Topic: OPNsense vs HBSD, amount of packages (Read 2964 times)
sanyo
Newbie
Posts: 6
Karma: 0
OPNsense vs HBSD, amount of packages
« on: March 05, 2020, 06:51:33 pm »
Hello,
Please let me know:
1) How many packages are in HardenedBSD repository? It seems there are only 574 packages in OPNsense? Are there any additional binary repositories for OPNsense or compatible HBSD repos?
2) Can prebuilt binary HardenedBSD packages be used in OPNsense? Like adding a repository in Debian?
Or only build from ports sources?
3) Can instructions for moving already installed FreeBSD system from UFS to ZFS root be used for HBSD and OPNsense too?
I have installed OPNsense as a KVM guest, works fine, updated to the latest packages, installed a few of new packages like rsync, bash, etc.
I have created a new pool hbsd/rootfs, mounted it and rsynced mounted UFS root / to ZFS root.
Now going to reconfigure bootloader to boot OPNsense from ZFS root.
4) Does OPNsense support the same paxctl features, those are supported by HardenedBSD distro?
I cannot find paxctl package for OPNsense, does it exist at all?
secadm is missing too?
What about HBSD security features listed on the page:
https://hardenedbsd.org/content/easy-feature-comparison
?
Are all HBSD hardening features present in OPNsense too?
5) What I will miss in OPNsense if trying to use it as a general universal server OS for example just for a hardened ZFS storage? Provided I need only command line interface without a nice panel like in FreeNAS.
6) Will very minimum of HBSD or OPNsense work on a very old Pentium 1 MMX say with 200-300Mb of RAM?
At least without cryptography and with the most OPNsense services being stopped?
Without local ZFS of course because of low memory on Pentium1 host.
But may be booted by network iPXE from another librebooted host with ZFS+iSCSI ?
7) It seems HBSD project stalled at collecting money for further work? Why did it happen and how are you going to resolve this?
« Last Edit: March 07, 2020, 04:00:27 am by sanyo »
sanyo
Newbie
Posts: 6
Karma: 0
Re: OPNsense vs HBSD, amount of packages
« Reply #1 on: March 07, 2020, 11:20:57 am »
I have tried to add ports according to:
https://forum.opnsense.org/index.php?topic=5752.msg23568#msg23568
But it seems there is no git for i386 in base?
#pkg install git
git-2.25.0.txz Not Found
How to get git on my test OPNsense system?
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: OPNsense vs HBSD, amount of packages
« Reply #2 on: March 07, 2020, 02:29:39 pm »
Git is already in OPNsense repo
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
sanyo
Newbie
Posts: 6
Karma: 0
Re: OPNsense vs HBSD, amount of packages
« Reply #3 on: March 07, 2020, 08:34:38 pm »
Does
#opnsense-code tools ports
work for you?
On my installation it tries to install git, which is missing in the repo. Is it a bug?
« Last Edit: March 07, 2020, 08:44:06 pm by sanyo »
sanyo
Newbie
Posts: 6
Karma: 0
Re: OPNsense vs HBSD, amount of packages
« Reply #4 on: March 08, 2020, 08:45:47 pm »
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: OPNsense vs HBSD, amount of packages
« Reply #5 on: March 08, 2020, 07:10:20 am »
Did you run pkg update?
I can see it when browsing the link
franco
Administrator
Hero Member
Posts: 17657
Karma: 1611
Re: OPNsense vs HBSD, amount of packages
« Reply #6 on: March 08, 2020, 08:39:02 am »
Hi there,
> 1) How many packages are in HardenedBSD repository? It seems there are only 574 packages in OPNsense? Are there any additional binary repositories for OPNsense or compatible HBSD repos?
We do not want to burden our build system with tens of thousands of packages, some of which are only relevant for graphical desktops... We keep the number to a minimum to be able to maintain and fix those if necessary. We do have a core mission in this regard.
> 2) Can prebuilt binary HardenedBSD packages be used in OPNsense? Like adding a repository in Debian?
> Or only build from ports sources?
No, you can, however, use prebuilt FreeBSD packages at your own risk.
> 3) Can instructions for moving already installed FreeBSD system from UFS to ZFS root be used for HBSD and OPNsense too?
https://github.com/opnsense/update#opnsense-bootstrap
> 4) Does OPNsense support the same paxctl features, those are supported by HardenedBSD distro?
> I cannot find paxctl package for OPNsense, does it exist at all?
> secadm is missing too?
Yes, again, core mission...
> 5) What I will miss in OPNsense if trying to use it as a general universal server OS for example just for a hardened ZFS storage? Provided I need only command line interface without a nice panel like in FreeNAS.
Tools to configure it as per item 1) of your list. You can, however, use OPNsense as a skeleton for server duty as the rc framework will assist you with configuring services like on FBSD and HBSD.
> 6) Will very minimum of HBSD or OPNsense work on a very old Pentium 1 MMX say with 200-300Mb of RAM?
> At least without cryptography and with the most OPNsense services being stopped?
> Without local ZFS of course because of low memory on Pentium1 host.
> But may be booted by network iPXE from another librebooted host with ZFS+iSCSI ?
Yes, but I doubt you will fit enough RAM to make ZFS viable.
> 7) It seems HBSD project stalled at collecting money for further work? Why did it happen and how are you going to resolve this?
HBSD is going through changes. A cofounder left recently and the project is currently realigning its goals for the future.
Cheers,
Franco
sanyo
Newbie
Posts: 6
Karma: 0
Re: OPNsense vs HBSD, amount of packages
« Reply #7 on: March 08, 2020, 08:29:30 pm »
Dear Franco, thank you very much for your answers, please see more questions:
> We do not want to burden our build system with tens of thousands of packages, some of which are only relevant for graphical desktops... We keep the number to a minimum to be able to maintain and fix those if necessary. We do have a core mission in this regard.
I need only text mode server with SSH, actually choosing between your OPNsense and OpenBSD, already installed both of them into KVM guests on my Devuan host corresponding zvols per each vm. Later I can share these zvols via iSCSI and boot BSDs from TFTP server and iSCSI Devuan target by network?
> No, you can, however, use prebuilt FreeBSD packages at your own risk.
I cannot understand why HBSD packages cannot be used while FreeBSD can and still your distro seems to be based on HBSD according to release history?
> Yes, again, core mission...
If your distro is based on HBSD then why is there no secadm and paxctl? Actually I need just a 32bit HBSD, not a feature rich router. Though I used pfSense earlier, I am more comfortable just with a CLI and manual config for firewall, etc. OpenBSD looks very nice for me, but it seems HBSD had more hardening features with tens more packages.
Why is there no 32bit HBSD? How to build it?
> Yes, but I doubt you will fit enough RAM to make ZFS viable.
ZFS will run on a librebooted Core2Duo, Pentium 1MMX will run only a BSD via iSCSI->network->target->zvol, OpenBSD even does not have any ZFS at all.
> HBSD is going through changes. A cofounder left recently and the project is currently realigning its goals for the future.
Can we know what changes are expected?
I just need a secure OS to run on a 32 bit Pentium MMX having more secure CPU rings than modern shining CPUs with very nasty ME and PSP and missing even CPU rings security which was designed 20 years ago. I am not an expert in security and CPU rings, it is just what I have read on some Internet forums.
Is there a script somewhere to build text only server packages for HBSD 32 bit without diving deep into understanding how to build FreeBSD, HardenedBSD, etcBSD?
As for now OpenBSD looks more suitable for me and it has everything described in its docs and it supports a huge amount of architectures in addition to i486.
Are there any other builds or forks of HardenedBSD except on its main website? Maybe some other distros are based on HBSD and have support for 32 bits?
« Last Edit: March 08, 2020, 08:45:11 pm by sanyo »
franco
Administrator
Hero Member
Posts: 17657
Karma: 1611
Re: OPNsense vs HBSD, amount of packages
« Reply #8 on: March 09, 2020, 03:27:21 pm »
Err, hold on, HBSD does not focus on 32-bit security. The reason why OPNsense HBSD is slightly different is that we try to stay binary compatible with FBSD instead of HBSD because otherwise users would be more prone to bricking their systems with incorrect packages.
The other reason is we wanted 32-bit support which HBSD has had no focus on directly and 32-bit is already beyond its supposed end of life with OPNsense 20.1, but since we did not change the OS from version 11 to 12 it was kept alive.
If you need "secure" 32-bit you should use OpenBSD. But I can assure you from work experience that very few people even in OpenBSD still actively develop on 32-bit hardware. But also keep in mind that 32-bit severely limits effectiveness of modern security measures.
Cheers,
Franco
sanyo
Newbie
Posts: 6
Karma: 0
Re: OPNsense vs HBSD, amount of packages
« Reply #9 on: March 10, 2020, 04:41:10 am »
Quote from: franco on March 09, 2020, 03:27:21 pm
> But also keep in mind that 32-bit severely limits effectiveness of modern security measures.
IMHO modern "security" features are Spectre, ME/PSP, lack of enough CPU rings and many many unavoidable nasty blobs in different firmwares.
If the latest modern open source OpenBSD (known as the most secure OS) works fine on 32 bit, doesn't it inherit most hardware independent security features of the 64 bit OS too?
I am going also to run OpenBSD 32 bit in fully software emulated KVM on modern hosted servers like Linode.
Linode KVM bare metal host -> Linode VM guest like Devuan Beowulf + soft qemu emulator for a rare OBSD architecture like ARMv7 or S390 -> TCG Emulated Guest for OpenBSD
Is it more secure than modern baremetal OpenBSD with ME/PSP/blobs/bootkit BIOS trojans/etc. ?
« Last Edit: March 10, 2020, 03:04:21 pm by sanyo »