Slashdot Mirror


FreeBSD-Powered Firewall Distro OPNsense 16.1 Released (phoronix.com)

An anonymous reader writes: OPNsense, the open-source firewall project powered by FreeBSD that began as a fork of pfSense, is out with a new release. OPNsense 16.1 was developed over the past half-year and is a big update. OPNsense 16.1 has upgraded to a FreeBSD 10.2 base and adds support for a high-speed IPS mode, a redesigned captive portal, firewall improvements, and a wide range of other work.

6 of 64 comments

  1. Re:opnonsense by Anonymous Coward · · Score: 2, Informative

    This should explain it.

  2. Why they forked by ilsaloving · · Score: 5, Informative

    My most immediate question, before even reading the feature set, was why they forked in the first place. I had to do some digging (i.e., click multiple links and read a couple of different pages to find what I was looking for), so to save others time, here's the why:

    https://docs.opnsense.org/fork...

    Technical

    We had technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.

    Security

    On the security part the main issue was the need to separate logic. The GUI should not perform tasks that require root access.

    Quality

    As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we choose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.

    Community

    A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since 2014 they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.

    Note

    ESF has since changed their policy and the source code is now available under their 6 clause ESF license.

    Transparency

    A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license had changed for no apparent reason.

    Restore a firm open source project

    With OPNsense we have restored a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.

    1. Re:Why they forked by Fez · · Score: 3, Informative

      [Disclaimer: I am a pfSense dev of many years and an ESF Employee]
      The bulk of that notice is the very definition of FUD.

      First: Fear of going closed source. pfSense was never "closed source" (any part of it), and was never not "freely available" despite what they attempt to claim about policy changes. The only time the build tools were inaccessible was for a couple days while the repo was being moved to a private git server. (And it's since been moved back to github, and later made obsolete when the build process was rewritten).

      Second: Uncertainty about "direction" -- there have been many blog posts on blog.pfsense.org about the direction the project is going. There is no problem with transparency except what they are dreaming up. Also, OPNsense is run by Deciso, no mention of that in there, so much for transparency.

      Third: Doubt -- vague accusations of code and development quality trying to make people doubt the pfSense project source in general.

    2. Re:Why they forked by saleenS281 · · Score: 4, Informative

      As a user (still on pfsense) who watched it all go down, I'm going to scream BS. ESF basically shut down the build tools and went *COMPLETELY DARK* for almost two weeks as I recall it. Not responding to anybody, and basically saying "give us time to figure out what we're going to do". You guys were pissed that there were third parties selling hardware when that was your primary source of revenue, and nobody had any idea what your plans were.

      After much outcry from the community, things slowly started opening back up. If nothing else, OPNsense seemed to kick the team in the ass to actually make a GUI that doesn't look like it's from the early 90s. I love pfsense, but this whole "we didn't do anything wrong, we have no idea why they reacted like that" is complete and utter bullshit. You guys made it very clear your intent was to stop other people from selling hardware using the PFsense logo/name, and were originally planning on making it EXTREMELY difficult for people to make customized builds of pfsense as a way to accomplish that.

    3. Re:Why they forked by Fez · · Score: 4, Informative

      The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See http://m0n0.ch/wall/list/showm... for some more background (it's been posted elsewhere but I had that link handy)

      That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.

      We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...

  3. no complaints so far by epine · · Score: 5, Informative

    I've been running two instances for about six months. Both have been totally stable. Neither is presently configured to do much beyond basic firewall, dhcpd, and name server duties. I have no complaints.

    I chose OPNsense over pfSense because their roadmap made vague claims about becoming closer to base FreeBSD, and since I'm running plenty of FreeBSD and PC-BSD elsewhere, the closer the better. I had not at that time encountered the highly charged discussions that took place between the two teams.

    As much as OPNsense has worked out for me so far, it has certainly lacked the polish of a larger project. Some of the documentation was scanty to non-existent. So I'll be waiting a good four weeks before updating these hosts.

    I did have one issue associated with an old PCI-based Intel network card. There's this thing about whether this card delivers interrupts as an electric signal or as a data packet. This particular card is right on the brink of when one method gave way in favour of the other. It has some ability to emulate the packet method, but obviously it's not rock solid, because the card would freeze up for ten minutes at a time once or twice a week. Then a watchdog would reset it and all would be normal again.

    My fussing with sysctl didn't manage to lock the card into the right mode, for whatever reason, so I pulled the card and switched to the on-board LAN port (some ostensibly crappier thing) and it's worked perfectly ever since.

    Congratulations to the OPNsense team for getting this far. I look forward to another uneventful six months.