flat4 79 Posted ...
I have not had a chance to set up my pfSense box to connect strictly to AirVPN. I have been trolling the pfSense forums and read the wiki and seen where a few developers split from pfSense because it was becoming too commercial. I downloaded the image and installed it in a VM but have not done much to it. Just wanted to know how many here would move to this version of firewall in lieu of pfSense. Don't get me wrong, I'm sticking with pfSense since pfSense_fan did one heck of a job on the guide; I was just wondering.
flat4's signature: pFsense it works
zhang888 1066 Posted ...
pfSense is commercial - for commercial environments. Actually the OpenVPN business model is somewhat the same. If you need professional support, technical services and patches that are fixed very quickly (like in other big name firewalls), that costs money. I didn't see any developers leaving the project lately, and I didn't see any license changes for non-commercial use. A fork is always nice, as long as they maintain their own set of goals and roadmap, and not just the same thing without the copyright mark and another theme, imho. OPNsense still has a long way to prove itself in terms of community, stability, etc.
zhang888's signature: Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
flat4 79 Posted ...
I might have misread the developers leaving. Looking through their forums, some other guy has started another project called smallwall.com based off m0n0wall. It's confusing for the noob. Nevertheless I like to tinker and learn.
pfSense_fan 181 Posted ...
I too am intrigued by OPNsense but my takeaway as well is that it is not quite where I need it to be. If I JUST needed a firewall, then my opinion might change, but I need a UTM (Unified Threat Management). pfBlockerNG with DNSBL, to me, is the best thing before or after sliced bread, and I would not be able to use OPNsense in the same way I have been accustomed to with pfSense. Using uBlock Origin or Adblock Plus is one thing for a browser, but everything else on a network is not afforded such protection. DNSBL allows that, and I have had days where my network blocked just shy of 50,000 requests for ad, tracker or otherwise less than reputable servers. It's eye-opening seeing how active IoT (Internet of Things - web-aware appliances/TVs/media players etc.) and portable personal devices are. After setup it's all automated save for the occasional manual update to bring it back into sync. If I didn't need or feel safer with pfBlockerNG/DNSBL I would give OPNsense a go in a heartbeat. If you or someone else does not care to use packages such as that, I would say give it a go and let us know how it feels. Setup should be similar to pfSense.
pfSense_fan's signature: Have my guides helped you? Help me keep helping you, use my referral: How to set up pfSense 2.3 for AirVPN. Friends don't let friends use consumer networking equipment!
rickjames 106 Posted ...
I don't use either but still play around with OPNsense VMs when I have time. Mostly because they've got a version of OPNsense that is based on HardenedBSD. https://hardenedbsd.org/content/projects There's a box around here somewhere running a HardenedBSD desktop. But I haven't had the time to use or update it lately. Imo the project really has a lot of potential.
flat4 79 Posted ...
I re-downloaded it and they have improved; it is not pfSense yet but it's coming along. Like pfSense_fan stated, if you just need a simple firewall it's nice. One caveat is that their recommended hardware is pretty heavy. For example they recommend a 120GB SSD and multi-core chip. I'm waiting for pfSense to drop PHP and make it more smooth.
rickjames 106 Posted ...
OPNsense runs fine on next to nothing hardware-wise. I think those recommended specs are there to stop people from bitching about performance issues after installing it on hardware with less processing power than my toaster. Either way, GUIs aren't my thing. Imo if you're looking for a simple firewall use OpenBSD. All these bloated GUI-based firewalls are train wrecks just waiting to happen. It only takes one compromised system behind the firewall that has access to the GUI to pooch your entire network. Now your once sexy perimeter firewall is a platform they'll likely use to compromise others, from your IP. Ditch the bloat.
zhang888 1066 Posted ...
A compromised system with administrative access to any firewall will lead to the same bad circumstances. So there is nothing in here where pfSense falls short compared to other firewalls - OPNsense and others. The WebGUI in pfSense can be completely turned off if you wish to do so, however if you see my above statement, there is nothing new here. You should both trust your own OS and your administrators whom you provide the credentials to run the network; it just can't work any other way in any environment. I personally don't see any threat here. Indeed the WebGUI runs PHP and this is a -potential- security nightmare, but as long as you provide the credentials to trusted parties you almost completely eliminate the PHP memory corruption and serialization attacks, and at the best case the attacker will have an unprivileged PHP session before the login. I do wait for pfSense to move to Python WebUI (probably they will use Django framework) but this is not going to happen anywhere before 2.4 release. And we are just expecting 2.3 with Bootstrap around the corner.
Regards
rickjames 106 Posted ...
I just don't run firewalls with that type of allowed access. It's just personal preference; I have no need for the GUI whatsoever. For the most part I trust the admins, but it takes very little for someone to click a link containing bad code.
Disclaimer: This really has nothing to do with pfSense nor OPNsense. It's just another aspect that should be considered.