Considering switching from IPFire to OPNSense

[securityconscious]

To make network secure, I have bought dedicated hardware(cpu, mb & ram) to maintain a firewall. Before I actually install and setup a firewall distro on a dedicated system, I take them for a test run in virutal machine.

I use VirtualBox and I setup two interfaces, 1 for LAN and the other for WAN. LAN interface has host-only adapter, WAN interface has NAT. I first tried pfSense with this, I couldn't get it to work, I think I typed the correct IP address for LAN interface, gateway and setup a DHCP server to issue IP addresses on LAN, but the client wasn't getting any IP addresses. It was a fluke I got it to work, the 3rd or 4th time I installed but the webGUI was counter-intuitive, I just couldn't figure how to view connections, and when I did, it was incomprehensible, it was just numbers, no color coding, how the f*ck would I know which are suspicious connections. Even the place where this is found seems counter-intuitive, pfSense places it under Diagnostics-States, I think it would have been better under Status-States, why can't they place under the heading of traffic or connections rather than states. While creating rules, I didn't know if I had to create rules in WAN interface or LAN interface, I was shocked to find I couldn't block websites without enabling a web proxy, which was equally counter-intuitive to setup.

After pfSense I tried Smoothwall, IPCop, OPNSense and IPFire, I can't remember in which order. Smoothwall and IPCop were equally incomprehensible. With OPNSense I could get it to work until I was able to access it's webGUI from the clients on LAN but they weren't able to access Internet, if anything I found OPNSense's interface to be even more counter-intuitive than others, although the webGUI of OPNSense was a lot nice to look at. Firstly, I couldn't find how to view connections, it was hidden under Firewall -> Logs -> something else. Why the f*ck can't you idiots make these easy to find? I typed connections, traffic in the search box and it wasn't showing, I clicked through sections on the left, but because of counter-intuitive names used for options under those sections, I couldn't find that. It was after searching the net, I found a reply here informing how to use it.

IPFire was just as bad, but it was a little easy to go around finding what I was looking for, I could see connections under the connections sections, although I couldn't immediately create a block rule or terminate a connection from there. It showed only numbers (IP addresses, ports) which was although irritating but not as much as others because it has color coding. I found creation of rules to be counter-intuitive not because of the words used but the non-standard semantics IPFire gave for them. They deliberately left out information from their wiki, like for example, in setting up web proxy, in the webui, it only shows port number, but it doesn't show which IP address to use for the proxy, without this information how would I configure a browser or client to use the web proxy, there is no information to figure out web proxy's IP address, I think this information should be shown in the webui and in the wiki but they left it out, when I asked about this on their forums, retarded sc*mbags descended on me and attacked me as if just having port information is sufficient to configure web proxy in clients and browser, and they suggested using a script.

As the rules I created weren't working I thought my IPFire was hacked and asked them if it'll be possible for IPFire creators to hack an individual's IPFire installation, a user answered no without explaining why and said they weren't working because of the way I configured, there aren't many ways to configure rules in IPFire, there is only way and I created 4 simple rules, these are shown in the image attached to this post. I was banned until 20 January 3021

I was previously angry with IPFire for lack of necessary features like ability to show domain names or URLs instead of IP addresses in the connections view, not allowing termination connection, creation of rules there, and the default firewall behavior of allowing all connections to be made, not allowing administration of firewall on the system where it is installed. I think they developed a grudge on me because of these things and hacked my IP Fire to make rules ineffective.

I'm very angry with almost all firewall distros, because I think creators are sc*mbags who advertise their product as free but set their sights on selling service by making the webui so counter-intuitive that it would require a diploma to administrate properly or the user has to buy service or help from the company.

There are security risks with administrating a firewall from a webui from other systems rather than doing it on the system where it is installed, not allowing terminations of connections and creation of rules from the connections view is an intention design to make the administration counter-intuitive and sell a service, showing IP addresses instead of domain names is for the same reason, allowing all outbound connections and accepting incoming connections from them is equally stupid, in this state, a firewall is useless. Nothing is stopping creators of firewall from making the administration of firewall easy to use. This is a sc*mbag move by firewall vendors.

I don't think many complicated concepts are involved to administrate firewall, creation of rules mostly involve IP addresses, Ports and Zones. Not difficult for people to understand and apply, something so simple has been made pretty impossible to utilize is abhorable. 

I forgot to ask, can creators of hack OPNSense installations?

[allebone]

Yes creators are always of have hack opnsense. You should not use it and instead find something else more appropriate to you. This is not for you.


Thank you for your post. Good luck in your search.

Pete

[securityconscious]

What I wanted to ask was, can creators of OPNSense hack any installation of OPNSense?

[allebone]

No

[franco]

I'm very angry with almost all firewall distros, because I think creators are sc*mbags who advertise their product as free but set their sights on selling service by making the webui so counter-intuitive that it would require a diploma to administrate properly or the user has to buy service or help from the company.

Well, to some degree that is not to aggravate users. Networking and security come from computer science and have been considered by sales forever as "products in need of explanation". This is where you can't skip the handbook/documentation unless you know what you are doing.

IPFire is nice in this regard as it tries to break down a lot. The possibilities of OPNsense will just add to the fact of being overwhelmed more than required maybe.


Cheers,
Franco

[Gauss23]

if anything I found OPNSense's interface to be even more counter-intuitive than others, although the webGUI of OPNSense was a lot nice to look at. Firstly, I couldn't find how to view connections, it was hidden under Firewall -> Logs -> something else. Why the f*ck can't you idiots make these easy to find?

Are you serious?

I was banned until 20 January 3021

I'm not really surprised and I would really appreciate a ban here, too. Do you think someone will help you in a support forum driven mostly by the community if you insult everyone in the first post?

I think they developed a grudge on me because of these things and hacked my IP Fire to make rules ineffective.

I think it's merely because of your incompetence and ignorance of manuals.

[securityconscious]

Well, to some degree that is not to aggravate users. Networking and security come from computer science and have been considered by sales forever as "products in need of explanation". This is where you can't skip the handbook/documentation unless you know what you are doing.

But the concepts required are mainly IP addresses, ports and zones, do you think they are so hard to understand? I've used application firewalls before, like Comodo, etc on Windows and they were easy to understand, only firewall distros seem to make it counter-intuitive to sell a service.

IPFire is nice in this regard as it tries to break down a lot. The possibilities of OPNsense will just add to the fact of being overwhelmed more than required maybe.
Cheers,
Franco

IPFire just seems to a reskinned version of IPCop, IPFire have made it a bit more complicated than IPCop by allowing users to make redundant rules coming from outside, IPCop simplifies this by only allowing to make rules in the outgoing direction. Because stateful firewalls only allow connections into LAN if they were initiated from a client in LAN.

[securityconscious]

Are you serious?

I'm serious, you ask a Phd computer science student specializing in networking and security, where they'd expect to see connections and under what heading and they'll tell you they would expect it to be under connections or traffic, not in states, or logs and live view, etc. It is only firewall distros which put them under unknown labels because making it easy will not allow them to sell service.

I'm not really surprised and I would really appreciate a ban here, too. Do you think someone will help you in a support forum driven mostly by the community if you insult everyone in the first post?

A product must be easy to use and understand, even then if it is impossible to configure and administrate, a support forum driven by community will be appreciated. Yes, I think I was justified by insulting everyone in my OP, you people are the ones who is making OPNSense hard to use, you people have been using OPNSense from many years, wouldn't you have encountered these problems or thought it was difficult to use? I'm sure some of you did, they could have given feedback and improved but no, you supported the counter-intuitive interfaces and labels. You'd support a ban on me because you don't want to hear what kind of sc*mbags firewall distros and community you are?

I think it's merely because of your incompetence and ignorance of manuals.

Not because of my incompetence, you can view the attached image and see the rules I created, they are simple and straightforward, I've applied them and rebooted and they are not working, earlier they were working, what does it say? Before firewall distros, I've application firewalls in Windows, so I have experience with creating rules, you'd like to make yourselves feel like geniuses over using simple concepts like IP addresses, ports and zones.

[Gauss23]

I'm serious, you ask a Phd computer science student specializing in networking and security, where they'd expect to see connections and under what heading and they'll tell you they would expect it to be under connections or traffic, not in states, or logs and live view, etc. It is only firewall distros which put them under unknown labels because making it easy will not allow them to sell service.

It's just a place you need to know. Nothing to rant about user interface being counter-intuitive.

A product must be easy to use and understand, even then if it is impossible to configure and administrate, a support forum driven by community will be appreciated. Yes, I think I was justified by insulting everyone in my OP, you people are the ones who is making OPNSense hard to use, you people have been using OPNSense from many years, wouldn't you have encountered these problems or thought it was difficult to use? I'm sure some of you did, they could have given feedback and improved but no, you supported the counter-intuitive interfaces and labels. You'd support a ban on me because you don't want to hear what kind of sc*mbags firewall distros and community you are?

No, I'm not supporting a ban for constructive criticism. I'm supporting it because of your bad attitude and insults.
A product needs to work in the first place. Whether a WebGui is intuitive or not is not important. If you ask 10 people about an user-interface you'll get 12 opinions about it. I don't have any problems with the UI. But I'm reading docs when I'm unable to find what I'm looking for. No UI is perfect. Every Firewall has its own philosophy about how to guide the user. If you're not feeling comfortable, that's fine, go on and try another one. Your list is missing Sophos XG. It has a free version, too.

Not because of my incompetence, you can view the attached image and see the rules I created, they are simple and straightforward, I've applied them and rebooted and they are not working, earlier they were working, what does it say? Before firewall distros, I've application firewalls in Windows, so I have experience with creating rules, you'd like to make yourselves feel like geniuses over using simple concepts like IP addresses, ports and zones.

In this attached image I can't see anything useful to decide if this should work or not. I'm not using IPFire. Maybe you misconfigured something at another screen. Using pfSense or OPNsense was always a pleasure for me. Never had an issue installing them or getting them to work with a basic setup. Problems came with more complex setups and then this forum was a big help for me. There is a lot of competence in this forums. But most of them are helping in their freetime based on good will. So insulting people won't help you here.

[mihak]

I don't know if this is trolling, but I couldn't stop laughing at cognitive dissonance here:

I don't think many complicated concepts are involved to administrate firewall, creation of rules mostly involve IP addresses, Ports and Zones. Not difficult for people to understand and apply

and then:

I couldn't get it to work, I think I typed the correct IP address for LAN interface, gateway and setup a DHCP server to issue IP addresses on LAN, but the client wasn't getting any IP addresses.

My uncle had a dual-compressor bi-turbo high-performance BMW - that NEVER worked well. He spent most of his time under the bonnet, tinkering with advanced car electronics, screaming how car engines are actually very simple: you squirt some gas in a chamber, you ignite the gas, you turn the shaft. Not difficult for people to understand and apply.

Except it never worked. He didn't understand timing belts. He didn't understand turbo. He didn't understand anything that makes a modern car engine work. Yet, it was all BMW's fault. Greedy Germans made car engines stupidly complex so my uncle with rudimentary understanding just couldn't figure them out and was ripping components he didn't understand.

People can either be consumers or (semi) professionals. There are products targeting each group.

Don't be like my uncle, unless you enjoy being frustrated when consumer-level knowledge clashes with professional-level products. Because stuff just won't work. And you will blame everyone else but yourself.

[franco]

To some degree this thread progression was expected. It's probably best to stop replying and see what happens.


Cheers,
Franco

[securityconscious]

I don't know if this is trolling, but I couldn't stop laughing at cognitive dissonance here:

No cognitive dissonance or trolling. That would be because pfSense's interface was counter-intuitive.

and then:
My uncle had a dual-compressor bi-turbo high-performance BMW - that NEVER worked well. He spent most of his time under the bonnet, tinkering with advanced car electronics, screaming how car engines are actually very simple: you squirt some gas in a chamber, you ignite the gas, you turn the shaft. Not difficult for people to understand and apply.

Except it never worked. He didn't understand timing belts. He didn't understand turbo. He didn't understand anything that makes a modern car engine work. Yet, it was all BMW's fault. Greedy Germans made car engines stupidly complex so my uncle with rudimentary understanding just couldn't figure them out and was ripping components he didn't understand.

People can either be consumers or (semi) professionals. There are products targeting each group.

Don't be like my uncle, unless you enjoy being frustrated when consumer-level knowledge clashes with professional-level products. Because stuff just won't work. And you will blame everyone else but yourself.

Except BMW sells it's car, it doesn't say it is free for everyone. The analogy you gave is not suitable, a more suitable analogy would involve the handles of the car, not the engine, if BMW placed the steering wheel at feet and brakes at hand levels and gears at mouth, it would be the best analogy for IPFire and other firewall distros. Even professionals want everything to be easy to use, software professionals use the same libraries in AI as high school students use, so this excuse of professionalism is a face-saving measure at best.

Is the reason you are mentioning BMW because IPFire is Germany based? Are you saying germans are sc*mbags and they must have freedom to deceive people to gain money? Not all of Germany makes exceptional products, their expertise in automobiles doesn't mean they make great firewalls.

As I said, IPFire just seems to be a reskinned version.

[securityconscious]

It's just a place you need to know. Nothing to rant about user interface being counter-intuitive.

It is like traffic lights, throughout the world, red means stop, and green means go, you can't create a country of your own and give the meaning of go for red light and stop for green light, and advertise tourist destinations.

No, I'm not supporting a ban for constructive criticism. I'm supporting it because of your bad attitude and insults.
A product needs to work in the first place. Whether a WebGui is intuitive or not is not important. If you ask 10 people about an user-interface you'll get 12 opinions about it. I don't have any problems with the UI. But I'm reading docs when I'm unable to find what I'm looking for. No UI is perfect. Every Firewall has its own philosophy about how to guide the user. If you're not feeling comfortable, that's fine, go on and try another one. Your list is missing Sophos XG. It has a free version, too.

I didn't include Sophos XG because I didn't try it, and it is a closed source version, I thought it would contain disclosed back doors, telemetry, etc.

In this attached image I can't see anything useful to decide if this should work or not. I'm not using IPFire. Maybe you misconfigured something at another screen. Using pfSense or OPNsense was always a pleasure for me. Never had an issue installing them or getting them to work with a basic setup. Problems came with more complex setups and then this forum was a big help for me. There is a lot of competence in this forums. But most of them are helping in their freetime based on good will. So insulting people won't help you here.

What more information do you want? Maybe because you didn't use IPFire. That is all the information IPFire shows. I'll tell you what it means, the pinkish-red rectangle at the left mean drop, green means traffic originating from green interface, and blue means traffics destination is blue interface, it means drop all packets originating from green interface to blue interface. Other 3 rules can interpreted similarly. I think it should work if it wasn't hacked and it did work before.

[mihak]

No, configuration of firewall is not equivalent to driving a car - it is the equivalent of SERVICING a car.

When firewall works, you do not press pedals, hold the steering wheel or tinker with it. All the engineering efforts are channeled into tuning, optimizing, enriching, and updating the CORE engine. User-serviceable interfaces are really low on the priority. (check VyOS and their CLI-only interface and tell us how do you feel about them...)

You think that a specialized professional firewall needs to be as user-friendly as all-in-one consumer boxes that ISPs give away for free. Well, they are not. Pro-level Wifi GUI, pro-level switching GUI, pro-level Synology GUI - neither of them is meant to be opened daily and used by non-experts.

Why I mentioned BMW? Besides the fact that my uncle did have BMW, they use the same product mentality that you are complaining about: all focus goes into top-level performance of the engine, but when you need service, BMW absolutely expects you to take the car to professionals and not mess with it on your own. "No user-serviceable parts inside" - applies both to high-performance cars and high-performance firewalls.

[securityconscious]

No, configuration of firewall is not equivalent to driving a car - it is the equivalent of SERVICING a car.

I debated a lot with myself whether I should reply to your post or not, because your analogies seem so inapt, I didn't know if you were serious or egotistical. No, webUI of firewall is equivalent of the controls of a car, like gears, steering wheel, accelerator, brakes, buttons, etc. Messing with the engine is like messing with the source code.

And you seem to be missing the most important thing, BMW sells its products, they don't give it away for free by putting counter-intuitive controls in the car. 

When firewall works, you do not press pedals, hold the steering wheel or tinker with it. All the engineering efforts are channeled into tuning, optimizing, enriching, and updating the CORE engine. User-serviceable interfaces are really low on the priority. (check VyOS and their CLI-only interface and tell us how do you feel about them...)

You think that a specialized professional firewall needs to be as user-friendly as all-in-one consumer boxes that ISPs give away for free. Well, they are not. Pro-level Wifi GUI, pro-level switching GUI, pro-level Synology GUI - neither of them is meant to be opened daily and used by non-experts.

Why I mentioned BMW? Besides the fact that my uncle did have BMW, they use the same product mentality that you are complaining about: all focus goes into top-level performance of the engine, but when you need service, BMW absolutely expects you to take the car to professionals and not mess with it on your own. "No user-serviceable parts inside" - applies both to high-performance cars and high-performance firewalls.

I never knew delusions of grandeur went hand-in-hand with autism.