
Author Topic: duplicating pfblockerng features  (Read 15782 times)

franco

Re: duplicating pfblockerng features
« Reply #15 on: January 28, 2018, 09:17:01 pm »
That's definitely true. However, pfBlockerNG is such a condensed Swiss army knife tool that users can end up failing to express their needs in firewall feature terms. They look for a single place to do it all and ask here if they can't find it.

So pfBlockerNG gives a very easy to use integration into pfSense, an experience that is hard to emulate with the philosophy that we try to follow with OPNsense. It's neither good nor bad. Maybe documentation can help, maybe it can't. But it's worth a try. :)


Cheers,
Franco

l0rdraiden

Re: duplicating pfblockerng features
« Reply #16 on: March 26, 2018, 08:33:10 pm »
Quote from: franco on January 28, 2018, 09:17:01 pm
That's definitely true. However, pfBlockerNG is such a condensed Swiss army knife tool that users can end up failing to express their needs in firewall feature terms. They look for a single place to do it all and ask here if they can't find it.

So pfBlockerNG gives a very easy to use integration into pfSense, an experience that is hard to emulate with the philosophy that we try to follow with OPNsense. It's neither good nor bad. Maybe documentation can help, maybe it can't. But it's worth a try. :)


Cheers,
Franco

Why is it hard to add features from pfBlockerNG to opnsense?
What does this have to do with the "philosophy"?

pfBlockerNG is an excellent tool and opnsense should aim to replicate most of the functionality.
There are plenty of open source firewalls, what the market needs is one that integrates UTM functionalities. AV (not just clam AV which has bad detection rates), suricata, OpenAppID, SNORT V3, Advanced threat protection functionality (anti APT), web filter, ad filter, ip filters, integration with external APIs like cuckoosandbox, Virus total, etc. The first open source firewall (osf) to get into this state will take the market from the other osf.

Either you get this from open source software or you start to look for optional and commercial alliances in the market.

Opnsense should focus on this and nothing else, if someone wants just a firewall it is a no-brainer to pick pfsense over opnsense.
« Last Edit: March 26, 2018, 08:40:13 pm by l0rdraiden »

elektroinside

Re: duplicating pfblockerng features
« Reply #17 on: March 26, 2018, 09:30:20 pm »
And yet, we all here picked OPNsense over pfsense.. and many coming from pfsense.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

marjohn56

Re: duplicating pfblockerng features
« Reply #18 on: March 26, 2018, 09:51:18 pm »
Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
Opnsense should focus on this and nothing else, if someone wants just a firewall it is a no-brainer to pick pfsense over opnsense.

You can do pretty much everything in Opnsense that pfSense + pfblockerng can do, it just takes a bit more thought. I also came over from pfSense, I will not be going back, however the choice is yours. If pfSense floats your boat then stay with it.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

mimugmail

Re: duplicating pfblockerng features
« Reply #19 on: March 26, 2018, 10:36:57 pm »
Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
Quote from: franco on January 28, 2018, 09:17:01 pm
That's definitely true. However, pfBlockerNG is such a condensed Swiss army knife tool that users can end up failing to express their needs in firewall feature terms. They look for a single place to do it all and ask here if they can't find it.

So pfBlockerNG gives a very easy to use integration into pfSense, an experience that is hard to emulate with the philosophy that we try to follow with OPNsense. It's neither good nor bad. Maybe documentation can help, maybe it can't. But it's worth a try. :)


Cheers,
Franco

Why is it hard to add features from pfBlockerNG to opnsense?
What does this have to do with the "philosophy"?

pfBlockerNG is an excellent tool and opnsense should aim to replicate most of the functionality.
There are plenty of open source firewalls, what the market needs is one that integrates UTM functionalities. AV (not just clam AV which has bad detection rates), suricata, OpenAppID, SNORT V3, Advanced threat protection functionality (anti APT), web filter, ad filter, ip filters, integration with external APIs like cuckoosandbox, Virus total, etc. The first open source firewall (osf) to get into this state will take the market from the other osf.

Either you get this from open source software or you start to look for optional and commercial alliances in the market.

Opnsense should focus on this and nothing else, if someone wants just a firewall it is a no-brainer to pick pfsense over opnsense.

Why do you think commercial vendors hire lots of people? This is tough work and here are only volunteers doing this in spare time. Also it's not our ambition to "take over the market". ;)

Please feel free to find an AV vendor supporting current BSD. If there was one, we would have a plugin already.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

franco

Re: duplicating pfblockerng features
« Reply #20 on: March 27, 2018, 10:40:26 am »
Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
Why is it hard to add features from pfBlockerNG to opnsense?
What does this have to do with the "philosophy"?

1. Nobody has done it so far. If it were easy, it would have been done. Isn't that a safe assumption? :)

2. I tried to explain this: we don't want pfBlockerNG as a powerful condensed type of plugin, we want to integrate the underlying features into the system in a natural way. We don't want a single point of entry for said functionality. This is "[design] philosophy".

Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
pfBlockerNG is an excellent tool and opnsense should aim to replicate most of the functionality.

I concur. :)

Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
There are plenty of open source firewalls, what the market needs is one that integrates UTM functionalities. AV (not just clam AV which has bad detection rates), suricata, OpenAppID, SNORT V3, Advanced threat protection functionality (anti APT), web filter, ad filter, ip filters, integration with external APIs like cuckoosandbox, Virus total, etc. The first open source firewall (osf) to get into this state will take the market from the other osf.

Good list. We do have some of these features. Some will be added later for sure. Note that your own list does not mention "pfBlockerNG".

Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
Either you get this from open source software or you start to look for optional and commercial alliances in the market.

True. :)

Quote from: l0rdraiden on March 26, 2018, 08:33:10 pm
Opnsense should focus on this and nothing else, if someone wants just a firewall it is a no-brainer to pick pfsense over opnsense.

This is a bit too narrow. Going back to what you said about UTM features:

Haven't we not added several of those over the course of this project's history?

Are we unwilling to add more of those? If yes, where did you interpret that?

Are you taking this exact moment and trying to argue that the system is not good enough? That's true, but then again it's always true:

There will be more features, more bugs, more alignment with the needs of the user base as that grows and shifts.

So today we're not adequate, tomorrow we're also not adequate, but at least more adequate than today. That's what counts and your discussion does not take that into account because maybe you've come here very recently, expected to find something that you need but didn't. :)


Cheers,
Franco

dcol

Re: duplicating pfblockerng features
« Reply #21 on: March 27, 2018, 06:09:27 pm »
I find that using IPS for the 10 'worst' offending countries and GeoIP Aliases for everything else works very nicely. Keeps my firewall logs cleaner.

shred

Re: duplicating pfblockerng features
« Reply #22 on: September 06, 2018, 03:21:04 am »
Is there a way to import lists of FQDNs such as those listed on https://tspprs.com/ (and have them automatically updated) into an Alias? If I'm understanding this correctly, I would then be able to assign that alias to a firewall rule and I'd have similar functionality as with PiHole or pfBlocker.

mimugmail

Re: duplicating pfblockerng features
« Reply #23 on: September 06, 2018, 05:39:21 am »
You can block these with the Bind plugin, but no chance for an Alias yet.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

chrcoluk

Re: duplicating pfblockerng features
« Reply #24 on: December 14, 2018, 09:26:53 pm »
Definitely not easy to code but also as martin said I realised not all of it needs scripting, at least a few functions of pfblockerng can already be done in opnsense, just using a different procedure.
OPNsense 24.1
