Slashdot Mirror

← Back to Stories (view on slashdot.org)

FreeBSD-Powered Firewall Distro OPNsense 16.1 Released (phoronix.com)

Posted by timothy on from the sub-systems dept.

An anonymous reader writes: OPNsense, the open-source firewall project powered by FreeBSD that began as a fork of pfSense, is out with a new release. OPNsense 16.1 was developed over the past half-year and is a big update. OPNsense 16.1 has upgraded to using a FreeBSD 10.2 base, support for a high-speed IPS mode, a redesigned captive portal, firewall improvements, and a wide range of other work.

4 of 64 comments (clear)

  1. Why they forked by ilsaloving · · Score: 5, Informative

    My most immediate question, before even reading the feature set, was why they forked in the first place. I had to do some digging (ie: click multiple links and read a couple different pages to find what I was looking for), so to save others time, here's the why:

    https://docs.opnsense.org/fork...

    Technical

    We had technical reasons to fork. As much as we love the functionality/feature set of pfSense, we do not enjoy the code quality and anarchistic development method. We like structure, achievable goals set forth in a roadmap with regular releases and a decent framework.
    Security

    On the security part the main issue was the need to separate logic. The GUI should not perform tasks that require root access.
    Quality

    As for quality, all new features will be built using a solid framework with a Model View Controller. For this purpose we choose Phalcon as it is the fastest open source PHP framework available. And we will gradually migrate parts inherited from pfSense to the new framework to avoid a big-bang approach.
    Community

    A thriving community can only exist when people are willing to share. We want to make it easier for people to join and help to build the community. With pfSense this has been rather difficult as the tools to build it are difficult to use and often do not work in the first few attempts. And since 2014 year they are not freely available any more, you need to apply for access with ESF. We believe a good open source project has nothing to hide so access to the sources should be there for all. It will remain a mystery why ESF made that move as commit rights and read rights are totally different.

    Note
    ESF has since changed their policy and the source code is now available under their 6 clause ESF license.

    Transparency

    A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license had changed for no apparent reason
    Restore a firm open source project

    With OPNsense we have restored a stable project with clear goals and a very simple license that is suitable for forking and making OEM versions. We think a community project is there for all to use and work with.

    1. Re:Why they forked by saleenS281 · · Score: 4, Informative

      As a user (still on pfsense) who watched it all go down, I'm going to scream BS. ESF basically shut down the build tools and went *COMPLETELY DARK* for almost two weeks as I recall it. Not responding to anybody, and basically saying "give us time to figure out what we're going to do". You guys were pissed that there were third parties selling hardware when that was your primary source of revenue, and nobody had any idea what your plans were.

      After much outcry from the community, things slowly started opening back up. If nothing else, OPNsense seemed to kick the team in the ass to actually make a GUI that doesn't look like it's from the early 90s. I love pfsense, but this whole "we didn't do anything wrong, we have no idea why they reacted like that" is complete and utter bullshit. You guys made it very clear your intent was to stop other people from selling hardware using the PFsense logo/name, and were originally planning on making it EXTREMELY difficult for people to make customized builds of pfsense as a way to accomplish that.

    2. Re:Why they forked by Fez · · Score: 4, Informative

      The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See http://m0n0.ch/wall/list/showm... for some more background (it's been posted elsewhere but I had that link handy)

      That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.

      We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...

  2. no complaints so far by epine · · Score: 5, Informative

    I've been running two instances for about six months. Both have been totally stable. Neither is presently configured to do much beyond basic firewall, dhcpd, and name server duties. I have no complaints.

    I chose OPNsense over pfSense because their roadmap made vague claims about becoming closer to base FreeBSD, and since I'm running plenty of FreeBSD and PC-BSD elsewhere, the closer the better. I had not at that time encountered the highly charged discussions that took place between the two teams.

    As much as OPNsense has worked out for me so far, it has certainly lacked the polish of a larger project. Some of the documentation was scanty to non-existent. So I'll be waiting a good four weeks before updating these hosts.

    I did have one issue associated with a old PCI-based Intel network card. There's this thing about whether this card delivers interrupts as an electric signal or as a data packet. This particular card is right on the brink of when one method gave way in favour of the other. It has some ability to emulate the packet method, but obviously it's not rock solid, because the card would freeze up for ten minutes at a time once or twice a week. Then a watchdog would reset it and all would be normal again.

    My fussing with sysctl didn't manage to lock the card into the right mode, for whatever reason, so I pulled the card and switched to the on-board LAN port (some ostensibly crappier thing) and it's worked perfectly ever since.

    Congratulations to the OPNsense team for getting this far. I look forward to another uneventful six months.