pfsense vs opnsense vs manjaro linux

[yeraycito]

I'm a very concerned person about Internet security. I was using pfsense for a while until I discovered opnsense. Pfsense and Opnsense are practically the same but what I liked about Opnsense is that it gave me more security when I saw that the latest versions were based on HardenedBSD. I was also convinced by the update policy of Opnsense. The first thing I have to say is that opnsense is free and therefore I should not complain. Opnsense is not a text editor, it is supposed to be a security system. And in terms of security, time is money. FreeBSD 12 has been active since last year. HardenedBSD 12 is active since last year. Suricata 5 has been active since last year. Opnsense has not been updated for over a month. Some components such as unbound have security holes that have not been updated. Manjaro linux is not a security system and yet it is updated every week to the latest versions of its components. Is it so difficult to do the same with opnsense? Even pfsense has already fixed the latest security patches: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html

As I said before opnsense is free and I can't thank the developers for their work but, as I said before, time is money.

[fabian]

FreeBSD 12 has been active since last year. HardenedBSD 12 is active since last year. Suricata 5 has been active since last year. Opnsense has not been updated for over a month.

Kernel updates are only done at major versions -> 12 Will come in July, Suricata may be included as well.

Some components such as unbound have security holes that have not been updated. Manjaro linux is not a security system and yet it is updated every week to the latest versions of its components.

Manjaro is designed to be a desktop OS and the updates are usually from Arch Linux on which it is based on which is always containing the newest components if it works (sometimes a library is kept on an older version because it would break to many other packages like the version jump from OpenSSL from 1.0.x to 1.1.x).

Is it so difficult to do the same with opnsense? Even pfsense has already fixed the latest security patches: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html

It depends on the kind of vulnerablility if there is an out of band update. If it is not exploitable, there is no reason to patch. Also maybe there is no update because Franco is on vacation. At least that was the reason some time in the past why there was no update for longer than 2 weeks.

[AdSchellevis]

I think our release track record speaks for itself https://docs.opnsense.org/releases.html (181 releases since Januari 2015), and yes, proper release management is a lot of work if you don't want to risk breakage of existing setups.

Usually we assess if security issues warrant an intermediate release of our software or if it's possible to postpone until a more sensible release can be packaged (including other bug fixes and enhancements).

If for some reason you do require the latest (and greatest) version of a package, FreeBSD/HardenedBSD offers the ports tree to build the package yourself (our mirror can be found here : https://github.com/opnsense/ports).

Suricata 4 is a release version and isn't end of life (https://suricata-ids.org/about/eol-policy/), our development version ships 5 (as of Januari if I'm not mistaken).

It's ok to be a concerned citizen, but try not to mix feature enhancements (FreeBSD 12, suricata 5, ..) with security issues and one-shots (system X has fix Y earlier this time) with overal performance, it's not very realistic.

Best regards,

Ad

[franco]

11.2 is also actively maintained by us.

If I had one request please do not compare us to sporadic success stories of other projects that have a completely different approach to security patches. Nobody cares if we ship an update every other week but if others do it first it is a problem, right?

Instead, take the time to skim through the currently active CVEs and identify the ones you are worried about and then we can talk about those how they could apply and what could be done in the meantime, if at all necessary.


Cheers,
Franco