OPNsense 19.7 Released With Remote Logging, Firewall Rule Improvements, Route-Based IPsec


    Phoronix: OPNsense 19.7 Released With Remote Logging, Firewall Rule Improvements, Route-Based IPsec

    OPNsense, the FreeBSD-based pfSense-forked firewall offering that has continued experiencing increased adoption following the closure of m0n0wall, is out with version 19.7 as its newest feature update...

    http://www.phoronix.com/scan.php?pag...-19.7-Released

  • #2
    Thanks to the developers for another release.

    Sadly, proper IPv6 support in firewall rules did not make it into this release, but it's more HardenedBSD's (or pf's) fault. I really hope they'll make the transition from BSD to Linux one day, as it has better NIC drivers and much better firewalling support. Both are kind of important for the target audience.

    Just to give you an example: BSD's packet filter (pf) still does not allow you to write firewall rules for changing IPv6 prefixes. Since all of the ISPs I know change their IPv6 prefix every once in a while this is a huge show stopper for a firewall. I know the OPNsense devs work around many of pf's shortcomings by intensive scripting, but in the Linux world things could be so much easier and cleaner.



    • #3
      What would be the POINT of transitioning to Linux? You'd also lose pf, since it has never been ported to Linux. Just use a random Linux firewall distro and give up all the goodies coming from the use of pf.



      • #4
        Originally posted by aht0:
        What would be the POINT of transitioning to Linux? You'd also lose pf, since it has never been ported to Linux. Just use a random Linux firewall distro and give up all the goodies coming from the use of pf.
        What are the goodies? If I wanted to make a little embedded system or SBC be a DIY router (which this type of thing is intended for, right?), or a VM even I guess, what benefits are there from going with a BSD solution vs similar ones on Linux? (This is coming from someone who doesn't really know anything about this or similar software.)



        • #5
          Originally posted by aht0:
          What would be the POINT of transitioning to Linux? You'd also lose pf, since it has never been ported to Linux. Just use a random Linux firewall distro and give up all the goodies coming from the use of pf.
          IMHO there are no goodies in pf compared to nftables. For mainstream usage nftables is more flexible and advanced. As I said, pf is lacking support for real-life IPv6 rules, as it cannot ignore the prefix and match only the host part. That's kind of important in a world where there are ISPs out there which change IPv6 prefixes as often as I change my underwear. pf also cannot do any form of interface matching (inbound/outbound interface). They always resolve interfaces to IP addresses or subnets. Again, that's a real pain in the IPv6 world.

          There might be special use-cases where pf performs better than nftables. However I think the average user or business won't benefit from these use-cases. They usually only suffer from pf's shortcomings (such as the ones mentioned above).

          I have used OPNsense for quite some time and what I have learned from this is that *BSD is heavily overrated when it comes to its networking and firewalling capabilities. I switched to a self-made Linux firewall (plain Debian with nftables+unbound+dhcp+radvd) a while ago and I do not regret this. At least I am getting proper IPv6 support in Linux. And the general network throughput in Linux is also higher than in BSD. PPPoE on FreeBSD was super slow, no way to reach Gigabit performance on embedded hardware. No problem on Linux.

          That's why I hope that OPNsense will switch its foundation one day. I have really liked the user interface. It's very clean and easy to use, but still gives advanced users enough room.

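The two pf limitations raised in #2 and #5 (rules that must survive a changing ISP prefix, and matching on the inbound/outbound interface) map onto two nftables features: a bitwise mask on the IPv6 address and `iifname`/`oifname` matches. The ruleset below is an added illustration, not something posted in this thread or shipped by OPNsense; the interface names, the interface identifier and the port numbers are constructed values.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread or from OPNsense).
# Constructed values: eth0 is the WAN, eth1 the LAN, and ::215:5dff:fe01:1 is
# the 64-bit interface identifier (lower half of the address) of a LAN server.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define SRV_IID = ::215:5dff:fe01:1

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed in either direction
        ct state established,related accept
        ct state invalid drop

        # Interface-based policy: LAN hosts may open connections towards the WAN
        iifname $LAN oifname $WAN accept

        # Inbound from WAN to one LAN host, keyed only on the lower 64 bits of
        # the destination: the mask ::ffff:ffff:ffff:ffff zeroes the ISP-assigned
        # prefix before the comparison, so the rule keeps matching after a prefix
        # change without the ruleset having to be regenerated.
        iifname $WAN oifname $LAN \
            ip6 daddr & ::ffff:ffff:ffff:ffff == $SRV_IID \
            tcp dport { 22, 443 } accept

        # ICMPv6 that forwarded IPv6 traffic needs in order to work at all
        icmpv6 type { echo-request, packet-too-big, time-exceeded, parameter-problem } accept
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`. The masked match only does what it promises if the server keeps a stable interface identifier (EUI-64 or a fixed token); a host using privacy extensions changes the lower 64 bits too and would not be matched.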


          • #6
            Originally posted by aht0:
            Just use random Linux firewall distro and give up all the goodies coming from the use of pf.
            Is there any such thing which is as polished and full-featured as pfsense/opnsense?



            • #7
              Originally posted by jabl:
              Is there any such thing which is as polished and full-featured as pfsense/opnsense?
              Endian firewall ("network security UTM something something" in their site),
              Untangle NG Firewall,
              ClearOS for the paid ones (you can usually install the "community" version for free, sometimes with some reduced functionality that does not matter much for smaller users).

              Usually based off CentOS or Debian.

              IPFire and OpenWrt for the Linux FOSS side.


              Note: there are more, I only cited the good ones.

              i_am_not_a_robot non-technical people should use these, no need to piss off BSD fans.
              Last edited by starshipeleven; 07-18-2019, 12:17 PM.

