Here is why NAS functionality on pfsense can make a hell lot of sense.
-
I don't think pfsense should develop NAS capability, I just think it'd be nice to run them both on the same box without vm. I mean, the only thing separating them now is an Ethernet cable, why not do away with the physical separation and have a robust software integration that is security conscious AND feature rich. Let them share what they can share and keep separate what needs to be separate. A pfsense based time capsule would be killer.
-
luckily this will probably never happen.
if people wish to dig their own grave then they should do so, i guess.
-
I spent some more time thinking about this and I still think that all the security concerns are complete BS.
I mean if you think about it, having anything sensitive on a computer that has a browser or Windows on it (or even better: android) is a gazzilion times more risky.
Just think about the million Flash and browser vulnerabilities.
In my opinion everyone who argues that NAS and router on the same device is stupid has no right to run Windows in a network with private data. Period.
But I'm sure you all have figured this out and are running a separate computer for every program. One for the emails, one for the browser, one for the notepad, one for the calculator and one for minesweeper. I mean you would probably get hacked within a minute if you were to run all these on the same device, right?But (I probably said this a million times by now) what makes you think that pfsense would be any less secure when you install a NAS package on it? I mean seriously WHAT EXACTLY do you think would cause pfsense to be any less secure? I mean the NAS package would have no reason to temper with the router config and I highly doubt that pfsense would accidentally create a vulnerability upon spotting a NAS package.
-
NopIt,
I'm not sure why you are beating a dead horse; you have already been provided an answer and venting is not likely to change anything.
The fact that Windows is not very secure does not justify NAS functionality being added to pfSense. I do not follow this logic. As a security professional, I would not want NAS functionality added to pfSense.
If you have a decent enough computer with a few network cards on it, consider loading the free VMware ESXi hypervisor on it and then load FreeNAS and pfSense as separate virtual machines (VM) on ESXi. This will allow you to share hardware for both services. I personally do this for several services on my home network including Plex, SABnzbd, Deluge, etc., all running Ubuntu server on separate VM's. Pfsense would also run fine as a VM, but I prefer a dedicated box for this so that I can do maintenance on ESXi whenever I please without impacting internet service.
Just my 2 cents.
-
"The fact that Windows is not very secure does not justify NAS functionality being added to pfSense."
I'm just arguing that almost everyone has private data on the same computer that they use to surf the Internet. Thus there is absolutely no reason to not reduce pfsense's security by 0.00001 nano-percent (or whatever that would be) to get a ton of benifits.I mean seriously. It feels like some people here are living in a dreamworld. Maybe an analogy helps you understand my POV:
Imagine you live in a house and you buy a super heavy titanium steel bunker door because you care about security. At the same time you don't even spend a second about the fact that a small stone could easily penetrate any window in your house and you refuse to add a door handle to the inside of the bunker door because you somehow think that it could have any affect on the security of the door.
See the irony? -
I'd wager that the person putting a bunker door on the house would have already secured the rest of it, and they would put a door handle on the inside, but have the deadbolt be keyed instead of just a knob. (Basically, I think your analogy is faulty).
NAS gives a potential way in; every service running on a computer/firewall/router has the potential to allow someone a way in. Software is written by humans, people make mistakes. Mistakes lead to buffer overflows, which lead to privilege escalation, which lead to access.
Access can lead to malware or programs using your equipment to act as part of a bot net to DDOS a bank. DDOS could lead to Federal charges. Oh, you didn't know someone "broke into" your computer/NAS/firewall? Too bad, enjoy the next 20 years of your life in a small cell.
NAS on your firewall/router. Someone that doesn't like you, they figure out your public IP, start a DOS against you. Your ISP doesn't do anything about it, so until you unplug from the Internet, you can't even access the files on your NAS.
"…a ton of benefits."
I don't see any benefit other than maybe having one less device, and given the cost, I can do without that benefit. Noone is telling you "you can't do that". They are saying "It's a bad idea, go ahead if you want to, I am not helping you".Perhaps we are living in a dreamworld, where there is understanding that bad things can happen and bad people exist.
-
"…a ton of benefits."
Not only one I saw or can imagine! ;)
In the Link I was posting you, you were able to read that your dream becomes perhaps going on
or happen. It was the last statement from @jwt and so this discussion about is in my eyes obsolete! ::)
Now that bhyve has been added, you could probably have pfReeNAS without too much trouble.So this might be a real gain for someone, but I personally hope that the development team is not
doing it in another way and let all the code fleeting in the pfSense source code, because than we
would fall back for seeing many fine functions and options that is really missed at this time from
much more peoples;- Intel QuickAssist support
- CPU multicore usage for the entire core system
Would be making much more sense in my eyes than getting a NAS box on top!
If you want to have a NAS there are many different ways to walk this road and
for each need another system likes; ::)- FreeNAS
- NA4FreeS
- OwnCloud
- OpenMediaVault
So if the new Intel Xeon D-1548 would come out you could really built a new pfSense
box and spend your older one for a NAS, that this theme is really solved. ;D -
"Not only one I saw or can imagine! ;)"
So basically you didn't even read the first post. I guess I don't have to read yours either then…@mer
Yeah sure buffer overflows and all that stuff can happen. But we are living in 2015. We know about TDD/BDD and we can easily test edge cases before releasing a product. -
If you want a NAS, setup a NAS, if you want a firewall, setup a firewall. If you don't care about security, forego the firewall and just setup your NAS.
NAS and firewall are nearly as polar opposite as you can get. May as well ask for a NAS app to install on your cellphone. Ummm… No. Of course someone could always create a package for PFSense, but most people skilled enough to do so won't agree with NAS on a firewall.
This could just be my Server Admin, Server Security, Network Admin, and Network Security background talking. Now I just do software development, but I can smell a bad idea a mile away.
-
@mer
Yeah sure buffer overflows and all that stuff can happen. But we are living in 2015. We know about TDD/BDD and we can easily test edge cases before releasing a product.Anyone that does development knows that all the tools in the world does not automatically mean better code. I'd wager it lets you make mistakes faster. "One more feature", lack of unit testing, shortened QA cycles (because the release date can't be moved) all lead to test cases not getting covered. Edge cases? Sorry, but users will come up with ones you never thought of.
Another way of looking at it: Default Deny vs Default Accept security stance. Which is easier to verify? (Hint, OpenBSD does Default Deny, Windows does Default Accept).
I agree with Harvy66 and other that integrating NAS functionality onto a pfSense box is bad idea, but you know what? It's your hardware, you have complete control of it so you do what you want. You may get others to help you, but those who "waste too much time on security" are just going to sit back and chuckle.
-
I spent some more time thinking about this and I still think that all the security concerns are complete BS.
I mean if you think about it, having anything sensitive on a computer that has a browser or Windows on it (or even better: android) is a gazzilion times more risky.
Just think about the million Flash and browser vulnerabilities.
In my opinion everyone who argues that NAS and router on the same device is stupid has no right to run Windows in a network with private data. Period.
But I'm sure you all have figured this out and are running a separate computer for every program. One for the emails, one for the browser, one for the notepad, one for the calculator and one for minesweeper. I mean you would probably get hacked within a minute if you were to run all these on the same device, right?But (I probably said this a million times by now) what makes you think that pfsense would be any less secure when you install a NAS package on it? I mean seriously WHAT EXACTLY do you think would cause pfsense to be any less secure? I mean the NAS package would have no reason to temper with the router config and I highly doubt that pfsense would accidentally create a vulnerability upon spotting a NAS package.
I'm all for it, even if I had no firewall at all. Only thing people are going to see on my network is lot of furry porn. In enterprise environment, then whole other ball park even so you hardly see open sources used anyway.
There was day many years ago when my first firewall was Celeron 366 with 32mb of PC133 and cell phone were only made for calling. Have you seen smart phones lately? If I have to setup VM then I will, but it can be done. For now time go back to this "good all days of dailup and being teenager" >>>
Foxler
-
Hi!
Jumping in this discussion a little late, still my points are:
1 - We don't have even the available packages working as well we need, if you want to contribute more and have the time, help improve the packages.
2 - pfSense is intended as a Router/Firewall system, it also can be built as an UTM, but NAS fits a completely different category and functionality.
3 - If you say security concerns for NAS in pfSense are BS, you clearly understand s** about security. You NEVER, EVER expose your files or any sensitive data for that matter, in the very OS that serves as Firewall between your network and the rest of the world.
4 - If you want to host simple files for Proxy messages, simple web pages, there's already a package called vHosts, use that.
5 - IF you want to build a cheap NAS, buy Raspberry Pi 2 or a Cupieboard, they are cheap and you can learn a lot working with them.
-
@BlueKobold:
- Intel QuickAssist support
soon
@BlueKobold:
- CPU multicore usage for the entire core system
what do you think netmap-fwd is about? :-)
Also: "Woof!"
-
OP, I found the answer to your combined NAS/Firewall-router predicament.
-
http://www.pcper.com/news/Cases-and-Cooling/Phanteks-Enthoo-Mini-XL-Dual-System-Enclosure-2-Motherboards-1-PSU
That's a ridiculous solution! - The colour is all wrong ;)
-
3 - If you say security concerns for NAS in pfSense are BS, you clearly understand s** about security. You NEVER, EVER expose your files or any sensitive data for that matter, in the very OS that serves as Firewall between your network and the rest of the world.
When your boss know what you do in bed, sensitive data last thing on your mind. Some people understand everything about security, some of those people understand it will be losing battle. If I'm getting paid for it then yes, for myself I could care less. It's always about getting things you don't need. It reminds me when I stop by a Mcdonalds few years back while on the road at night. I saw this very over weight woman, she couldn't even wait for her order to get done. She was eating it right at the counter, my other boss was like "OMG you don't need take other bite of that. Put it down!" Yes idea of firewall and NAS is not normal, but sometimes people do odd things.
@jwt:
Also: "Woof!"
Arf
