Wishlist: Collection of features & strategy proposals for OPNsense

Started by temporaryuser, March 25, 2016, 07:59:17 PM

Hi everyone,

This thread is intended to function as a centralized collection of community ideas on what features to implement in OPNsense and proposals concerning the overall strategy and future of the project.

Please add your suggestions to this thread so we can discuss and elaborate and shape the future of OPNsense together!

Cheers
temporaryuser

Here is my list:


  • Inline links to documentation:
    The menus come already with "help" integrated. This resembles 1-2 sentences with some basic information to each setting. Many times this information is not enough for me and I need more detailed help and background information. It would be great if at every service or setting there would be a deep link to the documentation pointing right at the relevant section of the documentation. It would be nice, too, if the documentation would start each topic with very general information. Example. Right now I am checking out Intrusion detection. It would be nice if there would be a link to the documentation which starts from 0: What is intrusion detection (=> small theoretical introduction including link to wikipedia). What is Suricata (=> small theoretical introduction including link to website), etc. and then explain all settings of the menu in detail.
  • Concrete service names:
    It would be very beneficial if every menu item/service would not only be named generically, e.g. "Intrusion detection" or "Proxy Server" but also in addition with the name of the particular software, e.g. "Suricata", "squid", etc. This would help me understand faster what each menu item hides and I can go e.g. read the net about the service or check its manuals, etc. Further, "Proxy server" is rather generic. Is it an HTTP proxy, a mail proxy, an FTP proxy, etc.?
  • Email proxy with anti-spam blocking & quarantine and antivirus scanning and disinfection.
  • FTP proxy with antivirus scanning.
  • Possibility to run FTP traffic over multiple bundled WAN uplinks so to add bandwidth to FTP services
  • Reverse HTTP proxy:
    With a reverse HTTP proxy you have the possibility to run multiple identical server services in your network (e.g. 10 Webservers, all reachable over port 80) with just one external IP. In countries where the ISPs charge a lot for additional static IPs this would be very beneficial
  • Application Control:
    I don't really know what service that is :-), but Endian (https://en.wikipedia.org/wiki/Endian_Firewall) writes the following and I find it really interesting: "Take control of the network by properly managing time-wasting, high bandwidth or non-business applications like Skype, WhatsApp, Dropbox, Facebook, Twitter and over 150 more.  Endian makes it simple to manage applications on your network with just a few clicks, increasing productivity has never been easier." (http://www.endian.com/products/utm/)
  • Content/URL filter
  • Turn weak Open Source to strong, copylefted Free Software:
    Relicense OPNsense to "GPLv3 or later" (https://en.wikipedia.org/wiki/GNU_General_Public_License#Version_3) and turn it this way to real, copylefted (https://en.wikipedia.org/wiki/Copyleft) Free Software (https://en.wikipedia.org/wiki/Free_software), instead of just being "open source" (https://en.wikipedia.org/wiki/Open-source_software) which is much weaker than Free Software.
  • Non-profit foundation for OPNsense:
    Create a foundation which holds the trademark "OPNsense", the copyright on the code, the internet domains, etc. so that the OPNsense code base and brand rights will be fully released to freedom and be independent of Deciso, or other for-profit entities, i.e.: to go the way that many successful Free Software projects go nowadays, such as Libreoffice (> The Document Foundation https://en.wikipedia.org/wiki/The_Document_Foundation), Tryton (> Tryton Foundation http://www.tryton.org/foundation/index.html), Django (Django Software Foundation https://en.wikipedia.org/wiki/Django_Software_Foundation), etc.
    The example of Tryton Foundation is especially interesting, since it is a very similar case to OPNsense: A for-profit company called B2CK has forked Tryton (https://en.wikipedia.org/wiki/Tryton) from TinyERP (later called OpenERP, nowadays Odoo) but then founded the Tryton Foundation and handed over all rights to the code, brand, website, etc. to it. Development is sponsored/done by B2CK and other for-profit partner companies who provide customization, development, service, etc. http://www.tryton.org/services.html. They followed the PostgreSQL example, as stated here https://en.wikipedia.org/wiki/Tryton#Project_management_.26_governance: "In contrast to their parent project and other open-source business software, the Tryton founders avoided creating a partner network which tends to generate opposition and duality between the partners and the community of volunteers.
    They followed the PostgreSQL example where the project is driven by a federation of companies. As of August 2015, Tryton is supported by 17 of such companies, which are distributed globally as follows: France 3, Spain 3, Colombia 2, Germany 2, Argentina 1, Australia 1, Belgium 1, Brazil 1, India 1, Mexico 1, Switzerland 1."
    For further examples: https://en.wikipedia.org/wiki/Category:Free_software_project_foundations
  • Create a poll for the propositions of this thread so to have the community weigh them
  • to be continued...

By my estimation, the suggestions to a) relicense OPNsense with the GPLv3 and b) to create a foundation for OPNsense, would really make a difference for this nice project.
A strategical decision of this significance would really separate OPNsense from pfSense, since those changes would initiate an absolutely new path for OPNsense and give this project a completely new character, instead of just being what in marketing strategy is called "same-but-a-bit-better".
As a result, from a marketing perspective, OPNsense would have a real competitive advantage over pfSense, both on the side of its relationship to partner companies and contributors as well as on the side of its users. I expect those advantages make the user base, the number of contributors and the number of companies that want to back this project skyrocket.

Cheers
temporaryuser

My wishlist is:


  • Increase security of OPNsense file downloads:

    • Currently the download section points to mirrors which host the OPNsense files for download. The mirrors include checksums which is good, since it helps to check if the download was successful or not. But it does not improve security, since someone who infiltrated the mirror and manipulated the download files can easily modify the checksums to match his manipulated versions, too, so the manipulations will remain undiscovered. Solution: Publish the checksums in visible text form and as downloadable files (only a few bytes of traffic) on the OPNsense website instead or in addition to having them only on the mirrors. This increases security, since an intruder will have to hack the mirror AND your website so to have the checksums match his manipulated files.
    • Even more of an improvement in security would be to additionally digitally sign the downloads with GPG and publish the signature files & public key etc. on the OPNsense website and on the mirrors.
    • An example is e.g. Opensuse: https://software.opensuse.org/421/en
  • Real time, dashboard-like, human readable, aggregated, in-depth, IP- or user-based network activity monitoring/ surveillance:
    See what all network clients are doing right now, e.g. IP 192.168.1.124 or user X is browsing websites a, b and c right now, has sent an email with subject xy and contents x to recipient yz, downloaded file x, etc. Possibility to record this activity information over a defined period of time and to export it, make statistics, etc. Usage possibilities: Network problem debugging, optimization, testing, learning, analyzing, etc., intrusion detection and intruder / trojan / backdoor behavior analyzing, legal investigation & evidence collection in case of e.g. fraudulent users/ employees. I assume that the use of this feature could be regulated by national laws in some jurisdictions, e.g. when the users are employees of a company, so there should be some warning info popping up when activating it, so the user can check his local laws first and use the features accordingly
  • Live demo on website: I think it would be great marketing for OPNsense to offer a live demo on the website
  • Firewall: Add outgoing filter. Currently on each interface only incoming traffic is handled and filtered, as it enters the box. I would like to filter also traffic that leaves the box (i.e. packets that traverse the box or that are produced by the box) while it passes an interface when exiting the box again. This way I can much more easily overview and protect one network zone from traffic that wants to enter it (e.g. by having misconfigured another interface so that it lets traffic in and reach other interfaces while it shouldn't) or traffic that is initiated on the box and wants to leave it while I do not want that.
  • Plugins for hardware:
  • Honeypot: have one or multiple honeypots in isolated environments (VMs?) on the box, installable as plugins, including notifications in case of attack
  • Refine & improve release cycle: I really like your decision to introduce a time based release scheme and your ambition to release 2 major releases per year (Jan & July). Additionally, it is really great that you release minor releases every week, this is really outstanding! Nevertheless I think that your scheme needs some refinement. The reason for this is that currently due to the fact that those weekly updates include not only bug and security fixes but also new features, things tend to seriously break very often and make those updates a real risk for anybody who is serious about his productive systems; actually - if someone takes "production grade" seriously and cannot afford even a tiny bit to risk his production networks, it is currently not possible to update for him.
    So what I propose is to further refine and improve your release scheme so to combine your really fast release ambition with reliable releases for users who need rocksolid versions for their businesses. The wheel needs not to be reinvented though! Libreoffice has such a scheme which is outstanding and near to perfect, since it serves both user groups, those who want (or need) new features ASAP and those who need bullet-proof, rocksolid versions no matter what. And it is embedded in a 2-major-release-per-year approach, too. Here is a great introduction to their strategy: https://wiki.documentfoundation.org/ReleasePlan
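The download-verification point above (a mirror that is compromised can rewrite its own checksum file, so the checksum must come from a second, independent source) as an added example that is not part of the original post or of OPNsense's own tooling. It assumes GNU coreutils `sha256sum`; the image and checksum files are constructed in a temporary directory.

```shell
# Added example, not OPNsense project code: verify a downloaded image against a
# checksum obtained from an independent source (the project website) instead of
# trusting only the checksum file that sits next to the image on the mirror.
# Assumes GNU coreutils sha256sum; the image and checksum files are constructed.

# verify_download FILE MIRROR_SUMS WEBSITE_SUMS
# Returns 0 only when the file matches the checksum published on the website.
verify_download() {
    file=$1; mirror_sums=$2; website_sums=$3
    name=$(basename "$file")
    actual=$(sha256sum "$file" | awk '{print $1}')
    from_mirror=$(awk -v n="$name" '$2 == n {print $1}' "$mirror_sums")
    from_website=$(awk -v n="$name" '$2 == n {print $1}' "$website_sums")
    [ "$actual" = "$from_mirror" ] && mirror_ok=yes || mirror_ok=no
    if [ -z "$from_website" ]; then
        echo "$name: no checksum published on the website, cannot verify"
        return 2
    elif [ "$actual" != "$from_website" ]; then
        echo "$name: MISMATCH against website checksum (mirror checksum agrees: $mirror_ok)"
        return 1
    fi
    echo "$name: OK, matches website checksum (mirror checksum agrees: $mirror_ok)"
    return 0
}

# run_scenario clean|tampered
# Builds a constructed mirror in a temp dir. In the tampered case the image on
# the mirror is modified and the mirror's checksum file regenerated to match it,
# which is exactly the manipulation a mirror-only check would not catch.
run_scenario() {
    tmp=$(mktemp -d)
    printf 'OPNsense image (constructed sample)\n' > "$tmp/image.img"
    ( cd "$tmp" && sha256sum image.img > website.sha256 )   # published on the website
    if [ "$1" = tampered ]; then
        printf 'unexpected change\n' >> "$tmp/image.img"
        ( cd "$tmp" && sha256sum image.img > mirror.sha256 ) # mirror sums now match the altered file
    else
        cp "$tmp/website.sha256" "$tmp/mirror.sha256"
    fi
    verify_download "$tmp/image.img" "$tmp/mirror.sha256" "$tmp/website.sha256"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

run_scenario clean
run_scenario tampered || echo "(tampering detected, as intended)"
```

In the tampered run the mirror's own checksum still agrees with the altered file, which is why only the website copy catches it.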

Want to add this to the wishlist:

  • make the ruby package available to install via pkg

Σουπεργιούζερ,

Increase security of OPNsense file downloads:
Good point, we could add the signatures to our download page, we will certainly take this into account.

Real time, dashboard-like, human readable, aggregated, in-depth, IP- or user-based network activity monitoring/ surveillance:
This one is on our roadmap (https://opnsense.org/about/road-map/) since the release of 16.1 for 16.7, there will be some sort of analysis in OPNsense using Netflow.

Live demo on website:
I do like the idea, although I don't expect we have time to release this any time soon.

Firewall:
The firewall scripting really needs a lot of work before it's a good idea to extend more there.
It's always interesting to know if other people miss the functionality you're describing here.

Plugins for hardware:
The plugin architecture is fully in place since version 16.1 (https://github.com/opnsense/plugins); as soon as enough people need the same kind of functionality it's likely new plugins will arrive.

Honeypot:
We haven't looked at it yet, might be a nice idea at some point in time.

Refine & improve release cycle:
We have mechanisms in place to rollback versions if you have them and have proven to respond very fast on the few issues we had.
Given the enormous lack of maintenance of the project we forked from, we spend a *lot* of time rewriting code to make it better readable, more consistent and solve a lot of structural issues.
We might consider additional options after release 16.7, but no concrete plans yet.


Best regards.

Ad

Greetings, I am not sure if this is the way, but I wanted to express my humble but collaborative idea, and my wishlist is basically for the proxy module:

* Create groups by IP or users to apply the proxy filter rules to each one.
* Create access times by group for the proxy.
* Customize the proxy deny page.
* The log displays information such as time of access, domain, URL and/or MIME type.
* A button to clear the proxy cache.

Thanks for your consideration and time.

I deal with dnscrypt proxy as described in this guide https://ramirosalas.com/installing-dnscrypt-in-opnsense.html

Personally, what I want to see in future OPNsense builds is the ability to use dnscrypt proxy out of the box in conjunction with privoxy or tor services. This would be a great feature if implemented the way it is done with the suricata package, which works for IPS/IDS and can be set up correctly through the GUI.

But I do it on the standard DNS port 53 and DHCP on my client Sabayon system through network-manager. I then issue the command dig -4 @127.0.0.1 -p 53 slashdot.org and all the logic dnscrypt provides to my system through the DNS Forwarder seems to work fine. I don't know how to check whether it is going to encrypt my DNS queries or not, because I don't know whether any DNS sniffer is available for the FreeBSD distribution. I also did the standard steps and set up not just public but official dnscrypt servers from their GitHub file that provides a complete list of standard dnscrypt-proxy servers.

Hi all,

I think it would be good to add some essential information into the banner (top banner), like the info listed below.

  • Hostname (short value, without the domain name/fqdn) (I think it's already added in last OPNsense version)
  • Version of the firewall (ex: 16.1.8)
  • Account name currently login on the firewall
  • Current rights of the logged-in account, if several administrators can be logged on to the firewall at the same time, to make it possible to know whether the admin user has read/write permissions or read only because another administrator has logged in previously
  • Help and Logout links already exist in the banner :)

Optional:

  • Ethernet ports status (link state Up or Down for each Ethernet port could be indicated by a green or black  network port pictures integrated into the banner)

PS: I think essential information or links are important in the banner but need to stay clearly readable and visible.

Regards,
GreG

I would like to congratulate for the great and excellent project.

My suggestion would be an ajax supported webUI mainly to allow to move filter rules up and down by drag & drop.

many thanks  ;)

((don:>

Hey guys,
great work and great progress!
Here is my personal plugin/feature-wishlist:
- gui customizable blockpages in webproxy/clamav
- wpad package
- apache-guacamole like html5-portal
- postfix package
- some kind of port-knocking-feature to temporary open/close ports
- iperf package
(- proxy sso using ntlm)

Best regards,

Andy

SSO is currently under development: https://github.com/opnsense/plugins/pull/266

iperf, postfix: if you want only the package (no plugin) it should not be a problem to add it - you need to add a request here: https://github.com/opnsense/tools/issues
port knocking: there is already a feature request but nobody did implement it: https://github.com/opnsense/plugins/issues/37

wpad: is there a ready to use package?
apache-guacamole: may be possible to support but probably not without a plugin (which needs to be contributed).

gui customizable blockpages in webproxy/clamav -> first of all, web proxy and clamav are separate: the proxy is in core, while clamav and c-icap are plugins. These have different maintainers and different repositories. If there were time for that, somebody would already have implemented it.

Oh sorry i meant plugins not packages [emoji28]

Sent from my LG-H850 using Tapatalk