Messages

Thanks azdps, that helps put the nail in the coffin.

Hey Franco, I'm sorry you had to go through that. I just spent the last two hours going through all the tweets by the troll known as "htilonom". Reading his Twitter history, it looks like he has a long history of trolling others as well. I wish I could have simply said "ignore him, don't feed the trolls", but Jim Thompson joined in the absolutely disrespectful and unprofessional bashing. I'm much more disappointed by Jim's behaviour than a random troll on the Internet. IMHO, leaders in the open source community should be an example to look up to, not only in computer coding, but especially in human interactions. I have hope that he will stop this line of bashing, and apologize for his disrespectful behaviour.

Regarding Wikipedia, I went through all of the back-and-forth edit wars. We have to commit an effort to get the Wikipedia pages and references back up by working with the Wikipedia editors, starting with https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions . We should also mention OPNsense as a fork of pfSense on https://en.wikipedia.org/wiki/PfSense . I don't think we need to mention OPNsense on the m0n0wall page, since OPNsense has much more in common with pfSense.

Regarding the supposed copyright infringement

https://github.com/opnsense/core/commit/ed6c71d6a31b64a220d4bf89ba9bd83478011073

You clearly left the authors name, email, and copyright year intact.

Removing "part of pfSense by Scott Ullrich" and "originally based on m0n0wall (http://neon1.net/m0n0wall)" is OK because you still explicitly give copyright credit to Scott Ullrich and Manuel Kasper. You also left out any mention of OPNsense, so representation is more uniform.

More generally, no one should be angry that OPNsense forked pfSense. That's how open source works. In particular, the BSD community is a big proponent of using BSD-licensed software for any purpose, whether commercial or personal, competitive or benign. We work together - not against each other. Some people like to pin two software projects against each other, as though they were enemies - FreeBSD vs. Linux, Microsoft vs. Apple, MySQL vs. MariaDB, etc, etc. When you talk to the FreeBSD Foundation, Bill Gates, and Steve Jobs, they will be the first to tell you that we actively share new ideas with each other, including code whenever possible.

By cooperatively working together, OPNsense and pfSense can dramatically improve the quality of firewall software for everyone, and raise the bar for FreeBSD-based firewall solutions.

I hear you. In cases like this, it's good to conduct a poll of the user base, or analyze automated usage reports that can tell us how many OPNsense users run i386 vs amd64.

If a very low number of people still use i386, I'd recommend to stop supporting it. That way you can save developer time and energy, as you mentioned. However, it seems that the team has already pledged to support i386 for at least a few more years. I'm not sure exactly why.

@Franco Is there a thread where this was discussed?

Yeah, I have no problem with people wanting to run weird and exotic hardware, I just refer them to NetBSD :P

For most cases, like Franco mentioned, newer hardware should be encouraged instead of i386.

@weust  Yes, it's like a "sin tax". The more expensive it becomes to use i386, the more incentive people have to stop using it.

Awesome, thanks Franco!

Awesome :) I'm also in favour of PIE on i386.

I see this as an incentive to motivate people to use more modern hardware that's likely much more energy efficient.

Don't start a flame war  ;D


After reading the interesting pfSense roadmap by Jim Thompson, I was surprised by two things.


First and foremost, LibreSSL will probably never be accepted into pfSense:


"Finally, since I mentioned OpenSSL, let me say this:  Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:


1) OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there.  I've known Rich since 1985, and I trust his leadership of the OpenSSL project.


2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding.  There will be more test path coverage and more performance work in OpenSSL than any other implementation.


3) I don't like the attitude of the people behind the LibreSSL project.  Talking smack about the project you forked from is bad form. I'll say no more than to quote Frank Zappa on the subject."


The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having fewer vulnerabilities since it's release.


Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."


....This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.


Considering that PHP is much more widely used than Python, using less popular language becomes a barrier to entry for developers. Hence, making such decisions shouldn't be done so carelessly.


OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.

Wow, that's awesome! You guys are fast. Thanks for the quick turn around, and please send my thanks to Ad.

Sounds good Franco :) Is there a OPNsense bug tracker/redmine where I can add this, so we can target this fix for a specific future release?

Thanks, they were 400x468.

Now you've got me curious about how this will work.

Sorry, I wish I knew more so I could help  ;D

Hey Shawn! Thanks for working on this despite your busy schedule, we appreciate it.

Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.

Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?

If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?

When I try to fetch updates under System > Firmware > Updates, I get "Repository problem".

I get the same error when checking for updates under Lobby > Dashboard > Updates.

I've made sure the server has access to the Internet by running `ping google.com` from the command line.

I'm using OPNsense 16.7.b_113-amd64, FreeBSD 11.0-CURRENT-HBSD.

The logs show:

configd.py: [2463ae76-bb96-46ce-9205-555cf47c921f] Script action stderr returned "pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/meta.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/packagesite.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:"

which makes sense, because http://pkgs.hardenedbsd.org doesn't exist, but this address does:

http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/meta.txz
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/packagesite.txz

Editing /usr/local/etc/pkg/repos/origin.conf and setting the url to:

pkg+http://pkg.hardenedbsd.org/HardenedBSD/pkg${ABI}

seems to have worked, but after running an upgrade, which upgraded `pkg` itself, no installed or available packages show up. Running `pkg` on the command line produces no output. I suspect this copy of pkg isn't compatible with HardenedBSD.