Netgate Discussion Forum

    Questions about the future of pfsense 2.7 CE

    • netblues @nimrod

      @nimrod said in Questions about the future of pfsense 2.7 CE:

      Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version? Are there any bugs or critical vulnerabilities that make CE version unusable? Please let me know.

      Please read the thread from the top.
      Boils down to the use of the patch package.

      CE is as secure as Plus is.

      • Nitrobeast @netblues

        @netblues personally I did not even know about it. Now that I am aware of it the package is being installed on all my CE firewalls.

        • nimrod @netblues

          @netblues said in Questions about the future of pfsense 2.7 CE:

          CE is as secure as Plus is.

          My point exactly.

          • Gblenn @netblues

            @netblues said in Questions about the future of pfsense 2.7 CE:

            Boils down to the use of the patch package.

            Precisely, install that and then select to "Apply All" and you get all those patches I pasted into the post earlier.

            • Patch @nimrod

              @nimrod said in Questions about the future of pfsense 2.7 CE:

              Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version?

              Development of CE directly opposes Netgate's commercial interest. Other than overt security flaws, as they do not want their name on a product with known overt security flaws (hence the patch updates).

              But the 105 issues from v24.03, 122 from v24.11, and currently 70+ from 25.03 are barred from CE (even snapshot) access for a reason.
              There are currently also 4 issues from 24.11, 3 issues from 25.03 and 19 issues from 25.11 which MAY be released in some CE version after 2.8.
              Netgate are doing this because they really do not want anyone to use CE. It is in their commercial interest to ensure it quietly dies.

              Which is why I said, if you are happy with 2.7.2 (and critical security fixes) forever then you have no issue. However, if you want a firewall with ongoing development (actually accessible to use) then it is wise to consider other options.

              • netblues @Patch

                @Patch Other options being for you 5 figures solutions 4 sure.
                You are most probably confusing enhancements with security issues.

                CE version will continue to exist at least for this reason: As a free entry level security product that anyone can tinker with.
                Microsoft did the same by allowing "free" use of its products at homes.
                The rest is history.
                Asking for $129 for the bells and whistles version isn't exactly making money.
                On the other hand we have all seen the Chinese boxes that were sold with the free evaluation version of Plus preinstalled.

                So, no, it won't go away anytime soon, and for the few that stumble upon unbearable issues the fix is simple:
                Just $129.
                As for lab use, which is still a corner situation, perhaps a limited time evaluation version could also work.

                • nimrod @Patch

                  @Patch said in Questions about the future of pfsense 2.7 CE:

                  @nimrod said in Questions about the future of pfsense 2.7 CE:

                  Can you, or anyone else in this thread, tell me exactly what is wrong with current CE version?

                  Development of CE directly opposes Netgate's commercial interest. Other than overt security flaws, as they do not want their name on a product with known overt security flaws (hence the patch updates).

                  But the 105 issues from v24.03, 122 from v24.11, and currently 70+ from 25.03 are barred from CE (even snapshot) access for a reason.
                  There are currently also 4 issues from 24.11, 3 issues from 25.03 and 19 issues from 25.11 which MAY be released in some CE version after 2.8.
                  Netgate are doing this because they really do not want anyone to use CE. It is in their commercial interest to ensure it quietly dies.

                  Which is why I said, if you are happy with 2.7.2 (and critical security fixes) forever then you have no issue. However, if you want a firewall with ongoing development (actually accessible to use) then it is wise to consider other options.

                  What are you doing on these forums then?

                  • SteveITS Galactic Empire @netblues

                    @netblues

                    Asking for $129 for the bells and whistles version isn't exactly making money

                    $129/year is more gross income over time than selling a $700 router once (which has a cost). Or if projecting, a new router every 7-10 years.

                    One could perhaps argue white box installs generate more support tickets. Netgate would know that. $xx/year without any support whatsoever could solve that, I suppose. However, that risks “I paid and it doesn’t work” complaints.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    • AndyRH @Nitrobeast

                      @Nitrobeast said in Questions about the future of pfsense 2.7 CE:

                      personally I did not even know about it. Now that I am aware of it the package is being installed on all my CE firewalls.

                      This is a problem that should be solved by making the patches package part of the default install.

                      o||||o
                      7100-1u

                      • bmeeks @AndyRH

                        @AndyRH said in Questions about the future of pfsense 2.7 CE:

                        @Nitrobeast said in Questions about the future of pfsense 2.7 CE:

                        personally I did not even know about it. Now that I am aware of it the package is being installed on all my CE firewalls.

                        This is a problem that should be solved by making the patches package part of the default install.

                        I think there is a misunderstanding about the Patches package. That allows updating certain PHP files that impact some things in the GUI. It does not permit the updating of binary components on the firewall such as core packages like ISC, Kea, ssh, etc., nor parts of the underlying FreeBSD OS itself. If an update or fix requires changes to a binary portion of pfSense, then the update can't currently be applied by the Patches package.

                        • netblues @bmeeks

                          @bmeeks
                          Well, if it is a package then an interim fix can be (and is) issued.
                          PHP has the most issues but we have seen it elsewhere too.

                          e.g.
                          13052462-3bba-439e-9d3b-a4db775e1ad1-image.png

                          What I'm saying is that Netgate supports CE as far as security is concerned.
                          If the need arises for a core binary change, then an interim release can also happen.

                          We can't complain about something not being done when not needed, at least from what seems to be the case.

                          • bmeeks @netblues

                            @netblues said in Questions about the future of pfsense 2.7 CE:

                            @bmeeks
                            Well, if it is a package then an interim fix can be (and is) issued.
                            PHP has the most issues but we have seen it elsewhere too.

                            e.g.
                            13052462-3bba-439e-9d3b-a4db775e1ad1-image.png

                            What I'm saying is that Netgate supports CE as far as security is concerned.
                            If the need arises for a core binary change, then an interim release can also happen.

                            We can't complain about something not being done when not needed, at least from what seems to be the case.

                            No, just being a package does not mean it can easily be updated. In the example you provided, the PHP code that generates the text-based conf file for the sshd daemon was updated. But if the sshd daemon itself has a problem, that can't be fixed with the Patches package.

                            A new CVE was just published for nginx, the web server used for the pfSense GUI. Here is the Redmine ticket: https://redmine.pfsense.org/issues/16049#change-76049. Updating nginx cannot be done with the Patches package. I develop and maintain packages for pfSense that have both PHP and binary components, so I am quite familiar with the current limitations of the Patches package.

                            • netblues @bmeeks

                              @bmeeks Patching was never easy to begin with.
                              What I'm saying is that a package can be updated without releasing any interim pf release, so it needs less regression testing than a full point release.

                              Manipulating text (PHP) and configuration files is different from changing binary files.

                              What I'm trying to say is that the CE version isn't something left to its (security) fate, only to be fixed if and when the sun is shining.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.