New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pfsense null configuration XML tag format has changed #2282

Open
redshiftzero opened this Issue Sep 11, 2017 · 4 comments

Comments

Projects
None yet
3 participants
@redshiftzero
Copy link
Member

redshiftzero commented Sep 11, 2017

Description

It looks like there have been some changes to the XML null configuration tag format used by pfSense, now requiring <tag></tag> instead of the <tag/> format currently used in the templates that SecureDrop is shipping.

Upstream issue: https://redmine.pfsense.org/issues/6893

Steps to Reproduce

  1. Download firewall templates.
  2. Attempt to load.

Expected Behavior

Template loads obviating the need for manual config.

Actual Behavior

The template does not load.

Comments

This necessitates the templates to be regenerated using the (latest) updated format.

Given the tight timeline until 0.4.3 is released, I suggest that we push the resolution of this into 0.4.4 to give sufficient time to generate and test the updated firewall templates. In the meantime, people installing SecureDrop will need to fall back to the manual configuration, and the documentation should indicate that manual configuration is necessary to avoid frustration in current users.

@freddymartinez9 discovered this while testing #2281 on hardware.

@b-meson

This comment has been minimized.

Copy link
Contributor

b-meson commented Sep 12, 2017

I realized yesterday that I am in the middle of a fresh install with the latest pfSense. When I have a SD install complete with a clean (factory reset device pfSense) I can do an export of their configurations, so we won't have to manually fix these tags.

@b-meson b-meson self-assigned this Sep 12, 2017

@b-meson

This comment has been minimized.

Copy link
Contributor

b-meson commented Sep 13, 2017

pushed this commit ac4ce01 but it requires a fresh pfSense firewall reset. I will try to test this week

@b-meson

This comment has been minimized.

Copy link
Contributor

b-meson commented Sep 14, 2017

I tested my commit ac4ce01 just now using a working SecureDrop install. Here is what I did:

  1. Manually install SecureDrop and the firewall
  2. Factory reset the pfSense firewall router
  3. Using the clearnet web browser (Unsafe browser) I went to my branch and downloaded the .xml files as "raw" from GitHub (note: this won't work using Tor due to the clearnet user chroot in Tails).
  4. Confirmed the factory reset was successful, no firewall rules were in the pfSense admin GUI. Also the admin user's password is reset.
  5. Follow the steps in our docs up to "SecureDrop Configuration"
  6. Restore the xml files for each section.
  7. Reboot the firewall (important step)
  8. Test connectivity to the .onion using both Tor Browser and ssh.

The rules work as expected. I will test further using a fresh SD install next week.

b-meson pushed a commit that referenced this issue Sep 15, 2017

@redshiftzero redshiftzero modified the milestones: 0.4.4, 0.4.5 Oct 12, 2017

@redshiftzero redshiftzero referenced this issue Oct 12, 2017

Closed

Docs firewallxml #2317

1 of 1 task complete
@redshiftzero

This comment has been minimized.

Copy link
Member

redshiftzero commented Oct 12, 2017

Moved this to 0.4.5 as there is a pending PR (#2317) that is unlikely to be merged in time for the 0.4.4 release

@redshiftzero redshiftzero modified the milestones: 0.6, 0.7 Feb 27, 2018

@eloquence eloquence removed this from the 0.7 milestone Mar 19, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment