OpenBSD trolls (moan alert)
-
OpenBSD trolls came out of the woodwork and tried to claim that a raw OpenBSD installation (with no packages) would be better than pfSense, and that pfSense was just "packaging" over the top standard OS stuff.
They also said that anyone who uses a GUI to configure a firewall "shouldn't be in charge of security to begin with".
There are many "GUI" tools for packet filters (mostly for Linux's iptables, but a couple for PF too), and they are not all the same. I think many people who are quick to make such disparaging comments don't have a full understanding of the added value that pfsense brings.
Btw one can also edit pfsense's config.xml file, rather than click around in the GUI.
-
Having read most of the debate at G+, I think that the OpenBSD folks do have a point in that OpenBSD is a very good platform for building a network security appliance, since its development / innovation in recent years is mostly focused on the networking subsystems: PF, CARP, OpenBGP, pfsync, etc.
Whereas FreeBSD development seems to be towards a general-purpose server OS, and I sometimes have the impression that PF under FreeBSD is somewhat of an "unwanted step-child" …
However I do agree with your point in the G+ debate that most network security professionals would be better served overall by using pfsense, rather than trying to build a comparable system starting with stock OpenBSD distribution, unless they have significant Unix expertise.
-
sometimes I have the impression that PF under FreeBSD is somewhat of an "unwanted step-child" …
That's fun :D
I second that.
-
There is a reason we use FreeBSD and not OpenBSD.
http://doc.pfsense.org/index.php/Why_did_you_choose_FreeBSD_instead_of_%27insert_OS_here%27%3F
Follow the "not at all supportive of similar efforts." link.
-
OpenBSD guys tend to be Internet tough guys and nice and agreeable in person for the most part. I'm friendly with Henning in particular. Outside of conferences we never interact in any fashion, but at EuroBSDCon, BSDCan, and other BSD conferences the last few years we've hung out many times. He usually attends my presentations at conferences, without even heckling. ;)
I have gotten into this exact debate at a bar in Manhattan at NYCBSDCon 2010. Jason Dixon is an OpenBSD guy that's extremely anti-GUI and anti-pfSense. He basically brought up the same argument noted here by the OP. I really didn't even have to defend the project; NYCBUG guys George Rosamond and Ike Levy, who are hard core BSD guys who have many times in the past built BSD firewalls from scratch and are more than capable of doing so, passionately argued the points I would have, knowing from many years of experience the benefits we bring. Those two even started out thinking we were a joke, no different from what most of the OpenBSD trolls argue, and have long since been converted. We're far from a GUI. That's certainly one of the benefits, as in virtually every company you're going to have admins who are perfectly competent administering a GUI firewall along the lines of any commercial firewall, but give them a strictly CLI BSD system and they're lost or highly likely to break stuff. The "far from a GUI" part is the big one though: even a highly experienced BSD firewall admin will take hours to build a box you can build in maybe 30 minutes start to finish with pfSense. There's so much glue underneath to make everything work nicely together with no fuss that it's a huge, huge time saver. Another point of reference from another hard core BSD guy, Michael Lucas:
http://blog.pfsense.org/?p=520
There will always be haters. Many of them have long since been converted and are big fans of the project today. Others will never be convinced otherwise, and there's nothing you can do but shrug.
Maybe we need our own "haters gonna hate" picture. :D
-
Having read most of the debate at G+, I think that the OpenBSD folks do have a point in that OpenBSD is a very good platform for building a network security appliance, since its development / innovation in recent years is mostly focused on the networking subsystems: PF, CARP, OpenBGP, pfsync, etc.
I'm sure it is, and I never said it wasn't. If people want to go the OpenBSD, command-line and config file maintenance route, that's up to them and that's fine by me. Choice is good.
They don't seem to think so. It seems they believe anything which doesn't conform to their idea of what an OS is, what security is, and how you should use it is wrong.
Oh, and I've known a few hardcore OpenBSD fans myself over the years and they are mostly reasonable people. In fact, in my experience, if they progress in real-world IT beyond being a sys-admin or lone developer, they soften their stance considerably or even change their minds completely.
Anyway, I'm pleased to say that none of these guys are in my G+ circles, and one of them is specifically banned. They only saw my comments because I commented on Randy's IPv6 post. On G+ all comments against a post are seen by anyone who has the OP in their circles.
In fact originally only one person saw it, but he then alerted his troll mates (who weren't in Randy's circles, and wouldn't have seen the original post Randy made) and got them to come and hijack the thread.
The nice thing about G+ is I can mute the post, and block anyone I really don't want to deal with in the future.
Thanks, guys, for letting me get this off my chest.
Cheers,
Keith
-
@cmb:
We're far from a GUI. […] There's so much glue underneath to make everything work nicely together with no fuss that it's a huge, huge time saver.
And that's the main point in favor of pfSense, which I alluded to in my earlier post with my comment "many people who are quick to make such disparaging comments don't have a full understanding of the added value that pfsense brings", probably thinking it's similar to "Firewall Builder with GUI", which allows one to maintain a fw policy and translates it into Cisco PIX, iptables, ipfw, pf etc. rules.
I can think of situations where a pure OpenBSD (or Linux) system might be preferable, such as when you need to finely tune very specific functionality (e.g. pfsense allows only limited ways to configure PF's max-src-* options), but pfsense would be a better solution (richer functionality and far less time spent) for the vast majority of mid-sized deployments.
-
By the way, the OP has, very sensibly, deleted the post and comments and reposted it afresh, so don't bother looking for it.
BTW I deliberately didn't post the link to it as I didn't want to be accused of "organising a posse", which was very clearly what one of the OpenBSD guys did.
Cheers,
Keith
-
It's interesting to note that you may have had trouble raising a posse anyway.
Almost every commenter here is sufficiently open minded to realise that there are plenty of scenarios where you may need to go beyond the flexibility of pfSense and configure your own firewall from scratch. It's just that those scenarios are a pretty small percentage of firewall deployments.
A refreshing attitude I think. :)
Steve
-
+1 to that!
Cheers,
Keith