Messages

16

General Discussion / Re: Migrating from pfSense

« on: January 29, 2021, 11:49:54 pm »

Sorry, but I am going to have to call you out on this one. Did you ever consider that since you were new to networking & firewalls (by your own admission), you might have made a mistake in the setup which caused your rules to be ineffective

I'm new but I'm not stupid, these rules were working fine earlier, but only after certain incidents they seemed to have stopped working.

You can see an image of the rules I made in my other thread, they weren't working with those rules on, even when removed and/or after rebooting with and without those rules. I was able to access green and blue from each other.

You have an IP Fire VM, why don't you create three interfaces, one red for wan, one green for lan/management and blue for lan, without creating any rules, see if you can access green from blue, and blue from green, if you can, create rules preventing traffic between green and blue and then try again.

In firewall rules, in source I selected standard network as green, and in destination I selected standard network as blue, I selected drop packets, placed this rule at position 1, applied it and rebooted, but I could still access blue from green. So what am I to understand? From my logic this ought to have blocked green's access to blue. When this didn't work, I modified the rule and selected interface as green, left the destination untouched, applied this and rebooted, and I still could access blue from green. Either they intentionally gave different meaning or they hacked the system.

Because earlier I wanted to isolate green from everything else and those rules worked.

17

General Discussion / Re: Blocking Mozilla networks is preventing Firefox from accessing other sites.

« on: January 29, 2021, 08:47:46 pm »

Hi,
Firefox checks websites you browse for malicious URLs. I assume the list is hosted within that CDN and Firefox therefore blocks the access.

So this is their politically correct reason for telemetry.

18

General Discussion / Re: Blocking Mozilla networks is preventing Firefox from accessing other sites.

« on: January 29, 2021, 08:46:38 pm »

Can you do a NSLookup and Ping on these Sites?

When I NSLookup for mozilla.org, it showed the same 3 IPs which are in the network I have blocked. Do I need to block the nameservers as well?

Other sites are not in those networks, I think the person who posted below probably has the correct reason.

19

General Discussion / Re: Migrating from pfSense

« on: January 29, 2021, 08:42:51 pm »

Does Sensei work offline or does it need to use a cloud service?

20

General Discussion / Re: Migrating from pfSense

« on: January 29, 2021, 11:25:31 am »

I'd be very careful to post such things. It's quite unfair for the distro and may distribute untruths.

Why should a community (mostly 2 core devs) putting hours of coding into it do this to someone like you and not everyone?

Vendetta for asking hard questions. Anyway that is my experience with it, apparently they block traffic between interfaces by default, so I disabled all rules, and I tried pinging green network from blue and I was getting response, vice versa, same. Then I created explicit rules blocking traffic from green to blue and blue to green, still getting responses.

2 developers are easy to corrupt than a team of them, they'll settle for less money. And I don't know how much they contribute, IP Fire really looks like reskinned version of IP Cop, most of the core is from Linux From Scratch, I guess they use the firewall portion from IP Cop and they have only used their HTML and JavaScript to create a different interface.

21

General Discussion / Re: Migrating from pfSense

« on: January 29, 2021, 03:40:02 am »

I'm new to networking and firewalls but I have some experience with IP Fire and I would advice you to stay away from it, they can hack your IP Fire installation and compromise it, if they don't like you.

That is what happened to me and I changed from IP Fire. They didn't like hearing hard truths about firewall distros, so they developed a grudge and hacked my IP Fire installation and made all rules ineffective. I could block access entirely to allow entirely.

You say, you have experience with pfSense, then you would be comfortable with OPNSense, although interface is different, but making rules is similar, they use different symbols for allow, block, incoming, outgoing. Remember, in OPNSense, incoming means traffic coming into the firewall from any interface, and outgoing means traffic leaving the firewall.

You can always take the firewall distros for a test drive in virtual machine. Other firewalls based on Linux are Smoothwall, ipcop, ClearOS, etc.

22

General Discussion / Blocking Mozilla networks is preventing Firefox from accessing other sites.

« on: January 29, 2021, 03:15:23 am »

I have blocked two Mozilla networks, one is powered by Amazon Cloud and the other, Cloudflare. Despite this, Mozilla is opening, I tried pinging IP addresses in those networks and I wasn't getting any replies. So, I'm confused why this is happening.

And, when these two Mozilla networks are blocked, many sites are not opening in Firefox(I haven't tried other browsers), when I unblock those networks, those sites are opening. I've checked the IPs of the sites, and they are not in the blocked network. Is this because of some telemetry in Firefox?

23

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 26, 2021, 04:06:49 am »

No, configuration of firewall is not equivalent to driving a car - it is the equivalent of SERVICING a car.

I debated a lot with myself whether I should reply to your post or not, because your analogies seem so inapt, I didn't know if you were serious or egotistical. No, webUI of firewall is equivalent of the controls of a car, like gears, steering wheel, accelerator, brakes, buttons, etc. Messing with the engine is like messing with the source code.

And you seem to be missing the most important thing, BMW sells its products, they don't give it away for free by putting counter-intuitive controls in the car. 

When firewall works, you do not press pedals, hold the steering wheel or tinker with it. All the engineering efforts are channeled into tuning, optimizing, enriching, and updating the CORE engine. User-serviceable interfaces are really low on the priority. (check VyOS and their CLI-only interface and tell us how do you feel about them...)

You think that a specialized professional firewall needs to be as user-friendly as all-in-one consumer boxes that ISPs give away for free. Well, they are not. Pro-level Wifi GUI, pro-level switching GUI, pro-level Synology GUI - neither of them is meant to be opened daily and used by non-experts.

Why I mentioned BMW? Besides the fact that my uncle did have BMW, they use the same product mentality that you are complaining about: all focus goes into top-level performance of the engine, but when you need service, BMW absolutely expects you to take the car to professionals and not mess with it on your own. "No user-serviceable parts inside" - applies both to high-performance cars and high-performance firewalls.

I never knew delusions of grandeur went hand-in-hand with autism.

24

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 22, 2021, 07:50:15 pm »

It's just a place you need to know. Nothing to rant about user interface being counter-intuitive.

It is like traffic lights, throughout the world, red means stop, and green means go, you can't create a country of your own and give the meaning of go for red light and stop for green light, and advertise tourist destinations.

No, I'm not supporting a ban for constructive criticism. I'm supporting it because of your bad attitude and insults.
A product needs to work in the first place. Whether a WebGui is intuitive or not is not important. If you ask 10 people about an user-interface you'll get 12 opinions about it. I don't have any problems with the UI. But I'm reading docs when I'm unable to find what I'm looking for. No UI is perfect. Every Firewall has its own philosophy about how to guide the user. If you're not feeling comfortable, that's fine, go on and try another one. Your list is missing Sophos XG. It has a free version, too.

I didn't include Sophos XG because I didn't try it, and it is a closed source version, I thought it would contain disclosed back doors, telemetry, etc.

In this attached image I can't see anything useful to decide if this should work or not. I'm not using IPFire. Maybe you misconfigured something at another screen. Using pfSense or OPNsense was always a pleasure for me. Never had an issue installing them or getting them to work with a basic setup. Problems came with more complex setups and then this forum was a big help for me. There is a lot of competence in this forums. But most of them are helping in their freetime based on good will. So insulting people won't help you here.

What more information do you want? Maybe because you didn't use IPFire. That is all the information IPFire shows. I'll tell you what it means, the pinkish-red rectangle at the left mean drop, green means traffic originating from green interface, and blue means traffics destination is blue interface, it means drop all packets originating from green interface to blue interface. Other 3 rules can interpreted similarly. I think it should work if it wasn't hacked and it did work before.

25

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 22, 2021, 07:23:48 pm »

I don't know if this is trolling, but I couldn't stop laughing at cognitive dissonance here:

No cognitive dissonance or trolling. That would be because pfSense's interface was counter-intuitive.

and then:
My uncle had a dual-compressor bi-turbo high-performance BMW - that NEVER worked well. He spent most of his time under the bonnet, tinkering with advanced car electronics, screaming how car engines are actually very simple: you squirt some gas in a chamber, you ignite the gas, you turn the shaft. Not difficult for people to understand and apply.

Except it never worked. He didn't understand timing belts. He didn't understand turbo. He didn't understand anything that makes a modern car engine work. Yet, it was all BMW's fault. Greedy Germans made car engines stupidly complex so my uncle with rudimentary understanding just couldn't figure them out and was ripping components he didn't understand.

People can either be consumers or (semi) professionals. There are products targeting each group.

Don't be like my uncle, unless you enjoy being frustrated when consumer-level knowledge clashes with professional-level products. Because stuff just won't work. And you will blame everyone else but yourself.

Except BMW sells it's car, it doesn't say it is free for everyone. The analogy you gave is not suitable, a more suitable analogy would involve the handles of the car, not the engine, if BMW placed the steering wheel at feet and brakes at hand levels and gears at mouth, it would be the best analogy for IPFire and other firewall distros. Even professionals want everything to be easy to use, software professionals use the same libraries in AI as high school students use, so this excuse of professionalism is a face-saving measure at best.

Is the reason you are mentioning BMW because IPFire is Germany based? Are you saying germans are sc*mbags and they must have freedom to deceive people to gain money? Not all of Germany makes exceptional products, their expertise in automobiles doesn't mean they make great firewalls.

As I said, IPFire just seems to be a reskinned version.

26

General Discussion / Re: pfSense is going closed source and not free for commercial use

« on: January 22, 2021, 05:55:52 pm »

a question from someone that never used pfSense: how hard would it be to create a converter of pfSense config to OPNSense config? I feel there will be considerable amount of defectors that will evaluate OPNSense - and we should make it easy for them...

There will be a no charge path for home and lab use, more info here under question "Can I get pfSense Plus for my own hardware or virtual machine?": https://www.netgate.com/solutions/pfsense/plus-faq.html

So I think people used to it will stick to it.

27

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 22, 2021, 05:51:04 pm »

Are you serious?

I'm serious, you ask a Phd computer science student specializing in networking and security, where they'd expect to see connections and under what heading and they'll tell you they would expect it to be under connections or traffic, not in states, or logs and live view, etc. It is only firewall distros which put them under unknown labels because making it easy will not allow them to sell service.

I'm not really surprised and I would really appreciate a ban here, too. Do you think someone will help you in a support forum driven mostly by the community if you insult everyone in the first post?

A product must be easy to use and understand, even then if it is impossible to configure and administrate, a support forum driven by community will be appreciated. Yes, I think I was justified by insulting everyone in my OP, you people are the ones who is making OPNSense hard to use, you people have been using OPNSense from many years, wouldn't you have encountered these problems or thought it was difficult to use? I'm sure some of you did, they could have given feedback and improved but no, you supported the counter-intuitive interfaces and labels. You'd support a ban on me because you don't want to hear what kind of sc*mbags firewall distros and community you are?

I think it's merely because of your incompetence and ignorance of manuals.

Not because of my incompetence, you can view the attached image and see the rules I created, they are simple and straightforward, I've applied them and rebooted and they are not working, earlier they were working, what does it say? Before firewall distros, I've application firewalls in Windows, so I have experience with creating rules, you'd like to make yourselves feel like geniuses over using simple concepts like IP addresses, ports and zones.

28

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 22, 2021, 05:35:09 pm »

Well, to some degree that is not to aggravate users. Networking and security come from computer science and have been considered by sales forever as "products in need of explanation". This is where you can't skip the handbook/documentation unless you know what you are doing.

But the concepts required are mainly IP addresses, ports and zones, do you think they are so hard to understand? I've used application firewalls before, like Comodo, etc on Windows and they were easy to understand, only firewall distros seem to make it counter-intuitive to sell a service.

IPFire is nice in this regard as it tries to break down a lot. The possibilities of OPNsense will just add to the fact of being overwhelmed more than required maybe.
Cheers,
Franco

IPFire just seems to a reskinned version of IPCop, IPFire have made it a bit more complicated than IPCop by allowing users to make redundant rules coming from outside, IPCop simplifies this by only allowing to make rules in the outgoing direction. Because stateful firewalls only allow connections into LAN if they were initiated from a client in LAN.

29

General Discussion / Re: Considering switching from IPFire to OPNSense

« on: January 22, 2021, 02:53:09 am »

What I wanted to ask was, can creators of OPNSense hack any installation of OPNSense?

30

General Discussion / Considering switching from IPFire to OPNSense

« on: January 21, 2021, 11:05:48 pm »

To make network secure, I have bought dedicated hardware(cpu, mb & ram) to maintain a firewall. Before I actually install and setup a firewall distro on a dedicated system, I take them for a test run in virutal machine.

I use VirtualBox and I setup two interfaces, 1 for LAN and the other for WAN. LAN interface has host-only adapter, WAN interface has NAT. I first tried pfSense with this, I couldn't get it to work, I think I typed the correct IP address for LAN interface, gateway and setup a DHCP server to issue IP addresses on LAN, but the client wasn't getting any IP addresses. It was a fluke I got it to work, the 3rd or 4th time I installed but the webGUI was counter-intuitive, I just couldn't figure how to view connections, and when I did, it was incomprehensible, it was just numbers, no color coding, how the f*ck would I know which are suspicious connections. Even the place where this is found seems counter-intuitive, pfSense places it under Diagnostics-States, I think it would have been better under Status-States, why can't they place under the heading of traffic or connections rather than states. While creating rules, I didn't know if I had to create rules in WAN interface or LAN interface, I was shocked to find I couldn't block websites without enabling a web proxy, which was equally counter-intuitive to setup.

After pfSense I tried Smoothwall, IPCop, OPNSense and IPFire, I can't remember in which order. Smoothwall and IPCop were equally incomprehensible. With OPNSense I could get it to work until I was able to access it's webGUI from the clients on LAN but they weren't able to access Internet, if anything I found OPNSense's interface to be even more counter-intuitive than others, although the webGUI of OPNSense was a lot nice to look at. Firstly, I couldn't find how to view connections, it was hidden under Firewall -> Logs -> something else. Why the f*ck can't you idiots make these easy to find? I typed connections, traffic in the search box and it wasn't showing, I clicked through sections on the left, but because of counter-intuitive names used for options under those sections, I couldn't find that. It was after searching the net, I found a reply here informing how to use it.

IPFire was just as bad, but it was a little easy to go around finding what I was looking for, I could see connections under the connections sections, although I couldn't immediately create a block rule or terminate a connection from there. It showed only numbers (IP addresses, ports) which was although irritating but not as much as others because it has color coding. I found creation of rules to be counter-intuitive not because of the words used but the non-standard semantics IPFire gave for them. They deliberately left out information from their wiki, like for example, in setting up web proxy, in the webui, it only shows port number, but it doesn't show which IP address to use for the proxy, without this information how would I configure a browser or client to use the web proxy, there is no information to figure out web proxy's IP address, I think this information should be shown in the webui and in the wiki but they left it out, when I asked about this on their forums, retarded sc*mbags descended on me and attacked me as if just having port information is sufficient to configure web proxy in clients and browser, and they suggested using a script.

As the rules I created weren't working I thought my IPFire was hacked and asked them if it'll be possible for IPFire creators to hack an individual's IPFire installation, a user answered no without explaining why and said they weren't working because of the way I configured, there aren't many ways to configure rules in IPFire, there is only way and I created 4 simple rules, these are shown in the image attached to this post. I was banned until 20 January 3021

I was previously angry with IPFire for lack of necessary features like ability to show domain names or URLs instead of IP addresses in the connections view, not allowing termination connection, creation of rules there, and the default firewall behavior of allowing all connections to be made, not allowing administration of firewall on the system where it is installed. I think they developed a grudge on me because of these things and hacked my IP Fire to make rules ineffective.

I'm very angry with almost all firewall distros, because I think creators are sc*mbags who advertise their product as free but set their sights on selling service by making the webui so counter-intuitive that it would require a diploma to administrate properly or the user has to buy service or help from the company.

There are security risks with administrating a firewall from a webui from other systems rather than doing it on the system where it is installed, not allowing terminations of connections and creation of rules from the connections view is an intention design to make the administration counter-intuitive and sell a service, showing IP addresses instead of domain names is for the same reason, allowing all outbound connections and accepting incoming connections from them is equally stupid, in this state, a firewall is useless. Nothing is stopping creators of firewall from making the administration of firewall easy to use. This is a sc*mbag move by firewall vendors.

I don't think many complicated concepts are involved to administrate firewall, creation of rules mostly involve IP addresses, Ports and Zones. Not difficult for people to understand and apply, something so simple has been made pretty impossible to utilize is abhorable. 

I forgot to ask, can creators of hack OPNSense installations?