
An Open-source firewall?

Posted by Hopeful_Rabbit_3729@reddit | sysadmin | View on Reddit | 65 comments

Hi, I'm trying to implement a firewall for our midsize company. I'm looking for an open-source firewall with threat protection. What should I use, pfSense or OPNsense?


65 Comments

FenixSoars@reddit

I feel like \*Sense are prosumer at best in the enterprise world.. I'd be looking more at the normal NGFW vendors.
View on Reddit #45186314

reddittttttttttt@reddit

This is just silly. I have and would continue to run pfSense (with enterprise support) in the SMB and small enterprise world. HA/CARP, Suricata, pfBlocker... A "normal NGFW" is running most of the same kit under the hood. I can subscribe to the same definitions with the click of a few buttons. At my last gig we would ingest a Cisco Talos feed.
View on Reddit #45190905

jamesaepp@reddit

Netgate to my understanding is *working on* their centralized management plane. Whereas the "normal" NGFW vendors have had this for yeaaaaars. You're right, the functions of an individual firewall are mostly all the same - but the management plane is not.
View on Reddit #45195865

quasides@reddit

Correction: NGFW vendors had a cloud solution for years, not a usable central management on premise. And I don't mean something weird like having one client that can send config to all walls; I'm talking about active central management with some metrics, and jobs that can run, things of that nature. Their solutions all point to the cloud, which is insanity, to put infrastructure management with a 3rd party.
View on Reddit #45714147

jamesaepp@reddit

Idk if I buy that. I worked in an environment with Checkpoint firewalls (which did have "application layer filtering" even if we may not agree they were "NG"). They had the smartconsole is what Checkpoint uses to aggregate all firewall clusters, policy, logging, firmware updates, and administration under one tool/server. That place was also introducing Palo Alto firewalls into the environment and the network admin installed the Panorama software for similar functionality. I haven't used it, but I also understand it that Fortinet has similar management software that runs on-premise for firewall (Fortigate) management. I don't buy a for a moment when you say "not a useable central management on premise" unless we're talking about wildly different things.
View on Reddit #45714604

quasides@reddit

Yeah, we are speaking of different things. The things you mention are basically one-way sync, so one console does config things. That's better than nothing but not the central management we are talking about. All the non-cloud on-premise variants I've seen are basically passive shootup-config type of things. That's not what Netgate is making here.
View on Reddit #45719353

reddittttttttttt@reddit

That's the only argument I would entertain. And I would agree with you. But for SMB and small enterprise, you aren't likely to have more than 5 devices. I'd be fine with managing that by hand.
View on Reddit #45196091

bitslammer@reddit

Tend to agree but IMO that would really depend more on what features and use cases OP has. If they only want basic FW then fine. Once you start throwing in things like VPN, IPS, SSL inspection/web filtering, then it's not as clear.
View on Reddit #45189153

BrorBlixen@reddit

I feel like SSL inspection and web filtering at the firewall have become irrelevant. With only part of the people in the office at any given time that would leave the WFH people unprotected.
View on Reddit #45195248

bitslammer@reddit

Completely agree. Cloud based is now the only practical way to go.
View on Reddit #45195670

FenixSoars@reddit

I would think any business would want IPS/VPN at minimum.. maybe some filtering if not handled by a DNS provider, like Umbrella. A basic FW is really only good for at home/labbing IMO. I run a TZ400 at home with no real licensing on it, just for basic stuff in/out and it works fine. I’d never do that in a business environment.
View on Reddit #45189680

bitslammer@reddit

If the FW is really only there for outbound internet traffic those things may have less appeal and in that instance IPS isn't going to see much without decrypting SSL.
View on Reddit #45189831

FenixSoars@reddit

That’s fair enough. I just figure this sounds like a primary location where they’d want all the bells and whistles rather than a remote location looking to just get out to internet/back home. Guess we need more use case info from OP on this one
View on Reddit #45190535

PatientBelt@reddit

Opnsense is great, better ui and better updates.
View on Reddit #45185827

quasides@reddit

Better UI? No, objectively this is not true. It's more modern, yes, looks more polished, but is a lot worse in usability. Of course if you just run it in a home with not much going on it won't matter. If you have a lot of rules, tons of networks and aliases, OPNsense's UI is aggravating. Alone the idea to make network lists with that one combobox, instead of line-by-line entries, can make life really difficult. The menu structure also makes it annoying to switch back and forth, and whoever had the idea to put diagnostics in 5 different diagnostics under each category should burn in hell. Also no drag and drop in rules, no coloring, no separators, no copy of multiple rules into another interface. And the rules itself, very bad layout, you lose the overview over a rule (not saying that pfSense couldn't do things better too there), meanwhile overly cluttered with explanations and legends in every module. No, the UI is clearly made to make things look easy, and look from a design element more modern, but it's not better; it's objectively way behind pfSense from a usability point of view. Don't get me wrong, OPNsense has a lot of things going for it vs pfSense, the UI isn't one of them.
View on Reddit #45713753

DanTheGreatest@reddit

Also they're pretty much done rewriting the entire codebase from the pfsense fork, making future upgrades much easier.
View on Reddit #45201399

housepanther2000@reddit

That’s a good recommendation. I came here to mention the very same thing.
View on Reddit #45196403

ConfectionCommon3518@reddit

Think backwards in that if someone gets in who will get the blame when the lawyers start to circle looking for blood ...?
View on Reddit #45291192

z0d1aq@reddit

IMHO, pfSense is more polished and works from the box..
View on Reddit #45185695

Key-Calligrapher-209@reddit

In what way does Opnsense not "work from the box?"
View on Reddit #45202247

TarzUg@reddit

Tried 2 years ago, nothing worked, uninstalled... skill issue? maybe... but still crap.
View on Reddit #45291151

electrobento@reddit

When is the last time you tried OPNSense?
View on Reddit #45202218

nichetcher@reddit

Why open source?
View on Reddit #45245040

Technical_Drag_428@reddit

Jeez, it's no wonder why ransom attacks are happening. Do you guys really use open-sourced FW applications like pfsense for your businesses? I don't know enough about them to tarnish them, but the words "open and source" should IMO be nowhere near the word firewall. I feel I'd trust an off the shelf TPLink to anything open-source.
View on Reddit #45196286

techw1z@reddit

Anyone who thinks open source is an argument against anything except possibly profit is clearly an idiot and their opinions in terms of IT and security are worthless. Don't believe me? Just google all the writeups of popular security professionals who all agree with this conclusion. Now go back to computer 101 and wait 10 years before discussing security again, please.
View on Reddit #45220420

unix_heretic@reddit

Wow. "Open source isn't as secure as proprietary". Haven't heard that one in a decade or more. Also, considering that a lot of firewall vendors use open-source components *in their actual firewall appliances*, I'm not sure that your reasoning holds up.
View on Reddit #45196695

Technical_Drag_428@reddit

Really? Which commercial enterprise FW uses open-sourced OS software? I'll wait.
View on Reddit #45199471

unix_heretic@reddit

Well, let's see. [Palo Alto.](https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-11-0-open-source-software-oss-listing#idd1dcdcaa-bc6c-4b0a-8d1b-570f9132b0ce) Juniper used to run based on FreeBSD for a lot of their gear, but AFAIK they've been moving to Linux in the past few years. [At least some of Checkpoint's gear.](https://www.checkpoint.com/about-us/copyright-and-trademarks/) [Some of Cisco's gear](https://www.cisco.com/c/en/us/about/legal/open-source-documentation-responsive.html#~documentation1). The aforementioned Fortinet. Thank you for waiting.
View on Reddit #45207712

Technical_Drag_428@reddit

Do you know what the Palo Alto OSS is used for? I get it that you're trying to mislead, but I hope you at least know its purpose. It's a spare tire in a no-downtime environment. Like a hospital. It's not something you run longer than to get your real FW back online. Also, you guys keep trying to, but using a Linux or Unix shell to support a proprietary command line OS implementation is not the same thing as a complete open-source application that's most likely also using a Linux shell.
View on Reddit #45209307

unix_heretic@reddit

Let's dive into that, shall we? What I linked was the OSS licenses for components used in *PAN-OS*, which is the standard OS for Palo Alto gear. Quoting from the link:

> The following list displays the Open-Source Software (OSS) versions and licenses used in our PAN-OS® 11.0 software.

You originally made a statement about enterprise firewall vendors not using open source operating systems as a baseline. Quoting /u/Technical_Drag_428:

> Which commercial enterprise FW uses open-sourced OS software?

The reality is that several (if not most) firewall vendors use either Open Source operating systems, and/or Open Source components within their products. If you want to move your argument to "Open Source Product Companies are less secure", so be it - but you might want to tell that to Red Hat, IBM, Microsoft (who has their [own Linux distro](https://github.com/microsoft/azurelinux) that is used in Azure-internal services), AWS, Google, or...pretty much any enterprise vendor.
View on Reddit #45210324

Technical_Drag_428@reddit

Sorry, I saw OSS and (On Site Spare) clicked in. However, it's even less trivial than that. You're referring to common connector applications. The Palo OSS Open source software licenses are common public licenses. Even proprietary applications use them because they are common. Every machine will have them, so this application will work. Palo ensures you maintain the most up-to-date version of these licenses so that you can do things like reach your FW URL using Mozilla or access your Linux shell without worrying that there could be a vulnerable license. For instance, the Apache log4j exploit a few years ago. The exploit had nothing to do with the web-facing security application, but it was able to hijack Java and extract JNDI lookups passing through it. Hell, the patch in most cases was to just remove it. These are not applications Palo or Cisco need to use but must be included because they are limited by the browser or server shell available to the companies using it.
View on Reddit #45214772

unix_heretic@reddit

Really? Iptables is needed by a browser or shell? The Linux kernel is a "connector application"? These are licenses listed in the PAN-OS link. It seems reasonable to me to assume that because these licenses are listed, the components in question are part of the functionality of the underlying firewall appliance. You are correct that the reason for those licenses is that Palo Alto (or any other vendor) wishes to establish license safety for their downstream customers. *That's because their gear uses open-source components*. As I've repeatedly noted throughout this thread, they aren't the only ones who do so. You even allude to this yourself: log4j is a common open-source component used by many Java applications, including those from enterprise vendors. That's part of why the exploit several years ago was so devastating: it was used by a *lot* of vendors that rely on Java (which also has open-source implementations, btw).
View on Reddit #45216123

Technical_Drag_428@reddit

Why is this hard?

How do you access your FW via HTTPS? Browser
Is your browser an application, yes or no? Yes
Is your browser a part of your FW? No
What common open-source BROWSER programming language is used in JVM applications to manipulate fields, tables, columns, and data in an application? Java
Are Palo Alto JVMs open-source? No, Palo proprietary
Do proprietary JVMs use common open-source Java licenses? Yes

Hope that helps you understand what open source licenses do. A license is not an application. Stop pretending it is. It's only a key to use a common language source available to the customer. After all, if the customer cannot operate your product with off-the-shelf browsers and VM shells then they most likely will not buy your product.
View on Reddit #45218629

Technical_Drag_428@reddit

As far as iptables.. lmao. You guys are pretty hung up on Linux command line features. I love it. Now tell me: if I am installing my FW on a Linux VM, is my FW a part of that VM's Linux application suite or is it its own separate being encased in that VM? You see, the FW developer has to build the application to accommodate as many customer VM needs as possible. They will make a build for Linux. They will make a build for Windows. To do this, there are supplemental applications needed for that to work. If you don't want these supplemental applications, then buy the appliance version that has a proprietary OS like Cisco UCS for its VMs.
View on Reddit #45220015

TheFluffiestRedditor@reddit

Fortigate runs on Linux. When I was working with f5 kit a while ago, it also ran a lot of Linux, it probably still does. Please go back to the 1990s when this attitude was more accepted. Wrong, of course but you might find some friends.
View on Reddit #45206835

Technical_Drag_428@reddit

Wait, you don't think a Linux shell is the same as a complete open source application? Do you? Do you?
View on Reddit #45208522

TheFluffiestRedditor@reddit

I'm talking about the Linux kernel, and libc6, and bash, and all the other components that go into an OS. To be pedantic, there is no such thing as a Linux shell. Linux is a kernel, a vastly different thing from a shell. If you don't know that, why are you here, troll?
View on Reddit #45212777

Technical_Drag_428@reddit

"If you don't know that, why are you here, troll?" You're welcome for the education. https://preview.redd.it/uk1fwtc3c0ce1.jpeg?width=1080&format=pjpg&auto=webp&s=9f5dac4af3b5b646a0fce33c2227eae0e100c858
View on Reddit #45215803

CluelessPentester@reddit

What the fuck are you talking about dude. I'm not saying that you should *sense in an enterprise environment, but the argument that open source is more vulnerable certainly is something. Also, you realize that you can have shit network security with a commercial firewall, too, if you don't configure it correctly, right?
View on Reddit #45198174

Technical_Drag_428@reddit

Maybe you should check your tone and reread what I wrote. I gave my opinion on using an open source app to protect my infrastructure. I clearly said it was an opinion. Sure, you can be a complete idiot and misconfigure an off-the-shelf FW. That's different than the actual software of the FW being an open book for the world to create vulnerabilities to.
View on Reddit #45199304

CluelessPentester@reddit

> I gave my opinion on using an open source app to protect my infrastructure. I clearly said it was an opinion.

"It's just an opinion bro" doesn't mean someone else can't call you out. Especially if you voice an uninformed opinion at the same time as you say "I'm not informed enough" (why even make the post then?) Just check the security advisories for big commercial FW vendors like Palo/Forti/etc. vs. the advisories of pfSense/OPNsense. That should tell you everything about

> software of the FW being an open book for the world to create vulnerabilities to

Still not saying you SHOULD use these. Only saying that THIS argument doesn't make sense.
View on Reddit #45199739

Technical_Drag_428@reddit

I don't know what's funnier. Someone who pretends to be knowledgeable enough to validate the effectiveness in using open-sourced applications to defend data against proprietary systems or the fact that that person purposely uses the name CluelessPentester. To a network engineer, "Clueless Pentester" is redundant terminology. And then he closes with "Still not saying you should use this." Bwahahahaha
View on Reddit #45201023

CluelessPentester@reddit

> To a network engineer, "Clueless Pentester" is redundant terminology.

Cool, I'll make sure to remember it the next time when I pop DA or pivot unhindered around in a network and prepare my report for the boss of people like you.
View on Reddit #45202166

Technical_Drag_428@reddit

To say I'm stupid for thinking closed-source is inherently safer than open-source. Let's digest that statement... lol, CluelessPentester. Let's say we both have a book. My book is locked in a box, written in a proprietary language that's updated often. It's also guaranteed by its maker. You have a book that you found sitting on a table, written in a language by an anonymous person, and anyone can learn to read it. Which do you think can be better trusted? The best bit is that you invalidate your own argument by going out of your way to not recommend it. Please stop acting like pentesters do anything more than pick a few random ports and open applications on a computer. Bwahaha. Just had our audit. Clown. The CluelessPentesters couldn't even get past NAC. They had to beg for their MACs to be whitelisted. Then they begged for us to span our traffic to their port. GTFO.
View on Reddit #45208065

techw1z@reddit

the company/staff behind pfsense sometimes behave a bit asshole-like. opnsense seems better in this regard
View on Reddit #45219802

8008seven8008@reddit

Have you tried IPFire?
View on Reddit #45214352

ben_zachary@reddit

We have maybe 30ish pfSense out there with IDS and IPS (Suricata); a couple of our clients have 10+ IPsec tunnels and multiple VLAN segments with rules restricted like DMZ, UAT and Prod. It's not what device you use, it's the experience in configuration and management. Everything can be secured. We picked up a client not long ago who had an IT person; they have a SonicWall and there's freaking any/any rules on the FW from WAN, relying solely on the NAT table cuz the guy couldn't figure it out ..
View on Reddit #45189687

scytob@reddit

I think that guy would have been bamboozled by any firewall, lol. Yeah, pfSense and OPNsense are great; I tend to the latter after a run-in with the pfSense founder a few years ago who was incredibly unhelpful and rude when I wanted to do a transparent bridge. Never been back to pfSense since then.
View on Reddit #45204548

ben_zachary@reddit

Yah, I have one OPNsense and I do like it, but all our SOPs and KBs are pfSense driven, so until I can make time to redo them all we won't switch. I'm sure a lot of it is close enough, but still we want everything to be just the same w/o any interpretation by a tech.
View on Reddit #45207034

MeisterCyborg@reddit

Rather get yourself a NGFW appliance (I use Sophos XGS Firewalls). Open Source FW's are fine for home use, I would not trust them as the gatekeeper to my org's networks. Even if the open-source software is configured 100% correctly, NGFW appliance hardware is security & performance optimized in ways a normal PC-based host could never be.
View on Reddit #45198300

urb5tar@reddit

We switched from pf to OPNsense because of the better and faster update cycle. Currently we use four of them in our two locations. Works pretty well.
View on Reddit #45185672

puffpants@reddit

2 per site in a ha/failover config? Is that supported?
View on Reddit #45194380

urb5tar@reddit

Yes, this is supported. You can reboot a single machine while somebody calls via VoIP and no packet is lost.
View on Reddit #45196308

Nacona04@reddit

Same .. made the switch to OpnSense a while back and no regrets.
View on Reddit #45193346

djgizmo@reddit

Neither. Spend the money on Fortinet. Their subscription is $500 per year. If your org can’t afford that, you can’t afford threat protection. Stop trying to do things the wrong way. At minimum, I’d say get UBNT gateway and subscribe to their new service for cheap.
View on Reddit #45194557

D1TAC@reddit

When I worked in the MSP world about seven years ago, they used a combination of SonicWALL and Unifi. I do remember as I was leaving they went to pfSense; then I kept in touch with the owner, and they moved back to SonicWALL cause it took too much to learn how to do basic functions, and configuration was too in-depth for the pfSense setups. Since you mentioned open-source aka free - pfSense or OPNsense are great options. If you decide this is for a business, go with Netgate and get actual hardware support for less than the competition.
View on Reddit #45191120

Casty_McBoozer@reddit

That's insane. It's SOO much easier to do basic things in pfSense than in Sonicwall.
View on Reddit #45194021

fk067@reddit

Have you considered Firewalla?
View on Reddit #45193332

MirkWTC@reddit

Don't. The firewall should be a security appliance in a midsize company; a free/open source firewall would never have good threat protection. pfSense/OPNsense are amazing products in a home or really small company, but not in enterprise. A Palo Alto PA-440 doesn't cost a lot and provides really good protection if configured correctly. If you choose a free product and something happens, it's your problem; if they buy a good NGFW and something happens, you have one of the best firewalls and so it's not your fault for choosing that one, it just wasn't avoidable.
View on Reddit #45190879

zerotouch@reddit

Do you want open source because of the fact it's open source? Or are you looking for free? We also need more details. How many users do you have? How many sites? What throughput and ISP type do you have?
View on Reddit #45190383

toaster736@reddit

For threat detection, you need a paid service to be honest. Signature updating is something that requires a dedicated, responsive team actively looking for the latest crap and that means someone needs a salary.
View on Reddit #45189992

KiloDelta9@reddit

If you install an open source firewall in an enterprise environment, just keep your resume polished up for the inevitable.
View on Reddit #45188663

theRealNilz02@reddit

We've been using plain FreeBSD with a custom pf config for many years without issue and a lot of flexibility.
View on Reddit #45188346
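Two comments above touch the same configuration point from opposite ends: theRealNilz02 runs plain FreeBSD with a custom pf config, and ben_zachary describes a SonicWall with any/any rules from the WAN that relied on nothing but the NAT table. The pf.conf below is an added example, not from any commenter and not from the pfSense or OPNsense projects, that shows the weak rule (disabled) beside a default-deny ruleset that replaces it, plus the CARP/pfsync pass rules a two-node failover pair like urb5tar's needs. Interface names, address ranges, the published web server and the pfsync link are assumptions chosen for illustration.

```pf
# Added example, not from the thread: a minimal default-deny pf.conf for a
# plain-FreeBSD edge firewall. Interface names, address ranges and the
# published service are assumptions chosen for illustration.

ext_if  = "em0"                       # WAN
int_if  = "em1"                       # LAN
dmz_if  = "em2"                       # DMZ
sync_if = "em3"                       # dedicated pfsync link to the HA peer (assumed)
int_net = "192.168.10.0/24"           # constructed LAN range
dmz_net = "192.168.20.0/24"           # constructed DMZ range
web_srv = "192.168.20.10"             # constructed DMZ web server

# Source addresses that have no business arriving from the Internet
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }
# Filled at run time by the overload clause below; inspect with: pfctl -t bruteforce -T show
table <bruteforce> persist

set skip on lo0
set block-policy drop
scrub in all

# Translation only. NAT hides inside hosts but is not access control;
# the weak rule further down relied on it as if it were.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# Default deny, logged, every interface, both directions. Later rules open
# only what is needed (pf is last-match-wins unless a rule says "quick").
block log all

# Spoofed, bogon and already-abusive sources are dropped on the WAN first
antispoof quick for $ext_if
block in quick on $ext_if from <martians> to any
block in quick on $ext_if from <bruteforce> to any

# WEAK: the "any/any from WAN" rule described in the thread. Kept here,
# disabled, only to show what the corrected rule below replaces.
# pass in on $ext_if from any to any

# CORRECTED: the one published service, to the one DMZ host, with a
# connection-rate limit that parks abusive sources in <bruteforce>.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state (max-src-conn-rate 60/10, overload <bruteforce> flush global)

# HA: CARP and pfsync between the two nodes of a pair (the "2 per site"
# failover setup); synced state is what keeps a call up across a reboot.
pass quick on $sync_if proto pfsync
pass quick on { $ext_if, $int_if, $dmz_if } proto carp

# DMZ may not initiate anything toward the LAN, but may reach the Internet
block in quick on $dmz_if from $dmz_net to $int_net
pass in on $dmz_if from $dmz_net to any keep state

# LAN may go anywhere (tighten per policy); outbound on WAN follows state
pass in on $int_if from $int_net to any keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only), then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf actually ordered them, which is the quickest way to confirm that the default `block log all` sits above the `pass` rules and that the DMZ-to-LAN `block ... quick` precedes the DMZ `pass`.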

ProfessorWorried626@reddit

Don’t bother, just go with something paid. You will spend more time babysitting it than it would cost to get something half decent.
View on Reddit #45186908

mb636@reddit

https://youtu.be/y8R5-xNeHY8?si=nVIsngzlwNU-MJgF
View on Reddit #45185521