How are packages supported

SteveITS

@michmoor You found the list of what Netgate maintains. Some are indicated, others are listed, some are not listed. From experience I've seen Netgate devs fix issues in other packages such as the "loses settings upon upgrade unless you clicked Save" bug in FreeRADIUS.

pfBlockerNG is at pfblockerng.com -> https://www.patreon.com/pfBlockerNG

There's a general issue in all open source software. Maintainers from 2000 have been doing it 20 years. If the maintainer gets run over by a bus what happens? It's sounding like Snort will wither unless someone steps up, though there is still Suricata.

michmoor

@SteveITS
Thanks on the link to pfBlockerNG. The maintainer generally responds there to issues or feature requests.

What i pointed out is the downside to any OSS project which is very true. I guess im trying to figure out where the middle ground is between a package that is needed to enhance the functionality of pfsense - Suricata for example - and where Netgate should step in and be the primary owner of the application for pfsense (make sure its updated, bugs fixed, features pulled down from upstream). Snort and Suricata are in the same boat. One maintainer. If no one steps up then there is no 'threat prevention', Thats a concern i suppose. Shouldnt that be brought in house?
I lean on pfblocker substantially. Should that be brought in-house and be a maintained feature or treated as a 3rd party app with the hopes that a maintainer is always available? More of a question for Netgate i suppose but im very interested in hearing thoughts? Id imagine i cant be the only one with this concern.

Gertjan

@michmoor

The squid stuff is a good example here.
The squid package is actually a huge binary, probably a set of programs, compiled for your x86, or ARM, or PowerPC, or Risk processor.
Packages like this can be installed on system with easy commands like "apt install squid" and your good.
Then you need to set it up for your needs, which boils down since 1960 to : edit the configuration files, and then start the try and error cycle up untill the pont where you have a situation that you want to have.
For pfSense : exit the command line, around the (FreeBSD) package a GUI layer has to be written so you can use the GUI to control the content of all thee configuration files.
Added to that : pfSense uses FreeBSD, but it is not FreeBSD.

About squid, see here what happened : November 2023 updates: pfsense plus 23.09 CE 2.7.1, OpenSSL, KEA DHCP, & Squid Proxy Deprecation

Squid is a big and very complicated.

For myself, I see it like this : pfSense is pfSense.
It's nice that there are 'addons' or packages .... just 'nice'.

The good news : most packages do not include / need binary 'executable' and are just PHP, Python, shell and whatever script files. So, very open source. The strong point of open source is that : you can correct minor stuff yourself (noop, I'm not kidding).

A lot of pfSense package were build and are thus maintained by Netgate itself : acme, Notes, Cron, Filer, all the OpenVPN export/import stuff, shellcmd and System_Partches (these are the ones I use).

A special case is pfBlockerng : it's is/was just one guy that took an exiting idea to a whole new level.
That said, I wouldn't be surprised that Netflix is preparing a "the making of pfBlockerng" mini series
The pfBlockerng is part of pfSense, and it isn't at the same time, it's the exception.

When you create your own (pfSense) package, and you think (better be sure here) that it is possible that others also want to use it, and that Netgate shares your idea, then you can become an 'official' package author.
You better be very motivated though
And ones you sign in, you can't leave, so have some co developers ready to assist you.

@michmoor said in How are packages supported:

Lastly, if there is an issue with an upstream port whos responsibility is it to reach out to get a port fixed? If there is a problem with FRR, should we ask Netgate to reach out to the handler of FRR to fix it upstream?

Ok, you get the issue I guess.
Netgate can't support 'FRR' as it is probably as big as pfSense itself.
Ït was nice to have it as a package to extend the usage of pfSense itself" and the moment they said yes, ok, let's integrate FRR they (Netgate) has to check if the FRR code doesn't harm the pfSense functionality. Exactly like what Apple does with the App store : they check them all to be sure that your new Apple App doesn't get all the credit card info, photos, contacts, mails and messages from every phone on which the app is installed. Netgate can't, of course, be an active developer in the actual package (binary) code. that's an upstream issue.

It's already close to a miracle that Netgate influences what happens with FreeBSD, the main package that does all the heavy lifting, and makes a dumb device into a router/firewall.
The rest, IMHO, all of this of course is : nice if it work, bye bye if it doesn't.

michmoor

@Gertjan @SteveITS
Thank you both for the feedback. Really appreciate it.
The goal of my post was to figure out what the delineation is for support of packages within pfsense.
How should the community view them? Should we rely on them when operating a business? Squid has/does have many challenges but there are businesses that rely on it. Should they have an expectation that the package will be supported (regardless of upstream CVEs that seem to have been mostly addressed)?
What about all the other packages such as HA Proxy or FRR? @Gertjan I love your analogy with the Apple store.
If FRR doesnt address certain CVEs does pfsense now no longer have dynamic routing support? Just seems like a fine line between support of a package and removal of it and thats concerning.

AlternateShadow

After being a long-time user and Netgate customer I finally registered on this forum just to reply to this thread, after I came across it while dealing with the Squid situation. In my industry we don't much care about caching but the kind of url filtering provided by SquidGuard is a nonnegotiable requirement.

My expectations for what packages Netgate should support are pretty simple. If the features being advertised to sell their products on pages like this

https://www.netgate.com/pfsense-features

this

https://www.netgate.com/tnsr-vs-pfsense-software

and this

https://shop.netgate.com/products/1541-base-pfsense

depend on a package, Netgate has a responsibility to their customers to provide some level of support for that package.

This thread is the first time I've seen the supported packages page @michmoor linked to in the original post and the fact that they don't even provide TAC support for many of the packages underlying the key features they are advertising is really telling. After years of being happy with their products, using them internally and recommending them to others, this is the first time I'm considering removing them from the shortlist of vendors for our next deployment. We're still trying to figure out how to replace SquidGuard, but if we can't figure out how to do that within pfsense we'll likely rip out all the current installs and replace them with something else as well.

michmoor

@AlternateShadow
This is entirely the reason why i started this conversation. There is a gray area here where there are packages that are being advertised but arent really supported.

Take for example threat prevention - Snort/Suricata. Its advertised as a feature of pfsense. But what is not stated is that its maintained by a single individual who does so out of respect to the open source community which i truly appreciate. The problem is when that volunteer decides to no longer be active in maintaining the package. Now what? Who pushes feature requests? Who does bug fixes? Why advertise a feature that essentially you dont support even under a TAC subscription? Its really odd.
The takeaway i have is that any package that specifically says "Maintained by Netgate" that is the package you can safely install. Any package that does not have that is not supported and should not be installed at all - that means Squid / Suricata/ Snort / pfblockerNG / HA Proxy - basically all the popular packages because they are not at all supported under a TAC subscription which makes them pointless to have on a production system.

In summary, package support is a very gray area on pfsense. Some are advertised within the marketing material but have no official support even if you pay for suppot from Netgate.

AlternateShadow

In my opinion, if you want an example of how this should be handled by a company with a very similar business model, just look at ixSystems with TrueNAS. The features used to advertise the software are part of the core that they maintain and then it is made clear that additional functionality is also available via plugins:

"You can also expand its functionality with a variety of free plugins, like Plex Media Server, NextCloud, Zoneminder surveillance, and many others."

I don't know specifically what kind of support they provide for plugins, but the important thing is that it is clear from the beginning what is part of the product they are providing and what isn't. As a result, everyone can set they're expectations appropriately.

Netgate's approach makes me imagine a car company selling me a sports car and then when the brakes fail saying "Sorry, those pads are made by Brembo so we don't support them." That's an entirely fair response if I added the pads as an aftermarket accessory, but it is another thing entirely if the car was advertised and sold as coming with Brembo pads as OEM equipment.

michmoor

@AlternateShadow
I agree.
For comparison here is how packages are supported elsewhere as well
https://docs.opnsense.org/support.html
This is a much better and very clear documented way of telling a community where the support is and is not. Right now, Netgate is very ambiguous with the support as we see with plugins like Squid.

This is not a discussion of which platform is better but simply how the support of the platform and its packages are carried out.
I used the term gray-area when it comes to netgate plugin support and im being nice when writing that but your description is accurate about the brakes on a sports car.

JonathanLee

@AlternateShadow Netgate products when I purchased them advertised proxy use. The Vector W8 I mean firewall was sold to me with the K&N air filter and the Brembo breaks I mean Proxy web caching support.

michmoor

@JonathanLee said in How are packages supported:

Netgate products when I purchased them advertised proxy use.

Thats why im saying to be very careful about the packages you install and rely on. It is not clear what is supported internally and what isnt.
This site here can be a guide:https://www.netgate.com/supported-pfsense-plus-packages

But as I mentioned above any package that has "Maintained by Netgate" you can install, submit redmines and get developer movement (in my experience).
Any package that doesn't explicitly say it's maintained by netgate but instead has nothing or has "Netgate TAC Support can only assist with the installation of this package." that is a package you dont want installed as there is no internal support for it. That includes Suricata/Snort/pfBlockerNG,HA Proxy. So if your business relies on any of those packages find an alternative because there isnt support for them at all. Purchasing a TAC subscription doesnt give you that at all which is very scary. Whats the point then if i can pay to get openvpn support but the best i can do for a Snort bug is go to the forums to seek out the maintainer's assistance? You have to hope that they are available but then you just paid $500USD for a subscription that doesnt cover your use case. Very confusing.

What makes this all confusing and maybe just a tad backhanded is the marketing clearly makes it seem that these are supported features: https://www.netgate.com/pfsense-features

This is far from true as we are learning with Squid. The threat prevention section needs a huge and bolded asterisks because it can technically do it but there is no support for it. Install at your own risk.

one last edit. In the package supported section it states "Netgate supports packages maintained in-house and others that have been proven to work well with our software."
This is somewhat true. There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine? Do i reach out via Paetron? This is a popular package but there is no clear pathway for support.
Again, this is all very confusing and the marketing + documentation needs to be clear.

Gertjan

@michmoor said in How are packages supported:

This is far from true as we are learning with Squid

Maybe it's just me, but when I look at "squid" (here ?) it isn't a surprise that that project is bigger as the entire 'pfSense' (I'll exclude the FreeBSD kernel part for 'reasons').
I've no difficulties at all to understand that Netgate can't just 'do what has to be done' to take care of any "squid" issues.
I've seen it with Debian, an OS I'm using daily for our server needs : if a package exist for something I need to do, that fine. It did happen many times that packages get removed while I was using them because the Debian authorities had their reasons, mostly because 'non maintained' or pure 'non addressed security concerns by the authors'.

AlternateShadow

@michmoor said in How are packages supported:

There are quite a few feature requests and bugs open for pfBlockerNG but who supports it? The redmine tickets are unassigned but you could reach out to the maintainer via Paetron. So what is the official pathway to get package support for it? Do I pay the TAC subscription and still open a redmine?

I currently have a ticket open with TAC to find out what their recommend replacement for SquidGuard is. The solution they have recommended is to use pfBlockerNG, however, in the same reply they explicitly stated that pfBlockerNG is not supported so if you choose to use it assume that you are on your own.

michmoor

@AlternateShadow
Yep. pfBlocker isnt a great alternative to Squid when talking about per-client filtering and looking into a URL path to see content and detect viruses.
Funny enough i have a Redmine ticket for a feature request for pfblocker to do per-network filtering similar to what pi-hole can do [groups/clients] but because redmine doesn't seem to be the best way to reach out and get the support i guess is to use pateron?? i dont know..why is pfblockerNG listed in redmine then? This is confusing.

But the TACs response lines up with what i see the support model being which truthfully isnt great. Again the TAC support page says it supports pfsense plus software....but what does that mean? 3rd party packages?

michmoor

@Gertjan
I think the conversation is pivoting to more with what my concerns are. Dropping support for a package is one thing but indicating you have support in marketing materials but you really dont is another.
Support of whats in the repo is not clear.

JonathanLee

Every one of the community packages for me worked perfectly. I purchased this as an educational tool, as PfSense was taught by a Professor in class. The packages where not covered only the access control lists. But the packages is also what makes Netgate shine. I am very thankful to the team that made them. Me yeah, I am stuck at 23.05.01 as it was the last version that worked for me. I still recommend PfSense. I started on Cisco PIX systems years ago.

Now that I am in computer science, this educational tool still has much to offer. No code is hidden, everything is accessable, any errors you can submit to Redmine for review, there is a very positive community.

Sure I am sad about Squid, but once I get more skillsets I am sure going to try to help. I have some feature requests in on Redmine that would improve Squid's easofacess.

Again, support will come and go packages will come and go. I am sure support will come back.

Netgate has what big tech doesn't, clear visibility and understanding with open source code nothing is hidden, and a community to help. It doesn't hide what it's doing, it doesn't empty a home users wallet. It's affordable for to purchase an official appliance, yes it's a pain to configure at times packages like Squid.

We have to remember every package is someone donated time, they didn't get paid for it. They just want to help. Packages are altruistic.

SteveITS

@michmoor said in How are packages supported:

why is pfblockerNG listed in redmine

All packages are. Also Netgate devs do occasionally fix things in non-Netgate-maintained packages.

https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG :

I totally get the points raised. I would just observe that the point of open source is a community effort, so is this entirely under Netgate's control/purview, or not. Would it be great if there were multiple people working on each add-on package? Sure...the "hit by a bus" scenario. Is everyone on this thread able and/or willing to contribute time and expertise? No. I'm sure it's only a small percentage of programmers.

https://www.reddit.com/r/chaoticgood/comments/mjsmv9/gamer_gets_himself_hired_just_so_he_can_fix_a_bug/

JonathanLee

@SteveITS maybe that's why it's open source, very few understand, and less so can program for it. The hit by bus situation is like a time bomb as many of the 80s original programs are retiring, and lot's of companies didn't expect to have to explain closed source tools maybe this is what forced their hand. Let's face it cyber security needs are growing everyday, and the original ideas the code could also be lost without new talent. The foundation was layed, but it still needs to be built upon to keep up with nation state actors.

Security vs Support vs need for new talent vs new equipment vs trust vs regulations. It's a balancing act on a tightrope that needs guardrails at the same time.

Where is the next generation? Are many caught up in smartphones gaming technology? I want to help, but again there is a learning curve, what tools are use to debug so on, how can it be tested? The list of questions for a computer science student just grows and grows.

michmoor

@SteveITS said in How are packages supported:

https://www.reddit.com/r/chaoticgood/comments/mjsmv9/gamer_gets_himself_hired_just_so_he_can_fix_a_bug/

ROTFL. I love that. hahaha.
Sometimes man...You have to just take matters into your own hands.
I appreciate the commitment that was had there. Pro moves

JonathanLee

Take me for example I hate the privacy abuse with the advertising, I do not like this panopticon feeling. I hate looking up something and for days after it's advertised on every website after. It's absolutely absurd and abusive, California makes laws and advertising companies don't care. I block it out now and it probably pisses someone in big tech off to a point they want to break tools or publicly release lists of vulnerabilities. Is California law making the rules or angry big tech? Do some users block out every single advertisement? Edge browser now does that for you, so again now Microsoft is allowing users to block out all advertising. It's like a wild West in places. I don't care about advertising, I just hate companies that flat ignore opt outs, and keep profiling users like we have no rights.

Leading to what tools and packages should even be allowed for users?

AlternateShadow

@SteveITS said in How are packages supported:

Is everyone on this thread able and/or willing to contribute time and expertise?

What about those of us who contribute money? I'm paying netgate to contribute their time and expertise so I don't have to. My criticism is that there seems to be a discrepancy between what they are selling to their customers and what they are delivering.