Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's wild that you need a firewall just to stop OS features from phoning home every file you preview on your computer.


Just replaced my router with OPNsense and starting to get some sense for all the egress traffic.


Simple instructions how to do this?


You already got some good answers. For me, the most inconvenient part of the transition was that I had to replace one device (a FritzBox 7590) with four devices: DrayTek DSL Modem, Protectli Hardware Firewall [1] with OPNsense, a 5-Port Netgear Switch, and a BrosTrend Wifi Plug (altogether, 21 Watts instead of only 10).

Regarding the Hardware Part: Instead of the Protectli, I would recommend looking into the Pc engines APU4d4 (or similar) [2], I had very good experiences with the predecessors of this board.

The OPNsense configuration is really not that difficult, it is possible to start slowly with the defaults and extend. I already had experiences from running pfSense for 5 years on another site.

[1]: protectli.com

[2]: e.g. dynfi.com/en/appliances/dynfi-apu4d4/


I recommend browsing the install guide here to get an idea of how opnsense works: https://docs.opnsense.org/manual/hardware.html

You'll need to make a few choices and gather some details before you can start. First of all, hardware:

Simplest, but most expensive: buy an opnsense device that comes preloaded with the right software

Cheaper, but still not too hard: buy one of those aliexpress routers that are supported by opnsense

Harder, less efficient, and requires the right hardware: find an old computer that's supported enough by FreeBSD, chuck in a few ethernet cards supported by FreeBSD, and install opnsense.

Installing opnsense and setting it up as a basic ethernet to ethernet router is relatively straightforward. You can run it from a flash drive if you want, but a small SSD won't wear out as far if you enable logs and such (16GiB will be far more than enough for an install without additional packages!).

If you're planning on replacing your ISP router, you'll need to find the documentation your ISP or random forum users provide for connecting. If you have a separate modem you may need to find PPPoE credentials somewhere, or you may just be able to use basic DHCP to get it to work.

If you don't have a separate modem, your best bet is to put your router+modem into bridge mode; that will often be enough to get the basics up and running. If your ISP doesn't provide such a mode, you may use addin cards to get the right connector into your system (RJ11/fiber/whatever) but you'll need to find devices with FreeBSD support so I would use this as a last resort.

Also of note: many opnsense solutions don't include great WiFi. You can likely reuse the ISP modem as a wireless access point, but if you can't, consider investing in a separate access point to keep your WiFi coverage.

The kind of hardware you need will depend on your wishes. If you just want a router with some customisable routes and if you don't have fiber Internet, chances are a cheap aliexpress box will be more than enough to get you going. If your Internet connection is faster than 100 or 200mbps, you should check the ratings (and be sceptical of the price). If you also intend to go full deep packet inspection/security monitoring/etc, you will likely need desktop class hardware with plenty of RAM, CPU horsepower and storage. If you're really going high-end, a server chassis may also work.

For simple routing, small router boxes are often way more energy efficient than full desktop power supplies because of hardware accelerated routing supported on some chipsets. I personally run a full desktop as a router(+server etc) and it works quite well, but it eats at least 10 times the energy a small router should need.

Lastly, if you're planning on running a home lab already, you may be able to virtualise opnsense if you add (a) dedicated network card(s) forwarded to the VM. Setup sill be a bit trickier, but it can save on costs if you're planning on buying them together.


This is so helpful thank you. I'm assuming opnsense competes with OpenWRT? What are the pros and cons?


I believe OpenWRT is intended as alternative firmware for your average off-the-shelf router, whereas pfSense/OPNSense are more intended as enterprise firewalls/network appliances. Take a look at the official OPNsense store (https://shop.opnsense.com/) to get an idea about the types of devices and customers this tool is oriented at.

Most OPNSense hardware is likely to be more powerful than your average OpenWRT router. OpenWRT can use a variety of interfaces and has many packages you can install, but the UI is less well-integrated with tools like intrusion detection and network traffic analysis. OpenWRT is supposed to be flashed to devices with 16MB (or less) of storage whereas OPNsense can take advantage of much larger install disks.

On a technical level: OpenWRT is Linux-based, OPNSense is FreeBSD-based. This has an impact on hardware and software support, though I've rarely seen people running into software limitations with OPNSense.

In terms of pros and cons:

- Personally, I much prefer the OPNsense GUI over the OpenWRT one.

- OPNsense comes with way more software out of the box; whether you need all that is an entirely different question, though.

- OpenWRT often runs on routers you may already own

- OpenWRT is generally easier to set up and use. It's comparable to an advanced stock router UI.

- Because OpenWRT is built around WiFi-routers rather than security appliances, OpenWRT is much better for managing things like WiFi

- OpenWRT is Linux-based so it potentially has much better WireGuard support. OPNsense can also host a WireGuard server, but the WireGuard protocol was originally developed around the Linux kernel implementation. OpenVPN and IPsec+L2TP are supported in both.

- OPNsense has some very useful traffic shaping tools in the GUI for things like limiting the throughput of a guest network, though that will take some know-how to set up.

- OPNsense provides enterprise features in the web GUI like failovers and multi-WAN that require editing config files over SSH and installing packages on OpenWRT.

- OpenWRT does some quality-of-life tricks for you. For example, port forwarding is a lot easier on OpenWRT than it is on OPNsense as the necessary firewall rules are all generated for you, whereas in OPNsense you may need to add separate firewall and NAT rules depending on your setup. The learning curve for OPNsense is much steeper, however it allows more flexibility in its web UI than OpenWRT (you can pretty much get the same features through SSH on either platform, though)

- If you intend to run this stuff for a business, OPNsense has business support available whereas OpenWRT runs most off of community support. You can pay external parties to help you with OpenWRT of course, but there is no direct support contract available as far as I'm aware.

If you want to add more features to your already-owned router, I would recommend OpenWRT. If you want to drill down and experiment with networking, I would recommend OPNsense.

You can see the difference for yourself if you set up a couple of VMs. For example, set up two small Linux/Windows VMs and a router VM, attach the router VM to both your own network as well as a virtual network, and then attach the two Linux VMs to that virtual network as well. You've then basically virtualised your network and can experiment with settings, firewall rules, port forwards, whatever you need. Both OpenWRT and OPNsense can be run as virtual machines (https://www.sunnyvalley.io/docs/network-security-tutorials/h..., https://openwrt.org/docs/guide-user/virtualization/virtualbo...).

You won't be able to test support for directly hooking up to your ISP through a VM, so that part is still a bit more difficult, but if you want to see how easy/hard it is to manage your network through these, I recommend setting

As a side note, OPNsense is a fork of Pfsense, another popular network appliance distribution. This has led to some beef between the Pf/OPNsense communities, as both Pfsense and OPNsense make money selling dedicated hardware and their user base was divided after the split. Personally, I see it more as a choice of preferred GUI as most features can be found in both. Pfsense has a longer history and therefore more old support threads if you need to troubleshoot something, though I find their interface a bit clunky in comparison. Not all modules/packages are available for both platforms so take that into account if you're looking for specific features.


Or just turn off "Siri Suggestions" in System Settings as stated in the article.


I'd probably stick with the firewall just to be safe, thorough, and future-proofed...


Using a firewall to protect your privacy from the company that designed the hardware and wrote the software for your computer is kind of like putting on a raincoat before going swimming.


I believe the firewall is not supposed to be protection against Apple doing an attack on you, but against them collecting data because you forgot to change some setting to opt out somewhere.


You actually have to opt in to this, but most people do because they don't care or understand what it is they are doing. In some cases, data shared features have to be re-opted-in during major OS upgrades (maybe because the processes that process the data are divided differently or using different API endpoints.. who knows).


If you don't trust Apple with your data, a firewall will not protect you. They can collect data at any time and have many options for extracting it from your computer. A firewall will only really help with "above the table" behavior.


That's what I said.


Why do they deserve any trust when they're phoning home?


Why do you have any less trust for what they're doing with your data on their servers versus what they can already do with it on yours? If you don't trust them to have access to your data, you should not use their hardware and you should not use their software.


The person you are replying to is saying that at some level you have to trust someone and “open source” is not the answer.

There have been plenty of latent bugs in Linux that took years to discover that could have led to information extraction


No, that's not what I'm saying. I think it's conceivable that with a great deal of effort you could build an open source system that is highly trustworthy. What I'm saying is that the gradient between "highly trustworthy" and "untrustworthy" is extremely steep.

To use another analogy, someone using a firewall to keep a MacBook from phoning home is like a person who invests in a really high-quality lock on their jewelry box to keep their housecleaner from stealing from them.


How much “effort” do you think it would take to build a system that is completely open source down to the firmware?


"Every platform has RVEs eventually" is a pretty lazy answer.

The answer is to stop normalizing telemetry and data exfiltration even if it's 'the good guys' doing it. It's not your "cloud" therefore it's not your data.


So if you are not going to trust anyone are you going to stop using computers?


No. Just don't use "cloud" "services" like this or LassPass.


You’d need a network level firewall for that - the OS can circumvent any firewall you run on your computer. That would imply that you’re unprotected once you leave your home network. The firewall would also need to inspect all network traffic, including TLS secured connections.


Apple allows itself to bypass the OS firewall so you will need something at the network level.


.. on every single network you connect your computer to.

Maybe there is such a thing as a portable battery powered wireless travel router with proper firewall rules, that can also do VPN etc. Must admit that's something I never looked into.


Well... macOS is hardly the worst IoT offender. Roku is unbelievable. ;) Many good reasons to set up a Pi-Hole...


What if an auto update adds something similar new, and defaulted on like this one was?


As if apple would have their services obey firewall restrictions.



Right. Because preventing the computer from talking to Apple where it finds out if there are updates or new malware definitions in addition to the documented thing it’s doing is a much better option than turning off the option in settings.


Yes, firewalls often prevent this from happening, waiting to read about some new setting on HN does not. Firewalls also aren’t going to block legitimate traffic unless they’re badly configured.


You have to think about the problem in context: if abuse were happening, which to be clear is not true, you couldn’t trust a computer made by the company running the program you disagree with. They control the software stack and network endpoints, so they could exempt their own services from the local firewall and avoid a network firewall by using something like their network update service to receive queries.


Right. They make the hardware (including CPU), the OS (and firmware), and there is a decent chance they make the app you’re using like Preview.

Apple is the keys to the kingdom. They have full access to your decrypted data because they encrypt/decrypt it for you.

If you don’t trust them to not go behind your back this is the least of your concerns.


I’d also add that this is an area where we’re predisposed to think of technical solutions but it seems more appropriate for a regulatory one: trusting Apple is not a bad idea for a lot of people (just a single party for many things) but a robust public audit would make that easier. Unfortunately if your threat model includes the U.S. government you’re basically hoping that the EU is willing to apply pressure.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: