developers, as well as including some of the OpenBSD guys, and have some rough plans in place for the next steps.  More information on that will come later.

Thanks to Ermal, Bjoern and Max for getting this done!

The FreeBSD Foundation needs donations

Tuesday, December 29th, 2009

The FreeBSD Foundation needs donations to meet their 2009 goal. They provide very important funding to the FreeBSD project, which serves as the base of the pfSense project. They are a not for profit organization, so your contribution may be tax deductible.

FreeBSD Foundation call for donations

Sunday, August 2nd, 2009

Passing on an email from The FreeBSD Foundation:

Millions of systems run FreeBSD. Hundreds of volunteers contribute to FreeBSD’s success. But what is the size of FreeBSD’s user base? This simple question is very hard to answer, but its answer is vital to the cause of promoting FreeBSD. It is extremely difficult to convince businesses to invest time and money to add FreeBSD support to their products based solely on vague estimates of the size of our community. We should know – working to make FreeBSD a more widely supported platform is a task the FreeBSD Foundation has worked on since its inception.

Please help us in our fight to promote FreeBSD. A donation to the FreeBSD Foundation helps fund our work, but it also gives us strength in numbers. Our count of unique donors is a vital indication of the size and buying power of our community. However, we have never broken even one thousand donors in any year. We know in our hearts that this is a small fraction of our user base and of those who want to help expand FreeBSD’s presence.

So stand up and be counted! Make a donation. Encourage other FreeBSD users to donate as well. No donation amount is too large or too small. Just by becoming a donor you are making a powerful statement about the strength of FreeBSD!

As the base operating system of this project, much of the work the FreeBSD Foundation sponsors directly benefits pfSense users as well. You can donate here. The FreeBSD Foundation is a non-profit 501(c)3 charity, so your contributions may be tax deductible.

BSD Magazine lives on

Wednesday, July 8th, 2009

Karolina, editor of BSD Magazine, has left a comment here on our blog on my previous post that BSD Magazine will continue to be published!  This is great news, but of course it still needs the support of the BSD community.

So if you’re one of those who commented previously that you wished you had heard of it previously, you can still subscribe now.

Cisco killing off IPsec VPN Client, forcing even more licensing fees

Thursday, July 2nd, 2009

Doesn’t come as a surprise to me given that the client is still flaky on Vista and Windows 7 to this day, there is still no version compatible with 64 bit Windows (and never will be), but Cisco has ceased development of their IPsec VPN client. They’re forcing users to their SSL VPN product, which comes along with per-user licensing fees – something that did not apply to the IPsec VPN client. Cisco customers are paying an arm and a leg for the ASA and/or IOS hardware, and ought to have continued to be able to use any VPN without additional licensing fees on top of that.

But thanks Cisco, from a Cisco certified professional now making a good chunk of his living off replacing Cisco hardware with pfSense. I’m sure you’ve just driven a lot of folks to look at lower cost options, especially open source.

Can’t say I really care for the Cisco VPN Client anyway, it has blue screened Windows on me more in the past couple years than everything else combined (though the Mac version has never caused me any trouble).

Shrew Soft IPsec client is a nice, free alternative that’s proven to be more stable in my experience.

Help save BSD Magazine

Wednesday, July 1st, 2009

I have been a subscriber since the inaugural issue, and hope they can still make a go of it. Passing along an email from the editor of BSD Magazine.

I am sure most of you already heard that BSD magazine is going to be closed,
due to much lower benefits than expected and the economy in general…

There is one last chance though – if I somehow manage to increase the sales
figures in stores the magazine will be published. I was given only one week
(till Monday). Not much, but better than nothing. I think it is worth trying!

I can’t do it alone - so I am asking you for your help and support. I know most
of you are already helping and I am really thankful for that.

If you could help me to promote the magazine on all forums, portals, blogs or
anywhere else I would be really grateful.

I have attached the cover of the most current issue of BSD magazine if you
would like to use it.

Please spread the word about BSD magazine!