Slashdot Mirror


FreeBSD-Powered Firewall Distro OPNsense 16.1 Released (phoronix.com)

An anonymous reader writes: OPNsense, the open-source firewall project powered by FreeBSD that began as a fork of pfSense, is out with a new release. OPNsense 16.1 was developed over the past half-year and is a big update. OPNsense 16.1 has upgraded to using a FreeBSD 10.2 base, support for a high-speed IPS mode, a redesigned captive portal, firewall improvements, and a wide range of other work.

64 comments

  1. opnonsense by greenfruitsalad · · Score: 1

    am i the only one who read it as opnonsense?

    1. Re:opnonsense by Anonymous Coward · · Score: 0

      I read it as NOPsense, as in the assembly command NOPeration, and then (pf)sense.

      Speaking of which, what's wrong with pfSense? Why do we need another BSD-based firewall distro?

    2. Re:opnonsense by Flavianoep · · Score: 1

      Yes, you are.

      --
      Linux is for people who don't mind RTFM.

    3. Re:opnonsense by Anonymous Coward · · Score: 2, Informative

      This should explain it.

    4. Re: opnonsense by Anonymous Coward · · Score: 0

      As an active pfSense user I think they have excellent points there, especially regarding root access and security issues. I think this fork might put more pressure on the pfSense team and eventually benefit everybody.

    5. Re: opnonsense by ilikenwf · · Score: 1

      They have a lot of drama between them, but pfsense still seems superior, especially since as I understand it, the current 2.3 beta is a mostly unpatched FreeBSD, I hear they only have patches on some of the vendor specific drivers....which reminds me I need to file a bug about a crappy broadcom ethernet chip.

    6. Re: opnonsense by Anonymous Coward · · Score: 0

      "Mostly unpatched" is a broad understatement with the amount of pfSense patches still present hidden in the FreeBSD commit history, albeit dropping the fact that 2.3 is not out till March 2016 at least. Your measure of "superiority" is lacking.

    7. Re: opnonsense by ruir · · Score: 1

      I remember quite clearly reading posts about this being not much more than a repackaging of PfSense, and that they had some technical problems. So I am using PfSense. I am sorry, running late here, cannot be bothered to search for the link atm.

    8. Re: opnonsense by Anonymous Coward · · Score: 0

      I worry about the mention of taking it commercial/proprietary. Too many good OSS utils have gone that road, never to return. The biggest attraction of pfSense is the ease of adding modules (Snort, squid), the ease of running it as a VM appliance, and many other niceties. It works, and works well.

      I do hope this fork does have the ability to come on dedicated hardware. There are many uses for a dedicated firewall with known, secure software running on it.

    9. Re: opnonsense by Anonymous Coward · · Score: 0

      "Mostly unpatched" is a broad understatement with the amount of pfSense patches still present hidden in the FreeBSD commit history, albeit dropping the fact that 2.3 is not out till March 2016 at least. Your measure of "superiority" is lacking.

      What are you talking about?

    10. Re:opnonsense by Anonymous Coward · · Score: 0

      No, it's just opnsense.com

    11. Re: opnonsense by Anonymous Coward · · Score: 0

      https://github.com/pfsense/FreeBSD-src/commits/6ee75bdd7bf7c

      2 pages worth of custom commits on top of FreeBSD 10-STABLE. Not "mostly unpatched".

    12. Re: opnonsense by Anonymous Coward · · Score: 0

      PFSense devs actively work in FreeBSD head and backport many changes from FreeBSD 11 back into 10.x. Sometimes you don't want to wait 3 years for changes to make it into stable.

  2. phoronix by Anonymous Coward · · Score: 1

    How about linking to the site instead of the clickbait at Phoronix ?

  3. Why they forked by ilsaloving · · Score: 5, Informative

    My most immediate question, before even reading the feature set, was why they forked in the first place. I had to do some digging (ie: click multiple links and read a couple different pages to find what I was looking for), so to save others time, here's the why:

    https://docs.opnsense.org/fork...

    Technical

    We had technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.

    Security

    On the security part the main issue was the need to separate logic. The GUI should not perform tasks that require root access.

    Quality

    As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we choose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.

    Community

    A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since 2014 they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.

    Note
    ESF has since changed their policy and the source code is now available under their 6 clause ESF license.

    Transparency

    A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license had changed for no apparent reason.

    Restore a firm open source project

    With OPNsense we have restored a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.

    1. Re:Why they forked by cHiphead · · Score: 1

      The OPNsense project wants to partner with business and make a success of it together. This is why we have a partner program where businesses get project benefits while supporting the project financially.

      To get listed as partner of the OPNsense project means an annual investment of € 2500.
      Special partners are assigned the Platinum Partner status. These are the partners that made an exceptional contribution to the project.

      Meet the new boss, same as the old boss.

      These guys just want their version to be the go to version so they can cash in on OSS on their chosen terms instead of ESF's, all while riding others works...

      --
      This is my sig. There are many like it, but this one is mine.

    2. Re:Why they forked by thoromyr · · Score: 3, Insightful

      how are they "cashing in"? If it is freely available, open source, and under a mainstream license (such as Apple, BSD, GPL, Apache) then there are about two ways to make money off of it:

      1) sell customized versions
      2) reputation from the product

      Neither one seems like "cashing in" as it requires them to do work. And the licensing was only one part identified (such as separation of privileges is a failure major point) so "their chosen terms instead of ESF's" is focusing on a single part of the reason.

      In fact, the only people who I can see having a gripe would be ESF as this dilutes "their product". Welcome to the world of open source...

    3. Re:Why they forked by swb · · Score: 1

      Does anyone have real complaints about Netgate's cashing in?

      The product AFAICT remains free to use. About the worst it has gotten might be the "Gold" menu that shows up in the UI.

      I guess at some point it's not hard to see why there's some level of monetization of these projects and that it's not necessarily a bad thing. It might maintain some development focus and quality and semblance of stability, especially if it staves off some of the fragmentation and forking into a half-dozen similar projects, all of which end up sucking.

      Obviously it can be a bad thing if the free product ends up sucking and being, well, not free.

    4. Re:Why they forked by Fez · · Score: 3, Informative

      [Disclaimer: I am a pfSense dev of many years and an ESF Employee]
      The bulk of that notice is the very definition of FUD.

      First: Fear of going closed source. pfSense was never "closed source" (any part of it), and was never not "freely available" despite what they attempt to claim about policy changes. The only time the build tools were inaccessible was for a couple days while the repo was being moved to a private git server. (And it's since been moved back to github, and later made obsolete when the build process was rewritten).

      Second: Uncertainty about "direction" -- there have been many blog posts on blog.pfsense.org about the direction the project is going. There is no problem with transparency except what they are dreaming up. Also, OPNsense is run by Deciso, no mention of that in there, so much for transparency.

      Third: Doubt -- vague accusations of code and development quality trying to make people doubt the pfSense project source in general.

    5. Re:Why they forked by saleenS281 · · Score: 4, Informative

      As a user (still on pfsense) who watched it all go down, I'm going to scream BS. ESF basically shut down the build tools and went *COMPLETELY DARK* for almost two weeks as I recall it. Not responding to anybody, and basically saying "give us time to figure out what we're going to do". You guys were pissed that there were third parties selling hardware when that was your primary source of revenue, and nobody had any idea what your plans were.

      After much outcry from the community, things slowly started opening back up. If nothing else, OPNsense seemed to kick the team in the ass to actually make a GUI that doesn't look like it's from the early 90s. I love pfsense, but this whole "we didn't do anything wrong, we have no idea why they reacted like that" is complete and utter bullshit. You guys made it very clear your intent was to stop other people from selling hardware using the PFsense logo/name, and were originally planning on making it EXTREMELY difficult for people to make customized builds of pfsense as a way to accomplish that.

    6. Re:Why they forked by Fez · · Score: 4, Informative

      The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See http://m0n0.ch/wall/list/showm... for some more background (it's been posted elsewhere but I had that link handy)

      That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.

      We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...

    7. Re:Why they forked by Anonymous Coward · · Score: 0

      It's 2016 and we're still hearing the fairy tale of how pfSense was tricked out of the money "it rightfully deserved".

    8. Re:Why they forked by Fez · · Score: 2

      No fairy tale, not money related in any way. It's a damned-if-you-do, f'd-if you don't trademark scenario.

      If you defend your trademark, you catch flack for bringing up legal issues and making people follow the law.

      If you don't defend your trademark, you can lose it and be worse off.

      It's about protecting what it means to be "pfSense", which has little to do with money and everything to do with making sure people don't pass off their own code as being "pfSense".

    9. Re:Why they forked by Anonymous Coward · · Score: 0

      It doesn't matter where one goes, every time the same story. Every time OPNsense is labeled inferior by pfSense enthusiasts. Time to speak up as a dev and let those people know that good change only comes from within, right?

    10. Re:Why they forked by saleenS281 · · Score: 1

      If trademark were enforced in the way you claim, Linux wouldn't exist. Nor would FreeBSD. Hell, PFSENSE wouldn't exist. I just don't buy that as the reasoning behind the actions that were taken.

    11. Re:Why they forked by Fez · · Score: 1

      If you make a derivative work for your own private/personal use, there's no problem. If you distribute an unmodified copy (no alterations), that's also OK. But when you make a derivative work and distribute the result (such as selling a modified version of pfSense pre-installed on hardware) at that point it's a new product.

      http://www.linuxfoundation.org...
      "A trademark should not be used as part of your product name."

      https://www.freebsdfoundation....
      "3. If we grant you permission to use the Marks, your use of the Marks must always be fully and clearly reproduced, and you may not incorporate any of our Marks into the trademarks, service mark, logos, name of your business, project, organization, or username, unless you have the express prior written permission of the Foundation."

      The pfSense CLA and such closely mirror that of the Apache product. Here is what they say on http://www.apache.org/foundati...
      "This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file."

      The confusing part is that people seem to mix up distributing an unmodified copy (which is OK to put on hardware for sale, so long as the mark is respected) with distributing a modified copy, which they may not realize is now a derivative work and thus violates the trademark. People interpret that as being told they can't sell the software, but what they can't do is sell their own derivative work and call it by someone else's trademark. (See above example, re: Coke)

    12. Re:Why they forked by saleenS281 · · Score: 1

      "A trademark should not be used as part of your product name."

      It would help if you quoted the appropriate trademark, which isn't any of the items listed on that page, it's this:
      http://www.linuxfoundation.org/programs/legal/trademark/sublicense-agreement

      And makes absolutely no mention of "not modifying the Linux source code" which would be a ridiculous requirement.

    13. Re:Why they forked by Fez · · Score: 1

      Right. You can modify a Linux kernel, release your source to comply with GPL, and make your own distro with its own name but you can't modify the source and then claim the result is the official unpatched Linux kernel or claim it is endorsed by the Linux foundation, which is essentially what was happening, from a trademark point of view.

    14. Re:Why they forked by saleenS281 · · Score: 1

      You absolutely can modify the Linux kernel and still claim it's the Linux kernel. What on earth are you talking about? That happens literally every day.

    15. Re:Why they forked by Fez · · Score: 1

      Distinction is in "official" and "endorsed by", etc. But that's beside the point. You can say it's based on Linux, includes it, etc, but you can't claim to be Linux using their trademarks.

      Closer comparisons are how CentOS can't claim to be Red Hat: https://wiki.centos.org/RedHat and the aforementioned Iceweasel project not claiming to be Firefox: https://en.wikipedia.org/wiki/...

      The lines are less clear in cases where the organizations have granted permission to some groups to use their mark in other ways.

    16. Re:Why they forked by Anonymous Coward · · Score: 0

      It's pointless to discuss forks. It's the basis of a lot of good products and I'm sure this fork helps the pfsense guys get their finger out of their ass. Note: I've been using pfsense for about 3 years, both for soho and mid-size businesses.

    17. Re:Why they forked by Anonymous Coward · · Score: 0

      I installed PFsense at home not too long ago to play with IPv6 and I've encountered some issues.
      Posted on pfsense forum and was completely ignored there. How do you want people to use your Open Source product if community is so mute. I will give OPNSense a try now.

    18. Re:Why they forked by Anonymous Coward · · Score: 0

      According to some long term senior PFSense community devs, the OPNsense people wanted to rebrand PFSense, but couldn't easily do that with the current license. Follow the money. It's not an opensource drive, there is money backing it. PFSense is forward about their intentions, OPNsense is not. Seems sketchy.

      A lot of the technical issues OPNsense made was already being addressed, just not very quickly. PFSense is also working with Intel and FreeBSD to help revamp the FreeBSD network stack for higher performance. OPNsense is just about making things look pretty and fixing the rebranding legal issue. At least PFSense is planning to go Python instead of crappy PHP. Why does OPNsense want to use such a horrible language with a reputation of security issues and terribly violating the law of least astonishment, which encourages bugs.

      That being said. Competition is good. Even the best get complacent. OPNsense isn't bad, it's just not as pure intentions or great design changes as they make it sound like.

    19. Re:Why they forked by Anonymous Coward · · Score: 0

      OPNsense gives me a "feel good" vibe that I don't like. That same feeling nearly all Linux distros give me(Slackware excluded). PFSense gives me a "take it or leave it" feeling. It's a bit elitist, but I like it much more.

  4. no complaints so far by epine · · Score: 5, Informative

    I've been running two instances for about six months. Both have been totally stable. Neither is presently configured to do much beyond basic firewall, dhcpd, and name server duties. I have no complaints.

    I chose OPNsense over pfSense because their roadmap made vague claims about becoming closer to base FreeBSD, and since I'm running plenty of FreeBSD and PC-BSD elsewhere, the closer the better. I had not at that time encountered the highly charged discussions that took place between the two teams.

    As much as OPNsense has worked out for me so far, it has certainly lacked the polish of a larger project. Some of the documentation was scanty to non-existent. So I'll be waiting a good four weeks before updating these hosts.

    I did have one issue associated with an old PCI-based Intel network card. There's this thing about whether this card delivers interrupts as an electric signal or as a data packet. This particular card is right on the brink of when one method gave way in favour of the other. It has some ability to emulate the packet method, but obviously it's not rock solid, because the card would freeze up for ten minutes at a time once or twice a week. Then a watchdog would reset it and all would be normal again.

    My fussing with sysctl didn't manage to lock the card into the right mode, for whatever reason, so I pulled the card and switched to the on-board LAN port (some ostensibly crappier thing) and it's worked perfectly ever since.

    Congratulations to the OPNsense team for getting this far. I look forward to another uneventful six months.

    1. Re:no complaints so far by Anonymous Coward · · Score: 1

      Just a quick question. How well does the CARP work with this using the captive portal?

      That is a setup with two firewalls using CARP both inside and outside and requiring users inside to authenticate using the captive portal.

      We had pfSense 1.2 to 2.1 and it worked pretty nice, but since 2.2 upgrade it was broken (freebsd carp was rewritten or something like that and it broke a lot of things). I haven't had a look since September, I'm now running ESX virtualised and that takes care of clustering, but maintenance wise it would be nice to have clustering working. For the interested, this is not a company wide perimeter firewall but just a quite hefty guestnet setup being used multiple campuses supported by home grown account management system which our service desk, secretaries etc. can quickly pass visiting guests network access. Not earth shattering important service, but nice to have PR tool. We have used pfSense because of its flexibility to customize nice login screen and nice stats.

      If OPNsense is known to work better that wise it would be nice to hear experience from others of anything similar use or setup.

      ps. We have many commercial vendors products for other firewall uses (perimeter, departmental, labs, etc.) but pfSense was best suited for captive portal 2009 when we built that system.

    2. Re:no complaints so far by LDAPMAN · · Score: 1

      I'm not sure why you're being so apologetic. pfSense makes a BETTER firewall than many commercial options.

    3. Re:no complaints so far by Anonymous Coward · · Score: 0

      I'm not sure why you're being so apologetic. pfSense makes a BETTER firewall than many commercial options.

      You must be joking or not understanding requirements for large organizations, government etc. Sorry about appearing blunt, but I don't even know where to begin explaining, so silly is your comment.

  5. After reading discussion in the pfsense forums... by ilikenwf · · Score: 0

    This project seems like a joke in many ways despite having valid goals. They also took over the m0nowall domains from its creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.

  6. Re:Richard M. Stallman: Why We Should “Say L by Anonymous Coward · · Score: 0

    Unless the code isn't available to me, I generally don't give two shits about licenses as far as being a single user is concerned, most people probably are the same. It only really matters if you are rich or a business otherwise.

  7. Re:Richard M. Stallman: Why We Should “Say L by Anonymous Coward · · Score: 0

    I think that LisystemdGNUx is a more appropriate name these days.

  8. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    Link?

  9. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 1

    https://www.reddit.com/r/PFSENSE/comments/35dl17/pfsense_vs_opnsense_articles/

  10. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 1

    You should really learn how to use search engines:

    http://m0n0.ch/wall/end_announcement.php

    m0n0wall, from the get go, endorsed OPNsense on their own :)

  11. Re:After reading discussion in the pfsense forums. by cHiphead · · Score: 1

    They also took over the m0nowall domains from its creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.

    If that m0n0wall piece is true, these guys are obviously looking more at $ and not community.

    --
    This is my sig. There are many like it, but this one is mine.

  12. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    After reading discussion in the pfsense forums...[t]his project seems like a joke in many ways despite having valid goals.

    Well they are hardly unbiased commentators.

  13. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    They also took over the m0nowall domains from its creator and instead of maintaining them as-is, they redirect to their own domain and crown themselves as successors to the legacy of that project, when really, pfSense is that.

    If that m0n0wall piece is true, these guys are obviously looking more at $ and not community.

    http://m0n0.ch/wall/end_announcement.php

  14. Misread title by Anonymous Coward · · Score: 0

    Thought the name of the project was OPENonsense >_>

  15. Re:After reading discussion in the pfsense forums. by ilikenwf · · Score: 1

    The m0n0wall dev also owned m0n0wall.ch, which does this redirect.

    m0n0wall.ch

  16. Re:After reading discussion in the pfsense forums. by ilikenwf · · Score: 1

    Remember he was only operating on what they said, not what they've actually done.

  17. Re:After reading discussion in the pfsense forums. by ilikenwf · · Score: 1

    That top comment is what made me stick with pfsense when I rebuilt (virtualized) my router.

  18. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    Remember he was only operating on what they said, not what they've actually done.

    You know this how? Just curious. Sounds like a pretty broad statement to make without knowing true context.

  19. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    See the reddit link above, while it is the pfsense subreddit, there's discussion both ways, but the top comment is a clincher.

  20. Re:Richard M. Stallman: Why We Should “Say L by Anonymous Coward · · Score: 0

    Don't spell it systemd.

    Spell it SystemD. That way it looks like an ASCII penis.

  21. Re:After reading discussion in the pfsense forums. by Fez · · Score: 1

    See here: http://m0n0.ch/wall/list/showm...

    They didn't earn the endorsement, they bought it.

  22. Screw OPNSense by Anonymous Coward · · Score: 0

    OPNSense is garbage, just wait for pfsense to get their new bootstrap UI.

    1. Re:Screw OPNSense by Anonymous Coward · · Score: 0

      14 months after someone else put out a bootstrap version? Worth all the trouble waiting for sure.

  23. Re: Richard M. Stallman: Why We Should “Say by Anonymous Coward · · Score: 0

    Someone should write a browser plugin like the famous cloud2butt which would change every occurrence of systemd or SystemD to B=====D, or whatever the ISO standard for ASCII penis is.

  24. Re: Richard M. Stallman: Why We Should “Say by Anonymous Coward · · Score: 0

    But why

  25. Re:After reading discussion in the pfsense forums. by Anonymous Coward · · Score: 0

    [citation needed]

  26. OPnSENSE? I thought it was a joke! by Anonymous Coward · · Score: 0

    http://www.opnsense.com