
Topic: Given up on 2.2


cmb (Chris Buechler), Hero Member
Re: Given up on 2.2
« Reply #30 on: January 30, 2015, 08:28:54 pm »
I wouldn't even have considered upgrading if I had seen that some of the packages didn't work with 2.2.

Then you didn't read the release announcement, much less the upgrade notes. Blindly upgrading things isn't a good idea, please read them in the future.

- And frankly, "packages are now in full control of the dev team" is exactly what did NOT help.

Huh? No such changes were made at all. Packages must use binaries built on our build servers, but that's as simple as telling it what port and options to build. Pull requests off github accommodate that process, and have for quite some time, well before 2.2. That's for security and maintainability reasons. In the early days, we weren't as strict about that, some package maintainers had people pull binaries from their own systems. That's the only tightening of control that we've done on packages, and that happened years ago.

cmb (Chris Buechler), Hero Member
Re: Given up on 2.2
« Reply #31 on: January 30, 2015, 08:33:02 pm »
Another option is to have more than one repository for packages, like stable, testing, unstable etc.

I tried it once, but before starting coding I decided to ask the core team about it, and the answer was no.

That was relevant to having people point their systems to package servers other than our own, to avoid situations like the lusca stupidity where people are having their package repos pointed to some free web hosting service that's continually hosting a slew of malware. Then their packages break because no one's updated what is on that server in years.

I expect we'll do something along the lines of official/unofficial classifications or similar, along the lines of what I noted in my earlier post.

Harvy66, Hero Member
Re: Given up on 2.2
« Reply #32 on: January 30, 2015, 10:18:25 pm »
Even though PFSense is a firewall, it also does some routing and supports some tunneling like OpenVPN, but I don't get the whole installing a ton of these packages. People try to make their "firewall" do way too much crap. Asking for the kitchen sink is asking for trouble. Firewalls are critical infrastructure. They need to do one job and do it well.

Need a proxy? Set up a proxy server. Need an IDS? Set up a passive IDS that watches the traffic and turns off network ports when bad traffic is detected.

By putting all the responsibility on one device, you're making all of those features co-dependent on each other. Distinctly separate services should be distinctly separate machines/VMs.

As for "bugs": PFSense 2.2 had 0 open bugs the day before release, had almost no new bugs for months, and then gained 40+ in 1-2 days. Obviously the people testing the 2.2 beta weren't reporting bugs or weren't having bugs. It seems most of the people with crippling issues have some strange configurations, strange/old hardware, Xen doing crazy things, and a few are actually PFSense related.

1. Don't use hardware raid
2a. Why are you using VMs?
2b. It's a VM, snapshot it and test it
3. Your firewall is not meant to be a file-serving, database-running, web-hosting, time-serving, web-caching, load-balancing monstrosity.

I don't even want to run NTPD or OpenVPN on mine because that's outside the scope, but it is a nicety that allows me to cut corners at home and not do things correctly.

I'm not saying that PFSense can get away with some things, like if OpenVPN stopped working and they were too lazy to fix it in a timely fashion, but as someone who has a background in security at all levels of computer systems and in network design, I don't blame others when things go wrong because I designed my entire network to hinge on a single device that is forced to do way more than it should and didn't modularize my network services.

I know I took a gamble when I upgraded to 2.2, but I did my research, figured out my risks, had a back-up plan, and asked the wife when she could handle being without the Internet for an hour or two as I messed around. When I built my machine, I made sure it was all standard parts that have nothing special but will be around. AHCI hard drives, no special drivers required. Intel CPU, nothing special. Intel NIC that is recent and will be supported beyond its usefulness. Video card integrated into the CPU and well supported with fully open-source drivers.

I leave as little to chance as possible.
« Last Edit: January 30, 2015, 10:27:17 pm by Harvy66 »

exograpix, Full Member
Re: Given up on 2.2
« Reply #33 on: January 31, 2015, 03:16:19 am »
I do agree with some of your points, but in today's world nobody apart from big corporates will put a box for every other function. Pfsense as a firewall is good, but a basic function like web filtering http/https is part of a UTM device, which the pfsense project claims to have.

It should work perfectly and without pain (not requiring a patch and workaround for everything), and the administrators should take responsibility for at least the basic functions; otherwise, most of the good users will move away from this project.

I feel the administrators should look into these basic functions more seriously and urgently.

mir, Jr. Member
Re: Given up on 2.2
« Reply #34 on: January 31, 2015, 04:42:00 am »
How I do upgrades in most cases follows these rules:
1) Does the new release have some feature I cannot live without which the old release is missing? If not, there is no need to do an imminent upgrade; wait for the X.1 release.
2) Create a test environment, a clone of your current setup, and try the upgrade on this test environment. Work with this test environment until you are convinced that you know its ins and outs.
3) If the test environment is not the same hardware as your current appliance, try to boot your current system from CD/USB/PXE to see that all components are recognized and functioning.
4) When you finally initiate your upgrade, make a full backup as part of the upgrade (the checkbox 'Make a full backup before upgrade').
5) If you are using CF or some kind of limited-space environment, buy a similar device and clone your current setup to it. Then install the clone and upgrade on the clone.

The above list should ensure minimal downtime and guarantee you always have a fallback plan.

Cino, Hero Member
Re: Given up on 2.2
« Reply #35 on: January 31, 2015, 06:34:07 am »
I do agree with some of your points, but in today's world nobody apart from big corporates will put a box for every other function. Pfsense as a firewall is good, but a basic function like web filtering http/https is part of a UTM device, which the pfsense project claims to have.

Can you share a link where ESF has claimed pfSense is a UTM? I don't recall them saying that, but the community has.