FreeBSD-Powered Firewall Distro OPNsense 16.1 Released (phoronix.com) 64
An anonymous reader writes: OPNsense, the open-source firewall project powered by FreeBSD that began as a fork of pfSense, is out with a new release. OPNsense 16.1 was developed over the past half-year and is a big update. OPNsense 16.1 has upgraded to using a FreeBSD 10.2 base, support for a high-speed IPS mode, a redesigned captive portal, firewall improvements, and a wide range of other work.
opnonsense (Score:2)
am i the only one who read it as opnonsense?
Re: (Score:2, Informative)
This [opnsense.org] should explain it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
phoronix (Score:1)
How about linking to the site instead of the clickbait at Phoronix ?
Why they forked (Score:5, Informative)
My most immediate question, before even reading the feature set, was why they forked in the first place. I had to do some digging (ie: click multiple links and read a couple different pages to find what I was looking for), so to save others time, here's the why:
https://docs.opnsense.org/fork... [opnsense.org]
Technical
We had technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.
Security
On the security part the main issue was the need to separate logic. The GUI should not perform tasks that require root access.
Quality
As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we choose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.
Community
A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since 2014 year they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.
Note
ESF has since changed their policy and the source code is now available under their 6 clause ESF license.
Transparency
A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license had changed for no apparent reason
Restore a firm open source project
With OPNsense we have restored a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.
Re: (Score:2)
The OPNsense project wants to partner with business and make a success of it together. This is why we have a partner program where businesses get project benefits while supporting the project financially.
To get listed as partner of the OPNsense project means an annual investment of € 2500.
Special partners are assigned the Platinum Partner status. These are the partners that made an exceptional contribution to the project.
Meet the new boss, same as the old boss.
These guys just want their version to be the go to version so they can cash in on OSS on their chosen terms instead of ESF's, all while riding others works...
Re:Why they forked (Score:4, Insightful)
how are they "cashing in"? If it is freely available, open source, and under a mainstream license (such as Apple, BSD, GPL, Apache) then there are about two ways to make money off of it:
1) sell customized versions
2) reputation from the product
Neither one seems like "cashing in" as it requires them to do work. And the licensing was only one part identified (such as separation of privileges is a failure major point) so "their chosen terms instead of ESF's" is focusing on a single part of the reason.
In fact, the only people who I can see having a gripe would be ESF as this dilutes "their product". Welcome to the world of open source...
Re: (Score:2)
Does anyone have real complaints about Netgate's cashing in?
The product AFAICT remains free to use. About the worst it has gotten might be the "Gold" menu that shows up in the UI.
I guess at some point it's not hard to see why there's some level of monetization of these projects and that it's not necessarily a bad thing. It might maintain some development focus and quality and semblance of stability, especially if it staves off some of the fragmentation and forking into a half-dozen similar projects, all o
Re:Why they forked (Score:4, Informative)
[Disclaimer: I am a pfSense dev of many years and an ESF Employee]
The bulk of that notice is the very definition of FUD.
First: Fear of going closed source. pfSense was never "closed source" (any part of it), and was never not "freely available" despite what they attempt to claim about policy changes. The only time the build tools were inaccessible was for a couple days while the repo was being moved to a private git server. (And it's since been moved back to github, and later made obsolete when the build process was rewritten).
Second: Uncertainty about "direction" -- there have been many blog posts on blog.pfsense.org about the direction the project is going. There is no problem with transparency except what they are dreaming up. Also, OPNsense is run by Deciso, no mention of that in there, so much for transparency.
Third: Doubt -- vague accusations of code and development quality trying to make people doubt the pfSense project source in general.
Re:Why they forked (Score:5, Informative)
After much outcry from the community, things slowly started opening back up. If nothing else, OPNsense seemed to kick the team in the ass to actually make a GUI that doesn't look like it's from the early 90s. I love pfsense, but this whole "we didn't do anything wrong, we have no idea why they reacted like that" is complete and utter bullshit. You guys made it very clear your intent was to stop other people from selling hardware using the PFsense logo/name, and were originally planning on making it EXTREMELY difficult for people to make customized builds of pfsense as a way to accomplish that.
Re:Why they forked (Score:5, Informative)
The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See http://m0n0.ch/wall/list/showm... [m0n0.ch] for some more background (it's been posted elsewhere but I had that link handy)
That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.
We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...
Re: (Score:3)
No fairy tale, not money related in any way. It's a damned-if-you-do, f'd-if you don't trademark scenario.
If you defend your trademark, you catch flack for bringing up legal issues and making people follow the law.
If you don't defend your trademark, you can lose it and be worse off.
It's about protecting what it means to be "pfSense", which has little to do with money and everything to do with making sure people don't pass off their own code as being "pfSense".
Re: (Score:2)
Re: (Score:2)
If you make a derivative work for your own private/personal use, there's no problem. If you distribute an unmodified copy (no alterations), that's also OK. But when you make a derivative work and and distribute the result (such as selling a modified version of pfSense pre-installed on hardware) at that point it's, a new product.
http://www.linuxfoundation.org... [linuxfoundation.org]
"A trademark should not be used as part of your product name."
https://www.freebsdfoundation.... [freebsdfoundation.org]
"3. If we grant you permission to use the Marks, your
Re: (Score:2)
"A trademark should not be used as part of your product name."
It would help if you quoted the appropriate trademark, which isn't any of the items listed on that page, it's this:
http://www.linuxfoundation.org/programs/legal/trademark/sublicense-agreement [linuxfoundation.org]
And makes absolutely no mention of "not modifying the Linux source code" which would be a ridiculous requirement.
Re: (Score:2)
Right. You can modify a Linux kernel, release your source to comply with GPL, and make your own distro with its own name but you can't modify the source and then claim the result is the official unpatched Linux kernel or claim it is endorsed by the Linux foundation, which is essentially what was happening, from a trademark point of view.
Re: (Score:2)
Re: (Score:2)
Distinction is in "official" and "endorsed by", etc. But that's beside the point. You can say it's based on Linux, includes it, etc, but you can't claim to be Linux using their trademarks.
Closer comparisons are how CentOS can't claim to be Red Hat: https://wiki.centos.org/RedHat [centos.org] and the aforementioned Iceweasel project not claiming to be Firefox: https://en.wikipedia.org/wiki/... [wikipedia.org]
The lines are less clear in cases where the organizations have granted permission to some groups to use their mark in other ways
no complaints so far (Score:5, Informative)
I've been running two instances for about six months. Both have been totally stable. Neither is presently configured to do much beyond basic firewall, dhcpd, and name server duties. I have no complaints.
I chose OPNsense over pfSense because their roadmap made vague claims about becoming closer to base FreeBSD, and since I'm running plenty of FreeBSD and PC-BSD elsewhere, the closer the better. I had not at that time encountered the highly charged discussions that took place between the two teams.
As much as OPNsense has worked out for me so far, it has certainly lacked the polish of a larger project. Some of the documentation was scanty to non-existent. So I'll be waiting a good four weeks before updating these hosts.
I did have one issue associated with a old PCI-based Intel network card. There's this thing about whether this card delivers interrupts as an electric signal or as a data packet. This particular card is right on the brink of when one method gave way in favour of the other. It has some ability to emulate the packet method, but obviously it's not rock solid, because the card would freeze up for ten minutes at a time once or twice a week. Then a watchdog would reset it and all would be normal again.
My fussing with sysctl didn't manage to lock the card into the right mode, for whatever reason, so I pulled the card and switched to the on-board LAN port (some ostensibly crappier thing) and it's worked perfectly ever since.
Congratulations to the OPNsense team for getting this far. I look forward to another uneventful six months.
Re: (Score:1)
Just a quick question. How well does the CARP work with this using the captive portal?
That is a setup with two firewalls using CARP both inside and outside and requiring users inside to authenticate using the captive portal.
We had pfSense 1.2 to 2.1 and it worked pretty nice, but since 2.2 upgrade it was broken (freebsd carp was rewritten or something like that and it broke lot of thing). I haven't had a look since september, I'm now running ESX virtualised and that takes care of clustering, but maintenance
Re: (Score:2)
I'm not sure why your being so apologetic. pfSense makes a BETTER firewall than many commercial options.
After reading discussion in the pfsense forums... (Score:1)
Re: (Score:1)
https://www.reddit.com/r/PFSENSE/comments/35dl17/pfsense_vs_opnsense_articles/
Re: (Score:2)
Re: (Score:1)
You should really learn how to use search engines:
http://m0n0.ch/wall/end_announcement.php
m0n0wall, from the get go, endorsed OPNsense on their own :)
Re: (Score:2)
Re: (Score:2)
See here: http://m0n0.ch/wall/list/showm... [m0n0.ch]
They didn't earn the endorsement, they bought it.
Re: (Score:2)
TThey also took over the m0nowall domains from it's creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.
If that m0n0wall piece is true, these guys are obviously looking more at $ and not community.
Re: (Score:2)
m0n0wall.ch [m0n0wall.ch]