General Questions

I just saw that a new exploit was found in FreeBSD.

http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071686.html

I posted in the pfsense forums about that here

http://forum.pfsense.org/index.php/topic,20959.0.html


My question is simple... I really like the fact that m0n0wall is smaller and does what I need without anything that isn't really useful (for me)

I am not even really talking about that specific problem

But the pfsense team seems push patches pretty fast according to what they say...

Any plans on fixing this flaw? How long does it normally takes to update the freebsd and all the other software in m0n0wall when there is exploits found???



My last question: Is there a list of the versions and software used in m0n0wall ? Well, an up-to-date list?? There is one, but it still says that it uses FreeBDS 4....

thanks

Alex

m0n0wall uses FreeBSD 6.4 (for 1.3) and 4.11 (for 1.23), which aren't affected as far as I know. And this bug wouldn't affect m0n0wall anyway since it doesn't make use of non-root local users.

well, my concern is that there is not a lot of pfsense updates... So it is not updated when there is FreeBSD (and all other software) security patches.

Is it just because there is no patches? Or because m0n0wall just isn't updated often?....

I am still trying to make my mind between pfsense and m0n0wall

m0n0wall gets updated quite quickly (= within a couple of days) if there's a security issue that actually affects it. It rarely happens though, since m0n0wall doesn't use a full-blown FreeBSD system.

Right now I'm contemplating releasing an update for the SSL renegotiation issue (today's FreeBSD security advisory), which could in theory be used on HTTPS webGUI connections.

Thanks Manuel

It is great to see a little more activity here... From my first look, it seemed somewhat dead... But I was wrong, it isn't! And more that that, the 1.3 just came out and it looks great!

I was looking at the changelog, and there is not a lot of updates! The 1.3 beta had a lot of activity, but it was in beta for like 3 years!!!


When there is a little thing like a security patch, is everything updated? I mean, is it an installable patch only? Or is it also available quickly on the cd-rom and other builds?

Because I want to use m0n0wall with a bootable cd and a usb drive or floppy for the configuration.



You should also update this page: http://m0n0.ch/wall/software.php

It is a little out of date 


Thanks a lot

Alex

Thanks Manuel

It is great to see a little more activity here... From my first look, it seemed somewhat dead... But I was wrong, it isn't! And more that that, the 1.3 just came out and it looks great!

I was looking at the changelog, and there is not a lot of updates! The 1.3 beta had a lot of activity, but it was in beta for like 3 years!!!

Compared to the 1.2X series, there are a lot of changes. You are right though, maybe not a lot near the end. Long beta maybe, but I'm glad because when I upgraded from the 1.2X release series to the 1.3 release there were no hiccups or problems. Everything worked right away and has been since the release a few days ago. A big relief for me since the future will be a lot of "upgrading" to the new version with hopefully little to no side-effects.

When there is a little thing like a security patch, is everything updated? I mean, is it an installable patch only? Or is it also available quickly on the cd-rom and other builds?

Because I want to use m0n0wall with a bootable cd and a usb drive or floppy for the configuration.

I think the best way to describe the security patches is really an entire release. Each release is the full version, so yes, everything is updated including any CD or other builds that carry the 1.2X or new 1.3 version numbers. That doesn't mean that each release has 100 security patches applied, only those that affect m0n0wall. M0n0wall, while yes technically an OS with a web based GUI, isn't really setup to be a machine where clients are going to web surf or play music off of the machine. So *usually* any security exploits would have to get past the login screen first.  I don't worry myself about a worm/virus/hacker coming right into the system and taking over without at least having to clear the administrative login hurdle first. Of course, if my system password is 123 then I have bigger issues to worry about than exploits when the hacker can just guess my password in a few tries instead to get total control.

Don't get me wrong though, everything you've said is a very valid concern, especially in a business environment. The last thing we all want to read is a security bulletin with "m0n0wall rooted by silly exploit ABC". But the m0n0wall team is always on top of their game when it comes to serious security here.

You know what, this is a REALLY good answer 

I think I will use m0n0wall 

Thanks again! Oh... and don<t forget about that page I talked about...


Hey, while I am here... How good is the documentation available ? Is it really up to date?? The first thing I noticed is the year 2008 written at the top...

Hey, while I am here... How good is the documentation available ? Is it really up to date?? The first thing I noticed is the year 2008 written at the top...

m0n0wall hasn't really changed at all since 2008, what's there is up to date.

well, my concern is that there is not a lot of pfsense updates... So it is not updated when there is FreeBSD (and all other software) security patches.

That's not true. Both pfSense and m0n0wall release updates for security fixes when needed and do so promptly - with "when needed" being the key part. Very few FreeBSD security updates are applicable to pfSense or m0n0wall. They either relate to things that only local users can do (which isn't relevant, as if you have local access you have root), or things that aren't applicable to a firewall, or components that aren't included in the minimal FreeBSD versions that both use.

With that said, both projects will have updates out soon for the SSL/TLS renegotiation advisory that came out this week. The last FreeBSD security advisory that was applicable was so long ago I don't remember when.

Thanks

Well, it does seems really great!

I really don't know a thing about freebsd so I was concerned it might be harder to use and maintain...


What scares me it things like the "software used" page that is still showing FreeBSD 4... If this isn't updated... you know... what says that other things will...


Anyways

Thanks

Alex