# Have you used HardenedBSD? Did you like it?



## john_rambo (May 2, 2021)

https://hardenedbsd.org/content/about

I am using GhostBSD. I like it. It's quite user friendly. I searched for which is the most secure OS & found 2. The first one is OpenBSD & the second is HardenedBSD. I care a lot about security so I am curious.
Is HardenedBSD really more secure than GhostBSD/FreeBSD?
Have you used HardenedBSD? Did you like it?


----------



## gpw928 (May 2, 2021)

You might get more feedback from the OPNsense forums, as it is based on HardenedBSD.


----------



## john_rambo (May 2, 2021)

gpw928 said:


> You might get more feedback from the OPNsense forums, as it is based on HardenedBSD.


I am at the moment using 4G internet. I am stuck with the ISP's router. In future I am going to use a fiber connection. If OPNsense is based on HardenedBSD I will definitely use OPNsense. My plan was to use pfSense but I guess OPNsense is more secure. Thanks for the info.


----------



## rootbert (May 2, 2021)

I like both, and I appreciate both projects; they are very important. I have used HardenedBSD on some servers, however, testing updates was too time-intensive so we switched to FreeBSD. Some updates break stuff so be prepared for that. I hope we do get some of the great features of HardenedBSD upstreamed/ported to FreeBSD because they really make sense. FreeBSD lacks quite some security features compared to other operating systems, but also note that some of those mitigation technologies make the code more complex and might introduce more bugs, so this also is a philosophical question.

However, I think (fuzz) testing etc. is better in FreeBSD, so there might be some bugs in HardenedBSD but that is just what my wild feelings are suggesting.

I have used OpenBSD for firewalls, servers and on my personal desktop. The biggest drawback for me was that at that time you had to run -current to get pkg updates in a timely manner, so I switched my desktops to FreeBSD. Plus: I consider having a patched browser more important than having an ultra-secure OS.


----------



## john_rambo (May 2, 2021)

rootbert said:


> FreeBSD lacks quite some security features compared to other operating systems


Can you please explain what you mean by that? Honestly I am a bit scared after reading that.
The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.


----------



## fraxamo (May 2, 2021)

gpw928 said:


> You might get more feedback from the OPNsense forums, as it is based on HardenedBSD.


Not for much longer


----------



## fraxamo (May 2, 2021)

john_rambo said:


> Can you please explain what you mean by that? Honestly I am a bit scared after reading that.


Don't be scared. The OP is probably talking about ASLR and W^X, security features that have been implemented in OpenBSD and HardenedBSD. These features are not currently in FreeBSD, but may be added at some point.


john_rambo said:


> The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.


Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here. However, if you follow best security practices then FreeBSD can be as secure as any other general purpose OS.


----------



## john_rambo (May 2, 2021)

fraxamo said:


> Don't be scared. The OP is probably talking about ASLR and W^X, security features that have been implemented in OpenBSD and HardenedBSD. These features are not currently in FreeBSD, but may be added at some point.
> 
> Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here.


Okay, that's a relief. After reading the official doc of GhostBSD I found that the firewall is enabled by default. Other than that what I do is check for updates on a daily basis & install them as soon as they are offered. 

In your opinion is that enough? If not, what other steps should I take?


----------



## fraxamo (May 2, 2021)

john_rambo said:


> In your opinion is that enough? If not, what other steps should I take?


If you're new to *nix systems then I would learn about the basics first, like file permissions, logins, users, privileged accounts like root etc. Then read the Security chapter of the handbook. I'm sure other people will chip in with their recommendations.


----------



## mtu (May 2, 2021)

john_rambo said:


> Can you please explain what you mean by that? Honestly I am a bit scared after reading that.
> The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.


The best way to gain confidence and make informed decisions about security is to gain knowledge about what _exactly_ security features protect against, why they do it, the benefits and disadvantages of different ways of doing things etc. It's a good way to overcome fear and anxiety.

Try some stuff out, try to break it for yourself, test out some security features and weaknesses on a toy system (in a virtual machine, for example) and read reports about real-world security problems. It's a lot of information, and some stuff will be forever mysterious to most people (like the mathematics behind encryption), but learning is the best way to gain confidence.

Oh, and don't forget to talk to others about what you learned. It protects you from "living in your own world" of incomplete information.


----------



## ShelLuser (May 2, 2021)

fraxamo said:


> OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here.


_Errr_, FreeBSD does that as well. A default installation doesn't have any processes listening and/or reacting to network connections. SSH for example isn't turned on by default unless you set this up yourself.


----------



## john_rambo (May 2, 2021)

mtu

I was using Linux before & now I am using GhostBSD. One issue that I don't worry about in both these platforms is viruses.
While using Linux I never installed anything outside of the official repos. I still follow that same rule for GhostBSD.

Now the second point >> Click here ...... Why I decided to quit Linux & install BSD.



> Officially, Linux is just a kernel. Linux distributions have to do the work of bringing together all the software required to create a complete Linux OS and combining it into a Linux distribution like Ubuntu, Mint, Debian, Fedora, Red Hat, or Arch. There are many different Linux distributions.
> 
> 
> In contrast, the BSDs are both a kernel and an operating system. For example, FreeBSD provides both the FreeBSD kernel and the FreeBSD operating system. It’s maintained as a single project. In other words, if you want to install FreeBSD, you just install FreeBSD. If you want to install Linux, you’ll need to choose among the many Linux distributions first.



The third point is IPFW vs iptables: which offers more protection? I didn't find any clear answer on the web so I guess I will have to do some pen testing to find out.


----------



## fraxamo (May 2, 2021)

ShelLuser said:


> A default installation doesn't have any processes listening and/or reacting to network connections


I was referring to services like Sendmail that are enabled by default on FreeBSD, but not on OpenBSD. Apologies for not making that clearer.


----------



## john_rambo (May 2, 2021)

rootbert said:


> Plus: I consider having a patched browser more important than having an ultra-secure OS


I used OpenBSD in the past for 3-4 months. I too noticed this characteristic. I was able to update the OS but not the apps like Firefox. Can someone who uses OpenBSD or used OpenBSD in the past tell me the reason behind this approach?

Under GhostBSD I run the following commands and everything is updated:


```
sudo pkg update -f
sudo pkg upgrade
```

By the way, that was not the reason why I discontinued OpenBSD. I ran an update which messed up the GUI. When I booted, the GUI (XFCE) wouldn't load. So I moved to Linux.


----------



## tingo (May 2, 2021)

john_rambo said:


> By the way, that was not the reason why I discontinued OpenBSD. I ran an update which messed up the GUI. When I booted, the GUI (XFCE) wouldn't load. So I moved to Linux.


Instead of fixing the OpenBSD problem? If you did switch right away, without trying to fix it, that doesn't show a lot of stamina and eagerness to learn. Just sayin' ...


----------



## john_rambo (May 2, 2021)

tingo said:


> Instead of fixing the OpenBSD problem? If you did switch right away, without trying to fix it, that doesn't show a lot of stamina and eagerness to learn. Just sayin' ...


There's a reason for that. I have only 1 desktop at home. So it was not possible for me to do the necessary research about the problem. Frankly I just panicked. When I later got a functional desktop environment I found that it was not only me but some other people faced the same issue. 

http://daemonforums.org/showthread.php?t=10812


----------



## ShelLuser (May 2, 2021)

fraxamo said:


> I was referring to services like Sendmail that are enabled by default on FreeBSD, but not on OpenBSD. Apologies for not making that clearer.


And those don't listen for incoming connections.

The one service which is bound on all nics listens but doesn't respond. But that one also isn't enabled by default.


----------



## kpedersen (May 2, 2021)

OpenBSD has some great features so is worth checking out. However it does lack a little in other areas. For example they do have a good memory error catching system but they also lack AddressSanitizer.

Likewise, they have a pretty secure by default system and a chroot'ed (and audited) web server built in. But they lack full fledged Jails.

Obviously I am not qualified to truly decide if AddressSanitizer and Jails are better or worse approaches than theirs.


rootbert said:


> Plus: I consider having a patched browser more important than having an ultra-secure OS.


It depends on whether those patches are security patches or feature patches. Many patches open up security holes by adding new and wonderful (mis-)features. Instead, OpenBSD has done some good work with pledge and unveil to reduce the browser's reach into the rest of the system. I think their browser is also fairly up-to-date so I am not sure which I would recommend.

Same with Iridium, it has privacy / self-auditing features within the codebase but it can lag behind on versions. Perhaps it is in the weird position of being more private but less secure.

We are always playing catchup when it comes to browsers so Jails or VMs is generally my recommended approach.


----------



## mtu (May 2, 2021)

john_rambo said:


> I used OpenBSD in the past for 3-4 months. I too noticed this characteristic. I was able to update the OS but not the apps like Firefox. Can someone who uses OpenBSD or used OpenBSD in the past tell me the reason behind this approach?


OpenBSD focuses on a stable and secure base system, as well as up-to-date server applications. Firefox is a purely graphical application for desktop end-users. It's just a very low priority for the OpenBSD project as a whole.

Running OpenBSD and complaining about Firefox is like working at NASA and complaining about the coffee. It's NASA, not Starbucks.


----------



## john_rambo (May 2, 2021)

mtu said:


> OpenBSD focuses on a stable and secure base system, as well as up-to-date server applications. Firefox is a purely graphical application for desktop end-users. It's just a very low priority for the OpenBSD project as a whole.
> 
> Running OpenBSD and complaining about Firefox is like working at NASA and complaining about the coffee. It's NASA, not Starbucks.


I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS, FreeBSD offers updates for graphical apps like Firefox. As you know, what the GhostBSD team has done is take FreeBSD & do the necessary tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.


----------



## mtu (May 2, 2021)

john_rambo said:


> I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS, FreeBSD offers updates for graphical apps like Firefox. As you know, what the GhostBSD team has done is take FreeBSD & do the necessary tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.


You're doing well with learning. Discussions like these will bring you more understanding. (And to me, and almost everyone else. If someone says they already know everything, they are always wrong.)

In comparison with OpenBSD and GhostBSD, I would say that FreeBSD is "in-between". There's more focus on the graphical desktop and end-user applications in FreeBSD, but not enough for most people who are used to other operating systems. Which is the reason why GhostBSD exists, so you're right about that.


----------



## Emrion (May 2, 2021)

john_rambo said:


> I am not trying to argue. I am just trying to learn. Don't you think FreeBSD does the same thing? I mean FreeBSD too focuses on a stable and secure base & both FreeBSD & OpenBSD are meant for servers. This is the reason why GhostBSD exists. But despite being a server OS, FreeBSD offers updates for graphical apps like Firefox. As you know, what the GhostBSD team has done is take FreeBSD & do the necessary tweaking so that an average desktop user can take advantage of the excellent base of FreeBSD.


I'm not sure where I read it, maybe on this very forum: "Security is more a feeling than a reality".

My point is: if you have one or several servers exposed on the internet with one or more services running on it, you have to be seriously concerned with security. And it's a full-time job.

If you speak about a user on a desktop station, you just have to avoid the most used OSes on earth and security is done. From this point of view, FreeBSD (and its derivatives) is ultra-secure. Of course, some minor problems related to the browsers remain. And all you can do is update them as often as possible.


----------



## rootbert (May 2, 2021)

john_rambo said:


> Can you please explain what you mean by that? Honestly I am a bit scared after reading that.
> The only reason I switched from Linux to GhostBSD is because I read BSD is more secure.


The Linux kernel offers all kinds of bells and whistles regarding security - it offers the grsecurity/PaX patchset, the apparmor/tomoyo/SELinux security frameworks, strong ASLR, trusted path execution, various stack protection functionalities, seccomp etc., and some distros offer additional userspace protections like position independent code/executables, pointer obfuscation, stack/heap protections and whatnot. However, all of those features introduce quite some more lines of code, and if you have a big chunk of source code you also have quite some bugs in it. The Linux kernel consists of far more code than the clean kernel of FreeBSD, maybe even more than the whole FreeBSD operating system. Also, just look at Ubuntu: there you have a kernel update roughly weekly, and those updates also introduce some regressions. To emphasize this argument, just look at the number of CVEs: FreeBSD CVEs vs Linux Kernel CVEs - here you see that the Linux kernel alone (without the tools of a base system like Debian or Ubuntu) has far more vulnerabilities than the whole FreeBSD operating system. But also note: just taking the number of CVEs into account for measuring a system's security is not enough.

And while those security frameworks are nice and interesting and do make sense in some environments, just look around at some tutorials about RedHat/CentOS: most of them suggest turning off SELinux in the first paragraph, otherwise the stuff you are configuring won't work - so what's the use of a security framework if you have to turn it off for most of the software you are trying to run? Even if you choose to develop all those complex SELinux rulesets, it is a hell of a lot of work!

It is not that FreeBSD is lacking all of the features I mentioned above, it just offers not that many. FreeBSD is a quite secure system, and most importantly: security is regarded as important by its developers. That's why we have the intrusion detection system feature of the base system, pkg audit and VuXML, security announcements etc. I can tell you that having a patched version of Firefox/Chromium is very important for desktop systems, and the situation with Firefox is very good: we get new versions as fast as with the most secure Linux distributions out there. Furthermore, I have been tracking the security issues of the stacks my clients use (various: mysql, postgresql, nginx, apache, php, nodejs, python, dovecot, postfix, samba, haproxy etc.) on their servers since 2016 and I can tell you that for most of the software packages FreeBSD is among the fastest systems to patch them! FreeBSD offers nice tools for you to have a very secure workstation/server (have a look at jails, or capsicum if you are a developer). I have switched from OpenBSD to FreeBSD on my workstations and do consider them more secure now.



fraxamo said:


> ...
> 
> Security isn't a product, it's a process. And any operating system can be rendered insecure through bad practices. OpenBSD is deemed slightly more secure at install by turning off or not loading unneeded services to reduce the attack surface. FreeBSD doesn't do this by default and has been criticised for that here. However, if you follow best security practices then FreeBSD can be as secure as any other general purpose OS.


^^ This cannot be emphasized enough. The process is far more important than what operating system you are using.


----------



## john_rambo (May 2, 2021)

Emrion
Yes, I am using GhostBSD purely as a desktop OS. Nothing is exposed to the web. I ran a nmap scan just to make sure that no ports are open.
rootbert
I learned a lot.

Thanks to both.


----------



## bsduck (May 2, 2021)

john_rambo said:


> both FreeBSD & OpenBSD are meant for servers


Well, www.freebsd.org says:


> FreeBSD is an operating system used to power modern servers, *desktops*, and embedded platforms.


One could also say Linux is meant for servers because it is the most common OS on web servers, while its market share on desktop computers is low. Does this make sense? No. Both FreeBSD and Linux are full featured operating systems that can be used for almost whatever you want. They just happen to be more successful on the server market than the desktop, but things may change with time, especially with the bloated spyware, respectively the locked down toy Windows & MacOS have become.

Speaking about security by default, the FreeBSD installer does ask you whether you want to enable a few security hardening options.

Chapter 2. Installing FreeBSD (docs.freebsd.org): Guide about how to install FreeBSD, the minimum hardware requirements and supported architectures, how to create the installation media, etc.
I accepted them all so this should be the complete list of corresponding settings:

/etc/rc.conf

```
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
```

/boot/loader.conf

```
security.bsd.allow_destructive_dtrace=0
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
```

/etc/sysctl.conf

```
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
```

/etc/ttys

```
# name  getty                           type    status          comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off             insecure
```
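As an added example (not from the post above), here is a small POSIX sh audit that compares the installer's expected settings with a captured listing of the live values: `sysctl -e` prints `name=value` on FreeBSD and rc.conf uses the same shape, so one function covers both. The sample sysctl and rc.conf contents below are constructed, with a few knobs deliberately left at their defaults.

```shell
#!/bin/sh
# Audit the FreeBSD installer hardening knobs against live settings.
# Both expected and actual input are plain name=value lines.

# Expected values, exactly as the installer writes them to /etc/sysctl.conf.
EXPECTED_SYSCTL='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1'

# Expected rc.conf lines from the same list.
EXPECTED_RC='clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"'

# Constructed sample of "sysctl -e" output: two knobs left at their defaults.
SAMPLE_SYSCTL='security.bsd.see_other_uids=0
security.bsd.see_other_gids=1
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=1
kern.randompid=1'

# Constructed sample /etc/rc.conf: sendmail_enable is missing entirely.
SAMPLE_RC='hostname="homepc"
clear_tmp_enable="YES"
syslogd_flags="-ss"'

# audit_kv EXPECTED ACTUAL
# Prints "name expected actual" for every expected knob whose actual value
# differs or is absent (actual shown as MISSING); prints nothing when all match.
# Surrounding double quotes are ignored so rc.conf values compare cleanly.
audit_kv() {
    printf '%s\n' "$1" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        want=$(printf '%s' "$want" | tr -d '"')
        have=$(printf '%s\n' "$2" | awk -F= -v n="$name" '
            $1 == n { v = $2; found = 1 }
            END { if (found) { gsub(/"/, "", v); print v } else print "MISSING" }')
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$name" "$want" "$have"
    done
}

# count_findings EXPECTED ACTUAL -> number of knobs that are off.
count_findings() {
    audit_kv "$1" "$2" | wc -l | tr -d ' '
}

# Offline run over the constructed samples.
audit_kv "$EXPECTED_SYSCTL" "$SAMPLE_SYSCTL"
audit_kv "$EXPECTED_RC" "$SAMPLE_RC"
# On a real FreeBSD host (assumption: sysctl -e available, rc.conf readable):
#   audit_kv "$EXPECTED_SYSCTL" "$(sysctl -e security.bsd kern.randompid)"
#   audit_kv "$EXPECTED_RC" "$(cat /etc/rc.conf)"
```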


----------



## gpw928 (May 2, 2021)

john_rambo said:


> I am at the moment using 4G internet. I am stuck with the ISP's router. In future I am going to use a fiber connection. If OPNsense is based on HardenedBSD I will definitely use OPNsense. My plan was to use pfSense but I guess OPNsense is more secure. Thanks for the info.


There is no reason to be "stuck" with your ISP's router.  Both OPNsense and pfSense support 3G and 4G modems directly.

Going to fiber just means that you will need to interface to another sort of modem.

Sorting out how to separate the functions you generally get in the "integrated ISP box" (modem, router, firewall, WiFi transceiver, Ethernet switch, Terminal Adapter, ...) is a small challenge.

OPNsense tracks FreeBSD fairly closely, but with some delay, as it must await the HardenedBSD porting effort.  I'm looking forward to ARM support, but have been for quite some time!

pfSense seems to have a significantly greater level of community support active.  It has a long history, and a large commercial base. Those characteristics make it a worthy firewall candidate.

Both offer sound security.  Choosing OPNsense because it is slightly more secure against esoteric attacks might be poor risk analysis, especially if better support from the pfSense community means you are less likely to make mistakes that might allow your system to be penetrated in the first place.


----------



## gpw928 (May 2, 2021)

rootbert said:


> And while those security frameworks are nice and interesting and do make sense in some environments, just look around at some tutorials about RedHat/CentOS: most of them suggest turning off SELinux in the first paragraph, otherwise the stuff you are configuring won't work - so what's the use of a security framework if you have to turn it off for most of the software you are trying to run? Even if you choose to develop all those complex SELinux rulesets, it is a hell of a lot of work!


My experience with SELinux is that it's a "feature" that managers are told by higher (unquestionable) authorities that they must tick in order to comply with best practice -- and they won't meet their required outcomes unless they do it.

The practical outcome is that applications get their behaviour profiled at run time, and a ruleset created to describe "normal behaviour" in production.

Then, one day, something unusual happens, and the application traverses a normally unused code path leading to the execution of an unexpected system call.

Bang!  Your production system just went down...  Usually at *the* most inconvenient time.

My recommendation would always be to apply an *appropriate* risk analysis before deploying SELinux.  If you are running a nuclear power plant, or a network of spies in a foreign country, by all means get the source code of your application and do the work to create a completely "correct" SELinux ruleset.  Otherwise think through the risk analysis.  As Bruce Schneier says, "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk".


----------



## john_rambo (May 3, 2021)

gpw928 said:


> There is no reason to be "stuck" with your ISP's router. Both OPNsense and pfSense support 3G and 4G modems directly.


I am not using a 3G or 4G modem. This is the router that my ISP has provided:

https://www.flipkart.com/jiofi-jmr-1140-data-card/p/itmf6mch497kmnpp


----------



## chrcol (May 3, 2021)

I have it running on two VMs, one of which does run some services for my personal use.

I do feel at least some of these features are long overdue in FreeBSD but I also understand why there is hesitancy in adding them, the main barrier probably being performance; for all the mitigations, INVARIANT is required in the kernel, and on my two installations it is noticeable on performance.

Another issue I noticed is that the binary OS updater is very lacking. Usually I do src compile updates but I had let one of the machines go too out of date, to the point that clang was too old to build a supported world, so I had to use the binary updater, which had some issues, one of them being that it doesn't do the stuff normally handled by mergemaster.

It has its own ports tree which requires manual maintenance as portsnap is not supported, but what is nice is that the ports tree does support PIE etc.

I found out recently that OPNsense is reverting to stock FreeBSD as its base, so I am not sure now what the future is for HardenedBSD other than a proof of concept.  But I will keep the two VMs on it, unlikely for any production servers though.


----------



## Deleted member 30996 (May 3, 2021)

john_rambo said:


> I care a lot about security so I am curious.


We all care about security. What's going to make one OS any more secure than another _for you_ is what I'm curious to know.



john_rambo said:


> Yes, I am using GhostBSD purely as a desktop OS. Nothing is exposed to the web. I ran a nmap scan just to make sure that no ports are open.


I'm using FreeBSD purely as a desktop OS and connected to the Internet right now. I've had OpenBSD, OpenIndiana and Oracle Solaris desktops, have 9 laptops and 8 are running FreeBSD right now. One is waiting for me to get around to changing it over from Kali Linux.

To me, FreeBSD feels more polished as a desktop OS and I have scads of screenshots going back years in that thread. Any vulnerabilities in the Base System are addressed in a timely manner and are easy to update with `freebsd-update fetch` and, if there is one, `freebsd-update install`.

Third party programs like Firefox are usually updated quickly. Your skill and ability to work out possible problems with ports or pkg is something nobody has to start with and can only be learned from experience.

If you only have 1 computer on your LAN did you run the scan from that machine, another one on the Internet or a site that has online nmap scans? And if you scanned your own machine, from that machine, what nmap command did you use? It makes a difference.

That said, I have something just for you. Right here, right now:
Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch (forums.freebsd.org): I'm going to guide you through the process of getting a fully functional FreeBSD 13.0-RELEASE desktop up and running, complete with system files and security settings, step-by-step as if you've never used UNIX or the command line.

You can use pkg and still follow the outline. That should get you to a Fluxbox desktop complete with System and Security settings to get you started including a pf firewall ruleset. And a ruleset if you use CUPS in the comments section, soon to appear on my newly updated site.
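Added example, not from the post above: a POSIX sh/awk filter over FreeBSD `sockstat -46l` output that separates loopback-only listeners (such as sendmail bound to 127.0.0.1) from ones bound to every interface, which is exactly the distinction a self-scan from the same host blurs. The sockstat lines below are constructed and include a syslogd started without the installer's `-ss` flag, so it still binds UDP 514.

```shell
#!/bin/sh
# Classify listening sockets by reachability from other hosts.
# Input is the text of "sockstat -46l" (FreeBSD): one header line, then
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS per socket.

# Constructed sample of "sockstat -46l" output.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp6   *:22                  *:*
root     sshd       812   5  tcp4   *:22                  *:*
root     sendmail   741   5  tcp4   127.0.0.1:25          *:*
root     syslogd    598   7  udp4   *:514                 *:*
user     cupsd      903   8  tcp4   127.0.0.1:631         *:*'

# exposed_listeners SOCKSTAT_OUTPUT
# Prints "PROTO LOCAL_ADDRESS COMMAND" for each listener that other hosts
# could reach, i.e. not bound to 127.0.0.0/8 or ::1; prints nothing when
# every listener is loopback-only.
exposed_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 6 {
        addr = $6
        # Loopback-bound sockets are invisible from the LAN: skip them.
        if (addr ~ /^127\./ || addr ~ /^::1:/) next
        print $5, addr, $2
    }'
}

# exposed_count SOCKSTAT_OUTPUT -> number of externally reachable listeners.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Offline run over the constructed sample.
exposed_listeners "$SAMPLE_SOCKSTAT"
# On a real FreeBSD host (assumption: sockstat present, as in base):
#   exposed_listeners "$(sockstat -46l)"
```

A listener printed here is what a scan from another machine on the LAN could see; one filtered out as loopback would still show up in the nmap run from the host itself.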


----------



## gpw928 (May 3, 2021)

john_rambo said:


> I am not using a 3G or 4G modem. This is the router that my ISP has provided:
> 
> https://www.flipkart.com/jiofi-jmr-1140-data-card/p/itmf6mch497kmnpp


Indiamart says:


> JioFi 4 JMR 1140 is a portable wireless router from Reliance Digital that allows multiple users to access the 4G internet and create a personal Wi-Fi hotspot.


So, it's got a 4G modem, router, firewall, and WiFi transceiver integrated into a single box.

It almost certainly doesn't make sense to change what you have until you have a good reason.  Having said that, it's technically possible to acquire, as separate components:

- a stand-alone USB 4G modem;
- an OPNsense or pfSense firewall/router on a FreeBSD system; and
- a WiFi transceiver for connection to the internal network.

Your ISP should be consulted to see if they have any recommendations regarding the brand/model of stand-alone 4G modem, and to determine the configuration settings required.  Any good ISP will provide this (not all ISPs are good).

If you wish to use OPNsense or pfSense, you will have to move to this type of architecture (i.e. dump the all-in-one integrated box in favour of separate components).  Then when you get your fiber connection, all you have to do is switch the modem.  Where I live, fiber service modems are provided by the ISP, and present an Ethernet port for connection to the firewall.  [They are the simplest Internet modem of all.]


----------



## john_rambo (May 3, 2021)

Trihexagonal
Since you have provided that tutorial I have 2 questions.

1) I am using GhostBSD which as you know is a fork of FreeBSD tweaked to make it user friendly for average desktop users. Are there any disadvantages if I continue using GhostBSD vs FreeBSD? To be honest, despite the fact that I have used GhostBSD for only about 15 days, I really like the experience.

2) You mention PF. GhostBSD uses IPFW by default. Is PF superior in comparison to IPFW?

Yes since I have only one PC I ran the nmap scan from the same machine. The local IP 192.168.225.21 is provided by my router using DHCP.

I used the following nmap command:


```
~> nmap 192.168.225.21
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 12:01 IST
Nmap scan report for homepc (192.168.225.21)
Host is up (0.000016s latency).
All 1000 scanned ports on homepc (192.168.225.21) are closed

Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds
```

gpw928

This is just a temporary solution. We will move to a new house soon & once we move I will replace this 4G connection with fiber broadband & I will buy a low energy consuming motherboard/CPU combo for OPNsense or pfSense. I have some experience with pfSense. I used pfSense some years back when I was using cable broadband. Due to high ping & speed drops I got fed up with that ISP & purchased this 4G router. The hardware that I was using for pfSense is no longer in working condition.

If you were in my position, which one would you choose? pfSense or OPNsense? There is a reason for this question.

When I was using pfSense I registered at their forum but now I find that that particular forum has vanished from the WWW. Now when I search "pfsense forum" on Google I see this forum https://forum.netgate.com/

The forum that I was participating in was not forum.netgate.com, it was something else. Sorry, I didn't copy the exact address into my KeePassXC database.


----------



## tingo (May 3, 2021)

john_rambo said:


> There's a reason for that. I have only 1 desktop at home. So it was not possible for me to do the necessary research about the problem. Frankly I just panicked.


This is the one disadvantage of today's world: all the information you need is on the internet, so you need a working computer (or, if so inclined a phone or a tablet) in order to set up / fix things. If working on computers, you need at least one other than the one you are working on.


----------



## Deleted member 30996 (May 3, 2021)

john_rambo said:


> Trihexagonal
> Since you have provided that tutorial I have 2 questions.
> 
> 1) I am using GhostBSD which as you know is a fork of FreeBSD tweaked to make it user friendly for average desktop users. Are there any disadvantages if I continue using GhostBSD vs FreeBSD? To be honest, despite the fact that I have used GhostBSD for only about 15 days, I really like the experience.


If you're enjoying your experience with GhostBSD then there is no reason you should change. It would only make things harder for you since that already comes with a desktop.



john_rambo said:


> 2) You mention PF. GhostBSD uses IPFW by default. Is PF superior in comparison to IPFW ?


Not in any area other than personal preference.

It's what I've been using for 16 years so that's what I know and like.


----------



## gpw928 (May 4, 2021)

john_rambo said:


> If you are in my position which one will you choose ? PFsense or OPNsense ? There's a reason for this question.
> 
> When I was using PFsense I registered at their forum but now I find that that particular forum has vanished from the WWW. Now when I search "pfsense forum" on Google I see this forum: https://forum.netgate.com/
> 
> The forum that I was participating in was not forum.netgate.com, it was something else. Sorry, I didn't copy the exact address in my KeePassXC database.


99.9% of the population use a WiFi router appliance with integrated firewall, pretty much exactly the same as what you are using now.  The details may vary (e.g. type of modem, presence of Telephone Adapter for VoIP and hardware Ethernet switch, WiFi standards, hardware speeds), but they all do the same basic task.

Most people just take what their ISP offers, as it will usually be pre-configured, and well supported by the ISP.   

When your Internet connection is by some type of cable (copper, coax, fiber), enthusiasts may look for something "better" and go for the BYO router option.  There's heaps of choice.  Just make sure its "WAN link" will work with your ISP's plug in the wall.

So the first question is why do you want a separate firewall?

There are plenty of good answers, including simple curiosity to learn, portability to a different ISP or Internet connection method, and enhanced control to support unusual things (e.g. VPN, DMZ Internet servers).

OPNsense and pfSense are derived from a common base.  pfSense is commercial (but with a "free" version).  OPNsense is free software.    

OPNsense works traditionally on X86 hardware.  I know that there's a lot of people interested in ARM, especially since it moved to a FreeBSD 12.1 base, but I can't discern any solid support for it yet.

Netgate is the corporation that sells pfSense based products (cloud, appliances, software).  However you can download a "free" Community Edition.  There's a very active forum (sponsored and moderated by Netgate).

pfSense runs on X86, but I think that there are now some ARM platforms sold by Netgate (but I gather it's not a realistic option to build your own from the Community Edition).

As I said above, choosing OPNsense because it is slightly more secure against esoteric attacks might be poor risk analysis, especially if better support from the pfSense community means you are less likely to make mistakes that might allow your system to be penetrated in the first place. 

I'm patiently waiting for OPNsense to get ARM support for a Raspberry Pi (which has sufficient "grunt" for my modest needs).  If I had to purchase new firewall hardware, I would seriously consider the Community Edition of pfSense.  I have used both, and they are very similar.


----------



## john_rambo (May 4, 2021)

gpw928 said:


> So the first question is why do you want a separate firewall?
> 
> There are plenty of good answers, including simple curiosity to learn, portability to a different ISP or Internet connection method, and enhanced control to support unusual things (e.g. VPN, DMZ Internet servers).


There's also a very important reason why I or any security-conscious user would want a separate firewall. No matter which brand of router you buy & no matter how expensive it is, in my personal experience I have seen that all of them are simply pathetic when it comes to releasing firmware updates. Some brands do offer security updates but not for more than 3-5 years. People who have technical knowledge deal with this situation by using open source firmware like DD-WRT.

When I was using PFsense I was updating it like 3-4 times a week.


----------



## gpw928 (May 4, 2021)

john_rambo said:


> No matter which brand of router you buy & no matter how expensive it is, in my personal experience I have seen that all of them are simply pathetic when it comes to releasing firmware updates.
> ...
> When I was using PFsense I was updating it like 3-4 times a week.


There are a couple of additional issues that are relevant to the risk analysis.

The first is back doors on turnkey appliance firewalls.  There have been so many of these found from multiple vendors that they alone justify extreme caution.  It's the main reason I don't use a consumer appliance Internet firewall.

The second is attack surface.  Your average consumer appliance firewall is closed to incoming connections.  In that state, the attack surface is small, and the risk is small (modulo back doors).

It's only when you open up the firewall to facilitate Internet facing services (like running a web or mail server) that the attack surface opens up.  And it opens up a *lot*.  So much that I would always be inclined to relocate the risk to the cloud in some way (assuming I didn't have teams of experts in my own organisation).  

The reason pfSense requires such regular patching relates to a whole ecosystem of operating system and application software that is under active development.  Without an operating system and multiple applications and active development, there are fewer bugs to fix.  I'm not saying that you are wrong about consumer appliances needing more patching.  But, as a matter of degree, they need it much less than a full blown application firewall.


----------



## mark_j (May 5, 2021)

john_rambo said:


> https://hardenedbsd.org/content/about
> 
> I am using GhostBSD. I like it. Its quite user friendly. I searched about which is the most secure OS & found 2. The first one is OpenBSD & the second is HardenedBSD. I care a lot about security so I am curious.
> Is HardenedBSD really more secure than GhostBSD/FreeBSD ?
> Have you used HardenedBSD ? Did you like it ?


I wanted to try it a while back, but I couldn't get it to boot in VMWare. I might give it a try under virtualbox one day, though.

1) As to security: what does it matter when the major CPU providers have micro-op caches that can be read & manipulated?

2) It's all a matter of degree. An OS can only do so much and provided it doesn't provide easy targets for stack smashing, buffer overflows etc, then it's done its job. The role of OpenBSD and, to a lesser extent, HardenedBSD is admirable, though, especially in appliances.  See point 1.


----------



## Deleted member 30996 (May 5, 2021)

When I decided to learn about Internet Security I figured the best way to prevent being exploited was to know how exploits were carried out. And there had to be a hard way to do it... 

That was back when I did everything the hard way, because I didn't know any better. 

Now I do and try not to make things any harder than they already are.


----------



## tOsYZYny (May 6, 2021)

A firewall is just one layer of protection.  It depends on what you're worried about.

Nowadays, DNS may be over HTTPs, so even if you were to block DNS requests to certain domains, that can be subverted.
Secondly, if you're not proxying your HTTP and HTTPs traffic and filtering out traffic, traffic can still go through unrestricted.
And, furthermore, if you are running a proxy and filtering HTTP and HTTPs, you'd need a good proxy to ensure you're not leaking private information.  I suppose though, if you're leaking private information, then you must have already entered it into the browser.  But I am really thinking about mobile and IoT.  All of those apps we have installed pretty much do whatever they want.  Some of them use their own DNS.  Depending on the app, you have to let it record audio, camera, access to the network, your contacts, the list goes on and on.

What can an average consumer do at that point?

I have had suricata, snort, bro, elasticsearch, kibana, argus, and squid (with SSL bumping) installed in the past and as a "security enthusiast", it would be fun to see what I could find and potentially protect.  However, merely installing it isn't enough; a little bit more know-how is required, and time in keeping those systems patched.

I run FreeBSD on my "router", I do filter some IP traffic, have time of day restrictions (via PF anchors), and block certain DNS traffic.
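A constructed example (not the poster's configuration) of the two techniques mentioned in that post: a PF anchor that cron fills or flushes to enforce a time-of-day window, and rules that allow only the router's own resolver on port 53 (which, as the post notes, DNS over HTTPS on port 443 still bypasses). Interface em1, LAN 192.168.1.0/24, resolver 192.168.1.1 and the 22:00-06:00 window are assumptions.

```shell
#!/bin/sh
# Constructed example: time-of-day restrictions via a PF anchor plus
# "LAN may only talk to the router's resolver" DNS rules. Assumed values:
LAN_IF="em1"                 # LAN-side interface
LAN_NET="192.168.1.0/24"     # LAN network
RESOLVER="192.168.1.1"       # resolver running on the router itself
ANCHOR="timeofday"           # anchor name referenced from /etc/pf.conf

# Static rules that belong in /etc/pf.conf, above the general LAN pass rule.
# The anchor is evaluated in order; an empty anchor matches nothing.
# Plain DNS to any other host is blocked; DoH on 443 is not caught here.
pf_base_rules() {
cat <<EOF
anchor "$ANCHOR"
pass in quick on $LAN_IF proto { tcp udp } from $LAN_NET to $RESOLVER port 53
block in quick on $LAN_IF proto { tcp udp } from $LAN_NET to any port 53
EOF
}

# True (exit 0) when hour HH (0-23) falls in the restricted window 22:00-06:00.
in_restricted_window() {
  [ "$1" -ge 22 ] || [ "$1" -lt 6 ]
}

# Anchor contents for a given hour: block LAN -> non-LAN traffic during the
# window, nothing otherwise (loading empty input flushes the anchor).
anchor_rules_for_hour() {
  if in_restricted_window "$1"; then
    printf 'block in quick on %s from %s to ! %s\n' "$LAN_IF" "$LAN_NET" "$LAN_NET"
  fi
}

# Apply from cron every hour, e.g. "0 * * * * /usr/local/sbin/tod.sh apply".
# pfctl -a loads the rules into the named anchor only; the main ruleset stays.
apply_anchor() {
  hour=$(date +%H | sed 's/^0//')
  anchor_rules_for_hour "${hour:-0}" | pfctl -a "$ANCHOR" -f -
}

if [ "$1" = "apply" ]; then
  apply_anchor
fi
```

Check the generated rules with `pfctl -a timeofday -sr` after the cron run; the base rules are loaded once with `pfctl -f /etc/pf.conf`.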


----------



## Beastie7 (May 6, 2021)

Thanks for reading the brochure guys. I love it.


----------

