OPNsense Forum

English Forums => General Discussion => Topic started by: temporaryuser on March 23, 2016, 10:54:22 am

Title: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: temporaryuser on March 23, 2016, 10:54:22 am
Hi AdSchellevis!

https://github.com/opnsense/core/issues/460

I read the discussion in the link that you provided (thank you!) and have a general question about OPNsense.

Prior to changing to pfSense, I was using Endian UTM (http://www.endian.com/). The "UTM" stands for "Unified Threat Management" and it means that Endian tries to include all sorts of threat fighting tools. They say of themselves: "The Endian UTM appliance provides total network security including web and email filtering, VPN, intrusion prevention, bandwidth management and much more."

Then, I changed to pfSense (for the reasons that I did not agree with Endian's understanding of "community" & "open source" (they turned it to "open core") and because I needed more than 4 network zones, which Endian does not support) and I had to learn that pfSense did not support many of those features, since their opinion was that most of those "threat management" tools have no place on a firewall but should be handled by dedicated servers AFTER the firewall, e.g. scanning email. So in other words: pfSense lacked some features that I got to love on Endian due to another strategic approach that pfSense had.

So, now I read the thread of the link that you provided and realized that you plan to a) integrate HTTPS proxy and b) are not planning yet - but seem not to be opposed at all - to integrate other features such as virus scanning of web traffic, email, FTP, etc.

So my question is: What is the strategic stance of OPNsense? Is your vision to turn OPNsense into such a "Unified Threat Management" box, as Endian does, or will you rather stick to the "lean" approach of pfSense and keep everything out of OPNsense that is not 100% firewall/gateway related?

Speaking for me, I would love seeing those advanced firewall/gateway related security features integrated into OPNsense, as Endian does, but I would not like to see any features to be integrated that go beyond this gateway-security scope and that turn the firewall into a general network server with all sorts of network services on it as e.g. Samba file server, FTP server, BitTorrent, etc., as some other projects do, e.g. Clear OS, etc.

Thank you for your time!

Cheers
temporaryuser
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: franco on March 23, 2016, 06:59:31 pm
Hi temporaryuser,

I'm going to answer instead. ;)

First and foremost, OPNsense was built as an open platform that largely aligns with FreeBSD in order to offer others the tools to build their own solutions on top. We try our best to get the actual OPNsense code out of the way to let users run extra services if they want to, provide the full build tools, synced FreeBSD ports and a first stash of binary packages beyond the mere need of the project itself.

This in turn translates to OPNsense code design as well that all of these services running underneath should be easily brought into a GUI, we have plugins that can already stretch through the ACL, menu, page rendering and config.xml storage. The firmware system is easily expanded, adapted or customised. We have PHP, Python and Perl installed in the base in order to not lock out developers / solutions architects. On top of this, we as much as everybody else build the actual GUI features.

Users will eventually decide which direction to go, if a feature is asked for multiple times it's likely a feature worth having and we try to integrate it in a way that it's maintainable and easy to use. Or if users contribute, it sets a milestone that cannot be easily anticipated. At the moment, the following direction can be said to apply:

The killer features for us are IPS/IDS (with API), proxy server (with API), VPN, Captive Portal (with API), and DNS. We improve these regularly and users always ask for more of those. One could argue that is the UTM scope, but it's really just these few on top of what FreeBSD offers or will eventually offer. There could be more plugins on the horizon for fringe features, but that largely depends on user contribution like we've talked about elsewhere.

None of these features have to make a "fat" UTM solution, they are all individual components or building blocks. IPS/IDS and proxy came into the build system because we did not have packages anymore. Now that there are plugins, we start factoring out legacy VPNs (PPTP, L2TP, PPPoE Servers) to lighten the base install again. I don't see why this can't be done for IPS or the proxy eventually too. And if it's kept in the default install out of user's desire, one could still one day be able to remove the plugin and all of its dependencies when lean isn't lean enough.

Underneath all of this, the desire is to provide a seamless deployment of core features with the maximum amount of freshness in the form of security updates, bug fixes, new gimmicks for existing features, system security (thanks to help from HardenedBSD), and more. If you look at what we've done in the past year this has been a consistent execution although a valid roadmap is not published for more than 6 months ahead of time.

We don't have all the answers, neither do we want to. We trust that our users of today and tomorrow have valid concerns and finesse in helping guide this project. We try to provide a simplified experience in the ever-growing complexity of modern day networking. What that means in 5 years time is a mystery to be solved when we get there together. :)


Cheers,
Franco
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: temporaryuser on March 25, 2016, 04:08:15 pm
Hi Franco,

Thank you very much for your detailed answer. I like very much what you wrote.

Maybe some day we can set up a poll for ideas for future enhancements of OPNsense so that the community can express and inspire each other?!

Cheers
temporaryuser
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: franco on March 25, 2016, 05:16:03 pm
Hi temporaryuser,

Ideas are picked up from any place where they pop up: the crash reporter, GitHub, the forum, emails, Twitter and IRC. Anywhere people find it convenient to start a discussion. :)

E.g. https://github.com/opnsense/core/issues/581 which needed a bit of time to be sorted into the right release iteration in the roadmap and will make.

The disabling of NTP was asked for a dozen times in IRC (to be fair, by our one and only weust) and that finally made it in a few weeks back.

It's hard to keep track of it all and it seems confusing, but it helps to be persistent and forthcoming.

Sorry for the tangent. There were some older threads but maybe it's better to start a new thread in the 16.7 series forum. Will you start one for us?


Cheers,
Franco
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: franco on March 25, 2016, 05:17:20 pm
BTW, Jos revised the brochure for OPNsense, maybe that is good to point out for this thread as well:

https://www.deciso.com/wp-content/uploads/2015/10/Deciso_About_OPNsense_v032016.pdf
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: temporaryuser on March 25, 2016, 07:11:24 pm
Hi Franco!

> There were some older threads but maybe it's better to start a new thread in the 16.7 series forum. Will you start one for us?

OK!

> Sorry for the tangent.

Could you tell me what that means? Could not look it up anywhere :-)

Cheers
temporaryuser
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: franco on March 25, 2016, 07:40:29 pm
Sorry, I like idioms... http://idioms.thefreedictionary.com/go+off+on+a+tangent
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: phoenix on March 25, 2016, 07:46:36 pm
> Sorry, I like idioms... http://idioms.thefreedictionary.com/go+off+on+a+tangent

They are what makes life interesting. :D
Title: Re: OPNsense's Strategy/Vision: Lean firewall vs feature rich Unified Threat Mngmt.?
Post by: temporaryuser on March 25, 2016, 08:03:03 pm
Hi Franco!

> There were some older threads but maybe it's better to start a new thread in the 16.7 series forum. Will you start one for us?

Done: https://forum.opnsense.org/index.php?topic=2573.0

Cheers
temporaryuser