YMMV but for people wanting a firewall you'd be much better off with pfSense, stock OpenBSD, or stock FreeBSD. To get involved in OS work or BSDs you're much better off with Free/Open/Net/TrueOS. Those are communities filled with competent people to support the code and that you can learn from.
Could you explain what's bad about that comparison? Or point to an example of their "rudimentary grasp of C"?
Can anyone point to a paper showing where HBSD successfully prevented an attack over FreeBSD?
So they generate a lot of noise. Instead of learning from the larger communities that are filled with extremely talented security people like Colin "cperciva" Percival, Robert Watson, Theo de Raadt, Maxime Villard, etc., Shawn seems hellbent on being an exemplar of the Dunning-Kruger effect. Unfortunately he is towing others along for the ride.
Anyway, even there, we can read: "ASLR aims to prevent an attacker from using previous knowledge of the address space to gain an advantage and execute malicious code. This has proven extremely effective in “raising the bar” of exploitation and is one of the most significant research challenges"
So, back to square one, why is ASLR obsolete? It's one of the main security features.
Recap: OPNsense uses HardenedBSD as base OS, which has ASLR, along with other BSDs. pfSense uses FreeBSD, which doesn't have ASLR/ASR.
These are context sensitive things that aren't learned by reading a comment thread, if you can't read that article and understand that it shows a multitude of exploits that bypass ASLR and that almost every exploit and contest includes or relies on existing ASLR bypass I don't really know what to tell you other than to keep reading and researching. The answers you seek are linked from TFA.
I expect you backing up your statement that ASLR is obsolete. So far all we have is a URL and advice to research ourselves.
What stops you from giving a direct answer? Hint: "ASLR is useless, because I can, for example, do this: ..."
Oh, and note the passive aggressiveness here: https://docs.opnsense.org/fork/thefork.html#so-why-did-we-fo...
The web server runs as root, and so do all the pages (PHP, etc).
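Two comments in this thread (this one, and the later "not running PHP as a root user" bullet) turn on the same question: which web-UI processes on the box are actually handling requests as root. The script below is an added example, not code from any commenter, pfSense or OPNsense; it parses `ps -axo user,pid,command` output (a constructed sample is embedded) and flags web/PHP worker processes owned by root, treating a root master process that binds the port and forks unprivileged workers as the normal pattern rather than a finding. The process-name set and the sample output are assumptions for the example.

```python
import subprocess

# Process names that serve the web UI on pfSense-style appliances (lighttpd/nginx
# front end, PHP workers behind it). Set chosen for this example.
WEB_PROCS = {"nginx", "lighttpd", "httpd", "php-fpm", "php-cgi", "php"}

# Constructed `ps -axo user,pid,command` output: a front end whose master runs as
# root (normal, it needs to bind port 443) but whose workers were never dropped
# to an unprivileged user, plus PHP workers in both states.
SAMPLE_PS = """\
USER   PID COMMAND
root     1 /sbin/init
root   610 nginx: master process /usr/local/sbin/nginx
root   612 nginx: worker process
root   613 nginx: worker process
root   700 php-fpm: master process (/usr/local/etc/php-fpm.conf)
root   701 php-fpm: pool www
root   702 php-fpm: pool www
www    800 php-fpm: pool www
root   900 /usr/sbin/cron -s
"""


def parse_ps(text):
    """Turn ps output into dicts; the process name is the basename of the first
    token of COMMAND with any trailing ':' (as in 'nginx: worker') removed."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            continue
        user, pid, command = line.split(None, 2)
        name = command.split()[0].rstrip(":").rsplit("/", 1)[-1]
        rows.append({"user": user, "pid": int(pid), "name": name, "command": command})
    return rows


def root_web_workers(rows):
    """Return (pid, name) for web/PHP processes running as root that are not a
    master/supervisor process. A master binding a privileged port as root and
    forking unprivileged workers is expected; root workers handling requests
    are the finding."""
    findings = []
    for r in rows:
        if r["name"] not in WEB_PROCS:
            continue
        is_master = "master" in r["command"]
        if r["user"] == "root" and not is_master:
            findings.append((r["pid"], r["name"]))
    return findings


def audit_live():
    """Run the same check against the local process table (BSD/Linux ps syntax)."""
    out = subprocess.run(["ps", "-axo", "user,pid,command"],
                         capture_output=True, text=True, check=True).stdout
    return root_web_workers(parse_ps(out))


if __name__ == "__main__":
    for pid, name in root_web_workers(parse_ps(SAMPLE_PS)):
        print(f"root web worker: pid={pid} {name}")
```

On the constructed sample the check reports the two nginx workers and the two root php-fpm pool workers, and nothing for the masters, init or cron. For php-fpm the fix is the pool's `user`/`group` directives; for the front end it is the server's own user setting, and either way the audit should come back empty afterwards.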
And for pfSense and OPNsense common ancestor was m0n0wall.
pfSense forked m0n0wall
Opnsense forked pfSense.
Projects like pfSense, OpnSense and other GUI-on-top-of-OS systems are only sensible for more end-user applications and community driven approaches. I switched from pfSense to OpnSense not because of any real difference between the two, but because of the backing community, which is more for the users than it is for me personally; most people using this stuff are in the home or SMB markets and are much more serviced by a Web UI and a community than some commercial entity.
Once you go commercial or deep technical, none of the projects make sense as you are almost always better off going current with a configuration management based system (like plain pf on a BSD in combination with something like SaltStack, Ansible, or Chef) or go classic with one of the larger vendors like Cisco and Juniper.
pfSense is shooting itself in the foot by being (petty) d.cks, OpnSense is shooting itself in the foot by (and this is hearsay afaik) technical deficiencies in the primary backing team. On top of that, prosumer vendors are now getting the hang of it and are releasing affordable, supported, yet not too-expensive hardware for most of the setups you'd see those BSD-based WebUIs in. (i.e. UBNT)
I'm predicting that pfSense will try very hard to go full-on commercial, perhaps using the open core model like GitLab does, but probably failing at the commercial side because the advantages (and that goes for OpnSense too) vs. a prosumer/entry-level device from an existing brand are getting smaller and smaller. Most of the advertised stuff (again, goes for both) that you'd get for using open source software isn't really that much of an advantage anyway, most users never report bugs, write patches, inspect the OS, or check checksums. For OpnSense, they are probably going to try to not make a split product, but instead try the vendor network model where you make money by selling support and perhaps pre-configured hardware for people that are stuck between prosumer and home gear needs.
What I personally would like (and I'm still using a mix of pfSense and OpnSense for all GUI-needing systems) is an API-first system, with either no GUI at all, or an optional GUI. Maybe in the direction of VyOS (https://vyos.io/), which is linux based, and currently API-only. This would perhaps have to compete with OpenWRT, but at that point we're getting pretty far away from the capabilities of BSD.
A lot of the setups where there was no budget, or the firewall/router had to be virtual are currently only running pfSense/OPNSense because of a lack of better alternatives, the paid systems are not 'better' by any means, and their past USP was always with the hardware (which at some point became obsolete as well as packet processing in software became fast enough).
For now, I'd suggest anyone who needs a software router/firewall/gateway with a GUI and reasonable OS to first check OPNSense, as for most uses a healthy community is important. For everyone else, it's probably not really an issue in the case of cloud networking as they all have API-driven (and a GUI to drive the API) firewalling which covers almost all SMB use cases. So far I've only seen three cases where the box-with-a-firewall-and-GUI approach still matters: home, SMB, on-prem with no investment in skill. As soon as you have the skill and infrastructure to go without a GUI, none of the sense/wrt and prosumer systems matter, and as soon as you go beyond the 'need to buy stuff because we don't know or want to do it' stage you get in MSP/Cloud territory.
Editing (mostly for my own update regarding what's out there) for some extra projects:
There seem to be a number of 'other' projects in various states of integration, support and maintenance;
1. https://bsdrp.net which looks like a much more 'embedded' CLI router, has configuration abstraction
2. https://securityrouter.org which uses open everything except the nice backend which does paid upgrades for features
3. Floodlight Controller has a REST API for configuration, which does mostly firewalling and switching, not really a gateway or something like that, lives mostly in the SDN realm, mostly found on Linux systems instead of BSD, but it's a model that comes closer and closer to the model you get on providers like AWS. CloudFirewall is an (older) example of letting one device do the packet and frame forwarding, but some other service do the rules and control of one or more of those devices (be it hardware or software devices).
Yup. Have you looked at TNSR?
It’s what we’re doing (in addition to pfSense).
API (be sure to hit Nav -> Modules)
As for your prediction that we will take pfSense “full on commercial”,...
Well, frankly, you’re wrong.
1. a big banner with angry text about commercial and trademark stuff
2. a widget about Netgate selling you stuff
3. A Netgate Device ID so you can track pfSense and no way to remove that
Basically, pfSense is Netgate's b!tch, and almost none of the FOSS community spirit is left.
You don't see this with other projects, it's clearly a direction chosen by Netgate and the paid people. It's about money, and about being commercial. The community forum is a commercial outlet, and anything that might even come close to not giving Netgate sales is censored.
About TNSR, it does look like a neat set of features for the much more integrated cloud world, and SDN setups, but there is no easy to find information about the state of licensing, cost, sources etc. It's very easy to buy this stuff already, the only interesting thing for most members of our implementors forum is having a FOSS solution with paid support and perhaps enterprise extras to buy like Elastic's X-Pack. Even if TNSR were to come out on top in terms of features and compatibility with existing infrastructures, it wouldn't have any space to operate in, at least not in the current markets we are servicing (which is pretty much Eurasia except China and Russia, plus Brazil and Canada).
They are giving you the software for free under permissive licenses. If you want to take it, remove the ID, and make money using their exact business model, you can do that if you call it something else. That is exactly what OPNSense is. Being permissively licensed it's generous to the point that you can take the code, turn it into a proprietary product, and make a fortune without ever communicating or doing anything for the parent. By respecting the trademark they aren't asking for much at all.
There is no reason to be assholes as other projects work fine using the same free open core + paid enterprise version, this is something Netgate-specific, probably due to the hardware business where you have physical things that lose value unless you unload them quickly.
Now, don't get me wrong here, I'm not saying commercial business of trying to sell hardware/software is inherently bad, but being pissy because someone else does it too is just weak.
Netgate deserve some credit for their effort, but not so much that we should turn a blind eye when they get bitchy and malicious about the use of open source code.
I’ve said for a long time now that the whole AES hardware requirement would prove to be little more than a red herring to dampen open hardware sales; it’s pretty hard to argue otherwise now.
There is a reason why people install pfSense and not stock BSD, it's called a GUI :)
And pfSense was playing with licences before, some think it's getting ready to do it again.
FUD much? 'some' might think, but I know, and we're not.
Btw, OPNsense is using the BSD 2-Clause "Simplified" license. The "permissive", non-copyleft one, same as FreeBSD uses, not pfSense's Apache 2.0.
I just heard of OPNsense today. Also, there is a thing about pfSense hoarding OPNsense's domain ...
I say this not to brag (it would be a terrible brag, like playing up my Turbo C++ bona fides) but as context for a question:
What are people doing with these things?
When is it making sense for people to be deploying what appears for all the world to be the Kali Linux of Defensive Network Security? I'd be confused to hear about a client deploying Suricata at all --- but Suricata on a dedicated firewall box with a PHP interface? What problem is this solving?
Among the top 10 questions startups ask us when we talk to them about what we do is, "we got this self-assessment questionnaire from a big client and it asks what our IPS is, what IPS should we use?" And we laugh and say "these SAQs were written in the 1990s and lovingly handed down from generation to generation of network security engineers and nobody actually expects you to install an IPS because doing that in a 2018 production environment would be silly, just tell them you only expose ports 80 and 443". And that answer always works. How are people finding a different answer? I'm genuinely asking.
Are there other ways to solve this problem? Of course, most problems in tech have a large number of solutions, each with their own trade-offs. If I were to set my network up again, I would probably go with an EdgeRouter Pro or similar - but since I already had a low power server I could repurpose as the router, it was $0 vs $400.
I started using pfSense on old hardware to get rid of Verizon's router, however I plan to replace it with a brand new box that will likely be $250-500.
I have gigabit FiOS coming into the ONT outside, and from there I get an Ethernet port that comes straight to the pfSense box. No Verizon router present at all.
Besides pfSense, what other open source options do I have to run a firewall that can handle gigabit ethernet with VPN? DD-WRT? Tomato?
Sure, I can set up a Debian box with iptables in my sleep, but pfSense is much nicer.
PFSense really is targeted at the prosumer market. If you're happy to haul a screen out on every upgrade or minor hardware change, PFSense is fine. Otherwise, going OpenWrt is a solid choice as you can actually debug it remotely.
What I found was a mess of PHP and poor quality plugins. The init scripts were written in PHP, and the plugins modified the init scripts. So plugins could, and did, break the init process, preventing the firewall rules from loading.
I don't think people are using pfSense in production environments, I see this class of solution being used by IT at small companies. Think about big corporate networks, where you might have a device from Palo Alto Networks, or a Cisco ASA for a remote access VPN. Then imagine you are at a 20 person company, a decade ago before SaaS really took off, and you think you need a VPN, but can't afford something from a big company, and don't want to glue together a bunch of open source tools. I think that is when people reach for pfSense.
I don't think it makes much sense these days. Small companies can use much dumber (and better) gateway devices. With SaaS and things like Google IAP and Cloudflare Access there is little need for VPNs. As for IPS, I have trouble imagining IPS being needed or even working at a small company. Big companies can have sophisticated detection systems and teams to deal with them. Hopefully big companies were never using pfSense.
Really, really, not my experience and I've been using it for ~7 years.
>I don't think people are using pfSense in production environments
I was running 1% of all internet traffic through dual pair of pfSense firewalls running on some HP 2U servers during Christmas 2011.. (interface was slow as shit with that load though to be honest).
I wouldn't discount its power. Mostly when you buy something like a Juniper SRX it's similar underneath. It's not like there are common ASICs for firewalls.
It's come a long way since you did.
People are using pfSense in production too.
(though I have my quibbles with NetGate, who owns pfSense).
The same as every other feature bullet - checking off a box so the product doesn't get "out-checked". Only this time it involves tinkerers, who might set the thing up because it sounds cool, before really asking why. Presumably the package was already in some repo, and it tickled someone's fancy to do the little bit of integration work. But that doesn't mean these types of packages are driving the adoption of pfSense. That said, I don't really need MRTG graphs but if I can get them by clicking a few boxes, I just might.
As other people have said, the main driver is (NAT) routers. Soon in need of a faster router, I'm personally considering trying out the pfSense route rather than straightforward (for me) Debian+iptables. Both for a bit of kernel diversity, and sometimes it's nice to just click away.
> Especially since I'd have to park it behind my ISP's prem box, which is the thing that is actually going to get owned up on my home network.
Your ISP's equipment is not part of your home network - you're better off viewing its ethernet port as the service demarc. In fact, given the straightforward business interest in say enumerating the devices on your home network, I'd characterize it as a persistent attacker. Protocol wise, there's little drawback to just lumping it with the ISP's overtly-hostile DPI gear. About the only trust I'm willing to grant that thing is that it's unable to draw untoward amounts of power say mining crypto coins, and if it's already fed by fibre that it won't create its own electrical surges.
If you go walk the floor of a commercial data center, you will see tons of sonicwall, Ubiquiti, etc. Basically these are an open source version of those.
Now a subset of these projects might have some serious implementation smells, but I wouldn't really pass judgement on the users of any of those things. Just about any business can benefit from technology, not everything is well suited for services/hosted approaches, and there is clearly a need for simplified IT equipment.
This server cost me about $100 since I salvaged most parts from a broken server I bought off some company back in '08, it's been running really solid and I tried to replace it with high-end prosumer routers a few times when I was upgrading my Wi-Fi but they never kept up, I'm now using a UniFi AC PRO for Wi-Fi since my last TP-Link router/AP broke.
Price does not matter. Botnets are created on consumer grade routers, of any price range. Asus, Netgear and the like. None of them are x86 based, and most run outdated busybox linux on low power SoC chips.
> Unix server as a router is more likely to go wrong
That is exactly why you install pfSense/OPNsense.
I looked pretty seriously at using it when I was considering building a outgoing firewall product, when people could share blocklists for IoT devices and things like SmartTVs.
It's pretty well suited for building things like that on top of.
Maybe people are building things like site blockers for schools on top of it?
Maybe it's just a hobbyist/prosumer play?
I'm shocked this is a common statement on this.
Because it's great. It's a fast firewall and router. It's perfect for not overpaying for something like a Cisco ASA.
If you are running an SME office, then there are plenty of decent firewall appliances which are much cheaper than a Cisco ASA, and have much lower support overhead than Sense.
If people are doing it for fun or as a hobby, great. But given that you can get perfectly good appliances at $500/$1000/$2000 price points, where is the price tradeoff where it makes sense to use Sense?
Also, when or where would you recommend installing an IPS product? As part of a corporate firewall?
The reason this stuff is useless is because I have never met someone with sufficient experience to act on it for any context, because people think the tools magically bring educated talented people.
With Suricata, or with pfSense?
Suricata is used when you want to block internal clients that do something suspicious (like join a botnet), or to notice something unwanted (like using a banned application, such as dropbox).
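As an added example of the two use cases that comment describes (not code from any commenter, from Suricata, pfSense or OPNsense), the script below reads Suricata EVE JSON alert events (a constructed sample is embedded), keeps only alerts sourced from internal clients, and sorts them into "quarantine this client" and "just notify" by alert category. The category strings follow Suricata's classification.config naming; the signature texts, addresses, the block/notify policy and the `quarantine` pf table name are assumptions made for this example.

```python
import ipaddress
import json

# Constructed records in the shape of Suricata's eve.json alert events
# (event_type, src_ip, dest_ip, alert.signature/category/severity). The
# signature texts and addresses are made up; the category names follow
# Suricata's classification.config.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.23","dest_ip":"203.0.113.9","dest_port":443,"alert":{"signature":"CONSTRUCTED Possible botnet C2 beacon","category":"A Network Trojan was detected","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.23","dest_ip":"203.0.113.9","dest_port":443,"alert":{"signature":"CONSTRUCTED Possible botnet C2 beacon","category":"A Network Trojan was detected","severity":1}}
{"event_type":"alert","src_ip":"10.0.0.42","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature":"CONSTRUCTED Dropbox client sync","category":"Potential Corporate Privacy Violation","severity":3}}
{"event_type":"flow","src_ip":"10.0.0.42","dest_ip":"198.51.100.7"}
{"event_type":"alert","src_ip":"203.0.113.50","dest_ip":"10.0.0.5","dest_port":22,"alert":{"signature":"CONSTRUCTED SSH brute force","category":"Attempted Administrator Privilege Gain","severity":2}}
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy chosen for this example: trojan/C2 categories quarantine the client,
# policy-violation categories (banned applications) only raise a notification.
BLOCK_CATEGORIES = {"A Network Trojan was detected"}
NOTIFY_CATEGORIES = {"Potential Corporate Privacy Violation"}
QUARANTINE_TABLE = "quarantine"   # assumed pf table referenced by a block rule in pf.conf


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(eve_text):
    """Group alert events by internal source client and decide block vs notify."""
    block, notify = {}, {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":      # flow/dns/http events are not alerts
            continue
        src = rec["src_ip"]
        if not is_internal(src):
            # Alerts sourced from the outside are the WAN filter's concern;
            # this pass only quarantines misbehaving LAN clients.
            continue
        alert = rec["alert"]
        if alert["category"] in BLOCK_CATEGORIES:
            block.setdefault(src, set()).add(alert["signature"])
        elif alert["category"] in NOTIFY_CATEGORIES:
            notify.setdefault(src, set()).add(alert["signature"])
    return {"block": {ip: sorted(s) for ip, s in block.items()},
            "notify": {ip: sorted(s) for ip, s in notify.items()}}


def pfctl_commands(decision):
    """pfctl invocations that would add each quarantined client to the pf table."""
    return [f"pfctl -t {QUARANTINE_TABLE} -T add {ip}" for ip in sorted(decision["block"])]


if __name__ == "__main__":
    decision = triage(SAMPLE_EVE)
    for ip, sigs in decision["notify"].items():
        print(f"notify {ip}: {', '.join(sigs)}")
    for cmd in pfctl_commands(decision):
        print(cmd)
```

On the sample, the client beaconing to a suspected C2 host is the only quarantine candidate, the Dropbox client only produces a notification, and the inbound SSH brute-force alert from a public address is left to the WAN-side rules. Keying the decision on category rather than on individual signature names is what keeps the policy stable across rule-set updates.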
Ease of use without overpaying for the same feature set. I'm surprised you think there isn't a problem it's solving, to be honest.
home routers ?
PfSense is also popular as a firewall appliance in cloud deployments. Demand for running pfSense was one of the drivers for Microsoft to add FreeBSD support to Azure.
Some time ago I looked at this sort of thing (simple management + status GUI for a router), and pfSense & friends are just huge, bloated pieces of mess that I really don't want on critical infra. Securityrouter OTOH came across as one of the very few frontends actually designed for security (see their docs). (Also it doesn't include the full B/S suite)
In the end I didn't choose any GUI and just put a Debian on a box. I don't really know any of the BSDs and it certainly wasn't worth more of my time to fool around with a small piece of infra that's going to be ignored >99.99 % of the time.
AFAIK it is not.
What does "detecting a windows server attack from 2013" have to do with ANYTHING? The primary purpose of the OPNSense and PFSense projects is to be a better home router replacement. Now PFSense has "moved up" if you will into the SMB space, and has further ambitions in the routing space, but the basics still come down to that goal.
Suricata and Snort aren't even installed by default, much less required. So why do you keep harping on that functionality? It's irrelevant. These are ROUTERS that can be extended to do IPS if you so choose, but it is in no way required.
OPNSense describes itself as a firewall. A firewall is generally something you deploy along with a router. Does the term "firewall" just mean something else among the community of people repurposing old Dell towers to build complicated home networks?
Some vendors have moved towards calling their SPI functionality the "firewall" portion, but that debate is about a decade too late.
I'm not sure you need to do the netgate device unless you want support, you can use literally any x86-64 box you have lying around. Another good option if you're looking for an "all encompassing" solution would be ubiquiti. If you went that route you'd likely want to dump the airport extreme though and just go all-in on ubiquiti.
> A firewall is generally something you deploy along with a router. Does the term "firewall" just mean something else among the community of people repurposing old Dell towers to build complicated home networks?
That's an unfair characterization IMHO. In the commercial market, there are tons of "firewall appliances" that are used as router/firewall combinations: Sophos UTM, Watchguard boxes, Fortigate, ...
pfSense and OPNsense play in roughly the same space: a box you plug your WAN interface into that will do (primarily static) routing, firewalling with multiple zones, and act as a VPN server. And typically have some amount of security checkboxes a la IDS, WAF, ..., although the commercial ones with the opportunity to sell subscriptions emphasize this more.
Also, the word ROUTER doesn't even appear on the linked page.
I was banned from their forum for saying I wouldn't pay for Gold if they were going to sunset a range of CPUs when their explanation of why was less than clear. I then apologized for offending them, and they said it's a life ban so too bad.
Just read their forum or the reddit. Look for Ivor comments specifically.
One of the things that OPNSense has over pfSense is the ease-of-use factor. This firewall/router will be used in a school, by non-technical people, it needs to be pretty and easy to make simple changes to. Things like blacklisting/whitelisting a site, and adding a static IP for a printer, are activities that are commonly done by a teacher or administrator. If it's hard to do then I get a call and that's no good for me. :)
- Sophos phones home too much, is not open source.
OPNsense in comparison to pfSense:
- using better BSD, with ASLR (the only check I did so far)
- licensed under BSD 2-Clause, vs Apache 2.0
- nicer GUI :)
- not running PHP as a root user
Looks like OPNsense is true hacker's stuff, check this out for DNS over TLS:
- people who start with their credentials, 'I'm experienced ..' - make the least sense.
- people who use the word 'FUD' are actually trying to shut down a topic that is sensitive for them.