
Further (a roadmap for pfSense)

pfSense software version 2.2.1 will be out soon. Most of the fixes are related to IPsec (especially MOBIKE support), 802.11 (the entire 802.11 / Atheros stack from 11-CURRENT is in the test builds) and PHP 5.5.22. You can follow along in Redmine.

pfSense software version 2.3 will deprecate PPTP as a supported protocol. All PPTP support will be removed in version 2.3. PPTP is a flawed, broken protocol. MSCHAPv1 was broken in 1998. Its replacement, MSCHAPv2, has been known to be weak for nearly as long. MSCHAPv2 can be brute-forced in a matter of hours, as was demonstrated at DEFCON in 2012. There is even an online service to break it.

The above only deals with authentication. The encryption used in PPTP, MPPE, uses RC4, which is today considered quite weak. Worse, there is no message authentication, so it is possible for an attacker to modify your traffic in transit, quite possibly without being detected. And RC4 is getting weaker by the day. Microsoft, for their part, recommend using L2TP/IPsec or SSTP. OpenVPN is also a possibility. We recommend L2TP/IPsec or OpenVPN, and the L2TP/IPsec support is one of the many reasons we upgraded the IPsec in pfSense 2.2 to strongSwan, rather than racoon.
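The "no message authentication" point above is the one most often misunderstood, so here is an added illustration (not code from the post or from pfSense) of what it means for a stream cipher such as RC4. The Python standard library ships no RC4, so a toy HMAC-based keystream stands in for it; the property shown, that flipping bits of the ciphertext flips the same bits of the plaintext without knowing the key, holds for any stream cipher, and the encrypt-then-MAC wrapper shows what an integrity check buys you. All keys, nonces and the sample message are constructed.

```python
"""Stream-cipher malleability versus authenticated encryption (added example).

Toy keystream (HMAC-SHA256 in counter mode) stands in for RC4; it is NOT a
production cipher. Keys and the message are constructed for the demonstration.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def modify_in_transit(ciphertext: bytes, offset: int, original: bytes, desired: bytes) -> bytes:
    """Model the on-path modification the post warns about: XORing (original ^ desired)
    into the ciphertext changes those plaintext bytes without the key. It exists here
    only to show why an integrity check is required."""
    ct = bytearray(ciphertext)
    for i, (o, d) in enumerate(zip(original, desired)):
        ct[offset + i] ^= o ^ d
    return bytes(ct)


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC over nonce || ciphertext."""
    ct = stream_xor(enc_key, nonce, data)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; return None on tampering."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(enc_key, nonce, ct)


def demo():
    """Returns (tampered unauthenticated plaintext, authenticated plaintext, tampered authenticated result)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0010 USD TO ALICE"  # constructed sample message; "0010" starts at offset 4

    # Unauthenticated stream cipher: the modified ciphertext decrypts to a different,
    # perfectly valid-looking message and nothing flags it.
    ct = stream_xor(enc_key, nonce, msg)
    tampered = modify_in_transit(ct, 4, b"0010", b"9999")
    unauthenticated = stream_xor(enc_key, nonce, tampered)

    # Encrypt-then-MAC: the identical modification is detected and rejected.
    blob = etm_encrypt(enc_key, mac_key, nonce, msg)
    tampered_blob = modify_in_transit(blob, 4, b"0010", b"9999")
    return unauthenticated, etm_decrypt(enc_key, mac_key, nonce, blob), etm_decrypt(enc_key, mac_key, nonce, tampered_blob)


if __name__ == "__main__":
    print(demo())
```

The same reasoning is why the post steers people to IPsec with AES-GCM or to OpenVPN: both bind an integrity tag to every packet, so a modified packet is dropped rather than delivered.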

With version 2.3 we will also update all packages including: php 5.6, and all other ports that have new versions in the FreeBSD ports tree.

The other major change in pfSense version 2.3 will be a change of ‘package’ technology from PBIs to pkg(ng). We are following Baptiste Daroussin’s work on src to see if we can find a way to move even the FreeBSD base to pkg. If we can, then all components of pfSense will be available as packages, and pfSense itself can be a (meta) package. This will allow more rapid release cycles, as individual components can be tested apart from a monolithic release.

If we find we cannot go to pkg for base, a “pfsense-update” analog of freebsd-update will be developed.   Part of what you should read here is that pfSense is moving even closer to its FreeBSD base.

Obviously, there will be changes to the build system required to accommodate these. If you are familiar with the pfSense build system, subsystems such as “pfPorts” will be deprecated in favor of a much more FreeBSD-like build system. Frankly, the pfSense build system has been a hindrance to the project almost from the beginning. While we’ve made some improvements, especially during the past two years, I anticipate moving the project to something much more like Crochet with time.

But, in the end, one way or the other, pfSense should be available as a (meta) “package” on top of FreeBSD.

Finally, we understand that some people are excited about other projects’ webGUI changes. Frankly, we see this as less important than improving the security and performance of pfSense, but we do understand that making the GUI more appealing has some utility. The situation would, of course, be somewhat different were pfSense a web app. Still, we are not blind to the need. One of the great things about pfSense is that it is Open Source. Another is that it has a large community around it. To that end, we’ve been following a project by Sjon Hortensius and Sander van Leeuwen to convert pfSense to Bootstrap. It should be of some interest that Sjon has also recently started fixing issues in OPNsense. Sjon and Sander do very good work. If this project can complete in time (and we are willing to help), we will include it in pfSense 2.3.

pfSense software version 3.0 is a longer-term project. pfSense 3.0 is a major re-write consisting of 4 major components.

First, we will be removing all of the PHP from the system.   Yes, all of it.

The PHP code in pfSense supports two major functions. First, it generates the HTML for the WebGUI. Second, it serves as an orchestration system: it builds the config files for the various subsystems (from config.xml) and ensures that when a given subsystem is changed (say, an interface gets a new address) the other subsystems that need to be reconfigured are reconfigured (and in certain cases, restarted).

This PHP code was, of course, inherited from m0n0wall, and has grown (organically in many cases) over the decade since pfSense was forked from m0n0wall.  As such it does not use more modern architectures (such as pub-sub) which reduce the need for the whole system to function as a single, monolithic blob.  Even Manuel Kasper (the original author of m0n0wall) has recently told me, “looking back I’m not very proud of the architectural mess that I created when I started m0n0wall as an inexperienced 19-year-old.”

Personally, I have no time for PHP, especially for a bunch of PHP that runs as root.  So, for pfSense 3.0 Python will be used to write a new configuration and orchestration system and to expose a REST API into this system.  The resulting API can be used for at least three purposes:

1) the WebGUI will be re-written to leverage this REST API. This separation should be good for the project in a number of ways. Principally, there will be a defined “control plane” for pfSense, allowing the WebGUI to be changed independently of the core project.

2) the REST API can be used by people in the field of devops to automate the configuration of (potentially many) instances of pfSense. There has been a long-rumored “pfCenter” project, but no good way to implement it. With the REST API in place, “pfCenter” can become a reality. In addition, plugging into other Open Source orchestration systems such as Chef, Puppet, and Ansible, or (my favorite) SaltStack (yea, python!) becomes much more possible. (If you happen to be at SaltConf next week, be sure to find me and say ‘Hi’.)

3) More automated testing can be performed. We’ve started on a test suite, and this has already provided some early fruit. See the paper “Measure Twice, Code Once: Network Performance Analysis for FreeBSD”, to be presented at AsiaBSDCon in March. Of possible interest, the testing performed for this paper shows that pfSense is much faster than both FreeBSD 11-CURRENT and OpenBSD 5.6 on the same C2758 hardware.

Though the early results are good, much more can be done. By having a REST API, we can use Conductor and similar tools to configure pfSense, generate test coverage, and then reconfigure pfSense for the next tests. We have also recently obtained a copy of Ixia BreakingPoint Virtual Edition to perform further validation of the results of each build. We will be running this on a cluster of rack-mount Intel NUCs, purpose-built for this exercise and dedicated to semi-continuous testing.
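To make the "pub-sub instead of a monolithic blob" contrast concrete, here is an added, hypothetical sketch of the event-driven orchestration model described above. It is not pfSense code and the class and topic names (EventBus, ConfigStore, interface.changed) are invented for the illustration: a change to one interface is published once, and only the subsystems that subscribe to it regenerate their own piece of configuration, with unchanged settings producing no restarts at all.

```python
"""Event-driven reconfiguration sketch (added, hypothetical; not pfSense code).

A ConfigStore stands in for config.xml. Changing an interface publishes one
event; each dependent subsystem reacts to it independently.
"""
import ipaddress
from collections import defaultdict


class EventBus:
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, event):
        """Deliver to every subscriber of `topic`; return what each one reported."""
        return [handler(event) for handler in self._subs[topic]]


class ConfigStore:
    """Holds interface settings and announces real changes (no-ops stay silent)."""
    def __init__(self, bus):
        self.bus = bus
        self.interfaces = {}

    def set_interface(self, name, cidr):
        new = str(ipaddress.ip_interface(cidr))  # validates and normalises e.g. 192.168.1.1/24
        old = self.interfaces.get(name)
        if old == new:
            return []  # nothing changed, so nothing is regenerated or restarted
        self.interfaces[name] = new
        return self.bus.publish("interface.changed", {"name": name, "old": old, "new": new})


class DhcpServer:
    """Subscriber: rebuilds the pool for the changed interface only."""
    def __init__(self):
        self.pools = {}
        self.restarts = 0

    def on_interface_changed(self, ev):
        hosts = list(ipaddress.ip_interface(ev["new"]).network.hosts())
        # constructed pool rule for the example: the last 100 usable addresses
        self.pools[ev["name"]] = (str(hosts[-100]), str(hosts[-1]))
        self.restarts += 1
        return f"dhcpd restarted for {ev['name']}"


class DnsResolver:
    """Subscriber: swaps its listen address without touching other interfaces."""
    def __init__(self):
        self.listen = set()
        self.reloads = 0

    def on_interface_changed(self, ev):
        if ev["old"]:
            self.listen.discard(ipaddress.ip_interface(ev["old"]).ip)
        self.listen.add(ipaddress.ip_interface(ev["new"]).ip)
        self.reloads += 1
        return f"resolver reloaded for {ev['name']}"


def build_system():
    """Wire the subscribers to the bus and return (store, dhcp, dns)."""
    bus = EventBus()
    store, dhcp, dns = ConfigStore(bus), DhcpServer(), DnsResolver()
    bus.subscribe("interface.changed", dhcp.on_interface_changed)
    bus.subscribe("interface.changed", dns.on_interface_changed)
    return store, dhcp, dns


if __name__ == "__main__":
    store, dhcp, dns = build_system()
    print(store.set_interface("lan", "192.168.1.1/24"))
    print(store.set_interface("lan", "192.168.1.1/24"))  # [] : no-op, no restarts
    print(dhcp.pools, dns.listen)
```

A REST API in front of such a store is then just another publisher: a devops tool issuing a PUT on an interface resource triggers exactly the same fan-out as a click in the WebGUI, which is what makes the two independent.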

Second, the package system from FreeBSD will be brought fully to bear. The ideal here is that “pfSense” is, itself, a package on top of FreeBSD. Releases as installable images would still occur, but overall the large majority of users should be able to move to something with a much more rapid and granular rate of change compared to the existing mechanism.

Third, the core of pfSense (pf, packet forwarding, shaping, link bonding/sharing, IPsec, etc) will be re-written using Intel’s DPDK.

DPDK is a set of libraries and drivers for fast packet processing. It was designed to run on any processor; Intel x86 was the first CPU to be supported. Ports for other CPUs, such as IBM POWER8, are in progress.

We have a goal of being able to forward, with packet filtering, at rates of at least 14.88Mpps. This is “line rate” on a 10Gbps interface. There is simply no way to use today’s FreeBSD (or Linux) in-kernel stacks for this type of load. This work is only available on certain, select Ethernet cards (mostly 1Gbps/10Gbps/40Gbps Intel interfaces, as well as various VMware and Xen ‘virtualization’ NICs); other vendors, including Broadcom, Myricom, Chelsio and Cisco, have shown interest. This also means that the underlying kernel and system will be 64-bit only.
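Where the 14.88Mpps figure comes from, and what it implies for a packet-processing budget, as an added worked example (not from the post): line rate is the link speed divided by the wire footprint of a minimum-size frame, which is the 64-byte frame plus the 8-byte preamble/SFD and the 12-byte inter-frame gap. The Ethernet constants are standard; the 2.4GHz clock used for the C2758 cycle budget is an assumption for illustration.

```python
"""Line-rate packet budget (added worked example, not from the post)."""

PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap
MIN_FRAME_BYTES = 64     # minimum Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518   # standard maximum (non-jumbo), FCS included


def line_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Maximum frames per second: every frame occupies frame + preamble + gap on the wire."""
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / wire_bits


def ns_per_packet(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Time between packet arrivals at line rate, in nanoseconds."""
    return 1e9 / line_rate_pps(link_bps, frame_bytes)


def cycles_per_packet(link_bps: float, clock_hz: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """CPU cycles one core has per packet if it alone must keep up with line rate."""
    return clock_hz / line_rate_pps(link_bps, frame_bytes)


def budget_table(clock_hz: float = 2.4e9):
    """Rows of (link, frame bytes, pps, ns/packet, cycles/packet). clock_hz is an assumed C2758 clock."""
    rows = []
    for link, bps in (("1GbE", 1e9), ("10GbE", 10e9), ("40GbE", 40e9)):
        for frame in (MIN_FRAME_BYTES, MAX_FRAME_BYTES):
            rows.append((link, frame, round(line_rate_pps(bps, frame)),
                         round(ns_per_packet(bps, frame), 1),
                         round(cycles_per_packet(bps, clock_hz, frame))))
    return rows


if __name__ == "__main__":
    for row in budget_table():
        print("%-6s %5d B  %10d pps  %8.1f ns  %6d cycles" % row)
```

The table makes the post's point numerically: at 10GbE with minimum-size frames a single core has on the order of 160 cycles per packet, which is far less than a trip through a general-purpose in-kernel stack costs, and at 40GbE it is a quarter of that.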

And finally, pfSense will move to use even more advanced encryption techniques for IPsec, TLS and OpenVPN. It should be well known by now that Netgate and the FreeBSD Foundation co-sponsored a project to enable AES-GCM for IPsec, enabling faster encryption speeds on Intel and AMD processors that support AES-NI instructions. On a pair of fast quad-core Xeon systems we can run IPsec at over 2Gbps now. More speed is possible, and I expect the first results showing this to be a port of Intel’s “QuickAssist”. On a C2758, this should provide around 8Gbps of IPsec throughput. Other, more exotic QuickAssist hardware exists to take this throughput to 40Gbps and beyond. Additionally, more speed can be had from better “pipelined” implementations of AES-GCM and AES-CBC on existing and near-future Intel CPUs. In particular, SHA1 and SHA256 can be accelerated via AVX2 instructions, reducing the time required for AH processing in IPsec (and its similar processing in OpenVPN and OpenSSL) on processors that support AVX/AVX2.

The overriding goal here is to be able to provide commodity systems that can run IPsec, OpenVPN and https (TLS) at rates exceeding 10Gbps. 

Since there are a very large number of existing systems that can’t run DPDK, and that aren’t able to run 64-bit code, pfSense 2.x will continue as a separate, parallel train.  You will not be abandoned if you can’t run (or don’t want to run) the 3.0 release, and yes, we will bring the API and webGUI back to pfSense 2.x after it is implemented on 3.0, so even pfSense 2.x will eventually have all of the PHP removed.

Finally, since I mentioned OpenSSL, let me say this:  Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:

1) OpenSSL had its issues, but a good, long-time (>30-year) friend named Rich Salz is now leading the development there. I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.

2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding.  There will be more test path coverage and more performance work in OpenSSL than any other implementation.

3) I don’t like the attitude of the people behind the LibreSSL project.  Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject.

So, get on the bus. 🙂

February Hangout Announcement

Our February Hang Out for Gold Members will be Friday, February 27, at 13:00 US Central time. You’ll find the link and other information under “February 2015 Hang Out” after logging in to the members area.

The February 2015 hangout will cover User Management and Privileges. We will discuss how to grant access to the GUI using the pfSense privilege system to control what users may access, SSH access and command privileges using the sudo package, and securing access to pfSense firewall management.

Mark your calendar and we look forward to seeing you!

In order to join us, you must be a pfSense Gold subscriber.

Subscribe to Gold Here!

Here is a preview of the hangout:

Donations

The FreeBSD Foundation has recently asked me to write an endorsement for FreeBSD.  I’ve done so (as Netgate, but prominently mentioning the pfSense project) and it will probably appear soon, but part of that endorsement had to do with donations.

It’s likely obvious by now that we’ve donated to the FreeBSD Foundation again this year.  We get a lot from FreeBSD, and we feel the need to give back to the FreeBSD project in many ways.  It should also be obvious that, while the pfSense project used to take donations, we no longer do.   Indeed, while similar projects ask for donations, we instead ask that, if you are inclined to donate to pfSense, that you instead donate to the FreeBSD Foundation.  For 14 years, the FreeBSD Foundation has been providing funding and support for the FreeBSD Project and community worldwide. They are fully funded by donations from people like you as well as organizations such as: VMware, NetApp, Tarsnap, Cavium, Xinuos, Netgate and others.

The reasons for this decision are too long to list here, but the most prominent reason is that we believe that your donation is better  directed at FreeBSD.  Your support of the FreeBSD Foundation advances FreeBSD so that it is a perfect research and development platform, and pfSense benefits directly from these advances.  By donating to the foundation, you are helping fund and manage projects, sponsor FreeBSD events, and provide travel grants to FreeBSD developers. You are also helping the FreeBSD Foundation represent the Project in executing contracts, license agreements, copyrights, trademarks, and other legal arrangements that require a recognized legal entity.  I know that we have leveraged the Foundation in several matters that fall under this last bit.

Of additional benefit, if you are in the US, the FreeBSD Foundation is a 501(c)3 non-profit organization.   US-based donations should be fully tax-deductible on your federal return.

Thank you for your support.

pfSense 2.2-RELEASE Now Available!

I’m happy to announce the release of pfSense® software version 2.2! This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we’ve added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes. Jim Thompson posted an overview of the significant changes previously.

In the process of reaching release, we’ve closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, and many smaller changes.


pfSense University On-line Now Accepting Registrations

After months of preparation and high customer demand for official pfSense training on-line, Netgate, the home of the pfSense project, is very excited to announce that we are now accepting registrations for our first on-line classes, to be held in February and March, 2015. pfSense University is the ONLY place in the world to get your OFFICIAL pfSense training.

We are currently offering TWO separate classes:

  • pfSense Fundamentals and Practical Application
  • pfSense Advanced Application

Each class is approximately 8 hours in length and will cover common usage scenarios, deployment considerations, step by step configuration guidance, and best practices. Both courses will enhance your skills and abilities to install, configure and support pfSense in your environment. There will be hands-on, instructor-led labs throughout the course!

Important items to note: (please read carefully)

Due to the way the curriculum and lab environment flows from the Fundamentals course to the Advanced course, the Advanced course is not being offered as a stand-alone class at this time. The Advanced class is OPTIONAL, and we encourage you to take it to enhance your skills even more. However, if you wish to take the Advanced class, you must sign up for the Fundamentals class that is scheduled for the previous Friday. The Advanced class will be offered as a stand-alone at some point in the future.

For example:

  • If you wish to take the ADVANCED class on Monday, February 9, you MUST have already signed up for the FUNDAMENTALS class on Friday, February 6.
  • If you wish to take the ADVANCED class on Monday, February 23, you MUST have already signed up for the FUNDAMENTALS class on Friday, February 20.
  • If you wish to take the ADVANCED class on Monday, March 30, you MUST have already signed up for the FUNDAMENTALS class on Friday, March 27.

If classes fill up quickly, more will be added. If the class you wanted is no longer available, keep checking the web site!

Class size is limited to 10 people. The introductory price for the Fundamentals class is $599. The introductory price for the Advanced class is $499.

Introductory Discount!

Apply the corresponding code to the Fundamentals class you are signing up for to take advantage of a $100 discount. This makes your cost for the Fundamentals class only $499!

  • pfSense Fundamentals and Practical Application (February 6, 2015) $100 Discount: EBB1E63F81
  • pfSense Fundamentals and Practical Application (February 13, 2015) $100 Discount: 187585D919
  • pfSense Fundamentals and Practical Application (February 20, 2015) $100 Discount: BD9EFDEEEE
  • pfSense Fundamentals and Practical Application (February 27, 2015) $100 Discount: 6F84AC8926
  • pfSense Fundamentals and Practical Application (March 13, 2015) $100 Discount: 30A289C4C0
  • pfSense Fundamentals and Practical Application (March 27, 2015) $100 Discount: 7AC9652AA3

If the discount code for the class you select does not work, that indicates it is full. We will change the status on the web page as soon as we can to indicate that.

Students who register for classes will receive an e-mail on or around February 1 with instructions on how to connect to the virtual classroom!

All students who complete a course will receive a certificate of completion from pfSense.

CLICK HERE TO SIGN UP TODAY!

Please send any questions to university@pfsense.org

NTP Project security vulnerabilities

Today the Network Time Foundation announced 6 security vulnerabilities in the reference NTP implementation, which serves as the NTP client and server in pfSense software. These are largely not applicable here; however, we’re still investigating potential impact.

  1. Weak default key in config_auth() – this applies only to old NTP versions not used in any current or recent pfSense release, and is in an area that isn’t possible to enable in pfSense.
  2. non-cryptographic random number generator with weak seed used by ntp-keygen – this also applies only to old versions, and is in an area that isn’t possible to enable in pfSense.
  3. Buffer overflow in crypto_recv() – this applies only to an area that isn’t possible to enable in pfSense.
  4. Buffer overflow in ctl_putdata() – this applies only where control messages are allowed from untrusted hosts, which isn’t possible to configure in pfSense.
  5. receive(): missing return on error – this is a bug that doesn’t appear to have any ability to affect system integrity, hence has no security impact.
  6. Buffer overflow in configure() – this is applicable, however appears to be strictly denial of service. Where you have the NTP server enabled, clients that are permitted by your firewall rules (by default, and in general, only internal hosts) could crash the NTP service.

The bug reports on ntp.org are marked as private, leaving specific, authoritative details a bit lacking. If you have any information beyond the above, or that contradicts the above, please email us at security at pfsense.org. At this time, we don’t believe this poses any significant risk for pfSense users. We’ll update this post should anything change.
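Items 4 and 6 above hinge on which hosts ntpd will accept control and configuration messages from, and on stock ntpd that is governed by the `restrict` lines in ntp.conf (pfSense writes its own ntpd configuration, so this is a check for hand-managed ntpd installs, not for pfSense). As an added example, not from the post, here is a small audit that parses an ntp.conf and reports a missing or permissive `restrict default`; the three configuration snippets are constructed for the demonstration.

```python
"""Audit ntp.conf access restrictions (added example; constructed sample configs).

On stock ntpd, 'restrict default' with noquery/nomodify/notrap/nopeer keeps
remote hosts away from the ntpq/ntpdc control and runtime-configuration paths.
"""

REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}


def parse_restricts(conf_text: str):
    """Return a list of (target, flags) for every 'restrict' line, comments ignored."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):  # address-family prefix form: restrict -6 default ...
            tokens = tokens[1:]
            if not tokens:
                continue
        target, rest = tokens[0], tokens[1:]
        if len(rest) >= 2 and rest[0] == "mask":  # restrict 10.0.0.0 mask 255.0.0.0 ...
            target, rest = f"{target} mask {rest[1]}", rest[2:]
        entries.append((target, set(rest)))
    return entries


def audit(conf_text: str):
    """Return a list of findings; an empty list means the default policy is restrictive."""
    findings = []
    defaults = [flags for target, flags in parse_restricts(conf_text) if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: ntpd answers queries and control "
                        "messages from any host")
    for flags in defaults:
        if "ignore" in flags:
            continue  # 'ignore' drops everything, so the other flags are moot
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            findings.append("restrict default is missing: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample configurations for the demonstration.
HARDENED = """\
# Serve time to the LAN but answer no queries or control messages by default.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
server 0.pool.ntp.org iburst
"""

WEAK = """\
restrict default kod notrap   # queries and runtime changes still reachable remotely
server 0.pool.ntp.org iburst
"""

NO_DEFAULT = """\
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK), ("no default", NO_DEFAULT)):
        print(name, "->", audit(conf) or "ok")
```

Limiting who can reach the service at the firewall, which is the mitigation the post relies on for item 6, is the complementary control: the restrict lines decide what ntpd will do with a packet, and the firewall rules decide whether it ever sees one.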

2.2 Release Candidate now available!

We are proud to announce pfSense® software version 2.2 Release Candidate is now available! This should be a short release candidate cycle, so we encourage you to try it out ASAP to help us with the final push to release. Jim posted a good overview of the significant changes previously. A more comprehensive list of changes can be found on the 2.2 New Features and Changes page.

In the process of getting to an RC status for 2.2, we’ve closed out 310 total tickets (this number includes 49 features or tasks), fixed 108 bugs affecting 2.1.5 and prior versions, and fixed another 153 bugs which were introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to FreeBSD 10.1, changing the IPsec keying daemon from racoon to strongSwan, moving the PHP backend from FastCGI to PHP-FPM, updating to PHP 5.5 and changing from dnsmasq to the Unbound DNS Resolver.

Downloads

New Installs

Upgrades

As always, every previous version can be upgraded directly to 2.2-RC. See the Upgrade Guide for general upgrade guidance applicable to all versions including 2.2-RC.

Feedback, Questions, Need Help?

Report your experiences, or get help with problems on the 2.2 board of the forum.

2.2 release status

We’re getting an increasing number of “When will 2.2-RELEASE happen?” queries. In an attempt to answer the question for a more general audience, we’ve put together some data.

pfSense® software version 2.2 started with a few seemingly simple goals:

  1. move the base to a very recent version of FreeBSD.
  2. update the IPsec stack to include AES-GCM, and IKEv2.
  3. update PHP to something more recent than what is used in pfSense software version 2.1.

These seemingly simple goals produced a lot of work.  When we re-launched the 2.2 project in October 2013, we estimated that it would take 9-10 months, producing a release in April or May of 2014.   We had no way of knowing that we would end up producing a train of 5 additional releases based on pfSense software version 2.1, starting with 2.1.1 in early April, which was immediately followed by 2.1.2 to fix the “Heartbleed” issue, then 2.1.3, 2.1.4 and 2.1.5 during the following 139 days.  And three weeks after the 2.1.5 release, we finally got pfSense 2.2 into a BETA release.

We are now close enough to a 2.2-RELEASE that we can state with some certainty that FreeBSD 10.1-RELEASE will serve as the base for pfSense 2.2-RELEASE.  In order to transparently support both IKEv1 and IKEv2 we moved from ipsec-tools to strongSwan, taking advantage of its monolithic IKEv1/IKEv2 daemon.  And the PHP backend has been switched from FastCGI to PHP-FPM, while PHP has been updated to version 5.5(.19).

But meeting these three seemingly innocuous goals opened a plethora of issues.   BIND is no longer a part of FreeBSD, so we switched to Unbound.  While the initial work on this was done by a community member, we’ve had to fix a number of real issues with the result since entering BETA.  For the past 60 days it’s been heads down, opening tickets, and getting them resolved by fixing bugs, then re-testing the result.

[Chart: Open/Closed tickets – last 90 days]

Below you can find a bit more of the internal data that drives the decisions on the release process.   We are now, likely, days away from a “release candidate” for pfSense software version 2.2.  You can help by running a snapshot (several of us have been doing so since the 2.2 BETA), or the RC series and reporting any issues you find.

[Chart: Total Tickets by Status – Past Year]

[Chart: Open/Closed tickets – last year]

[Chart: Changes by user – Past 90 days]

November Hangout Announcement

Our monthly pfSense hangout has been scheduled! Please make note that because of the Thanksgiving holiday, we will have the event on Tuesday, November 25, 2014 at 1PM CST. Log in to your portal account on the day of the event for details on how to join us. This month’s topic is: New and Improved Features in pfSense 2.2. Your host will be Jim Pingle.

Here is a preview of the hangout: