Update your pfSense packages to protect against Nginx, libz, MQ4, and curl vulnerabilities. And more than updating, I wanted to talk a little bit about what this is, what it means, and what some of the problems related to it are. So this is a little bit unusual because it's a fairly good flaw found in Nginx. And that's documented here. I love that they linked all the vulnerability details, which are easy to read, easy to go through. Now, these are all out-of-memory problems with Nginx and some of the other ones. And one of them is a downgrade attack on one of the other tools. But for all of these, before you panic, the good news is: if you don't have your pfSense public facing in terms of the web interface to it... because the web interface of pfSense runs on Nginx. So if you have that public facing, you should be panicking. You shouldn't have it that way, by the way; by default, out of the box, pfSense does not expose itself on the WAN side. That's a good thing. That's how it should be. I know people do this. I know people open it up for remote management. And if you do that, one of the ways you can help mitigate this risk is maybe filtering it to a single IP address, so you can create a filter. So once again, you're not exposing Nginx to the world, because it's not always a good idea to expose your management interface on whatever you're doing.

The other thing I wanted to talk about is how you should be securing this on some of your internal networks and not necessarily exposing your management interface, because people have mentioned it to me. One particular person, and thank you for that, brought up the fact that I had not explicitly said to do that, and that is correct. I probably made assumptions that people would maybe disable the management interface on the other interfaces, but it is something I think you should do, and it is fair to say that I have not mentioned it in my previous videos.
So first we're gonna cover the update, which is arbitrarily simple to do. So they have the instructions right here. You simply do a package update. Now, because pfSense is based on BSD, they use the pkg tool. So it's pkg update and then pkg upgrade. So I'll show you how that looks. Over here on the console, this is a virtual system that I have set up in my lab that I've used for many of the demos on here. Just go to the shell, or you can SSH in, however you wanna get into your pfSense: pkg update. And you can do this as one command like they strung them together, but I'm just showing you concurrently how they work. So pkg update means go pull the latest packages, and then we just do pkg upgrade. And it lets you know these are the new packages that are being pulled. Now, it's a little different because pfSense, if I'm not mistaken, is pulling all the packages directly from pfSense. It's not like you have access to every package. It's the packages that pfSense maintains, and that's where they have the repository set up.

Now, one of the important things you can do: I believe you can just restart Nginx and that would work, but I always, out of my own habit, reboot the firewall. Now, I didn't just show doing this, but obviously before you do any of these things, back up your system just in case everything goes wrong. It's easy to restore pfSense. I've covered this before in other topics. You just use the restore file. If you don't have the restore file, you have a big headache because you probably have to set it up again.

Anyways, so the rule I wanted to talk about that prevents all these little CVEs from being a bigger concern for clients. And like I said, they have links to all of them so you can look at the actual vulnerability and dig into the details in depth if you're interested in it. But this is the rule you need on the non-LAN networks. Now, this is the demo I set up where I had a LAN and an IoT network. This is common for a lot of home user setups.
Corporate networks may have more, but the concept is the same. This one is particularly on port 443. You want to block port 443 because that's where the web management interface is. By default, the web management interface is open to each of the LAN interfaces you create. Well, technically it's not open at all until you create at least one rule to allow traffic to pass. But if you create an allow-all rule, which is the default for LAN, that means you can access the web interface. It's not really a security risk on the LAN side, but that's also why your LAN side needs to be where your secure devices and things you trust are. And then you create these separated networks where you can do things like... I don't think people on IoT networks should even have access to Nginx. And this is just a simple block. I'll edit the rule so you can see it in a little more detail. Action is block. The name of this interface is IoT, TCP because that's the port it's on, HTTPS 443 because that's the listening port that is the default for Nginx on pfSense. If you change the port, which a lot of people do, including myself, I frequently choose some odd, higher-number port. That way I never have to worry about things even looking at that port. But whatever port you change it to, you also have to make sure you block it. So if you do decide to do that, make sure it's blocked. That's the important part on there.

But anyway, that's it. Load the update, restart the server. We've pushed this to a handful of servers and had no issues at all. It's kind of an arbitrary, really minor change because you're not really changing out anything really big in the packages. You're changing out the very minor version that just basically closed a little bug. So it's not like it's a functionality change to the system. This is why it wasn't pushed as an entire system update, and this is why it's handled just with a pkg update, pkg upgrade. So go ahead and get going.
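The procedure described above (back up the config, `pkg update` then `pkg upgrade`, then confirm the management port is actually blocked on the non-LAN interface) as a small POSIX shell helper. This is an added example, not a script from the video or from the pfSense project. It assumes a pfSense/FreeBSD shell where `pkg`, `pfctl -sr` and `sockstat -l` exist, that the config lives at `/cf/conf/config.xml`, and that the IoT interface is named `igb1`; all of those are assumptions you should adjust. The two check functions read their input from stdin so they can be exercised against constructed `pfctl`/`sockstat` output without a firewall in front of you.

```shell
#!/bin/sh
# Added example (not the video's or pfSense's own tooling).
# Assumed locations/names; change for your box.
CONFIG_PATH="${CONFIG_PATH:-/cf/conf/config.xml}"   # assumed pfSense config path
IOT_IFACE="${IOT_IFACE:-igb1}"                       # assumed non-LAN interface

# Step 1 from the video: back up the config before touching packages.
# Prints the backup path on success.
backup_config() {
    dest="/root/config-$(date +%Y%m%d-%H%M%S).xml"
    cp "$CONFIG_PATH" "$dest" && echo "$dest"
}

# Step 2: the two commands the video runs (pfSense pulls from its own repo).
update_packages() {
    pkg update && pkg upgrade -y
}

# Step 3a: does the active pf ruleset (pfctl -sr on stdin) contain a block
# rule on IFACE for TCP to PORT? pfctl prints well-known ports by service
# name, so 443 is also matched as "https". Returns 0 if found, 1 otherwise.
has_block_rule() {
    iface="$1"; port="$2"
    case "$port" in
        443) name=https ;;
        80)  name=http ;;
        *)   name="$port" ;;
    esac
    grep -E "^block[[:space:]].*[[:space:]]on[[:space:]]+${iface}[[:space:]].*proto[[:space:]]+tcp[[:space:]].*port[[:space:]]*=[[:space:]]*(${port}|${name})([[:space:]]|$)" >/dev/null
}

# Step 3b: which TCP port(s) is nginx (the web GUI) listening on?
# Reads `sockstat -l` output on stdin; prints one port per line. Use this to
# know which port to block if you moved the GUI off 443.
webgui_ports() {
    awk '$2 == "nginx" && $5 ~ /^tcp/ { n = split($6, a, ":"); print a[n] }' | sort -u
}

# Run the whole procedure only when explicitly asked ("apply"), so sourcing
# this file for the check functions never upgrades anything by accident.
case "${1:-}" in
    apply)
        echo "backup: $(backup_config)" || exit 1
        update_packages || exit 1
        for p in $(sockstat -l | webgui_ports); do
            if pfctl -sr | has_block_rule "$IOT_IFACE" "$p"; then
                echo "OK: TCP/$p blocked on $IOT_IFACE"
            else
                echo "WARNING: web GUI port TCP/$p is NOT blocked on $IOT_IFACE"
            fi
        done
        ;;
esac
```

Run it as `sh webgui-check.sh apply` on the firewall after reading it; the warning branch is the case the video stresses, a GUI moved to a custom port with no matching block rule on the IoT interface.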
But don't worry, unless you are someone who is exposing this to the greater internet. They could cause some headaches for you, because if this exploit gets out in the wild, it does seem to shut down Nginx. So you lose access to that management interface, which could lead into some type of exploit. It doesn't appear, based on what I read here, that there's any out in the wild, but that is now; an hour from now, that could be wrong. There could be someone exploiting it and it hasn't been found yet. So definitely patch it, but definitely don't put things out on the public. And thanks; if you want to carry on the discussion, this will be over in the forums too. All right, thanks.

Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video, and see you next time.