Minimal install (Starting at 50$)



  • Hi All,

    I don't know if I'm the only one interested in this, but I was thinking today, after playing with the package manager for a bit, that it might be cool to have a minimal install image of pfSense (including only the web UI and the basic networking components so you can connect to it).  That way if you know that (for instance) you won't be needing any OpenVPN support, you don't need it installed.  But if you need it, it could be installed from the package manager.

    I would open with 50$ for an install image like that.  I'm hoping there are other folks that think this is a cool idea!

    Thanks

    Brigzzy



  • I would like to see the system become completely modular, where custom builds removing any part of the base system are easy. The system is very much interdependent at this point though; it's months of full-time work to get to that point.



  • Interesting idea, however what would be the actual benefits?

    It doesn't seem to be an issue of limited resources, since CPUs, memory and disks are becoming faster, larger and cheaper every year, and this trend seems to continue for several more years. Do you envision a pfSense variant for 4M/16M (flash/memory size), similar to the various Linux-based router firmwares (openwrt, tomato, ddwrt etc)?

    Other than potential security issues (e.g. privilege escalation) which might arise, it'd be quite reassuring to know that tools like OpenVPN are part of the base pfSense install and can be enabled with a few clicks, rather than having to install them from packages and rebooting …



  • @dhatz:

    Interesting idea, however what would be the actual benefits?

    What I see in that is the ability to build a much more diverse range of appliances, more outside the scope of a typical firewall. There's minimal if any benefit to removing pieces in a firewall context. There is value in having the ability to build highly customized appliances with only the specific pieces you require, which in non-firewall contexts could exclude a number of things in our base system today.



  • @cmb:

    What I see in that is the ability to build a much more diverse range of appliances, more outside the scope of a typical firewall.

    Exactly.  pfSense is a powerful platform, and it would be great to tailor it exactly to your needs.  I would compare it loosely to say, compiling something from source.  Sure you COULD grab a binary package filled with bits and pieces you don't really need, but it would be great to have just the parts that you would use in one specific circumstance.



  • The major benefits of removing packages are for auditing, risk mitigation, and certification.

    Fewer modules means fewer screens and configurations to verify on every audit (Is VPN turned off?  OpenVPN, yes.  IPsec, yes, etc. etc.  Every bloody audit.)

    Risk mitigation: You aren't vulnerable to a flaw in the X module if it's not even present on the media (see the recent OpenSSL issue).

    Certification: If you need to pay for certification for some reason, then fewer things to certify takes less time and can be considerably cheaper and easier.

