1
General Discussion / Re: Reasons why I'm choosing OPNsense over pfSense
« on: June 12, 2016, 05:17:48 am »
Thanks azdps, that helps put the nail in the coffin.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
2
General Discussion / Re: Reasons why I'm choosing OPNsense over pfSense
« on: June 11, 2016, 12:07:02 pm »
Hey Franco, I'm sorry you had to go through that. I just spent the last two hours going through all the tweets by the troll known as "htilonom". Reading his Twitter history, it looks like he has a long history of trolling others as well. I wish I could have simply said "ignore him, don't feed the trolls", but Jim Thompson joined in the absolutely disrespectful and unprofessional bashing. I'm much more disappointed by Jim's behaviour than a random troll on the Internet. IMHO, leaders in the open source community should be an example to look up to, not only in computer coding, but especially in human interactions. I have hope that he will stop this line of bashing, and apologize for his disrespectful behaviour.
Regarding Wikipedia, I went through all of the back-and-forth edit wars. We have to commit an effort to get the Wikipedia pages and references back up by working with the Wikipedia editors, starting with https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions . We should also mention OPNsense as a fork of pfSense on https://en.wikipedia.org/wiki/PfSense . I don't think we need to mention OPNsense on the m0n0wall page, since OPNsense has much more in common with pfSense.
Regarding the supposed copyright infringement
https://github.com/opnsense/core/commit/ed6c71d6a31b64a220d4bf89ba9bd83478011073
You clearly left the authors name, email, and copyright year intact.
Removing "part of pfSense by Scott Ullrich" and "originally based on m0n0wall (http://neon1.net/m0n0wall)" is OK because you still explicitly give copyright credit to Scott Ullrich and Manuel Kasper. You also left out any mention of OPNsense, so representation is more uniform.
More generally, no one should be angry that OPNsense forked pfSense. That's how open source works. In particular, the BSD community is a big proponent of using BSD-licensed software for any purpose, whether commercial or personal, competitive or benign. We work together - not against each other. Some people like to pin two software projects against each other, as though they were enemies - FreeBSD vs. Linux, Microsoft vs. Apple, MySQL vs. MariaDB, etc, etc. When you talk to the FreeBSD Foundation, Bill Gates, and Steve Jobs, they will be the first to tell you that we actively share new ideas with each other, including code whenever possible.
By cooperatively working together, OPNsense and pfSense can dramatically improve the quality of firewall software for everyone, and raise the bar for FreeBSD-based firewall solutions.
Regarding Wikipedia, I went through all of the back-and-forth edit wars. We have to commit an effort to get the Wikipedia pages and references back up by working with the Wikipedia editors, starting with https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions . We should also mention OPNsense as a fork of pfSense on https://en.wikipedia.org/wiki/PfSense . I don't think we need to mention OPNsense on the m0n0wall page, since OPNsense has much more in common with pfSense.
Regarding the supposed copyright infringement
https://github.com/opnsense/core/commit/ed6c71d6a31b64a220d4bf89ba9bd83478011073
You clearly left the authors name, email, and copyright year intact.
Removing "part of pfSense by Scott Ullrich" and "originally based on m0n0wall (http://neon1.net/m0n0wall)" is OK because you still explicitly give copyright credit to Scott Ullrich and Manuel Kasper. You also left out any mention of OPNsense, so representation is more uniform.
More generally, no one should be angry that OPNsense forked pfSense. That's how open source works. In particular, the BSD community is a big proponent of using BSD-licensed software for any purpose, whether commercial or personal, competitive or benign. We work together - not against each other. Some people like to pin two software projects against each other, as though they were enemies - FreeBSD vs. Linux, Microsoft vs. Apple, MySQL vs. MariaDB, etc, etc. When you talk to the FreeBSD Foundation, Bill Gates, and Steve Jobs, they will be the first to tell you that we actively share new ideas with each other, including code whenever possible.
By cooperatively working together, OPNsense and pfSense can dramatically improve the quality of firewall software for everyone, and raise the bar for FreeBSD-based firewall solutions.
3
General Discussion / Re: ASLR, PIE and the future of i386
« on: June 06, 2016, 01:07:44 pm »
I hear you. In cases like this, it's good to conduct a poll of the user base, or analyze automated usage reports that can tell us how many OPNsense users run i386 vs amd64.
If a very low number of people still use i386, I'd recommend to stop supporting it. That way you can save developer time and energy, as you mentioned. However, it seems that the team has already pledged to support i386 for at least a few more years. I'm not sure exactly why.
@Franco Is there a thread where this was discussed?
If a very low number of people still use i386, I'd recommend to stop supporting it. That way you can save developer time and energy, as you mentioned. However, it seems that the team has already pledged to support i386 for at least a few more years. I'm not sure exactly why.
@Franco Is there a thread where this was discussed?
4
General Discussion / Re: ASLR, PIE and the future of i386
« on: June 06, 2016, 12:56:03 pm »
Yeah, I have no problem with people wanting to run weird and exotic hardware, I just refer them to NetBSD 
For most cases, like Franco mentioned, newer hardware should be encouraged instead of i386.
For most cases, like Franco mentioned, newer hardware should be encouraged instead of i386.
5
General Discussion / Re: ASLR, PIE and the future of i386
« on: June 06, 2016, 12:39:38 pm »
@weust Yes, it's like a "sin tax". The more expensive it becomes to use i386, the more incentive people have to stop using it.
6
General Discussion / Re: Reasons why I'm choosing OPNsense over pfSense
« on: June 06, 2016, 12:36:03 pm »
Awesome, thanks Franco!
7
General Discussion / Re: ASLR, PIE and the future of i386
« on: June 04, 2016, 04:39:42 pm »
Awesome 
I'm also in favour of PIE on i386.
I see this as an incentive to motivate people to use more modern hardware that's likely much more energy efficient.
I'm also in favour of PIE on i386.I see this as an incentive to motivate people to use more modern hardware that's likely much more energy efficient.
8
General Discussion / Reasons why I'm choosing OPNsense over pfSense
« on: June 02, 2016, 04:30:09 am »
Don't start a flame war 
After reading the interesting pfSense roadmap by Jim Thompson, I was surprised by two things.
First and foremost, LibreSSL will probably never be accepted into pfSense:
"Finally, since I mentioned OpenSSL, let me say this: Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:
1) OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there. I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.
2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding. There will be more test path coverage and more performance work in OpenSSL than any other implementation.
3) I don’t like the attitude of the people behind the LibreSSL project. Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject."
The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having fewer vulnerabilities since it's release.
Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."
....This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.
Considering that PHP is much more widely used than Python, using less popular language becomes a barrier to entry for developers. Hence, making such decisions shouldn't be done so carelessly.
OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.
After reading the interesting pfSense roadmap by Jim Thompson, I was surprised by two things.
First and foremost, LibreSSL will probably never be accepted into pfSense:
"Finally, since I mentioned OpenSSL, let me say this: Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:
1) OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there. I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.
2) Intel is focused on OpenSSL, as is the Linux Foundation, and their funding. There will be more test path coverage and more performance work in OpenSSL than any other implementation.
3) I don’t like the attitude of the people behind the LibreSSL project. Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject."
The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having fewer vulnerabilities since it's release.
Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."
....This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.
Considering that PHP is much more widely used than Python, using less popular language becomes a barrier to entry for developers. Hence, making such decisions shouldn't be done so carelessly.
OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.
9
General Discussion / Re: Not mobile friendly
« on: May 20, 2016, 07:08:56 pm »
Wow, that's awesome! You guys are fast. Thanks for the quick turn around, and please send my thanks to Ad.
10
General Discussion / Re: Not mobile friendly
« on: May 20, 2016, 06:41:49 pm »
Sounds good Franco Is there a OPNsense bug tracker/redmine where I can add this, so we can target this fix for a specific future release?
Is there a OPNsense bug tracker/redmine where I can add this, so we can target this fix for a specific future release?
11
General Discussion / Re: Not mobile friendly
« on: May 18, 2016, 08:00:07 pm »
Thanks, they were 400x468.
12
General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"
« on: May 14, 2016, 03:26:18 am »Quote
Now you've got me curious about how this will work.
Sorry, I wish I knew more so I could help
13
General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"
« on: May 12, 2016, 02:33:46 am »
Hey Shawn! Thanks for working on this despite your busy schedule, we appreciate it.
Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.
Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?
Having all the goodies of HardenedBSD baked right into OPNsense seems like the perfect match for building a very secure router. I'm glad features have already been backported to FreeBSD 10 and integrated into OPNsense.
Although I might not fully understand, I'm curious about the technical reasons why binary upgrades don't work?
14
General Discussion / Re: [SOLVED] Can't fetch updates: "Repository problem"
« on: May 10, 2016, 10:27:59 am »
If the HardenedBSD version of OPNsense can't be binary upgraded, then should anyone really be using it? Are there any plans to make binary upgrades work?
15
General Discussion / [SOLVED] Can't fetch updates: "Repository problem"
« on: May 09, 2016, 09:00:47 am »
When I try to fetch updates under System > Firmware > Updates, I get "Repository problem".
I get the same error when checking for updates under Lobby > Dashboard > Updates.
I've made sure the server has access to the Internet by running `ping google.com` from the command line.
I'm using OPNsense 16.7.b_113-amd64, FreeBSD 11.0-CURRENT-HBSD.
The logs show:
which makes sense, because http://pkgs.hardenedbsd.org doesn't exist, but this address does:
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/meta.txz
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/packagesite.txz
Editing /usr/local/etc/pkg/repos/origin.conf and setting the url to:
pkg+http://pkg.hardenedbsd.org/HardenedBSD/pkg${ABI}
seems to have worked, but after running an upgrade, which upgraded `pkg` itself, no installed or available packages show up. Running `pkg` on the command line produces no output. I suspect this copy of pkg isn't compatible with HardenedBSD.
I get the same error when checking for updates under Lobby > Dashboard > Updates.
I've made sure the server has access to the Internet by running `ping google.com` from the command line.
I'm using OPNsense 16.7.b_113-amd64, FreeBSD 11.0-CURRENT-HBSD.
The logs show:
Quote
configd.py: [2463ae76-bb96-46ce-9205-555cf47c921f] Script action stderr returned "pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/meta.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:11:amd64/16.1/libressl/packagesite.txz: Not Found pkg: http://pkgs.hardenedbsd.org/OPNSense/pkg/FreeBSD:"
which makes sense, because http://pkgs.hardenedbsd.org doesn't exist, but this address does:
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/meta.txz
http://pkg.hardenedbsd.org/HardenedBSD/pkg/FreeBSD:11:amd64/packagesite.txz
Editing /usr/local/etc/pkg/repos/origin.conf and setting the url to:
pkg+http://pkg.hardenedbsd.org/HardenedBSD/pkg${ABI}
seems to have worked, but after running an upgrade, which upgraded `pkg` itself, no installed or available packages show up. Running `pkg` on the command line produces no output. I suspect this copy of pkg isn't compatible with HardenedBSD.
Pages: [1] 2