
Re: Debian as My home firewall/router



On 02/27/2016 01:29 PM, Reco wrote:
On Sat, 27 Feb 2016 12:54:52 -0800
David Christensen <dpchrist@holgerdanske.com> wrote:

On 02/27/2016 10:40 AM, Reco wrote:

On Sat, 27 Feb 2016 09:41:47 -0800
David Christensen <dpchrist@holgerdanske.com> wrote:

3. What is your opinion of pfSense?

	https://pfsense.org/

I'm by no means an expert on FreeBSD (from which pfSense is derived), so
I suggest looking for a more educated evaluation elsewhere.

I ran pfSense briefly on the Internet connection for my SOHO LAN.  There
are differences between BSD vocabulary and Linux vocabulary, but
functionality is pretty much the same.  pfSense seemed more
sophisticated and featureful than IPCop, but more brittle.

Now you piqued my curiosity. In what ways is pfSense "more brittle"?

The two things I remember are:

1. The pfSense installer wanted to use the whole disk. The only way I could get it to use only part of the disk was to create a slice for pfSense and create another slice that ate up all remaining free space. Then every time I booted, the boot loader (GRUB2, I believe) would show both slices, even though I don't recall setting the boot bit on the second slice.

2. I typically power down my machines every night. After a month or two of use, the pfSense box would not boot. I didn't, and still don't, know enough about BSD to figure out why. The first time or two, I wiped the HDD, reinstalled, and reconfigured. The last time it was behind another firewall, so I pulled the pfSense box.


I suspect that pfSense lacks any meaningful mandatory access control
pre-installed (no *BSD family has it), but that's it.

According to McKusick [1], p. 34, "FreeBSD implements a framework for
kernel access-control extensibility, the MAC framework".

So it's the so-called Capsicum framework. A nice sandbox effort, but it's
nowhere near SELinux capabilities. A direct analogy from the Linux
world is seccomp.

If they use it in pfSense - that's good. The main question is - how
meaningful is the use of this framework pfSense has?

I need to finish McKusick's book and research if/what/how pfSense makes use of the BSD MAC framework.


David

