How is pfsense's security compared to smoothwall?



  • Hi all. So the question might sound loose but I'll try to explain better. Smoothwall is Linux based and pfSense is BSD. BSD as we know has waaaaaay fewer vulnerabilities than Linux. So my guess is that it's much easier to hack Smoothwall (from outside) as it's Linux than to hack pfSense as it's BSD. Right?


  • Netgate Administrator

    Not necessarily.
    Both Smoothwall and pfSense run heavily cut-down versions of their base OS. This reduces the attack surface by simply not running most services that would be available on a standard install. By having such a reduced component list it is relatively easy to keep on top of vulnerabilities. Smoothwall, these days, is a large commercial outfit so you would hope this wouldn't be a problem for them. It's a long time since I ran Smoothwall, I'm not following their status that closely.
    You could argue that because more people are running Linux than FreeBSD there will be more people trying to find new exploits. However 'security through obscurity' has long been seen as a bad idea. Many of the components have shared code anyway.

    I would argue that lesser security is not a good argument for pfSense over Smoothwall, though I guess it might depend on what you're protecting.

    Steve



  • You say

    Both Smoothwall and pfSense run heavily cut-down versions of their base OS. This reduces the attack surface by simply not running most services that would be available on a standard install.

    which means a cut-down OS has fewer vulnerabilities. And then

    By having such a reduced component list it is relatively easy to keep on top of vulnerabilities.

    Quite the opposite…


  • Netgate Administrator

    Hmm, perhaps I could have worded that better.
    The maintainers of any distro have to try and keep up to date with newly discovered vulnerabilities in the many, many packages that they contain. This means applying patches and releasing updates. By having fewer packages in the distro there are fewer patches to apply (due to newly discovered vulnerabilities), which means it's easier for maintainers to keep the distro up to date.

    My point, I guess, is that neither pfSense nor Smoothwall should have any outstanding known vulnerabilities to an external attack. The only way you potentially compare the security of the two distros is the speed with which updates are released to patch newly discovered vulnerabilities. Simply looking at the number of vulnerabilities in Linux vs FreeBSD is not a valid comparison.

    Steve



  • @stephenw10:

    My point, I guess, is that neither pfSense nor Smoothwall should have any outstanding known vulnerabilities to an external attack. The only way you potentially compare the security of the two distros is the speed with which updates are released to patch newly discovered vulnerabilities. Simply looking at the number of vulnerabilities in Linux vs FreeBSD is not a valid comparison.

    I second this.

    For the vast majority of installations, the comparison should be about how well the features you need are supported by each product.

    If you are concerned with security, make sure you don't expose the system's webGUI to the public.

    Beyond that, it comes down to potential exploits of the software running as root on the box itself (e.g. ISC dhcpd, dnsmasq, ntpd, openvpn, racoon etc.).


  • Banned

    Yes, and I think that pfSense needs a lot of work regarding the needed packages available.

    A package like Snort is mandatory in a production environment and it was not well maintained until Bmeeks came along.


  • Netgate Administrator

    If you're really considering a switch I think this recent tweet from Smoothwall founder Richard Morrell is telling:

    @https://twitter.com/EMEACloudGuy/status/313717756463833088:

    @gpryzby Reserved for people who let a good project die badly, thankfully #pfsense exists for those that want a better firewall

    ;)

    Steve


  • Rebel Alliance Developer Netgate

    The security of either is as good or bad as you make it.

    If you load a vulnerable package on either one and open it up to the world, you'll have problems.

    If you misconfigure firewall rules on either one, you'll have problems.

    If you keep the firewall itself closed off and just pass packets and nothing else, then either one would probably be equivalent.

    Keeping the OS and packages up-to-date is helpful, but it's rare that such updates are actually relevant to the firewall as it processes traffic. They are more relevant to secondary functions (e.g. DNS server, DHCP server, VPN software, etc.) if you use them.



  • The free version of Smoothwall seems to see little attention from the company; users have tried to support it, even forking to add features and fix problems. Active users working on fixing problems haven't gotten much, if any, support from the company in the last couple of years. It does appear that they are working on an upgrade from 3.0.x to 3.1, but that has happened since I switched.

    Add-on packages are a major pain there; again, users do what they can, but support by the company is minimal and many packages are abandoned by their maintainers. Upgrades, if you have packages installed, can be a huge hassle: uninstall everything, update, reinstall everything.

    Sad, because they had a good base system back when the company cared about building their reputation using the free version.

    I still have Smoothwall loaded on a couple of boxes, but as I get better at using pfSense they will be moving to it too.

